Jacked[RESOLVED]

[geopat89]

Can someone please help me interpret my log file results from HijackThis and help me manually clean my system of malware.

I'm hoping someone can provide information on which items might be causing me problems and how to remove them safely from my computer.

Logfile_of_Trend_Micro_HijackThis_v2.doc

StartupList_report.doc

[Rorschach112]

Don't attach the logs

Disable resident protections (Antivirus...); you'll re-enable them after the scan

Download Lop S&D < here

Double-click Lop S&D.exe

Choose the language, then choose Option 1 (Search)

Wait till the end of the scan

Post the log which is created: (%SystemDrive%\lopR.txt)

[geopat89]

Here is the log.

--------------------\\ Lop S&D 4.2.4-8 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 2

X86-based PC ( Uniprocessor Free : AMD Sempron Processor 3100+ )

BIOS : Phoenix - AwardBIOS v6.00PG

USER : Owner ( Administrator )

BOOT : Normal boot

Antivirus : AVG Anti-Virus Free 8.0 (Not Activated)

C:\ (Local Disk) - NTFS - Total:107 Go (Free:92 Go)

D:\ (Local Disk) - FAT32 - Total:4 Go (Free:2 Go)

E:\ (CD or DVD)

G:\ (USB)

H:\ (USB)

I:\ (USB)

J:\ (USB)

"C:\Lop SD" ( MAJ : 27-10-2008|09:15 )

Option : [1] ( Tue 10/28/2008|12:55 )

--------------------\\ Listing folders in APPLIC~1

[10/01/2006|08:35] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> AOL

[01/09/2005|08:13] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Identities

[08/02/2008|08:42] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft

[02/10/2006|12:24] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> SampleView

[02/10/2006|12:25] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> You've Got Pictures Screensaver

[02/10/2006|12:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe

[10/01/2006|08:35] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL

[10/11/2007|06:03] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer

[01/20/2008|04:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Arcadetown

[08/02/2008|08:43] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> avg8

[05/10/2007|11:39] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> BigFishGamesCache

[12/17/2006|01:14] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> CA

[11/28/2007|12:44] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Christmasville

[09/25/2007|02:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Creative

[08/26/2007|07:08] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> CyberLink

[05/28/2007|11:00] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> FloodLightGames

[10/24/2006|05:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Google

[09/30/2007|05:40] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Grisoft

[12/24/2006|04:23] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> HP

[01/27/2008|04:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Intuit

[04/25/2007|08:56] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> iWin Games

[03/01/2008|11:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> JollyBear

[12/20/2006|11:00] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Knowledge Adventure

[09/03/2007|02:35] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Kodak

[02/13/2008|07:10] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Lavasoft

[02/10/2006|12:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> McAfee

[01/06/2007|08:40] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> McAfee.com

[10/04/2006|09:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> McAfee.com Personal Firewall

[03/18/2008|07:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft

[12/29/2007|09:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> MumboJumbo

[08/06/2007|11:29] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Oberon Media

[12/04/2006|01:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> PlayFirst

[02/10/2006|12:09] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Prism Deploy

[02/10/2006|12:25] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Pure Networks

[02/20/2007|11:07] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> QuickTime

[07/01/2007|08:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SpinTop Games

[12/29/2007|06:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SpinTopV1004

[09/30/2007|06:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy

[04/22/2008|08:28] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> TEMP

[04/10/2007|07:23] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> TERMINAL Studio

[10/01/2006|09:37] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Trymedia

[02/02/2007|11:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Viewpoint

[12/15/2006|12:04] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> WildTangent

[01/10/2007|01:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage

[12/03/2007|10:24] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> yahoo!

[12/05/2006|11:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Yahoo! Companion

[10/01/2006|08:35] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> AOL

[01/09/2005|08:13] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Identities

[02/10/2006|12:24] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft

[02/10/2006|12:24] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> SampleView

[02/10/2006|12:25] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> You've Got Pictures Screensaver

[10/01/2006|07:16] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> McAfee.com Personal Firewall

[08/02/2008|08:42] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft

[08/02/2008|08:42] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

[04/21/2008|12:37] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Adobe

[05/07/2008|10:25] C:\DOCUME~1\Owner\APPLIC~1\<DIR> AdobeUM

[10/01/2006|08:35] C:\DOCUME~1\Owner\APPLIC~1\<DIR> AOL

[09/27/2007|09:11] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Apple Computer

