WiredWX Christian Hobby Weather Tools
Ebay/Paypal Problem

2 posters

Re: Ebay/Paypal Problem
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x86cfe4d0
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> 0x868a0330
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x06FBC03D
malicious code @ sector 0x06FBC040 !
PE file found in sector at 0x06FBC056 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

Re: Ebay/Paypal Problem
Hello.
Please go to Start > Run. In the Run box, copy/paste in the following:

%userprofile%\Desktop\mbr.exe -f

Please post the log when done.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Ebay/Paypal Problem
When I tried that, I got a box that said

Windows cannot find 'C:/Documents'. Make sure you typed the name correctly, and try again. To search for a file, click the Start button, and then click Search.

Re: Ebay/Paypal Problem
Make sure mbr.exe is on your Desktop, then try this command.

"%userprofile%\Desktop\mbr.exe" -f

The difference is the two quote marks.


Re: Ebay/Paypal Problem

mbr.exe is Malwarebytes', right? It is on my desktop, but it's saying that Windows can't find C:/Documents and Settings/Owner/Desktop/mbr.exe

Re: Ebay/Paypal Problem
Hello.
I want to see one more log:


  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If it says "Hidden service detected", DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.


Ebay/Paypal Problem
My TDSSKiller log:

16:10:44:013 4092 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31
16:10:44:013 4092 ================================================================================
16:10:44:013 4092 SystemInfo:

16:10:44:013 4092 OS Version: 5.1.2600 ServicePack: 3.0
16:10:44:013 4092 Product type: Workstation
16:10:44:013 4092 ComputerName: JENSENS
16:10:44:013 4092 UserName: Owner
16:10:44:013 4092 Windows directory: C:\WINDOWS
16:10:44:013 4092 Processor architecture: Intel x86
16:10:44:013 4092 Number of processors: 1
16:10:44:013 4092 Page size: 0x1000
16:10:44:013 4092 Boot type: Normal boot
16:10:44:013 4092 ================================================================================
16:10:44:060 4092 UnloadDriverW: NtUnloadDriver error 2
16:10:44:060 4092 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
16:10:44:091 4092 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
16:10:44:591 4092 UtilityInit: KLMD drop and load success
16:10:44:591 4092 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
16:10:44:591 4092 UtilityInit: KLMD open success
16:10:44:591 4092 UtilityInit: Initialize success
16:10:44:591 4092
16:10:44:591 4092 Scanning Services ...
16:10:44:591 4092 CreateRegParser: Registry parser init started
16:10:44:591 4092 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
16:10:44:591 4092 CreateRegParser: DisableWow64Redirection error
16:10:44:591 4092 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
16:10:44:623 4092 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
16:10:44:623 4092 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:10:44:623 4092 wfopen_ex: Trying to KLMD file open
16:10:44:623 4092 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
16:10:44:623 4092 wfopen_ex: File opened ok (Flags 2)
16:10:44:623 4092 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 384C10
16:10:44:623 4092 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
16:10:44:638 4092 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
16:10:44:638 4092 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:10:44:638 4092 wfopen_ex: Trying to KLMD file open
16:10:44:638 4092 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
16:10:44:638 4092 wfopen_ex: File opened ok (Flags 2)
16:10:44:638 4092 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 384B00
16:10:44:638 4092 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
16:10:44:638 4092 CreateRegParser: EnableWow64Redirection error
16:10:44:638 4092 CreateRegParser: RegParser init completed
16:10:45:419 4092 GetAdvancedServicesInfo: Raw services enum returned 312 services
16:10:45:419 4092 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
16:10:45:419 4092 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
16:10:45:419 4092
16:10:45:419 4092 Scanning Kernel memory ...
16:10:45:419 4092 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
16:10:45:419 4092 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 86FD4A08
16:10:45:419 4092 DetectCureTDL3: KLMD_GetDeviceObjectList returned 3 DevObjects
16:10:45:419 4092
16:10:45:419 4092 DetectCureTDL3: DEVICE_OBJECT: 86F48C68
16:10:45:419 4092 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F48C68
16:10:45:419 4092 KLMD_ReadMem: Trying to ReadMemory 0x86F48C68[0x38]
16:10:45:419 4092 DetectCureTDL3: DRIVER_OBJECT: 86FD4A08
16:10:45:419 4092 KLMD_ReadMem: Trying to ReadMemory 0x86FD4A08[0xA8]
16:10:45:419 4092 KLMD_ReadMem: Trying to ReadMemory 0xE1606358[0x18]
16:10:45:419 4092 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_CREATE : F76E9BB0
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_CLOSE : F76E9BB0
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_READ : F76E3D1F
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_WRITE : F76E3D1F
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_SET_EA : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F76E42E2
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F76E43BB
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F76E7F28
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_SHUTDOWN : F76E42E2
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_POWER : F76E5C82
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F76EA99E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA88E
16:10:45:419 4092 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA88E
16:10:45:419 4092 TDL3_FileDetect: Processing driver: Disk
16:10:45:419 4092 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:10:45:419 4092 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:10:45:466 4092 TDL3_FileDetect: Processing driver: Disk
16:10:45:466 4092 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:10:45:466 4092 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:10:45:482 4092 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:10:45:482 4092
16:10:45:482 4092 DetectCureTDL3: DEVICE_OBJECT: 86F499F0
16:10:45:482 4092 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F499F0
16:10:45:482 4092 KLMD_ReadMem: Trying to ReadMemory 0x86F499F0[0x38]
16:10:45:482 4092 DetectCureTDL3: DRIVER_OBJECT: 86FD4A08
16:10:45:482 4092 KLMD_ReadMem: Trying to ReadMemory 0x86FD4A08[0xA8]
16:10:45:482 4092 KLMD_ReadMem: Trying to ReadMemory 0xE1606358[0x18]
16:10:45:482 4092 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_CREATE : F76E9BB0
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_CLOSE : F76E9BB0
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_READ : F76E3D1F
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_WRITE : F76E3D1F
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_SET_EA : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F76E42E2
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F76E43BB
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F76E7F28
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_SHUTDOWN : F76E42E2
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_POWER : F76E5C82
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F76EA99E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA88E
16:10:45:482 4092 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA88E
16:10:45:482 4092 TDL3_FileDetect: Processing driver: Disk
16:10:45:482 4092 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:10:45:482 4092 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:10:45:482 4092 TDL3_FileDetect: Processing driver: Disk
16:10:45:482 4092 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:10:45:482 4092 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:10:45:513 4092 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:10:45:513 4092
16:10:45:513 4092 DetectCureTDL3: DEVICE_OBJECT: 86F4BAB8
16:10:45:513 4092 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F4BAB8
16:10:45:513 4092 DetectCureTDL3: DEVICE_OBJECT: 86F47F18
16:10:45:513 4092 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F47F18
16:10:45:513 4092 DetectCureTDL3: DEVICE_OBJECT: 86FCFD98
16:10:45:513 4092 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86FCFD98
16:10:45:513 4092 KLMD_ReadMem: Trying to ReadMemory 0x86FCFD98[0x38]
16:10:45:513 4092 DetectCureTDL3: DRIVER_OBJECT: 86F51840
16:10:45:513 4092 KLMD_ReadMem: Trying to ReadMemory 0x86F51840[0xA8]
16:10:45:513 4092 KLMD_ReadMem: Trying to ReadMemory 0xE16090F0[0x1A]
16:10:45:513 4092 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_CREATE : F76166F2
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_CLOSE : F76166F2
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_READ : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_WRITE : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_QUERY_EA : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_SET_EA : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F7616712
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F7612852
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_CLEANUP : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_POWER : F761673C
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F761D336
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804FA88E
16:10:45:513 4092 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804FA88E
16:10:45:513 4092 TDL3_FileDetect: Processing driver: atapi
16:10:45:513 4092 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
16:10:45:513 4092 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
16:10:45:544 4092 KLMD_ReadMem: Trying to ReadMemory 0xF7613864[0x400]
16:10:45:544 4092 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
16:10:45:544 4092 TDL3_FileDetect: Processing driver: atapi
16:10:45:544 4092 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
16:10:45:544 4092 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
16:10:45:544 4092 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
16:10:45:544 4092
16:10:45:544 4092 Completed
16:10:45:544 4092
16:10:45:544 4092 Results:
16:10:45:544 4092 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
16:10:45:544 4092 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:10:45:544 4092 File objects infected / cured / cured on reboot: 0 / 0 / 0
16:10:45:544 4092
16:10:45:591 4092 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
16:10:45:591 4092 UtilityDeinit: KLMD(ARK) unloaded successfully

Re: Ebay/Paypal Problem

MBR::

  • Save this as CFScript.txt, in the same location as ComboFix.exe

(picture: Cfscriptb4i)

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Re: Ebay/Paypal Problem
ComboFix 10-02-21.02 - Owner 02/22/2010 18:46:44.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.408 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZV1L1E1I\cfscriptb4i[1].gif
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://www.spiralfrog.com
.
original MBR restored successfully !
.
((((((((((((((((((((((((( Files Created from 2010-01-23 to 2010-02-23 )))))))))))))))))))))))))))))))
.

2010-02-19 22:51 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-19 22:51 . 2010-02-19 22:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-19 22:51 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-19 05:15 . 2010-02-19 05:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-17 16:19 . 2010-02-20 08:58 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\IECompatCache
2010-02-17 16:19 . 2010-02-17 16:19 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\PrivacIE
2010-02-14 19:41 . 2010-02-14 19:41 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2010-02-14 19:36 . 2010-02-14 19:36 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2010-02-14 18:52 . 2010-02-14 18:52 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\IETldCache
2010-02-14 18:40 . 2010-02-14 18:40 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2010-02-14 18:18 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-02-14 18:17 . 2010-02-14 18:17 -------- d-----w- c:\windows\ie8updates
2010-02-14 18:14 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-02-14 18:14 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-14 18:09 . 2010-02-17 16:19 -------- dc-h--w- c:\windows\ie8
2010-02-09 20:41 . 2005-10-19 14:59 163840 ----a-w- c:\windows\system32\igfxres.dll
2010-01-31 17:08 . 2010-01-31 17:08 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\WINDOWS
2010-01-31 17:08 . 2010-01-31 17:08 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\UserData
2010-01-31 16:36 . 2010-01-31 16:36 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-31 14:43 . 2010-02-18 17:23 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-29 14:36 . 2010-01-29 14:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-01-29 14:36 . 2010-01-29 14:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-29 03:20 . 2010-01-31 16:35 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-01-29 02:20 . 2010-01-31 16:36 -------- d-----w- c:\documents and settings\HelpAssistant\.SunDownloadManager
2010-01-29 02:20 . 2010-01-31 16:36 -------- d-s---w- c:\documents and settings\HelpAssistant

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-23 00:46 . 2008-10-18 14:09 -------- d-----w- c:\program files\SpiralFrog
2010-02-21 02:32 . 2008-03-08 00:35 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2010-02-20 17:46 . 2008-03-08 00:36 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-02-20 08:49 . 2009-11-10 01:15 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-20 08:45 . 2008-11-07 02:57 -------- d-----w- c:\documents and settings\Owner\Application Data\StarOffice8
2010-02-15 14:49 . 2008-11-07 02:58 1 ----a-w- c:\documents and settings\Owner\Application Data\StarOffice8\user\uno_packages\cache\stamp.sys
2010-02-07 02:19 . 2009-03-12 15:42 -------- d-----w- c:\documents and settings\Owner\Application Data\MSN6
2010-01-31 17:22 . 2009-04-04 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-31 17:17 . 2009-04-04 13:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-31 16:50 . 2002-09-03 17:04 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2006-06-23 17:33 916480 ------w- c:\windows\system32\wininet.dll
2009-12-19 22:06 . 2009-10-03 17:38 127325 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe
2009-12-19 22:06 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-12-19 22:06 . 2009-12-19 22:06 1408376 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
2009-12-16 18:43 . 2008-03-05 02:22 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2002-09-03 16:29 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2002-09-03 16:50 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2002-08-29 01:04 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2002-09-03 16:42 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2005-08-30 04:02 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2001-08-17 22:36 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2002-09-03 16:46 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2002-09-03 16:46 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2002-09-03 16:27 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2001-08-17 22:36 48128 ----a-w- c:\windows\system32\iyuv_32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-04 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"SpiralFrog"="c:\program files\SpiralFrog\Spiralfrog.exe" [2008-03-12 163128]
"TexTally"="c:\program files\NCH Swift Sound\TexTally\textally.exe" [2008-12-30 274436]
"FastFox"="c:\program files\NCH Swift Sound\FastFox\fastfox.exe" [2008-12-30 327684]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
StarOffice 8.lnk - c:\program files\Sun\StarOffice 8\program\quickstart.exe [2008-1-21 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-4 45056]
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-6-27 323646]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-6-27 147456]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-12-8 811008]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-9-10 525664]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 23:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/24/2008 2:57 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/24/2008 2:57 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/2/2008 3:26 PM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/2/2008 3:26 PM 297752]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/18/2007 8:18 PM 23680]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HTTPFILTER
*NewlyCreated* - KLMD21
*Deregistered* - klmd21
.
Contents of the 'Scheduled Tasks' folder

2010-02-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2008-11-19 c:\windows\Tasks\FRU Task 2002-06-27 08:46ewlett-Packard2002-06-27 08:46p psc 2100 seriesF56855811176EC24C9B302F94878AD886AF77CFF219100904.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-27 06:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: bankfirstonline.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-22 18:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86CFE4D0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76e7f28
\Driver\ACPI -> 0x86cfe4d0
\Driver\atapi -> atapi.sys @ 0xf7612852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> 0x868a0330
PacketIndicateHandler -> NDIS.sys @ 0xf752ba21
SendHandler -> NDIS.sys @ 0xf750987b
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x06FBC03D
malicious code @ sector 0x06FBC040 !
PE file found in sector at 0x06FBC056 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
Completion time: 2010-02-22 18:59:51
ComboFix-quarantined-files.txt 2010-02-23 00:59
ComboFix2.txt 2010-02-21 02:04

Pre-Run: 37,956,198,400 bytes free
Post-Run: 37,959,225,344 bytes free

- - End Of File - - 06C004BE013B36A26F013B757ECC86E4

Re: Ebay/Paypal Problem
Hello.
I know what's wrong; I've just seen something I didn't see before. I need you to stay in this with me: this one is a nasty bugger, but it can be defeated. This is one long and advanced fix, so follow my instructions carefully.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

control userpasswords2

Now when this next window opens, highlight the user "HelpAssistant", and click remove. Okay any prompts.

Close the user account editor.

Next, click Start > Run and copy/paste the following bolded text into the Run box and click OK:

regedit

Follow this path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters

Under the Parameters key, there's a value called "ServiceDll", which should be pointing at %systemroot%\system32\termsrv32.dll

Double-click the value "ServiceDll" so you can edit the file path, then remove the "32" from the filename so it is now set to "%systemroot%\system32\termsrv.dll"
======

Next, go to this folder in bold:

C:\Windows\system32

Once in the system32 folder, find termsrv32.dll, right click and rename it. Remove the 3 so it should now be called termsrv2.dll
======

Now, please make sure mbr.exe is located on your Desktop!! << IMPORTANT

Now open a new notepad file.
Input this into the notepad file:

@echo off
cd %userprofile%
cd Desktop
mbr.exe -f
exit


Save this as fix.bat, save it to your desktop.
Double click fix.bat and the black cmd window will open and close; this is normal.

Mbr.exe should make a logfile on your Desktop; DO NOT post it just yet. Once you have run my bat file once, run it AGAIN!! << IMPORTANT

Please post the second log.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Ebay/Paypal Problem
I hope I did this right...

mbr.exe is the same as Malwarebytes' Anti-Malware correct? The only log that I see on my desktop is a notepad file that says mbr & contains the following info - Is this what you need?

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x86cfe4d0
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> 0x868a0330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x06FBC03D
malicious code @ sector 0x06FBC040 !
PE file found in sector at 0x06FBC056 !
Use "Recovery Console" command "fixmbr" to clear infection !
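The log above differs from the one posted before mbr.exe -f was run in two details that are easy to miss when eyeballing: the "user & kernel MBR OK" line is now present, and the tool's closing advice changed from "mbr.exe -f" to "fixmbr". The following is an added example, not code from this thread or from GMER's tooling: a small parser that pulls the hook lines, the flagged sectors and the verdict out of an mbr.exe log, classifies the run (clean, hooks only, infected, or MBR restored with leftover sectors still on disk), and compares two runs. The two sample logs are abridged from the ones posted in this thread; the status names are my own.

```python
import re

# Finding lines mbr.exe prints when it locates the rootkit's on-disk components.
SECTOR_RE = re.compile(
    r"^(copy of MBR has been found|malicious code|PE file found)\b.*?sector(?: at)? (0x[0-9A-Fa-f]+)")
# Unknown module in the disk I/O call chain ("called modules: ... >>UNKNOWN [0x...]<<").
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


def parse_mbr_log(text):
    """Summarise one mbr.exe run as a dict with keys
    hooks (lines under "detected MBR rootkit hooks:" up to the Warning line),
    sectors ({finding label: absolute sector}), unknown (unknown-module addresses),
    mbr_ok (the "user & kernel MBR OK" line was printed), hint (the tool's own
    remediation line) and status (clean | hooks_only | infected | mbr_ok_residual)."""
    report = {"hooks": [], "sectors": {}, "unknown": [], "mbr_ok": False, "hint": None}
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
            continue
        if line.startswith("Warning:"):
            in_hooks = False
        if in_hooks and "->" in line:
            report["hooks"].append(line)
            continue
        report["unknown"].extend(UNKNOWN_RE.findall(line))
        m = SECTOR_RE.match(line)
        if m:
            report["sectors"][m.group(1)] = int(m.group(2), 16)
        elif line == "user & kernel MBR OK":
            report["mbr_ok"] = True
        elif line.startswith(("MBR rootkit infection detected", 'Use "Recovery Console"')):
            report["hint"] = line
    # A restored MBR with flagged sectors still present is the "leftover code" state:
    # the boot path is clean again, but the rootkit's payload sectors remain on disk.
    if report["sectors"] and report["mbr_ok"]:
        report["status"] = "mbr_ok_residual"
    elif report["sectors"]:
        report["status"] = "infected"
    elif report["hooks"] or report["unknown"]:
        report["status"] = "hooks_only"
    else:
        report["status"] = "clean"
    return report


def compare_runs(before, after):
    """Show what changed between two runs, e.g. before and after mbr.exe -f."""
    b, a = parse_mbr_log(before), parse_mbr_log(after)
    return {
        "status": (b["status"], a["status"]),
        "hooks_removed": sorted(set(b["hooks"]) - set(a["hooks"])),
        "sectors_still_flagged": sorted(a["sectors"].values()),
        "mbr_restored": a["mbr_ok"] and not b["mbr_ok"],
    }


# Sample logs, abridged from the two mbr.exe logs posted in this thread.
BEFORE_FIX = r"""
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86CFE4D0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76e7f28
\Driver\ACPI -> 0x86cfe4d0
\Driver\atapi -> atapi.sys @ 0xf7612852
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> 0x868a0330
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x06FBC03D
malicious code @ sector 0x06FBC040 !
PE file found in sector at 0x06FBC056 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""

AFTER_FIX = r"""
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x86cfe4d0
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> 0x868a0330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x06FBC03D
malicious code @ sector 0x06FBC040 !
PE file found in sector at 0x06FBC056 !
Use "Recovery Console" command "fixmbr" to clear infection !
"""
```

Run `compare_runs(BEFORE_FIX, AFTER_FIX)` to see the two disk-driver hooks that disappeared, the three sectors that are still flagged, and the status moving from "infected" to "mbr_ok_residual"; a second run that still reports "infected" would mean the fix did not take.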

Re: Ebay/Paypal Problem
Hello.
Good work; we've killed the rootkit. The MBR is okay now, just leftover code, but we'll clean that up later.

The hacker is using remote desktop connection to your machine, so we have to close that port off.


  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"=-
    "52344:TCP"=-
    "2479:TCP"=-
    "3246:TCP"=-
    "3389:TCP"=-

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    [screenshot: dragging CFScript.txt onto ComboFix.exe]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
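Two registry changes were asked for in this thread: restoring the TermService ServiceDll to the stock termsrv.dll (the earlier post) and deleting the GloballyOpenPorts exceptions with a CFScript (this post). Both are worth checking mechanically before and after a cleanup rather than by eye. The following is an added example, not code from this thread or from ComboFix: a parser for a REGEDIT4-style listing plus three audits (ServiceDll not the stock termsrv.dll, Windows Firewall disabled, open-port exceptions outside an allowlist) and a generator for the same `Registry::` removal block the admin used. The sample input is constructed: the TermService block is written the way the earlier post describes the hijacked value, and the firewall blocks are abridged from the ComboFix log posted later in this thread. It assumes plain-text data; a genuine regedit export stores REG_EXPAND_SZ values such as ServiceDll as hex(2) and would need decoding first.

```python
def parse_reg_export(text):
    """Parse a REGEDIT4-style listing into {key: {value_name: data}}.

    Accepts a real .reg export ("Name"="data") and ComboFix's abbreviated
    "Reg Loading Points" form ("65533:TCP"= 65533:TCP:Services). Assumption:
    data is plain text (REG_EXPAND_SZ hex(2) encoding is not decoded here).
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT4", "Windows Registry Editor", ";", "*")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        keys[current][name.strip().strip('"')] = data.strip().strip('"')
    return keys


# Expected value as given in the earlier post in this thread.
EXPECTED_TERMSRV = r"%systemroot%\system32\termsrv.dll"


def audit_termservice(reg):
    """Flag a TermService ServiceDll that does not point at the stock termsrv.dll."""
    for key, values in reg.items():
        if key.lower().endswith(r"\services\termservice\parameters"):
            dll = values.get("ServiceDll", "")
            if dll.lower().rsplit("\\", 1)[-1] != "termsrv.dll":
                return {"key": key, "ServiceDll": dll, "expected": EXPECTED_TERMSRV}
    return None


def firewall_enabled(reg):
    """True/False from the standard profile's EnableFirewall value, None if absent."""
    for key, values in reg.items():
        if key.lower().endswith(r"\firewallpolicy\standardprofile") and "EnableFirewall" in values:
            return values["EnableFirewall"].split()[0] != "0"
    return None


def audit_open_ports(reg, allowlist=frozenset()):
    """List every GloballyOpenPorts entry not on the allowlist (names like "3389:TCP")."""
    allowed = {a.upper() for a in allowlist}
    findings = []
    for key, values in reg.items():
        if key.lower().endswith(r"\globallyopenports\list"):
            for name, data in values.items():
                if name.upper() not in allowed:
                    findings.append({"key": key, "value": name, "data": data})
    return findings


def cfscript_for(findings):
    """Build the Registry:: section in the form used in the thread; "name"=- deletes a value."""
    by_key = {}
    for f in findings:
        by_key.setdefault(f["key"], []).append(f["value"])
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines)


def run_audit(text, allowlist=frozenset()):
    """Run all three audits over one listing and return the findings plus the fix script."""
    reg = parse_reg_export(text)
    ports = audit_open_ports(reg, allowlist)
    return {
        "termservice": audit_termservice(reg),
        "firewall_enabled": firewall_enabled(reg),
        "open_ports": [f["value"] for f in ports],
        "cfscript": cfscript_for(ports),
    }


# Constructed sample: TermService block written as the earlier post describes the
# hijacked value; firewall blocks abridged from the ComboFix log in this thread.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters]
"ServiceDll"="%systemroot%\system32\termsrv32.dll"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"""
```

`run_audit(SAMPLE_REG)` reports the termsrv32.dll hijack, the disabled firewall and all five exceptions, and its `cfscript` field is the same removal block as in the post above. Pass `allowlist={"3389:TCP"}` if Remote Desktop is meant to stay open on the machine being cleaned; here the admin removed it too.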

Re: Ebay/Paypal Problem
Note: Made an error in my script and have just edited it; please make sure you have the updated version, refreshing this page if needed.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Ebay/Paypal Problem
ComboFix 10-02-22.07 - Owner 02/23/2010 10:02:12.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.381 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-01-23 to 2010-02-23 )))))))))))))))))))))))))))))))
.

2010-02-23 00:42 . 2010-02-23 01:00 -------- d-----w- C:\Combo-Fix
2010-02-19 22:51 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-19 22:51 . 2010-02-19 22:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-19 22:51 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-19 05:15 . 2010-02-19 05:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-17 16:19 . 2010-02-20 08:58 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\IECompatCache
2010-02-17 16:19 . 2010-02-17 16:19 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\PrivacIE
2010-02-14 19:41 . 2010-02-14 19:41 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2010-02-14 19:36 . 2010-02-14 19:36 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2010-02-14 18:52 . 2010-02-14 18:52 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\IETldCache
2010-02-14 18:40 . 2010-02-14 18:40 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2010-02-14 18:18 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-02-14 18:17 . 2010-02-14 18:17 -------- d-----w- c:\windows\ie8updates
2010-02-14 18:14 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-02-14 18:14 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-14 18:09 . 2010-02-17 16:19 -------- dc-h--w- c:\windows\ie8
2010-02-09 20:41 . 2005-10-19 14:59 163840 ----a-w- c:\windows\system32\igfxres.dll
2010-01-31 17:08 . 2010-01-31 17:08 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\WINDOWS
2010-01-31 17:08 . 2010-01-31 17:08 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\UserData
2010-01-31 16:36 . 2010-01-31 16:36 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-31 14:43 . 2010-02-18 17:23 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-29 14:36 . 2010-01-29 14:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-01-29 14:36 . 2010-01-29 14:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-29 03:20 . 2010-01-31 16:35 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-01-29 02:20 . 2010-01-31 16:36 -------- d-----w- c:\documents and settings\HelpAssistant\.SunDownloadManager
2010-01-29 02:20 . 2010-01-31 16:36 -------- d-s---w- c:\documents and settings\HelpAssistant

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-23 12:46 . 2008-10-18 14:09 -------- d-----w- c:\program files\SpiralFrog
2010-02-23 02:10 . 2008-03-08 00:35 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2010-02-20 17:46 . 2008-03-08 00:36 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-02-20 08:49 . 2009-11-10 01:15 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-20 08:45 . 2008-11-07 02:57 -------- d-----w- c:\documents and settings\Owner\Application Data\StarOffice8
2010-02-15 14:49 . 2008-11-07 02:58 1 ----a-w- c:\documents and settings\Owner\Application Data\StarOffice8\user\uno_packages\cache\stamp.sys
2010-02-07 02:19 . 2009-03-12 15:42 -------- d-----w- c:\documents and settings\Owner\Application Data\MSN6
2010-01-31 17:22 . 2009-04-04 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-31 17:17 . 2009-04-04 13:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-31 16:50 . 2002-09-03 17:04 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2006-06-23 17:33 916480 ------w- c:\windows\system32\wininet.dll
2009-12-19 22:06 . 2009-10-03 17:38 127325 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe
2009-12-19 22:06 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-12-19 22:06 . 2009-12-19 22:06 1408376 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
2009-12-16 18:43 . 2008-03-05 02:22 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2002-09-03 16:29 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2002-09-03 16:50 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2002-08-29 01:04 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2002-09-03 16:42 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2005-08-30 04:02 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2001-08-17 22:36 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2002-09-03 16:46 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2002-09-03 16:46 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2002-09-03 16:27 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2001-08-17 22:36 48128 ----a-w- c:\windows\system32\iyuv_32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-04 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"SpiralFrog"="c:\program files\SpiralFrog\Spiralfrog.exe" [2008-03-12 163128]
"TexTally"="c:\program files\NCH Swift Sound\TexTally\textally.exe" [2008-12-30 274436]
"FastFox"="c:\program files\NCH Swift Sound\FastFox\fastfox.exe" [2008-12-30 327684]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
StarOffice 8.lnk - c:\program files\Sun\StarOffice 8\program\quickstart.exe [2008-1-21 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-4 45056]
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-6-27 323646]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-6-27 147456]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-12-8 811008]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-9-10 525664]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 23:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/24/2008 2:57 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/24/2008 2:57 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/2/2008 3:26 PM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/2/2008 3:26 PM 297752]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/18/2007 8:18 PM 23680]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HTTPFILTER
*NewlyCreated* - KLMD21
*Deregistered* - klmd21
.
Contents of the 'Scheduled Tasks' folder

2010-02-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2008-11-19 c:\windows\Tasks\FRU Task 2002-06-27 08:46ewlett-Packard2002-06-27 08:46p psc 2100 seriesF56855811176EC24C9B302F94878AD886AF77CFF219100904.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-27 06:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: bankfirstonline.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-23 10:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x86CFE4D0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76e7f28
\Driver\ACPI -> 0x86cfe4d0
\Driver\atapi -> atapi.sys @ 0xf7612852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> 0x868a0330
PacketIndicateHandler -> NDIS.sys @ 0xf752ba21
SendHandler -> NDIS.sys @ 0xf750987b
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x06FBC03D
malicious code @ sector 0x06FBC040 !
PE file found in sector at 0x06FBC056 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5424)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-23 10:41:37
ComboFix-quarantined-files.txt 2010-02-23 16:29
ComboFix2.txt 2010-02-23 15:17
ComboFix3.txt 2010-02-23 00:59
ComboFix4.txt 2010-02-21 02:04

Pre-Run: 37,960,187,904 bytes free
Post-Run: 37,941,014,528 bytes free

- - End Of File - - 913273236B34E60D3B87B84C10F6B82B

Re: Ebay/Paypal Problem
Hmm, something else is going on here.

Did you remove the user account and change the registry value back to what I asked?

Please close all antivirus, anti-malware and any other open programs/windows so they do not interfere with the running of RootRepeal.

  • Please download RootRepeal.zip from here.
  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
    [screenshot: RootRepeal Report tab with the Scan button]

  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
    [screenshot: RootRepeal scan options with all checkboxes selected]
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Ebay/Paypal Problem
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/02/23 13:04
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEDFCD000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7C31000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xECEE9000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: c:\documents and settings\all users\application data\spybot - search & destroy\proccache.sbc
Status: Size mismatch (API: 27516, Raw: 27482)

Stealth Objects
-------------------
Object: Hidden Code [Driver: ACPI, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86d26310 Size: 153

==EOF==

Re: Ebay/Paypal Problem
Download the GMER rootkit scan from here: GMER

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
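As an added example of how to read the GMER output this post asks for (it is not code from this thread or from GMER), the parser below takes the `.text ... JMP ...` lines of the "User code sections" and separates hooks whose jump target GMER attributed to a named module (as it does for IEFRAME.dll inside Internet Explorer, a normal vendor shim) from hooks that land in anonymous memory, then groups the anonymous ones by hooked API and by process. The sample lines are abridged from the GMER log posted in the next reply; the category labels are my own. From a defender's view the pattern that log shows is the one to recognise: the same winsock send/recv hooks in nearly every process points to one injected module present everywhere, and the extra hooks inside the browser on WinINet request, CryptoAPI and certificate-chain validation functions put that code where it can see web traffic before encryption and interfere with certificate checks, which fits an eBay/PayPal account-theft complaint.

```python
import re
from collections import defaultdict

# One hooked export as GMER prints it under "User code sections":
# .text <process>[<pid>] <module>!<function> <addr> <n> Bytes JMP <target> [<owner> (<vendor>)]
GMER_HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[\w.]+)!(?P<func>\w+)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<n>\d+) Bytes\s+JMP\s+(?P<target>[0-9A-F]{8})"
    r"(?:\s+(?P<owner>\S+)\s+\((?P<vendor>[^)]*)\))?\s*$")


def api_category(module, func):
    """Rough label (my own naming) for what a hook on this export can observe or alter."""
    module = module.lower()
    if module == "ws2_32.dll":
        return "winsock traffic"
    if module == "wininet.dll":
        return "browser HTTP"
    if module == "advapi32.dll" and func.startswith("Crypt"):
        return "CryptoAPI"
    if module == "crypt32.dll" and func.startswith("Cert"):
        return "certificate validation"
    return "other"


def parse_gmer_user_hooks(text):
    """Return one dict per ".text ... JMP ..." line; other lines are ignored."""
    hooks = []
    for line in text.splitlines():
        m = GMER_HOOK_RE.match(line.strip())
        if m:
            h = m.groupdict()
            h["pid"], h["n"] = int(h["pid"]), int(h["n"])
            h["category"] = api_category(h["module"], h["func"])
            hooks.append(h)
    return hooks


def triage_user_hooks(hooks):
    """Split hooks GMER attributed to a named module (usually a legitimate shim)
    from hooks into anonymous memory, and summarise the anonymous ones."""
    attributed = [h for h in hooks if h["owner"]]
    anonymous = [h for h in hooks if not h["owner"]]
    api_to_pids = defaultdict(set)
    for h in anonymous:
        api_to_pids[f'{h["module"]}!{h["func"]}'].add(h["pid"])
    return {
        "attributed": attributed,
        "anonymous": anonymous,
        "api_to_pids": {k: sorted(v) for k, v in api_to_pids.items()},
        "processes_with_anonymous_hooks": sorted({h["pid"] for h in anonymous}),
        "categories": sorted({h["category"] for h in anonymous}),
    }


# Sample lines abridged from the GMER log posted in the next reply of this thread.
SAMPLE_GMER = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[220] WS2_32.dll!send 71AB4C27 5 Bytes JMP 017B2781
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[220] WS2_32.dll!recv 71AB676F 5 Bytes JMP 017B27B9
.text C:\WINDOWS\Explorer.EXE[1668] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01772781
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 02C52911
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2156E9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 02C52D5B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 5 Bytes JMP 02C532F2
"""
```

`triage_user_hooks(parse_gmer_user_hooks(SAMPLE_GMER))` leaves only the IEFRAME.dll dialog hook in the attributed list and puts the rest, spread over three processes and four API categories, in the anonymous list; on the full log the same call would show the winsock hooks in every listed process.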

Re: Ebay/Paypal Problem
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-23 20:18:24
Windows 5.1.2600 Service Pack 3
Running: GMER.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\uxldypoc.sys


---- User code sections - GMER 1.0.15 ----

.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[220] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 017B28F5
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[220] WS2_32.dll!send 71AB4C27 5 Bytes JMP 017B2781
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[220] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 017B2873
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[220] WS2_32.dll!recv 71AB676F 5 Bytes JMP 017B27B9
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[220] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 017B27F1
.text C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe[292] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F228F5
.text C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe[292] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F22781
.text C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe[292] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F22873
.text C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe[292] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F227B9
.text C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe[292] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F227F1
.text C:\Program Files\Bonjour\mDNSResponder.exe[304] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 007D28F5
.text C:\Program Files\Bonjour\mDNSResponder.exe[304] WS2_32.dll!send 71AB4C27 5 Bytes JMP 007D2781
.text C:\Program Files\Bonjour\mDNSResponder.exe[304] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 007D2873
.text C:\Program Files\Bonjour\mDNSResponder.exe[304] WS2_32.dll!recv 71AB676F 5 Bytes JMP 007D27B9
.text C:\Program Files\Bonjour\mDNSResponder.exe[304] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 007D27F1
.text C:\WINDOWS\BCMSMMSG.exe[484] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00CC28F5
.text C:\WINDOWS\BCMSMMSG.exe[484] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00CC2781
.text C:\WINDOWS\BCMSMMSG.exe[484] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00CC2873
.text C:\WINDOWS\BCMSMMSG.exe[484] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00CC27B9
.text C:\WINDOWS\BCMSMMSG.exe[484] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00CC27F1
.text C:\Program Files\Java\jre6\bin\jusched.exe[536] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C628F5
.text C:\Program Files\Java\jre6\bin\jusched.exe[536] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C62781
.text C:\Program Files\Java\jre6\bin\jusched.exe[536] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C62873
.text C:\Program Files\Java\jre6\bin\jusched.exe[536] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C627B9
.text C:\Program Files\Java\jre6\bin\jusched.exe[536] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C627F1
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[592] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01C528F5
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[592] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01C52781
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[592] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01C52873
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[592] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01C527B9
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[592] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01C527F1
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe[888] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 010528F5
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe[888] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01052781
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe[888] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01052873
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe[888] WS2_32.dll!recv 71AB676F 5 Bytes JMP 010527B9
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe[888] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 010527F1
.text C:\Program Files\iTunes\iTunesHelper.exe[976] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 011028F5
.text C:\Program Files\iTunes\iTunesHelper.exe[976] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01102781
.text C:\Program Files\iTunes\iTunesHelper.exe[976] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01102873
.text C:\Program Files\iTunes\iTunesHelper.exe[976] WS2_32.dll!recv 71AB676F 5 Bytes JMP 011027B9
.text C:\Program Files\iTunes\iTunesHelper.exe[976] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 011027F1
.text C:\Program Files\SpiralFrog\Spiralfrog.exe[988] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 03A028F5
.text C:\Program Files\SpiralFrog\Spiralfrog.exe[988] WS2_32.dll!send 71AB4C27 5 Bytes JMP 03A02781
.text C:\Program Files\SpiralFrog\Spiralfrog.exe[988] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 03A02873
.text C:\Program Files\SpiralFrog\Spiralfrog.exe[988] WS2_32.dll!recv 71AB676F 5 Bytes JMP 03A027B9
.text C:\Program Files\SpiralFrog\Spiralfrog.exe[988] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 03A027F1
.text C:\Program Files\Messenger\msmsgs.exe[1088] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00A528F5
.text C:\Program Files\Messenger\msmsgs.exe[1088] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00A52781
.text C:\Program Files\Messenger\msmsgs.exe[1088] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00A52873
.text C:\Program Files\Messenger\msmsgs.exe[1088] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00A527B9
.text C:\Program Files\Messenger\msmsgs.exe[1088] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00A527F1
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1120] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E328F5
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1120] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E32781
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1120] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E32873
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1120] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E327B9
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1120] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E327F1
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe[1236] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D228F5
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe[1236] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D22781
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe[1236] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D22873
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe[1236] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D227B9
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe[1236] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D227F1
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe[1300] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D028F5
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe[1300] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D02781
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe[1300] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D02873
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe[1300] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D027B9
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe[1300] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D027F1
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe[1312] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E428F5
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe[1312] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E42781
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe[1312] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E42873
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe[1312] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E427B9
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe[1312] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E427F1
.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1360] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 013D28F5
.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1360] WS2_32.dll!send 71AB4C27 5 Bytes JMP 013D2781
.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1360] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 013D2873
.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1360] WS2_32.dll!recv 71AB676F 5 Bytes JMP 013D27B9
.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1360] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 013D27F1
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1424] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 010E28F5
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1424] WS2_32.dll!send 71AB4C27 5 Bytes JMP 010E2781
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1424] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 010E2873
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1424] WS2_32.dll!recv 71AB676F 5 Bytes JMP 010E27B9
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1424] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 010E27F1
.text C:\WINDOWS\Explorer.EXE[1668] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 017728F5
.text C:\WINDOWS\Explorer.EXE[1668] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01772781
.text C:\WINDOWS\Explorer.EXE[1668] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01772873
.text C:\WINDOWS\Explorer.EXE[1668] WS2_32.dll!recv 71AB676F 5 Bytes JMP 017727B9
.text C:\WINDOWS\Explorer.EXE[1668] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 017727F1
.text C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[1696] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 052128F5
.text C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[1696] WS2_32.dll!send 71AB4C27 5 Bytes JMP 05212781
.text C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[1696] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 05212873
.text C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[1696] WS2_32.dll!recv 71AB676F 5 Bytes JMP 052127B9
.text C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[1696] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 052127F1
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 02C5299D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 02C5294D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 02C52911
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2156E9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED964 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E43AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E42E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E434C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E41B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 02C52EA5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 02C52F01
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 02C52BF3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 02C529B9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 02C5370F
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 02C52D5B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] CRYPT32.dll!CertGetCertificateChain 77A92F67 5 Bytes JMP 02C532E9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2344] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 5 Bytes JMP 02C532F2
.text C:\Program Files\Sun\StarOffice 8\program\soffice.BIN[2456] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 06A328F5
.text C:\Program Files\Sun\StarOffice 8\program\soffice.BIN[2456] WS2_32.dll!send 71AB4C27 5 Bytes JMP 06A32781
.text C:\Program Files\Sun\StarOffice 8\program\soffice.BIN[2456] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 06A32873
.text C:\Program Files\Sun\StarOffice 8\program\soffice.BIN[2456] WS2_32.dll!recv 71AB676F 5 Bytes JMP 06A327B9
.text C:\Program Files\Sun\StarOffice 8\program\soffice.BIN[2456] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 06A327F1
.text C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN[2460] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 06BA28F5
.text C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN[2460] WS2_32.dll!send 71AB4C27 5 Bytes JMP 06BA2781
.text C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN[2460] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 06BA2873
.text C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN[2460] WS2_32.dll!recv 71AB676F 5 Bytes JMP 06BA27B9
.text C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN[2460] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 06BA27F1
.text C:\Program Files\Outlook Express\msimn.exe[2836] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 034828F5
.text C:\Program Files\Outlook Express\msimn.exe[2836] ws2_32.dll!send 71AB4C27 5 Bytes JMP 03482781
.text C:\Program Files\Outlook Express\msimn.exe[2836] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 03482873
.text C:\Program Files\Outlook Express\msimn.exe[2836] ws2_32.dll!recv 71AB676F 5 Bytes JMP 034827B9
.text C:\Program Files\Outlook Express\msimn.exe[2836] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 034827F1
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe[2876] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00CD28F5
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe[2876] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00CD2781
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe[2876] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00CD2873
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe[2876] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00CD27B9
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe[2876] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00CD27F1
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[2904] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01F228F5
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[2904] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01F22781
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[2904] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01F22873
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[2904] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01F227B9
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[2904] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01F227F1
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2964] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 011428F5
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2964] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01142781
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2964] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01142873
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2964] WS2_32.dll!recv 71AB676F 5 Bytes JMP 011427B9
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[2964] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 011427F1
.text C:\Program Files\Java\jre6\bin\jucheck.exe[3656] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 023528F5
.text C:\Program Files\Java\jre6\bin\jucheck.exe[3656] ws2_32.dll!send 71AB4C27 5 Bytes JMP 02352781
.text C:\Program Files\Java\jre6\bin\jucheck.exe[3656] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 02352873
.text C:\Program Files\Java\jre6\bin\jucheck.exe[3656] ws2_32.dll!recv 71AB676F 5 Bytes JMP 023527B9
.text C:\Program Files\Java\jre6\bin\jucheck.exe[3656] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 023527F1
.text C:\Program Files\iPod\bin\iPodService.exe[3816] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00B228F5
.text C:\Program Files\iPod\bin\iPodService.exe[3816] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00B22781
.text C:\Program Files\iPod\bin\iPodService.exe[3816] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00B22873
.text C:\Program Files\iPod\bin\iPodService.exe[3816] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00B227B9
.text C:\Program Files\iPod\bin\iPodService.exe[3816] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00B227F1
.text C:\WINDOWS\System32\alg.exe[4024] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00B228F5
.text C:\WINDOWS\System32\alg.exe[4024] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00B22781
.text C:\WINDOWS\System32\alg.exe[4024] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00B22873
.text C:\WINDOWS\System32\alg.exe[4024] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00B227B9
.text C:\WINDOWS\System32\alg.exe[4024] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00B227F1
.text C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe[4072] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F728F5
.text C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe[4072] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F72781
.text C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe[4072] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F72873
.text C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe[4072] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F727B9
.text C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe[4072] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F727F1
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 02FF299D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 02FF294D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 02FF2911
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2156E9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AD5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD189 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED964 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2548CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E43AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E42E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E434C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E41B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED9C0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4717 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 02FF2EA5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 02FF2F01
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 02FF2BF3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 02FF29B9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 02FF370F
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 02FF2D5B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] CRYPT32.dll!CertGetCertificateChain 77A92F67 5 Bytes JMP 02FF32E9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 5 Bytes JMP 02FF32F2

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[4244] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\ACPI \Device\00000050 86D26310
Device \Driver\ACPI \Device\00000051 86D26310
Device \Driver\ACPI \Device\00000044 86D26310
Device \Driver\ACPI \Device\00000047 86D26310
Device \Driver\ACPI \Device\00000048 86D26310
Device \Driver\ACPI \Device\00000055 86D26310

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\ACPI \Device\00000049 86D26310
Device \Driver\ACPI \Device\00000056 86D26310

---- EOF - GMER 1.0.15 ----

Re: Ebay/Paypal Problem
Hello.

Now, please make sure mbr.exe is located on your Desktop!! << IMPORTANT

Now open a new notepad file.
Input this into the notepad file:

@echo off
cd %userprofile%
cd Desktop
mbr.exe -f
exit


Save this as fix.bat, save it to your desktop.
Double click fix.bat and the black cmd window will open and close; this is normal.

Mbr.exe should make a logfile on your Desktop. DO NOT post it just yet. Once you have run my bat file once, run it AGAIN!! << IMPORTANT

Next, DO NOT reboot the machine.

Download OTL by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.

Site Admin / Security Administrator

Re: Ebay/Paypal Problem
OTL logfile created on: 2/24/2010 6:31:50 PM - Run 1
OTL by OldTimer - Version 3.1.30.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 449.00 Mb Available Physical Memory | 44.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 66.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.84 Gb Total Space | 33.15 Gb Free Space | 59.38% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JENSENS
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/24 18:31:16 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2009/12/12 10:00:20 | 002,043,160 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/08/20 17:42:52 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/08/20 17:42:51 | 000,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/08/20 17:42:44 | 000,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/08/20 17:42:40 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2009/08/20 17:42:28 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/01/26 14:31:16 | 002,144,088 | ---- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/01/03 18:11:57 | 000,382,384 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jucheck.exe
PRC - [2009/01/03 18:11:57 | 000,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/01/03 18:11:57 | 000,136,600 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2008/09/10 16:40:06 | 000,289,576 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2008/09/10 16:39:48 | 000,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2008/09/10 15:50:26 | 000,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/09/10 12:00:00 | 000,525,664 | R--- | M] (WinZip Computing, S.L.) -- C:\Program Files\WinZip\WZQKPICK.EXE
PRC - [2008/08/29 09:18:44 | 000,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/14 20:41:18 | 001,241,088 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Sun\StarOffice 8\program\soffice.bin
PRC - [2008/03/14 20:41:18 | 001,019,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Sun\StarOffice 8\program\soffice.exe
PRC - [2008/03/12 12:05:36 | 000,163,128 | ---- | M] (SpiralFrog) -- C:\Program Files\SpiralFrog\Spiralfrog.exe
PRC - [2008/02/05 14:29:20 | 000,054,512 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
PRC - [2008/01/04 13:27:08 | 000,587,096 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
PRC - [2007/11/13 18:51:24 | 002,510,848 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
PRC - [2007/11/13 18:49:22 | 002,359,296 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
PRC - [2005/12/08 10:03:02 | 000,811,008 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2005/10/20 10:54:16 | 000,126,976 | ---- | M] (Intuit, Inc.) -- C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe
PRC - [2005/10/19 08:59:12 | 000,126,976 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2003/08/29 04:59:24 | 000,122,880 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\BCMSMMSG.exe
PRC - [2002/08/14 17:29:26 | 000,090,112 | ---- | M] (MUSICMATCH, Inc.) -- C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
PRC - [2002/06/27 00:53:26 | 000,303,104 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
PRC - [2002/06/27 00:34:44 | 000,286,720 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
PRC - [2002/06/27 00:21:30 | 000,147,456 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
PRC - [2002/06/27 00:20:58 | 000,323,646 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
PRC - [2002/04/11 03:19:36 | 000,077,824 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
PRC - [2002/04/11 03:19:34 | 000,069,632 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
PRC - [2002/02/15 10:31:42 | 000,045,056 | ---- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe


========== Modules (SafeList) ==========

MOD - [2010/02/24 18:31:16 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/08/20 17:42:40 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc)
SRV - [2009/08/20 17:42:28 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2009/01/03 18:11:57 | 000,152,984 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/09/10 16:39:48 | 000,536,872 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2008/09/10 15:50:26 | 000,116,040 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/08/29 09:18:44 | 000,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/03/04 20:22:53 | 000,295,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\termsrv32.dll -- (TermService)
SRV - [2008/01/04 13:27:08 | 000,587,096 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe -- (aawservice)
SRV - [2005/10/20 10:54:16 | 000,126,976 | ---- | M] (Intuit, Inc.) [Auto | Running] -- C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe -- (QuickBooksDB)
SRV - [2004/07/15 01:49:26 | 000,032,768 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state)
SRV - [2003/03/09 21:31:02 | 000,065,795 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2009/08/20 17:42:52 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/08/20 17:42:52 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/05/10 09:00:08 | 000,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2008/08/21 23:49:58 | 000,008,320 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgpfl.sys -- (motccgpfl)
DRV - [2008/08/21 23:49:22 | 000,018,688 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgp.sys -- (motccgp)
DRV - [2008/06/18 09:49:16 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2008/04/17 12:12:54 | 000,015,464 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/03/05 19:46:22 | 000,028,164 | ---- | M] (MusicMatch, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MxlW2k.sys -- (MxlW2k)
DRV - [2007/11/13 04:25:53 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/06/18 20:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motport.sys -- (motport)
DRV - [2007/06/18 20:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2006/10/18 03:00:00 | 000,036,624 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2005/10/19 08:59:12 | 000,807,998 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2004/10/07 19:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2003/08/29 04:59:24 | 001,101,696 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMSM.sys -- (BCMModem)
DRV - [2003/03/09 21:31:02 | 000,021,456 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2003/03/09 21:31:02 | 000,016,080 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2003/03/09 21:31:00 | 000,051,024 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hpzid412.sys -- (HPZid412)
DRV - [2003/01/15 14:45:06 | 000,042,368 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2003/01/14 12:38:36 | 000,108,736 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E}) Intel(R) Graphics Platform (SoftBIOS)
DRV - [2003/01/14 12:38:30 | 000,078,272 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91}) Intel(R) Graphics Chipset (KCH)
DRV - [2002/12/19 17:48:48 | 000,539,008 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2002/09/03 10:53:10 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2002/04/01 13:15:00 | 000,004,816 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio)
DRV - [2001/08/23 00:33:12 | 000,010,192 | R--- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ipfilter.sys -- (IPFilter)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)
DRV - [2001/08/17 07:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;*.local



O1 HOSTS File: ([2009/04/04 07:30:30 | 000,304,232 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 10480 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BCMSMMSG] C:\WINDOWS\BCMSMMSG.exe (Broadcom Corporation)
O4 - HKLM..\Run: [FastFox] C:\Program Files\NCH Swift Sound\FastFox\fastfox.exe (NCH Software)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe (MUSICMATCH, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe (Hewlett-Packard)
O4 - HKLM..\Run: [SpiralFrog] C:\Program Files\SpiralFrog\Spiralfrog.exe (SpiralFrog)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TexTally] C:\Program Files\NCH Swift Sound\TexTally\textally.exe (NCH Software)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, S.L.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\StarOffice 8.lnk = C:\Program Files\Sun\StarOffice 8\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: bankfirstonline.com ([www] https in Trusted sites)
O15 - HKCU\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} http://www.worldwinner.com/games/v41/mines/mines.cab (Mines Control)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} https://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} http://www.worldwinner.com/games/v47/skillgam/skillgam.cab (SkillGam Control)
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} http://gsn.worldwinner.com/games/v47/shared/FunGamesLoader.cab (FunGamesLoader Object)
O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} http://www.worldwinner.com/games/v50/tpir/tpir.cab (TPIR Control)
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} http://www.worldwinner.com/games/v48/brickout/brickout.cab (Brickout Control)
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} http://www.worldwinner.com/games/v43/jigsaw/jigsaw.cab (Jigsaw Genius Control)
O16 - DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} http://www.worldwinner.com/games/v47/solitairerush/solitairerush.cab (SolitaireRush Control)
O16 - DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} http://www.worldwinner.com/games/v52/wwhearts/wwhearts.cab (WWHearts Control)
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} http://www.worldwinner.com/games/v63/bjattack/bja.cab (BJA Control)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab (Windows Live Safety Center Base Module)
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab (Bejeweled Control)
O16 - DPF: {61900274-3323-4446-BDCD-91548D32AF1B} http://www.worldwinner.com/games/v56/spidersolitaire/spidersolitaire.cab (SpiderSolitaire Control)
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} http://www.worldwinner.com/games/v49/blockwerx/blockwerx.cab (Blockwerx Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204769920910 (WUWebControl Class)
O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} https://www.facebook.com/controls/contactx.dll (ContactExtractor Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} https://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab (Wwlaunch Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} http://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab (WordMojo Control)
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} http://www.worldwinner.com/games/v57/cubis/cubis.cab (Cubis Control)
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} http://www.worldwinner.com/games/v57/wof/wof.cab (WoF Control)
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} http://www.worldwinner.com/games/v67/swapit/swapit.cab (SwapIt Control)
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} http://www.worldwinner.com/games/v41/hangman/hangman.cab (Hangman Control)
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} http://www.worldwinner.com/games/v42/tilecity/tilecity.cab (Tilecity Control)
O16 - DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} http://www.worldwinner.com/games/v45/royal/royal.cab (Royal Control)
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} http://www.worldwinner.com/games/v43/paint/paint.cab (Paint Control)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab (Java Plug-in 1.6.0_04)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab (FamilyFeud Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} http://www.worldwinner.com/games/v44/golfsol/golfsol.cab (GolfSol Control)
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} http://www.worldwinner.com/games/v53/wwspades/wwspades.cab (WWSpades Control)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/03/04 20:27:21 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/02/24 18:31:09 | 000,549,376 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/02/24 05:54:36 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/02/23 12:20:16 | 000,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Owner\Desktop\RootRepeal.exe
[2010/02/23 09:59:16 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/02/22 18:42:06 | 000,000,000 | ---D | C] -- C:\Combo-Fix
[2010/02/20 19:47:21 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/02/20 19:46:09 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/02/20 19:46:09 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/02/20 19:46:09 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/02/20 19:46:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/02/20 19:30:57 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/02/19 16:51:16 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/02/19 16:51:12 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/02/19 16:51:12 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/15 19:39:02 | 000,175,880 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Owner\Desktop\TDSSKiller.exe
[2010/02/14 13:41:59 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Owner\IECompatCache
[2010/02/14 13:36:17 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Owner\PrivacIE
[2010/02/14 12:40:26 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Owner\IETldCache
[2010/02/14 12:17:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2010/02/14 12:09:49 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/02/09 14:41:07 | 000,163,840 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxres.dll
[2010/01/31 08:43:00 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/01/30 07:33:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/01/29 08:36:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2010/01/29 08:36:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/03/30 20:21:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/08/13 12:38:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2008/05/24 15:26:51 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/05/24 15:26:51 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/05/24 15:26:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/02/24 18:31:16 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/02/24 18:29:52 | 000,000,062 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\fix.bat
[2010/02/24 18:02:09 | 056,199,314 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/02/24 17:59:09 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/24 17:59:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/24 06:33:16 | 007,602,176 | ---- | M] () -- C:\Documents and Settings\Owner\ntuser.dat
[2010/02/24 06:31:36 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/24 06:30:41 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/02/23 14:09:17 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\GMER.exe
[2010/02/23 12:20:26 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\settings.dat
[2010/02/23 12:19:19 | 000,464,491 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RootRepeal.zip
[2010/02/23 12:15:00 | 000,000,488 | ---- | M] () -- C:\hpfr5550.xml
[2010/02/23 10:19:44 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/02/23 08:43:19 | 003,869,515 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\Combo-Fix.exe
[2010/02/22 16:08:47 | 000,175,880 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Owner\Desktop\TDSSKiller.exe
[2010/02/22 16:06:20 | 000,153,078 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\tdsskiller.zip
[2010/02/21 22:58:20 | 000,077,312 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Stealth MBR Rootkit Detector.exe
[2010/02/20 19:47:30 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/02/19 16:51:20 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/18 23:15:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/02/15 10:23:17 | 000,009,612 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Our address labels.odt
[2010/02/15 09:12:49 | 000,129,024 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Christmas Card List.doc
[2010/02/15 09:09:47 | 000,011,524 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Junior Disciple Phone List.odt
[2010/02/15 08:57:03 | 000,016,888 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Junior Disciple Invitation.odt
[2010/02/14 10:32:37 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/07 18:55:44 | 000,012,800 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/30 21:07:33 | 000,078,848 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Announcement List.doc
[2010/01/28 19:27:57 | 000,090,624 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Jen's Shower Invitation List.doc
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/23 14:09:12 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\GMER.exe
[2010/02/23 12:20:26 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\settings.dat
[2010/02/23 12:19:17 | 000,464,491 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RootRepeal.zip
[2010/02/22 21:35:51 | 000,000,062 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\fix.bat
[2010/02/22 16:06:17 | 000,153,078 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\tdsskiller.zip
[2010/02/21 22:58:19 | 000,077,312 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Stealth MBR Rootkit Detector.exe
[2010/02/20 19:47:30 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/02/20 19:47:26 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/02/20 19:46:09 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/02/20 19:46:09 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/02/20 19:46:09 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/02/20 19:46:09 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/02/20 19:46:09 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/02/20 19:44:29 | 003,869,515 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\Combo-Fix.exe
[2010/02/19 16:51:20 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/15 10:23:16 | 000,009,612 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Our address labels.odt
[2010/01/28 18:31:50 | 000,090,624 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Jen's Shower Invitation List.doc
[2010/01/26 16:21:01 | 000,078,848 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Announcement List.doc
[2009/06/09 18:03:43 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/11/26 18:19:07 | 000,000,053 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2008/11/26 18:19:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2008/11/06 14:37:02 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MSINFO32.INI
[2008/08/18 17:08:06 | 000,000,158 | ---- | C] () -- C:\WINDOWS\pagesuit.ini
[2008/08/18 17:08:03 | 000,023,040 | ---- | C] () -- C:\WINDOWS\System32\irisco32.dll
[2008/08/01 16:16:12 | 000,012,800 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/04/27 14:08:16 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2008/03/07 18:48:51 | 000,000,457 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2003/03/09 21:31:04 | 000,552,960 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
< End of report >

Re: Ebay/Paypal Problem
OTL Extras logfile created on: 2/24/2010 6:31:50 PM - Run 1
OTL by OldTimer - Version 3.1.30.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 449.00 Mb Available Physical Memory | 44.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 66.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.84 Gb Total Space | 33.15 Gb Free Space | 59.38% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JENSENS
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe:*:Enabled:QuickBooks 2006 Data Manager -- (Intuit, Inc.)
"C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe" = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox -- (Yahoo! Inc.)
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01BDFB08-EE88-4E5E-94A6-AE9EDCFA40C5}" = Microsoft IntelliPoint 4.0
"{0B8FF60F-C012-4459-AADF-A3AD4E3757DE}" = Dell Picture Studio - Dell Image Expert
"{11F1920A-56A2-4642-B6E0-3B31A12C9288}" = Dell Solution Center
"{1CD870CF-D67A-4691-962A-56E202D66733}" = StarOffice 8
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 11
"{2F29D6D2-824E-4FEF-8AED-7013F39F642A}" = OpenOffice.org 2.3
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java(TM) 6 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = Dell Modem-On-Hold
"{41B9E2CF-0B3F-442A-B5B3-592A4A355634}" = iTunes
"{468190DA-FB4C-45BA-8E40-4B165FF1A939}" = BACS
"{52504CE6-E909-4113-B232-4AFEC6543A61}" = B44Inst
"{5C52CED3-D45C-4DA9-932F-B91BD44BB461}" = Adabas D 13.01.00
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69B02159-7622-4DBB-B9EE-F933039830AD}" = QuickBooks Pro 2006
"{6DA9102E-199F-43A0-A36B-6EF48081A658}" = MobileMe Control Panel
"{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}" = HP Photo and Imaging 2.0 - All-in-One Drivers
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{82DFB852-9594-4668-9C66-28BB6E94BCB2}" = HP Photo and Imaging 1.0 - HP PSC - HP OfficeJet
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics Driver
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{90D55A3F-1D99-4C94-A77E-46DC14F0BF08}" = Help and Support Customization
"{95738B44-49CF-4C62-A620-320F1007B14A}" = SpiralFrog Download Manager 0.8.25
"{9BFFB382-0B2C-11D6-AB3E-000102B0F79A}" = Readiris 7.5
"{AA9768AA-FF0B-4C66-A085-31E934F77841}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = B57Inst
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}" = WinZip 12.0
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware 2007
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{EC3B8CA2-49B8-4D38-BE9C-ABD0F6029168}" = Yahoo! Music Jukebox
"{ED93995E-8BF2-480F-8EA4-7D29E29A7052}" = HP Photo and Imaging 1.0 - HP PSC - HP OfficeJet Drivers
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"AVG8Uninstall" = AVG 8.5
"BCM V.92 56K Modem" = BCM V.92 56K Modem
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"Express" = Express Dictate
"FastFox" = FastFox
"hp instant support" = hp instant support
"hp psc 2100 series_Driver" = hp psc 2100 series
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{468190DA-FB4C-45BA-8E40-4B165FF1A939}" = Broadcom Advanced Control Suite
"InstallShield_{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x Driver Installer
"InstallShield_{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Driver Installer
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mavis Beacon Teaches Typing 16" = Mavis Beacon Teaches Typing 16
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MUSICMATCH Jukebox" = MUSICMATCH Jukebox
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Photo Viewer" = Photo Viewer 2.3
"PSC 2000 Series" = HP Photo and Imaging 1.0 - HP PSC - HP OfficeJet
"Scribe" = Express Scribe
"Sky Rangers Simulator" = Sky Rangers Simulator
"TexTally" = TexTally
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/24/2010 3:04:07 AM | Computer Name = JENSENS | Source = Spiralfrog | ID = 0
Description = General Information ********************************************* Additional
Info: ExceptionManager.MachineName: JENSENS ExceptionManager.TimeStamp: 2/24/2010
1:04:07 AM ExceptionManager.FullName: Microsoft.ApplicationBlocks.ExceptionManagement,
Version=1.0.0.0, Culture=neutral, PublicKeyToken=null ExceptionManager.AppDomainName:
Spiralfrog.exe ExceptionManager.ThreadIdentity: ExceptionManager.WindowsIdentity:
JENSENS\Owner 1) Exception Information *********************************************
Exception
Type: System.Exception Message: The BITS service returned an error for the job with
the ID '920a7a9e-a356-4fd5-bfad-71c52e63610c'; the job's name and description are
'Updater job.' and 'Updater: Download the Server XML File.'. The BITS service
error message for this job is 'Not enough storage is available to process this command.

'.
This
job has been canceled, and the DownloaderManager will attempt it again. If you
see this error frequently, you may have a mis-configuration, or another administrator
process/user is canceling BITS jobs. It is also possible that some mis-configuration
of the Manifest file is causing BITS to have trouble with a source or destination
path; be sure that all SOURCE paths are valid URLs, and that all DESTINATION paths
are valid LOCAL UNC paths--__shares are not allowed__. TargetSite: NULL HelpLink:
NULL Source: NULL

Error - 2/24/2010 3:04:09 AM | Computer Name = JENSENS | Source = Spiralfrog | ID = 0
Description = General Information ********************************************* Additional
Info: ExceptionManager.MachineName: JENSENS ExceptionManager.TimeStamp: 2/24/2010
1:04:09 AM ExceptionManager.FullName: Microsoft.ApplicationBlocks.ExceptionManagement,
Version=1.0.0.0, Culture=neutral, PublicKeyToken=null ExceptionManager.AppDomainName:
Spiralfrog.exe ExceptionManager.ThreadIdentity: ExceptionManager.WindowsIdentity:
JENSENS\Owner 1) Exception Information *********************************************
Exception
Type: System.Exception Message: The metadata file (the Server Manifest) can't be
downloaded for the application 'SpiralfrogClient'. Either the manifest is unavailable
(check download URL in Updater config file), the downloader failed, or the Manifest
failed validation. TargetSite: NULL HelpLink: NULL Source: NULL 2) Exception Information
*********************************************
Exception
Type: System.Runtime.InteropServices.COMException ErrorCode: -2145386481 Message:
Exception from HRESULT: 0x8020000F. TargetSite: Void GetError(Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.IBackgroundCopyError
ByRef) HelpLink: NULL Source: Microsoft.ApplicationBlocks.ApplicationUpdater StackTrace
Information ********************************************* at Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.IBackgroundCopyJob.GetError(IBackgroundCopyError&
ppError) at Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.BITSDownloader.HandleDownloadErrorCancelJob(IBackgroundCopyJob
copyJob, String& errMessage) at Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.BITSDownloader.Microsoft.ApplicationBlocks.ApplicationUpdater.Interfaces.IDownloader.Download(String
sourceFile, String destFile, TimeSpan maxTimeWait) at Microsoft.ApplicationBlocks.ApplicationUpdater.DownloaderManager.IsServerManifestDownloaded()

Error - 2/24/2010 4:53:51 AM | Computer Name = JENSENS | Source = Spiralfrog | ID = 0
Description = General Information ********************************************* Additional
Info: ExceptionManager.MachineName: JENSENS ExceptionManager.TimeStamp: 2/24/2010
2:53:50 AM ExceptionManager.FullName: Microsoft.ApplicationBlocks.ExceptionManagement,
Version=1.0.0.0, Culture=neutral, PublicKeyToken=null ExceptionManager.AppDomainName:
Spiralfrog.exe ExceptionManager.ThreadIdentity: ExceptionManager.WindowsIdentity:
JENSENS\Owner 1) Exception Information *********************************************
Exception
Type: System.Exception Message: The BITS service returned an error for the job with
the ID '63d18033-b994-4a8e-a8f6-2258bf85e518'; the job's name and description are
'Updater job.' and 'Updater: Download the Server XML File.'. The BITS service
error message for this job is 'The client does not have sufficient access rights
to the requested server object. '. This job has been canceled, and the DownloaderManager
will attempt it again. If you see this error frequently, you may have a mis-configuration,
or another administrator process/user is canceling BITS jobs. It is also possible
that some mis-configuration of the Manifest file is causing BITS to have trouble
with a source or destination path; be sure that all SOURCE paths are valid URLs,
and that all DESTINATION paths are valid LOCAL UNC paths--__shares are not allowed__.
TargetSite:
NULL HelpLink: NULL Source: NULL

Error - 2/24/2010 4:53:53 AM | Computer Name = JENSENS | Source = Spiralfrog | ID = 0
Description = General Information ********************************************* Additional
Info: ExceptionManager.MachineName: JENSENS ExceptionManager.TimeStamp: 2/24/2010
2:53:53 AM ExceptionManager.FullName: Microsoft.ApplicationBlocks.ExceptionManagement,
Version=1.0.0.0, Culture=neutral, PublicKeyToken=null ExceptionManager.AppDomainName:
Spiralfrog.exe ExceptionManager.ThreadIdentity: ExceptionManager.WindowsIdentity:
JENSENS\Owner 1) Exception Information *********************************************
Exception
Type: System.Exception Message: The metadata file (the Server Manifest) can't be
downloaded for the application 'SpiralfrogClient'. Either the manifest is unavailable
(check download URL in Updater config file), the downloader failed, or the Manifest
failed validation. TargetSite: NULL HelpLink: NULL Source: NULL 2) Exception Information
*********************************************
Exception
Type: System.Runtime.InteropServices.COMException ErrorCode: -2145386481 Message:
Exception from HRESULT: 0x8020000F. TargetSite: Void GetError(Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.IBackgroundCopyError
ByRef) HelpLink: NULL Source: Microsoft.ApplicationBlocks.ApplicationUpdater StackTrace
Information ********************************************* at Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.IBackgroundCopyJob.GetError(IBackgroundCopyError&
ppError) at Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.BITSDownloader.HandleDownloadErrorCancelJob(IBackgroundCopyJob
copyJob, String& errMessage) at Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.BITSDownloader.Microsoft.ApplicationBlocks.ApplicationUpdater.Interfaces.IDownloader.Download(String
sourceFile, String destFile, TimeSpan maxTimeWait) at Microsoft.ApplicationBlocks.ApplicationUpdater.DownloaderManager.IsServerManifestDownloaded()

Error - 2/24/2010 8:12:57 AM | Computer Name = JENSENS | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/24/2010 8:13:24 AM | Computer Name = JENSENS | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

Error - 2/24/2010 8:25:37 PM | Computer Name = JENSENS | Source = Application Hang | ID = 1002
Description = Hanging application fastfox.exe, version 0.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2/24/2010 8:25:45 PM | Computer Name = JENSENS | Source = Application Hang | ID = 1001
Description = Fault bucket 335464970.

Error - 2/24/2010 8:26:11 PM | Computer Name = JENSENS | Source = Spiralfrog | ID = 0
Description = General Information ********************************************* Additional
Info: ExceptionManager.MachineName: JENSENS ExceptionManager.TimeStamp: 2/24/2010
6:26:10 PM ExceptionManager.FullName: Microsoft.ApplicationBlocks.ExceptionManagement,
Version=1.0.0.0, Culture=neutral, PublicKeyToken=null ExceptionManager.AppDomainName:
Spiralfrog.exe ExceptionManager.ThreadIdentity: ExceptionManager.WindowsIdentity:
JENSENS\Owner 1) Exception Information *********************************************
Exception
Type: System.Exception Message: The BITS service returned an error for the job with
the ID '633bda85-cc56-4b6b-aa96-7aea465ce85f'; the job's name and description are
'Updater job.' and 'Updater: Download the Server XML File.'. The BITS service
error message for this job is 'The client does not have sufficient access rights
to the requested server object. '. This job has been canceled, and the DownloaderManager
will attempt it again. If you see this error frequently, you may have a mis-configuration,
or another administrator process/user is canceling BITS jobs. It is also possible
that some mis-configuration of the Manifest file is causing BITS to have trouble
with a source or destination path; be sure that all SOURCE paths are valid URLs,
and that all DESTINATION paths are valid LOCAL UNC paths--__shares are not allowed__.
TargetSite:
NULL HelpLink: NULL Source: NULL

Error - 2/24/2010 8:26:14 PM | Computer Name = JENSENS | Source = Spiralfrog | ID = 0
Description = General Information ********************************************* Additional
Info: ExceptionManager.MachineName: JENSENS ExceptionManager.TimeStamp: 2/24/2010
6:26:14 PM ExceptionManager.FullName: Microsoft.ApplicationBlocks.ExceptionManagement,
Version=1.0.0.0, Culture=neutral, PublicKeyToken=null ExceptionManager.AppDomainName:
Spiralfrog.exe ExceptionManager.ThreadIdentity: ExceptionManager.WindowsIdentity:
JENSENS\Owner 1) Exception Information *********************************************
Exception
Type: System.Exception Message: The metadata file (the Server Manifest) can't be
downloaded for the application 'SpiralfrogClient'. Either the manifest is unavailable
(check download URL in Updater config file), the downloader failed, or the Manifest
failed validation. TargetSite: NULL HelpLink: NULL Source: NULL 2) Exception Information
*********************************************
Exception
Type: System.Runtime.InteropServices.COMException ErrorCode: -2145386481 Message:
Exception from HRESULT: 0x8020000F. TargetSite: Void GetError(Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.IBackgroundCopyError
ByRef) HelpLink: NULL Source: Microsoft.ApplicationBlocks.ApplicationUpdater StackTrace
Information ********************************************* at Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.IBackgroundCopyJob.GetError(IBackgroundCopyError&
ppError) at Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.BITSDownloader.HandleDownloadErrorCancelJob(IBackgroundCopyJob
copyJob, String& errMessage) at Microsoft.ApplicationBlocks.ApplicationUpdater.Downloaders.BITSDownloader.Microsoft.ApplicationBlocks.ApplicationUpdater.Interfaces.IDownloader.Download(String
sourceFile, String destFile, TimeSpan maxTimeWait) at Microsoft.ApplicationBlocks.ApplicationUpdater.DownloaderManager.IsServerManifestDownloaded()

[ System Events ]
Error - 2/14/2010 10:00:04 AM | Computer Name = JENSENS | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 2/14/2010 10:12:04 AM | Computer Name = JENSENS | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 2/14/2010 10:24:04 AM | Computer Name = JENSENS | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 2/14/2010 10:36:04 AM | Computer Name = JENSENS | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 2/14/2010 10:48:04 AM | Computer Name = JENSENS | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 2/14/2010 11:00:04 AM | Computer Name = JENSENS | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 2/14/2010 11:07:20 AM | Computer Name = JENSENS | Source = System Error | ID = 1003
Description = Error code 100000d4, parameter1 ee6d0038, parameter2 00000002, parameter3
00000001, parameter4 804dbc9a.

Error - 2/14/2010 11:54:08 AM | Computer Name = JENSENS | Source = System Error | ID = 1003
Description = Error code 1000000a, parameter1 00000000, parameter2 00000002, parameter3
00000000, parameter4 804fd603.

Error - 2/24/2010 4:53:30 AM | Computer Name = JENSENS | Source = System Error | ID = 1003
Description = Error code 1000008e, parameter1 c0000005, parameter2 ec5631f4, parameter3
ecc84aa0, parameter4 00000000.

Error - 2/24/2010 8:25:58 PM | Computer Name = JENSENS | Source = System Error | ID = 1003
Description = Error code 1000000a, parameter1 ffffff94, parameter2 00000002, parameter3
00000000, parameter4 804fd682.


< End of report >

Re: Ebay/Paypal Problem

Hello.

Please reboot your computer, and when booting, select the new extra option you should have, and boot into the recovery console.

[Screenshot: Recovery Console entry in the boot menu]

Once in the RC, type in "fixmbr" and hit Enter.

[Screenshot: fixmbr prompt in the Recovery Console]

Type 'y' if asked to, and allow it to do its job.

Once it's done that and shows the prompt for another command, type "exit".

This will reboot your machine again, allow it to boot normally this time.
=====

Next, please re-run Combofix and post the new log.


Re: Ebay/Paypal Problem

ComboFix 10-02-24.01 - Owner 02/24/2010 20:37:17.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.526 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://www.spiralfrog.com
.
((((((((((((((((((((((((( Files Created from 2010-01-25 to 2010-02-25 )))))))))))))))))))))))))))))))
.

2010-02-23 19:25 . 2010-02-23 19:25 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS.000\WINDOWS
2010-02-23 19:25 . 2010-02-23 19:25 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS.000\UserData
2010-02-23 19:24 . 2010-02-23 19:24 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS.000\PrivacIE
2010-02-23 19:19 . 2010-02-23 19:19 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS.000\IETldCache
2010-02-23 19:19 . 2010-02-23 19:19 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS.000\IECompatCache
2010-02-23 00:42 . 2010-02-23 01:00 -------- d-----w- C:\Combo-Fix
2010-02-19 22:51 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-19 22:51 . 2010-02-19 22:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-19 22:51 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-19 05:15 . 2010-02-19 05:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-17 16:19 . 2010-02-20 08:58 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\IECompatCache
2010-02-17 16:19 . 2010-02-17 16:19 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\PrivacIE
2010-02-14 19:41 . 2010-02-14 19:41 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2010-02-14 19:36 . 2010-02-14 19:36 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2010-02-14 18:52 . 2010-02-14 18:52 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\IETldCache
2010-02-14 18:40 . 2010-02-14 18:40 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2010-02-14 18:18 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-02-14 18:17 . 2010-02-14 18:17 -------- d-----w- c:\windows\ie8updates
2010-02-14 18:14 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-02-14 18:14 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-14 18:09 . 2010-02-17 16:19 -------- dc-h--w- c:\windows\ie8
2010-02-09 20:41 . 2005-10-19 14:59 163840 ----a-w- c:\windows\system32\igfxres.dll
2010-01-31 17:08 . 2010-01-31 17:08 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\WINDOWS
2010-01-31 17:08 . 2010-01-31 17:08 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\UserData
2010-01-31 16:36 . 2010-01-31 16:36 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-31 14:43 . 2010-02-18 17:23 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-29 14:36 . 2010-01-29 14:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-01-29 14:36 . 2010-01-29 14:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-29 03:20 . 2010-01-31 16:35 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-01-29 02:20 . 2010-01-31 16:36 -------- d-----w- c:\documents and settings\HelpAssistant\.SunDownloadManager
2010-01-29 02:20 . 2010-01-31 16:36 -------- d-s---w- c:\documents and settings\HelpAssistant

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-25 02:34 . 2008-10-18 14:09 -------- d-----w- c:\program files\SpiralFrog
2010-02-25 02:34 . 2008-11-07 02:57 -------- d-----w- c:\documents and settings\Owner\Application Data\StarOffice8
2010-02-25 02:33 . 2008-03-08 00:35 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2010-02-25 00:30 . 2009-11-10 01:15 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-20 17:46 . 2008-03-08 00:36 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-02-15 14:49 . 2008-11-07 02:58 1 ----a-w- c:\documents and settings\Owner\Application Data\StarOffice8\user\uno_packages\cache\stamp.sys
2010-02-07 02:19 . 2009-03-12 15:42 -------- d-----w- c:\documents and settings\Owner\Application Data\MSN6
2010-01-31 17:22 . 2009-04-04 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-31 17:17 . 2009-04-04 13:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-31 16:50 . 2002-09-03 17:04 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2006-06-23 17:33 916480 ------w- c:\windows\system32\wininet.dll
2009-12-19 22:06 . 2009-10-03 17:38 127325 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe
2009-12-19 22:06 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-12-19 22:06 . 2009-12-19 22:06 1408376 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
2009-12-16 18:43 . 2008-03-05 02:22 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2002-09-03 16:29 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2002-09-03 16:50 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2002-08-29 01:04 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2002-09-03 16:42 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2005-08-30 04:02 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2001-08-17 22:36 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2002-09-03 16:46 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2002-09-03 16:46 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2002-09-03 16:27 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2001-08-17 22:36 48128 ----a-w- c:\windows\system32\iyuv_32.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-02-21_02.01.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-25 02:31 . 2010-02-25 02:31 16384 c:\windows\Temp\Perflib_Perfdata_b8.dat
+ 2007-11-13 11:31 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe
- 2007-11-13 11:31 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
+ 2008-03-05 02:22 . 2008-03-05 02:22 295424 c:\windows\system32\termsrv2.dll
- 2002-09-03 16:37 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
+ 2002-09-03 16:37 . 2009-12-09 05:53 726528 c:\windows\system32\jscript.dll
+ 2008-05-09 10:53 . 2009-12-09 05:53 726528 c:\windows\system32\dllcache\jscript.dll
- 2008-05-09 10:53 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
+ 2010-02-24 12:32 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976662-IE8\spuninst\updspapi.dll
+ 2010-02-24 12:32 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976662-IE8\spuninst\spuninst.exe
+ 2010-02-24 12:32 . 2009-06-22 06:44 726528 c:\windows\ie8updates\KB976662-IE8\jscript.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-04 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"SpiralFrog"="c:\program files\SpiralFrog\Spiralfrog.exe" [2008-03-12 163128]
"TexTally"="c:\program files\NCH Swift Sound\TexTally\textally.exe" [2008-12-30 274436]
"FastFox"="c:\program files\NCH Swift Sound\FastFox\fastfox.exe" [2008-12-30 327684]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
StarOffice 8.lnk - c:\program files\Sun\StarOffice 8\program\quickstart.exe [2008-1-21 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-4 45056]
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-6-27 323646]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-6-27 147456]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-12-8 811008]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-9-10 525664]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 23:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/24/2008 2:57 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/24/2008 2:57 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/2/2008 3:26 PM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/2/2008 3:26 PM 297752]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/18/2007 8:18 PM 23680]
.
Contents of the 'Scheduled Tasks' folder

2010-02-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2008-11-19 c:\windows\Tasks\FRU Task 2002-06-27 08:46ewlett-Packard2002-06-27 08:46p psc 2100 seriesF56855811176EC24C9B302F94878AD886AF77CFF219100904.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-27 06:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: bankfirstonline.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-24 20:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-02-24 20:51:41
ComboFix-quarantined-files.txt 2010-02-25 02:51
ComboFix2.txt 2010-02-23 16:41
ComboFix3.txt 2010-02-23 15:17
ComboFix4.txt 2010-02-23 00:59
ComboFix5.txt 2010-02-25 02:36

Pre-Run: 36,036,419,584 bytes free
Post-Run: 36,001,275,904 bytes free

- - End Of File - - BD2FBB9B85562A727339FE9655E92369

Re: Ebay/Paypal Problem

Hello.

Good work, we squashed it. Did you remove the HelpAssistant user accounts via control userpasswords2 like I asked? Just making sure so we can move on to the next bit.


Re: Ebay/Paypal Problem

Ummm....I'm not sure....I think I've done everything you've asked. I follow your steps step by step. How can I double check that this is done?

Re: Ebay/Paypal Problem

Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

control userpasswords2

When this user account control window opens, check what users are listed, and make sure HelpAssistant isn't there.

If it is there, highlight it by clicking on it once, and press remove.

Let me know.


Re: Ebay/Paypal Problem

Ok...I do remember doing that but for some reason it was still there. I did it again & removed it.

Re: Ebay/Paypal Problem

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "65533:TCP"=-
    "52344:TCP"=-
    "2479:TCP"=-
    "3246:TCP"=-
    "3389:TCP"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "65533:TCP"=-
    "52344:TCP"=-
    "2479:TCP"=-
    "3246:TCP"=-
    "3389:TCP"=-


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


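As an added example for this thread (not part of OTL or ComboFix, and not written by anyone in the thread), here is a small Python audit that reads a REGEDIT4-style dump of the XP firewall policy keys, in the form ComboFix printed above, and flags the two things the OTL fix targets: a profile with EnableFirewall set to 0, and globally open TCP ports outside an allow-list. The sample export is constructed to mirror the log entries, and the allow-list (only 3389 "Remote Desktop") is an assumption for the example, not a Windows default.

```python
"""Audit a REGEDIT4-style dump of the Windows XP firewall policy keys.

Added example for this thread, not part of OTL or ComboFix. The sample
export is constructed to mirror what ComboFix reported: EnableFirewall=0
and five globally open TCP ports, four of them with the generic label
"Services" that malware-created exceptions often carry.
"""
import re

# Constructed sample in the REGEDIT4 form ComboFix used ("~" abbreviates
# SYSTEM\CurrentControlSet).
SAMPLE_EXPORT = r"""REGEDIT4

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"""

# Assumed allow-list for this example: port:proto -> expected display name.
# Anything else in GloballyOpenPorts\List is reported.
EXPECTED_OPEN_PORTS = {"3389:TCP": "Remote Desktop"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"\s*=\s*(?P<data>.*)$')


def parse_regedit4(text):
    """Return {key_path_lowercase: {value_name: data_string}} from a dump."""
    tree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            tree[current][m.group("name")] = m.group("data").strip()
    return tree


def audit_firewall_policy(text, expected_ports=EXPECTED_OPEN_PORTS):
    """Return a list of human-readable findings for the firewall policy."""
    findings = []
    for key, values in parse_regedit4(text).items():
        if key.endswith(("\\firewallpolicy\\standardprofile",
                         "\\firewallpolicy\\domainprofile")):
            # ComboFix prints DWORDs as "0 (0x0)"; a leading 0 means disabled.
            if values.get("EnableFirewall", "").startswith("0"):
                profile = key.rsplit("\\", 1)[-1]
                findings.append(f"{profile}: EnableFirewall is 0 (firewall disabled)")
        if key.endswith("\\globallyopenports\\list"):
            profile = key.split("\\")[-3]
            for name, data in values.items():
                # Data is "<port>:<proto>:<display name>"; the display name is
                # what the Windows Firewall UI shows for the exception.
                parts = data.split(":", 2)
                label = parts[2] if len(parts) == 3 else ""
                if name not in expected_ports:
                    findings.append(
                        f"{profile}: unexpected open port {name} labelled '{label}'")
                elif label != expected_ports[name]:
                    findings.append(f"{profile}: {name} relabelled '{label}'")
    return findings


if __name__ == "__main__":
    for finding in audit_firewall_policy(SAMPLE_EXPORT):
        print(finding)
```

Run against a real export (regedit's "Export" of the FirewallPolicy key, saved as a Win9x/REGEDIT4 file), the same two checks apply unchanged; the fix the thread applies is exactly deleting the reported GloballyOpenPorts values.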
Re: Ebay/Paypal Problem

========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\52344:TCP deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\2479:TCP deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\3246:TCP deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\\3389:TCP deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\52344:TCP deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2479:TCP deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\3246:TCP deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\3389:TCP deleted successfully.

OTL by OldTimer - Version 3.1.30.1 log created on 02272010_093924

Re: Ebay/Paypal Problem

Hello.
Well done, we are getting close to the end. I'm still slightly paranoid, so next, please delete the two logs OTL made, and re-run OTL.

Please post only EXTRAS.txt.


Re: Ebay/Paypal Problem

I ran it but it did not create a file called extras.txt. It only created otl.txt & here is the log:

OTL logfile created on: 2/27/2010 4:15:48 PM - Run 2
OTL by OldTimer - Version 3.1.30.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 233.00 Mb Available Physical Memory | 23.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 52.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.84 Gb Total Space | 33.41 Gb Free Space | 59.84% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JENSENS
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/24 18:31:16 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2009/12/28 08:07:10 | 000,761,600 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgscanx.exe
PRC - [2009/12/12 10:00:20 | 002,043,160 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/08/20 17:42:52 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/08/20 17:42:51 | 000,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2009/08/20 17:42:44 | 000,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/08/20 17:42:40 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2009/08/20 17:42:28 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/01/26 14:31:16 | 002,144,088 | ---- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/01/03 18:11:57 | 000,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/01/03 18:11:57 | 000,136,600 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2008/09/10 16:40:06 | 000,289,576 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2008/09/10 16:39:48 | 000,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2008/09/10 15:50:26 | 000,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/09/10 12:00:00 | 000,525,664 | R--- | M] (WinZip Computing, S.L.) -- C:\Program Files\WinZip\WZQKPICK.EXE
PRC - [2008/08/29 09:18:44 | 000,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/13 18:12:28 | 000,060,416 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Outlook Express\msimn.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/14 20:41:18 | 001,241,088 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Sun\StarOffice 8\program\soffice.bin
PRC - [2008/03/14 20:41:18 | 001,019,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Sun\StarOffice 8\program\soffice.exe
PRC - [2008/03/12 12:05:36 | 000,163,128 | ---- | M] (SpiralFrog) -- C:\Program Files\SpiralFrog\Spiralfrog.exe
PRC - [2008/02/05 14:29:20 | 000,054,512 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
PRC - [2008/01/04 13:27:08 | 000,587,096 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
PRC - [2007/11/13 18:51:24 | 002,510,848 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
PRC - [2007/11/13 18:49:22 | 002,359,296 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
PRC - [2005/12/08 10:03:02 | 000,811,008 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2005/10/20 10:54:16 | 000,126,976 | ---- | M] (Intuit, Inc.) -- C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe
PRC - [2005/10/19 08:59:12 | 000,126,976 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2003/08/29 04:59:24 | 000,122,880 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\BCMSMMSG.exe
PRC - [2002/08/14 17:29:26 | 000,090,112 | ---- | M] (MUSICMATCH, Inc.) -- C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
PRC - [2002/06/27 00:53:26 | 000,303,104 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
PRC - [2002/06/27 00:34:44 | 000,286,720 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
PRC - [2002/06/27 00:21:30 | 000,147,456 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
PRC - [2002/06/27 00:20:58 | 000,323,646 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
PRC - [2002/04/11 03:19:36 | 000,077,824 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
PRC - [2002/04/11 03:19:34 | 000,069,632 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
PRC - [2002/02/15 10:31:42 | 000,045,056 | ---- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe


========== Modules (SafeList) ==========

MOD - [2010/02/24 18:31:16 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2008/04/13 18:11:56 | 000,019,968 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\linkinfo.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/08/20 17:42:40 | 000,908,056 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc)
SRV - [2009/08/20 17:42:28 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2009/01/03 18:11:57 | 000,152,984 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/09/10 16:39:48 | 000,536,872 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2008/09/10 15:50:26 | 000,116,040 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/08/29 09:18:44 | 000,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/01/04 13:27:08 | 000,587,096 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe -- (aawservice)
SRV - [2005/10/20 10:54:16 | 000,126,976 | ---- | M] (Intuit, Inc.) [Auto | Running] -- C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe -- (QuickBooksDB)
SRV - [2004/07/15 01:49:26 | 000,032,768 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state)
SRV - [2003/03/09 21:31:02 | 000,065,795 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2009/08/20 17:42:52 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/08/20 17:42:52 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/05/10 09:00:08 | 000,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2008/08/21 23:49:58 | 000,008,320 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgpfl.sys -- (motccgpfl)
DRV - [2008/08/21 23:49:22 | 000,018,688 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgp.sys -- (motccgp)
DRV - [2008/06/18 09:49:16 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2008/04/17 12:12:54 | 000,015,464 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/03/05 19:46:22 | 000,028,164 | ---- | M] (MusicMatch, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MxlW2k.sys -- (MxlW2k)
DRV - [2007/11/13 04:25:53 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/06/18 20:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motport.sys -- (motport)
DRV - [2007/06/18 20:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2006/10/18 03:00:00 | 000,036,624 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2005/10/19 08:59:12 | 000,807,998 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2004/10/07 19:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2003/08/29 04:59:24 | 001,101,696 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMSM.sys -- (BCMModem)
DRV - [2003/03/09 21:31:02 | 000,021,456 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2003/03/09 21:31:02 | 000,016,080 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2003/03/09 21:31:00 | 000,051,024 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hpzid412.sys -- (HPZid412)
DRV - [2003/01/15 14:45:06 | 000,042,368 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2003/01/14 12:38:36 | 000,108,736 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E}) Intel(R) Graphics Platform (SoftBIOS)
DRV - [2003/01/14 12:38:30 | 000,078,272 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91}) Intel(R) Graphics Chipset (KCH)
DRV - [2002/12/19 17:48:48 | 000,539,008 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2002/09/03 10:53:10 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2002/04/01 13:15:00 | 000,004,816 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio)
DRV - [2001/08/23 00:33:12 | 000,010,192 | R--- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ipfilter.sys -- (IPFilter)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)
DRV - [2001/08/17 07:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;*.local



O1 HOSTS File: ([2009/04/04 07:30:30 | 000,304,232 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 10480 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BCMSMMSG] C:\WINDOWS\BCMSMMSG.exe (Broadcom Corporation)
O4 - HKLM..\Run: [FastFox] C:\Program Files\NCH Swift Sound\FastFox\fastfox.exe (NCH Software)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe (MUSICMATCH, Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe (Hewlett-Packard)
O4 - HKLM..\Run: [SpiralFrog] C:\Program Files\SpiralFrog\Spiralfrog.exe (SpiralFrog)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TexTally] C:\Program Files\NCH Swift Sound\TexTally\textally.exe (NCH Software)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, S.L.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\StarOffice 8.lnk = C:\Program Files\Sun\StarOffice 8\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: bankfirstonline.com ([www] https in Trusted sites)
O15 - HKCU\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} http://www.worldwinner.com/games/v41/mines/mines.cab (Mines Control)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} https://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} http://www.worldwinner.com/games/v47/skillgam/skillgam.cab (SkillGam Control)
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} http://gsn.worldwinner.com/games/v47/shared/FunGamesLoader.cab (FunGamesLoader Object)
O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} http://www.worldwinner.com/games/v50/tpir/tpir.cab (TPIR Control)
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} http://www.worldwinner.com/games/v48/brickout/brickout.cab (Brickout Control)
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} http://www.worldwinner.com/games/v43/jigsaw/jigsaw.cab (Jigsaw Genius Control)
O16 - DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} http://www.worldwinner.com/games/v47/solitairerush/solitairerush.cab (SolitaireRush Control)
O16 - DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} http://www.worldwinner.com/games/v52/wwhearts/wwhearts.cab (WWHearts Control)
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} http://www.worldwinner.com/games/v63/bjattack/bja.cab (BJA Control)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab (Windows Live Safety Center Base Module)
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab (Bejeweled Control)
O16 - DPF: {61900274-3323-4446-BDCD-91548D32AF1B} http://www.worldwinner.com/games/v56/spidersolitaire/spidersolitaire.cab (SpiderSolitaire Control)
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} http://www.worldwinner.com/games/v49/blockwerx/blockwerx.cab (Blockwerx Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204769920910 (WUWebControl Class)
O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} https://www.facebook.com/controls/contactx.dll (ContactExtractor Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} https://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab (Wwlaunch Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} http://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab (WordMojo Control)
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} http://www.worldwinner.com/games/v57/cubis/cubis.cab (Cubis Control)
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} http://www.worldwinner.com/games/v57/wof/wof.cab (WoF Control)
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} http://www.worldwinner.com/games/v67/swapit/swapit.cab (SwapIt Control)
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} http://www.worldwinner.com/games/v41/hangman/hangman.cab (Hangman Control)
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} http://www.worldwinner.com/games/v42/tilecity/tilecity.cab (Tilecity Control)
O16 - DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} http://www.worldwinner.com/games/v45/royal/royal.cab (Royal Control)
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} http://www.worldwinner.com/games/v43/paint/paint.cab (Paint Control)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab (Java Plug-in 1.6.0_04)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab (FamilyFeud Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} http://www.worldwinner.com/games/v44/golfsol/golfsol.cab (GolfSol Control)
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} http://www.worldwinner.com/games/v53/wwspades/wwspades.cab (WWSpades Control)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/03/04 20:27:21 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/02/27 15:52:12 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/02/27 09:39:24 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/02/24 18:31:09 | 000,549,376 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/02/23 12:20:16 | 000,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Owner\Desktop\RootRepeal.exe
[2010/02/23 09:59:16 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/02/22 18:42:06 | 000,000,000 | ---D | C] -- C:\Combo-Fix
[2010/02/20 19:47:21 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/02/20 19:46:09 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/02/20 19:46:09 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/02/20 19:46:09 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/02/20 19:46:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/02/20 19:30:57 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/02/19 16:51:16 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/02/19 16:51:12 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/02/19 16:51:12 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/15 19:39:02 | 000,175,880 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Owner\Desktop\TDSSKiller.exe
[2010/02/14 13:41:59 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Owner\IECompatCache
[2010/02/14 13:36:17 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Owner\PrivacIE
[2010/02/14 12:40:26 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Owner\IETldCache
[2010/02/14 12:17:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2010/02/14 12:09:49 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/02/09 14:41:07 | 000,163,840 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\igfxres.dll
[2010/01/31 08:43:00 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/01/30 07:33:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/01/29 08:36:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2010/01/29 08:36:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/03/30 20:21:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/08/13 12:38:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2008/05/24 15:26:51 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/05/24 15:26:51 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/05/24 15:26:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/02/26 18:00:33 | 056,305,693 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/02/26 17:58:11 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/26 17:58:04 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/26 07:08:00 | 007,602,176 | ---- | M] () -- C:\Documents and Settings\Owner\ntuser.dat
[2010/02/26 07:08:00 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/02/25 23:15:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/02/25 18:17:22 | 000,000,488 | ---- | M] () -- C:\hpfr5550.xml
[2010/02/24 20:47:03 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/02/24 20:35:36 | 003,871,969 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\Combo-Fix.exe
[2010/02/24 18:31:16 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/02/24 18:29:52 | 000,000,062 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\fix.bat
[2010/02/24 06:31:36 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/23 14:09:17 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\GMER.exe
[2010/02/23 12:20:26 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\settings.dat
[2010/02/23 12:19:19 | 000,464,491 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RootRepeal.zip
[2010/02/22 16:08:47 | 000,175,880 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Owner\Desktop\TDSSKiller.exe
[2010/02/22 16:06:20 | 000,153,078 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\tdsskiller.zip
[2010/02/21 22:58:20 | 000,077,312 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Stealth MBR Rootkit Detector.exe
[2010/02/20 19:47:30 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/02/19 16:51:20 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/15 10:23:17 | 000,009,612 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Our address labels.odt
[2010/02/15 09:12:49 | 000,129,024 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Christmas Card List.doc
[2010/02/15 09:09:47 | 000,011,524 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Junior Disciple Phone List.odt
[2010/02/15 08:57:03 | 000,016,888 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Junior Disciple Invitation.odt
[2010/02/14 10:32:37 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/07 18:55:44 | 000,012,800 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/30 21:07:33 | 000,078,848 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Announcement List.doc
[2010/01/28 19:27:57 | 000,090,624 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Jen's Shower Invitation List.doc
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/23 14:09:12 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\GMER.exe
[2010/02/23 12:20:26 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\settings.dat
[2010/02/23 12:19:17 | 000,464,491 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RootRepeal.zip
[2010/02/22 21:35:51 | 000,000,062 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\fix.bat
[2010/02/22 16:06:17 | 000,153,078 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\tdsskiller.zip
[2010/02/21 22:58:19 | 000,077,312 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Stealth MBR Rootkit Detector.exe
[2010/02/20 19:47:30 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/02/20 19:47:26 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/02/20 19:46:09 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/02/20 19:46:09 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/02/20 19:46:09 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/02/20 19:46:09 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/02/20 19:46:09 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/02/20 19:44:29 | 003,871,969 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\Combo-Fix.exe
[2010/02/19 16:51:20 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/15 10:23:16 | 000,009,612 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Our address labels.odt
[2010/01/28 18:31:50 | 000,090,624 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Jen's Shower Invitation List.doc
[2009/06/09 18:03:43 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/11/26 18:19:07 | 000,000,053 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2008/11/26 18:19:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2008/11/06 14:37:02 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MSINFO32.INI
[2008/08/18 17:08:06 | 000,000,158 | ---- | C] () -- C:\WINDOWS\pagesuit.ini
[2008/08/18 17:08:03 | 000,023,040 | ---- | C] () -- C:\WINDOWS\System32\irisco32.dll
[2008/08/01 16:16:12 | 000,012,800 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/04/27 14:08:16 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2008/03/07 18:48:51 | 000,000,457 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2003/03/09 21:31:04 | 000,552,960 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
< End of report >

Re: Ebay/Paypal Problem

Hello.
That's OTL.txt; please post extras.txt.

............................................................................................

Site Admin / Security Administrator


Re: Ebay/Paypal Problem
Yes, I know...like I said it didn't create extras.txt.

Re: Ebay/Paypal Problem
Okay, please re-run Combofix one more time.

............................................................................................

Site Admin / Security Administrator


Re: Ebay/Paypal Problem
ComboFix 10-02-27.04 - Owner 02/27/2010 20:04:38.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.394 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://www.spiralfrog.com
.
((((((((((((((((((((((((( Files Created from 2010-01-28 to 2010-02-28 )))))))))))))))))))))))))))))))
.

2010-02-27 15:39 . 2010-02-27 15:39 -------- d-----w- C:\_OTL
2010-02-23 19:25 . 2010-02-23 19:25 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS.000\WINDOWS
2010-02-23 19:25 . 2010-02-23 19:25 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS.000\UserData
2010-02-23 19:24 . 2010-02-23 19:24 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS.000\PrivacIE
2010-02-23 19:19 . 2010-02-23 19:19 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS.000\IETldCache
2010-02-23 19:19 . 2010-02-23 19:19 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS.000\IECompatCache
2010-02-23 00:42 . 2010-02-23 01:00 -------- d-----w- C:\Combo-Fix
2010-02-19 22:51 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-19 22:51 . 2010-02-19 22:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-19 22:51 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-19 05:15 . 2010-02-19 05:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-17 16:19 . 2010-02-20 08:58 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\IECompatCache
2010-02-17 16:19 . 2010-02-17 16:19 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\PrivacIE
2010-02-14 19:41 . 2010-02-14 19:41 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2010-02-14 19:36 . 2010-02-14 19:36 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2010-02-14 18:52 . 2010-02-14 18:52 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\IETldCache
2010-02-14 18:40 . 2010-02-14 18:40 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2010-02-14 18:18 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-02-14 18:17 . 2010-02-14 18:17 -------- d-----w- c:\windows\ie8updates
2010-02-14 18:14 . 2009-12-21 19:14 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-02-14 18:14 . 2009-12-21 19:14 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-14 18:09 . 2010-02-17 16:19 -------- dc-h--w- c:\windows\ie8
2010-02-09 20:41 . 2005-10-19 14:59 163840 ----a-w- c:\windows\system32\igfxres.dll
2010-01-31 17:08 . 2010-01-31 17:08 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\WINDOWS
2010-01-31 17:08 . 2010-01-31 17:08 -------- d-----w- c:\documents and settings\HelpAssistant.JENSENS\UserData
2010-01-31 16:36 . 2010-01-31 16:36 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-31 14:43 . 2010-02-18 17:23 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-29 14:36 . 2010-01-29 14:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-01-29 14:36 . 2010-01-29 14:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-29 03:20 . 2010-01-31 16:35 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-01-29 02:20 . 2010-01-31 16:36 -------- d-----w- c:\documents and settings\HelpAssistant\.SunDownloadManager
2010-01-29 02:20 . 2010-01-31 16:36 -------- d-s---w- c:\documents and settings\HelpAssistant

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-28 00:06 . 2008-10-18 14:09 -------- d-----w- c:\program files\SpiralFrog
2010-02-27 00:05 . 2008-11-07 02:57 -------- d-----w- c:\documents and settings\Owner\Application Data\StarOffice8
2010-02-27 00:05 . 2008-03-08 00:35 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2010-02-25 00:30 . 2009-11-10 01:15 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-20 17:46 . 2008-03-08 00:36 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-02-15 14:49 . 2008-11-07 02:58 1 ----a-w- c:\documents and settings\Owner\Application Data\StarOffice8\user\uno_packages\cache\stamp.sys
2010-02-07 02:19 . 2009-03-12 15:42 -------- d-----w- c:\documents and settings\Owner\Application Data\MSN6
2010-01-31 17:22 . 2009-04-04 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-31 17:17 . 2009-04-04 13:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-31 16:50 . 2002-09-03 17:04 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2006-06-23 17:33 916480 ------w- c:\windows\system32\wininet.dll
2009-12-19 22:06 . 2009-10-03 17:38 127325 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe
2009-12-19 22:06 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-12-19 22:06 . 2009-12-19 22:06 1408376 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
2009-12-16 18:43 . 2008-03-05 02:22 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2002-09-03 16:29 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2002-09-03 16:50 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2002-08-29 01:04 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2002-09-03 16:42 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-02-21_02.01.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-26 23:58 . 2010-02-26 23:58 16384 c:\windows\Temp\Perflib_Perfdata_b4.dat
+ 2007-11-13 11:31 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe
- 2007-11-13 11:31 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
+ 2008-03