[09/25/2007|02:58] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Creative

[08/26/2007|07:08] C:\DOCUME~1\Owner\APPLIC~1\<DIR> CyberLink

[10/29/2007|08:16] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Digital Album Organizer

[05/28/2007|11:00] C:\DOCUME~1\Owner\APPLIC~1\<DIR> FloodLightGames

[09/01/2007|09:51] C:\DOCUME~1\Owner\APPLIC~1\<DIR> funkitron

[11/05/2006|12:53] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Gaijin Ent

[08/06/2007|07:01] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Google

[09/30/2007|05:41] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Grisoft

[05/30/2007|11:49] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Help

[12/25/2006|01:46] C:\DOCUME~1\Owner\APPLIC~1\<DIR> HP

[01/09/2005|08:13] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Identities

[11/07/2007|06:43] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Image Zone Express

[05/04/2007|01:52] C:\DOCUME~1\Owner\APPLIC~1\<DIR> InstallShield

[01/27/2008|04:17] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Intuit

[02/03/2008|07:44] C:\DOCUME~1\Owner\APPLIC~1\<DIR> iWin

[12/30/2007|06:00] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Legends of pirates

[10/26/2006|10:31] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Macromedia

[06/09/2007|11:29] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Magic Academy

[01/02/2008|06:26] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Magic Stones

[09/21/2006|08:42] C:\DOCUME~1\Owner\APPLIC~1\<DIR> McAfee.com Personal Firewall

[09/06/2008|03:47] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Microsoft

[10/02/2006|08:39] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Microsoft Web Folders

[10/19/2008|01:34] C:\DOCUME~1\Owner\APPLIC~1\<DIR> MP3Rocket

[04/26/2007|09:10] C:\DOCUME~1\Owner\APPLIC~1\<DIR> MysteryStudio

[12/04/2006|01:26] C:\DOCUME~1\Owner\APPLIC~1\<DIR> PlayFirst

[05/09/2007|07:55] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Printer Info Cache

[04/19/2008|02:47] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Real

[02/10/2006|12:24] C:\DOCUME~1\Owner\APPLIC~1\<DIR> SampleView

[05/28/2007|10:59] C:\DOCUME~1\Owner\APPLIC~1\<DIR> SpinTop

[03/10/2008|10:41] C:\DOCUME~1\Owner\APPLIC~1\<DIR> SprillBermudeEng

[10/30/2006|05:10] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Sun

[10/23/2006|12:38] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Template

[02/02/2007|11:11] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Viewpoint

[10/29/2007|07:26] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Wal-Mart Digital Photo Manager

[05/04/2007|01:56] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Wal-Mart Digital Photo Viewer

[10/02/2006|02:25] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Wildfire

[07/20/2008|01:38] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Yahoo!

[09/27/2007|11:29] C:\DOCUME~1\Owner\APPLIC~1\<DIR> YourPrivacyGuard

[02/10/2006|12:25] C:\DOCUME~1\Owner\APPLIC~1\<DIR> You've Got Pictures Screensaver

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[10/28/2008 12:22 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT

[08/10/2004 02:00 PM][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[01/03/2008|09:45] C:\Program Files\<DIR> 2Wire

[05/10/2007|11:29] C:\Program Files\<DIR> Activision Value

[05/03/2007|04:19] C:\Program Files\<DIR> Adobe

[03/17/2008|09:52] C:\Program Files\<DIR> Adzgalore Games Collection

[01/04/2008|12:20] C:\Program Files\<DIR> AgeOfCastles_at

[02/17/2008|02:09] C:\Program Files\<DIR> AmazingAdventures_at

[02/08/2008|05:25] C:\Program Files\<DIR> AskSBar

[08/02/2008|08:43] C:\Program Files\<DIR> AVG

[05/04/2007|01:52] C:\Program Files\<DIR> aVinci

[05/04/2007|10:40] C:\Program Files\<DIR> BFG

[05/10/2007|11:36] C:\Program Files\<DIR> bfgclient

[09/30/2007|01:52] C:\Program Files\<DIR> CCleaner

[01/27/2008|04:13] C:\Program Files\<DIR> Common Files

[01/09/2005|08:07] C:\Program Files\<DIR> ComPlus Applications

[02/10/2006|12:06] C:\Program Files\<DIR> CONEXANT

[10/15/2007|01:34] C:\Program Files\<DIR> Creative

[10/28/2008|08:19] C:\Program Files\<DIR> Crusty.exe

[02/10/2006|12:13] C:\Program Files\<DIR> CyberLink

[02/10/2006|12:23] C:\Program Files\<DIR> Digital Media Reader

[05/03/2008|12:56] C:\Program Files\<DIR> Disney

[08/05/2007|10:20] C:\Program Files\<DIR> GameHouse

[01/04/2008|12:26] C:\Program Files\<DIR> Games

[10/15/2007|12:26] C:\Program Files\<DIR> Google

[08/02/2008|08:47] C:\Program Files\<DIR> Grisoft

[07/04/2007|11:26] C:\Program Files\<DIR> Hewlett-Packard

[03/24/2007|07:55] C:\Program Files\<DIR> HP

[02/13/2008|07:04] C:\Program Files\<DIR> InstallShield Installation Information

[10/15/2008|03:06] C:\Program Files\<DIR> Internet Explorer

[08/01/2007|05:07] C:\Program Files\<DIR> Java

[10/09/2007|10:26] C:\Program Files\<DIR> Kodak

[02/27/2008|11:00] C:\Program Files\<DIR> Kudos_at

[09/30/2007|05:56] C:\Program Files\<DIR> Lavasoft

[02/10/2006|12:27] C:\Program Files\<DIR> McAfee

[08/14/2008|04:41] C:\Program Files\<DIR> Messenger

[02/10/2006|12:21] C:\Program Files\<DIR> Microsoft Digital Image 2006

[01/09/2005|08:13] C:\Program Files\<DIR> microsoft frontpage

[10/08/2007|06:31] C:\Program Files\<DIR> Microsoft Money 2006

[11/14/2007|06:59] C:\Program Files\<DIR> Microsoft Office

[06/21/2008|08:12] C:\Program Files\<DIR> Microsoft Picture It! PhotoPub

[02/10/2006|12:24] C:\Program Files\<DIR> Microsoft Works

[10/15/2007|12:27] C:\Program Files\<DIR> Mindscape

[01/09/2005|08:09] C:\Program Files\<DIR> Movie Maker

[10/19/2008|01:34] C:\Program Files\<DIR> MP3 Rocket

[11/14/2007|06:59] C:\Program Files\<DIR> MSECache

[08/16/2007|05:14] C:\Program Files\<DIR> MSN

[02/10/2006|12:23] C:\Program Files\<DIR> MSN Encarta Plus

[01/09/2005|08:05] C:\Program Files\<DIR> MSN Gaming Zone

[11/20/2006|05:32] C:\Program Files\<DIR> MSXML 4.0

[09/27/2007|07:58] C:\Program Files\<DIR> MSXML 6.0

[09/25/2007|04:12] C:\Program Files\<DIR> MTV Networks

[01/09/2005|08:09] C:\Program Files\<DIR> NetMeeting

[11/26/2006|11:53] C:\Program Files\<DIR> Oberon Media

[01/09/2005|08:09] C:\Program Files\<DIR> Online Services

[06/13/2007|04:52] C:\Program Files\<DIR> Outlook Express

[10/01/2006|08:43] C:\Program Files\<DIR> Pure Networks

[09/25/2007|03:31] C:\Program Files\<DIR> QuickTime

[02/05/2007|10:31] C:\Program Files\<DIR> Real

[12/24/2006|02:17] C:\Program Files\<DIR> Realore

[03/06/2008|08:45] C:\Program Files\<DIR> ReflexiveArcade

[11/20/2007|12:08] C:\Program Files\<DIR> SBC Yahoo!

[12/12/2006|08:55] C:\Program Files\<DIR> Scholastic Digital Downloads

[02/04/2007|01:49] C:\Program Files\<DIR> Serif

[02/02/2007|11:27] C:\Program Files\<DIR> Shockwave.com

[02/16/2008|07:09] C:\Program Files\<DIR> Spybot - Search & Destroy

[10/22/2006|07:11] C:\Program Files\<DIR> Trymedia

[01/27/2008|04:10] C:\Program Files\<DIR> TurboTax

[01/09/2005|08:19] C:\Program Files\<DIR> Uninstall Information

[02/10/2006|12:25] C:\Program Files\<DIR> Viewpoint

[05/04/2007|01:57] C:\Program Files\<DIR> Wal-Mart

[02/13/2007|07:50] C:\Program Files\<DIR> Web Publish

[05/27/2007|06:16] C:\Program Files\<DIR> Windows Media Connect 2

[05/27/2007|06:16] C:\Program Files\<DIR> Windows Media Player

[01/09/2005|08:05] C:\Program Files\<DIR> Windows NT

[01/09/2005|08:06] C:\Program Files\<DIR> Windows Plus

[01/09/2005|08:10] C:\Program Files\<DIR> WindowsUpdate

[01/09/2005|08:13] C:\Program Files\<DIR> xerox

[12/03/2007|10:24] C:\Program Files\<DIR> Yahoo!

[09/30/2007|02:12] C:\Program Files\<DIR> Zone Labs

--------------------\\ Listing Folders in C:\Program Files\Common Files

[05/07/2008|10:26] C:\Program Files\Common Files\<DIR> Adobe

[01/27/2008|04:13] C:\Program Files\Common Files\<DIR> AnswerWorks 4.0

[10/01/2006|08:35] C:\Program Files\Common Files\<DIR> AOL

[02/10/2006|12:16] C:\Program Files\Common Files\<DIR> DESIGNER

[12/24/2006|04:20] C:\Program Files\Common Files\<DIR> Hewlett-Packard

[07/04/2007|11:28] C:\Program Files\Common Files\<DIR> HP

[02/10/2006|12:23] C:\Program Files\Common Files\<DIR> InstallShield

[01/27/2008|04:11] C:\Program Files\Common Files\<DIR> Intuit

[02/10/2006|12:20] C:\Program Files\Common Files\<DIR> Java

[12/18/2006|08:51] C:\Program Files\Common Files\<DIR> Knowledge Adventure

[09/03/2007|02:31] C:\Program Files\Common Files\<DIR> Kodak

[11/14/2007|06:59] C:\Program Files\Common Files\<DIR> Microsoft Shared

[01/09/2005|08:09] C:\Program Files\Common Files\<DIR> MSSoap

[02/10/2006|12:09] C:\Program Files\Common Files\<DIR> New Boundary

[02/10/2006|12:25] C:\Program Files\Common Files\<DIR> Nullsoft

[01/09/2005|12:00] C:\Program Files\Common Files\<DIR> ODBC

[03/18/2007|08:52] C:\Program Files\Common Files\<DIR> Real

[10/11/2007|06:52] C:\Program Files\Common Files\<DIR> Scanner

[01/09/2005|08:09] C:\Program Files\Common Files\<DIR> Services

[01/09/2005|12:00] C:\Program Files\Common Files\<DIR> SpeechEngines

[06/13/2007|04:52] C:\Program Files\Common Files\<DIR> System

[09/30/2007|05:55] C:\Program Files\Common Files\<DIR> Wise Installation Wizard

[03/18/2007|08:53] C:\Program Files\Common Files\<DIR> xing shared

--------------------\\ Process

( 44 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\Owner\Cookies\owner@advertising[1].txt

C:\DOCUME~1\Owner\Cookies\[email protected][1].txt

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN

--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-28 12:56:23

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden files: 0

--------------------\\ Searching for other infections

C:\WINDOWS\system32\ttutv.bak1

C:\WINDOWS\system32\ttutv.bak2

C:\WINDOWS\system32\ttutv.ini

C:\WINDOWS\system32\ttutv.ini2

C:\WINDOWS\system32\ttutv.tmp

C:\WINDOWS\system32\hQXaIRqr.ini

C:\WINDOWS\system32\hQXaIRqr.ini2

==> VUNDO <==

[F:71][D:8]-> C:\DOCUME~1\Owner\LOCALS~1\Temp

[F:150][D:0]-> C:\DOCUME~1\Owner\Cookies

[F:4545][D:9]-> C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Tue 10/28/2008|12:58 - Option : [1]

--------------------\\ Scan completed at 12:58:20

[Rorschach112]

Hello

Please download the OTMoveIt3 by OldTimer or from here.

• Save it to your desktop.
  
• Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  

  :Processes
  explorer.exe
  
  :Services
  
  :Reg
  
  :Files
  C:\WINDOWS\system32\ttutv.bak1
  C:\WINDOWS\system32\ttutv.bak2
  C:\WINDOWS\system32\ttutv.ini
  C:\WINDOWS\system32\ttutv.ini2
  C:\WINDOWS\system32\ttutv.tmp
  C:\WINDOWS\system32\hQXaIRqr.ini
  C:\WINDOWS\system32\hQXaIRqr.ini2
  
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

  
  

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTMoveIt3
  

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

• Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  
• Double click on RSIT.exe to run RSIT.
  
• Click Continue at the disclaimer screen.
  
• Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
  

[geopat89]

Ok Here is the log from the OTMoveIT scan.

But the other program was in the process of running and it cam up with an error code:

It was on the task of "Performing Registry Dump". The error code was this:

Auto It Error

Line: -1:

Error: Error Parsing function call.

(Ok here is the log from the OTMoveIT scan)

========== PROCESSES ==========

Process explorer.exe killed successfully.

========== SERVICES/DRIVERS ==========

========== REGISTRY ==========

========== FILES ==========

C:\WINDOWS\system32\ttutv.bak1 moved successfully.

C:\WINDOWS\system32\ttutv.bak2 moved successfully.

C:\WINDOWS\system32\ttutv.ini moved successfully.

C:\WINDOWS\system32\ttutv.ini2 moved successfully.

C:\WINDOWS\system32\ttutv.tmp moved successfully.

C:\WINDOWS\system32\hQXaIRqr.ini moved successfully.

C:\WINDOWS\system32\hQXaIRqr.ini2 moved successfully.

========== COMMANDS ==========

File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\Perflib_Perfdata_34c.dat scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF13B8.tmp scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF1E07.tmp scheduled to be deleted on reboot.

User's Temp folder emptied.

User's Temporary Internet Files folder emptied.

User's Internet Explorer cache folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.

Local Service Temp folder emptied.

Local Service Temporary Internet Files folder emptied.

Windows Temp folder emptied.

Java cache emptied.

Temp folders emptied.

Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.5.0 log created on 10282008_151310

Files moved on Reboot...

File C:\DOCUME~1\Owner\LOCALS~1\Temp\Perflib_Perfdata_34c.dat not found!

File C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF13B8.tmp not found!

File C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF1E07.tmp not found!

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be moved on reboot.

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be moved on reboot.

[Rorschach112]

Hello

Download ComboFix from one of these locations:

Link 1

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
• Double click on ComboFix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

[geopat89]

ComboFix 08-10-28.01 - Owner 2008-10-28 16:46:59.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.91 [GMT -5:00]

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML

C:\Documents and Settings\Owner\Start Menu\Programs\Adzgalore Games Collection

C:\Documents and Settings\Owner\Start Menu\Programs\Adzgalore Games Collection\Bob and Bill adventures - Wild Hunting.lnk

C:\Documents and Settings\Owner\Start Menu\Programs\Adzgalore Games Collection\Crazy Blocks.lnk

C:\Documents and Settings\Owner\Start Menu\Programs\Adzgalore Games Collection\Lines.lnk

C:\Documents and Settings\Owner\Start Menu\Programs\Adzgalore Games Collection\The Battles Of Helicopters.lnk

C:\Documents and Settings\Owner\Start Menu\Programs\Adzgalore Games Collection\Video Pool.lnk

C:\Program Files\Adzgalore Games Collection

C:\Program Files\Adzgalore Games Collection\BattlesOfHelicopters.exe

C:\Program Files\Adzgalore Games Collection\BobAndBill.exe

C:\Program Files\Adzgalore Games Collection\CrazyBlocks.exe

C:\Program Files\Adzgalore Games Collection\Lines.exe

C:\Program Files\Adzgalore Games Collection\uninstall.exe

C:\Program Files\Adzgalore Games Collection\VideoPool.exe

C:\WINDOWS\system32\adssite-remove.exe

C:\WINDOWS\system32\cpmsky-uninst.exe

C:\WINDOWS\system32\dcodpbxewrge.dll

C:\WINDOWS\system32\dygrunso.ini

C:\WINDOWS\system32\efbyefvc.ini

C:\WINDOWS\system32\ivhmlwun.ini

C:\WINDOWS\system32\mcrh.tmp

C:\WINDOWS\system32\MSINET.oca

C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe

C:\WINDOWS\system32\myss_sb_uninstall.exe

C:\WINDOWS\system32\rightonadz-uninst.exe

C:\WINDOWS\system32\xlsprugc.ini

.

((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-28 )))))))))))))))))))))))))))))))

.

2008-10-28 15:32 . 2008-10-28 15:32 <DIR> d-------- C:\rsit

2008-10-28 15:13 . 2008-10-28 15:13 <DIR> d-------- C:\_OTMoveIt

2008-10-28 12:54 . 2008-10-28 12:58 <DIR> d-------- C:\Lop SD

2008-10-15 03:05 . 2008-10-15 03:07 1,393 --a------ C:\WINDOWS\imsins.BAK

2008-10-11 22:16 . 2008-10-11 22:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-10-11 22:16 . 2008-10-11 22:16 1,409 --a------ C:\WINDOWS\QTFont.for

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-28 20:35 --------- d-----w C:\Program Files\Crusty.exe

2008-10-19 18:34 --------- d-----w C:\Program Files\MP3 Rocket

2008-10-19 18:34 --------- d-----w C:\Documents and Settings\Owner\Application Data\MP3Rocket

2008-08-28 21:30 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys

2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys

2008-08-12 02:47 23 ----a-w C:\Documents and Settings\Owner\jagex_runescape_preferences.dat

2008-05-27 04:37 580 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat

2006-10-02 04:33 774,144 ----a-w C:\Program Files\RngInterstitial.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"2wSysTray"="C:\Program Files\2Wire\2PortalMon.exe" [2003-10-10 393216]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 7204864]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 286720]

"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-18 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Power2GoExpress"="NA" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoBandCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

"aux"= ctwdm32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk

backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Event Reminder.lnk]

path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Event Reminder.lnk

backup=C:\WINDOWS\pss\Event Reminder.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2004-08-10 14:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2006-02-19 03:41 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]

--a------ 2006-11-07 15:49 1121280 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2005-09-18 11:32 7204864 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

--a------ 2007-03-18 20:52 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

--a------ 2007-08-30 18:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]

--a------ 2006-07-21 17:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]

--a------ 2007-06-26 14:48 509224 C:\PROGRA~1\Yahoo!\YOP\yop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=

"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=

"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=

"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-28 97928]

R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-28 875288]

R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-28 231704]

R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-02 76040]

R3 2WIREPCP;2Wire USB;C:\WINDOWS\system32\DRIVERS\2WirePCP.sys [2003-04-17 68672]

R3 urvpndrv;F5 Networks VPN Adapter;C:\WINDOWS\system32\DRIVERS\urvpndrv.sys [2008-02-22 27008]

S3 f5ipfw;F5 Networks StoneWall Filter;C:\WINDOWS\system32\drivers\urfltw2k.sys [2008-02-22 10752]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3cdc2481-9a57-11da-8810-806d6172696f}]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d33fa3a5-a3c0-11da-8d87-806d6172696f}]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.

- - - - ORPHANS REMOVED - - - -

BHO-{2DE8FF04-0F4B-4379-80BF-9850D7FF7BF4} - C:\WINDOWS\system32\rqRIaXQh.dll

BHO-{7100ecbd-ff8b-0d31-06ac-b44fa92c285b} - C:\WINDOWS\system32\dcodpbxewrge.dll

BHO-{fa31d4cd-1e85-c8b4-21a4-5133a5abebb0} - C:\WINDOWS\system32\{5c420320-234a-80a6-4b74-506951f54b7d}.dll

HKLM-Run-0cb968e5 - C:\WINDOWS\system32\nuwlmhvi.dll

Notify-byXPFULb - byXPFULb.dll

.

------- Supplementary Scan -------

.

R0 -: HKCU-Main,Start Page = hxxp://www.ask.com/web?o=1369

R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

R0 -: HKLM-Main,Start Page = hxxp://yahoo.sbc.com/dsl

R0 -: HKLM-Main,Search Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html

R1 -: HKCU-SearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com

O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 -: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 -: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Can%20You%20See%20What%20I%20See/Images/stg_drm.ocx

C:\WINDOWS\Downloaded Program Files\stg_drm.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.1\stg_drm.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.2\stg_drm.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.3\stg_drm.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.4\stg_drm.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.5\stg_drm.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.6\stg_drm.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.7\stg_drm.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.8\stg_drm.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.9\stg_drm.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.10\stg_drm.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.11\stg_drm.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.12\stg_drm.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.13\stg_drm.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.14\stg_drm.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.15\stg_drm.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.16\stg_drm.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.17\stg_drm.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.18\stg_drm.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.19\stg_drm.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.20\stg_drm.ocx

C:\WINDOWS\Downloaded Program Files\CONFLICT.21\stg_drm.ocx

O16 -: {255B1372-180C-4A22-A02D-1D4AB65F6AC2} - file:///C:/Program%20Files/Magic%20Academy/Images/stg_drm.dll

C:\WINDOWS\Downloaded Program Files\CONFLICT.1\stg_drm.dll

C:\WINDOWS\Downloaded Program Files\CONFLICT.2\stg_drm.dll

C:\WINDOWS\Downloaded Program Files\CONFLICT.3\stg_drm.dll

O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Lottery%20Ticket/Images/armhelper.ocx

C:\WINDOWS\Downloaded Program Files\armhelper.ocx

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-28 16:51:05

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\LexBceS.exe

C:\WINDOWS\system32\Lexpps.exe

C:\WINDOWS\system32\CTSVCCDA.EXE

C:\Program Files\Creative\Shared Files\CTDevSrv.exe

C:\WINDOWS\ehome\ehrecvr.exe

C:\WINDOWS\ehome\ehSched.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\ehome\mcrdsvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\devldr32.exe

C:\Program Files\AVG\AVG8\avgrsx.exe

C:\Program Files\AVG\AVG8\avgrsx.exe

.

**************************************************************************

.

Completion time: 2008-10-28 17:02:26 - machine was rebooted

ComboFix-quarantined-files.txt 2008-10-28 22:02:20

ComboFix2.txt 2007-10-01 01:42:06

Pre-Run: 99,603,812,352 bytes free

Post-Run: 99,627,024,384 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

228 --- E O F --- 2008-10-28 12:41:44

[Rorschach112]

Hello

Please download the OTMoveIt3 by OldTimer or from here.

• Save it to your desktop.
  
• Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  

  :Processes
  explorer.exe
  
  :Services
  
  :Reg
  [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3cdc2481-9a57-11da-8810-806d6172696f}]
  [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d33fa3a5-a3c0-11da-8d87-806d6172696f}]
  
  :Files
  C:\Program Files\Crusty.exe
  
  
  
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

  
  

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTMoveIt3
  

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Go to Kaspersky website and perform an online antivirus scan.

1. Read through the requirements and privacy statement and click on Accept button.
   
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
   
3. When the downloads have finished, click on Settings.
   
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
   • Spyware, Adware, Dialers, and other potentially dangerous programs
     Archives
     Mail databases
     

[*]Click on My Computer under Scan.

[*]Once the scan is complete, it will display the results. Click on View Scan Report.

[*]You will see a list of infected items there. Click on Save Report As....

[*]Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

[geopat89]

Here is the OTMovit log. I didn't see the others. I'll do them now and post them on the next reply.

========== PROCESSES ==========

Process explorer.exe killed successfully.

========== SERVICES/DRIVERS ==========

========== REGISTRY ==========

Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3cdc2481-9a57-11da-8810-806d6172696f}\\ deleted successfully.

Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d33fa3a5-a3c0-11da-8d87-806d6172696f}\\ deleted successfully.

========== FILES ==========

C:\Program Files\Crusty.exe\backups moved successfully.

C:\Program Files\Crusty.exe moved successfully.

========== COMMANDS ==========

User's Temp folder emptied.

User's Temporary Internet Files folder emptied.

User's Internet Explorer cache folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.

Local Service Temp folder emptied.

Local Service Temporary Internet Files folder emptied.

Windows Temp folder emptied.

Java cache emptied.

Temp folders emptied.

Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.5.0 log created on 10282008_195652

Files moved on Reboot...

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be moved on reboot.

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be moved on reboot.

Edited October 29, 2008 by Geopat89

[geopat89]

Malwarebytes' Anti-Malware 1.30

Database version: 1334

Windows 5.1.2600 Service Pack 2

10/28/2008 8:21:00 PM

mbam-log-2008-10-28 (20-21-00).txt

Scan type: Quick Scan

Objects scanned: 51320

Time elapsed: 4 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 2

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adssitesearchassistant (Adware.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Documents and Settings\Owner\Application Data\Yourprivacyguard (Rogue.Yourprivacyguard) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Application Data\Yourprivacyguard\Logs (Rogue.Yourprivacyguard) -> Quarantined and deleted successfully.

Files Infected:

C:\Documents and Settings\Owner\Application Data\Yourprivacyguard\Logs\update.log (Rogue.Yourprivacyguard) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\{4358eff3-2842-fc3b-8e89-475247cf3a49}.dll-uninst.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\{5c02b952-919f-e71b-0464-2b206ce14549}.dll-uninst.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\{5c420320-234a-80a6-4b74-506951f54b7d}.dll-uninst.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\adssite_sidebar_uninstall.exe (Adware.BHO) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico (Malware.Trace) -> Quarantined and deleted successfully.

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Tuesday, October 28, 2008

Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Wednesday, October 29, 2008 00:04:12

Records in database: 1354891

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

G:\

H:\

I:\

J:\

Scan statistics:

Files scanned: 73339

Threat name: 3

Infected objects: 3

Suspicious objects: 0

Duration of the scan: 01:29:00

File name / Threat name / Threats count

C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

C:\qoobox\Quarantine\C\WINDOWS\system32\dcodpbxewrge.dll.vir Infected: Trojan-Downloader.Win32.Zlob.zhl 1

D:\i386\Apps\App17981\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

The selected area was scanned.

[Rorschach112]

Hello

Please download the OTMoveIt3 by OldTimer or from here.

• Save it to your desktop.
  
• Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  

  :Processes
  explorer.exe
  
  :Services
  
  :Reg
  
  :Files
  D:\i386\Apps\App17981\comps\toolbar\toolbr.exe
  
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

  
  

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTMoveIt3
  

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Also post a new HJT log

[geopat89]

========== PROCESSES ==========

Process explorer.exe killed successfully.

========== SERVICES/DRIVERS ==========

========== REGISTRY ==========

========== FILES ==========

D:\i386\Apps\App17981\comps\toolbar\toolbr.exe moved successfully.

========== COMMANDS ==========

File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\AcrFA08.tmp scheduled to be deleted on reboot.

User's Temp folder emptied.

User's Temporary Internet Files folder emptied.

User's Internet Explorer cache folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.

Local Service Temp folder emptied.

Local Service Temporary Internet Files folder emptied.

Windows Temp folder emptied.

Java cache emptied.

Temp folders emptied.

Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.5.0 log created on 10292008_172852

Files moved on Reboot...

File C:\DOCUME~1\Owner\LOCALS~1\Temp\AcrFA08.tmp not found!

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be moved on reboot.

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be moved on reboot.

[Rorschach112]

Post a new HJT log

[geopat89]

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:28:22 PM, on 10/30/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Creative\Shared Files\CTDevSrv.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\2Wire\2PortalMon.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\devldr32.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Yahoo!\browser\ybrwicon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/web?o=1369

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Can%20You%20See%20What%20I%20See/Images/stg_drm.ocx

O16 - DPF: {255B1372-180C-4A22-A02D-1D4AB65F6AC2} (SDANetConClass Class) - file:///C:/Program%20Files/Magic%20Academy/Images/stg_drm.dll

O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://connect.hctx.net/vdesk/cachecleaner...,2008,0717,1603

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://connect.hctx.net/vdesk/terminal/urx...,2008,0222,2309

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll

O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab

O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://connect.hctx.net/vdesk/terminal/Ins...,2008,0717,1611

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://connect.hctx.net/vdesk/terminal/urT...,2008,0212,2002

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - http://a.download.toontown.com/sv1.0.31.5/ttinst.cab

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Lottery%20Ticket/Images/armhelper.ocx

O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://connect.hctx.net/vdesk/terminal/urx...,2008,0212,2006

O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://connect.hctx.net/vdesk/terminal/urx...,2008,0212,2005

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--

End of file - 9377 bytes

[Rorschach112]

Your logs are clean

Follow these steps to uninstall Combofix and tools used in the removal of malware

• Click START then RUN
  
• Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  
  

• Make sure you have an Internet Connection.
  
• Download OTCleanIt to your desktop and run it
  
• A list of tool components used in the Cleanup of malware will be downloaded.
  
• If your Firewall or Real Time protection attempts to block OTCleanUp to reach the Internet, please allow the application to do so.
  
• Click Yes to beging the Cleanup process and remove these components, including this application.
  
• You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
  

Please download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  
• Accept any prompts.
  
• Open JavaRa.exe again and select Search For Updates.
  
• Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
  

Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :

http://windowsupdate.microsoft.com/

This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster protects against bad ActiveX

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all

Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

Make Internet Explorer more secure

• Click Start > Run
  
• Type Inetcpl.cpl & click OK
  
• Click on the Security tab
  
• Click Reset all zones to default level
  
• Make sure the Internet Zone is selected & Click Custom level
  
• In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  
• Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  

*ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

*NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

*Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more

secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up

blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from

Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'

Here

Thank you for your patience, and performing all of the procedures requested.

[Rorschach112]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.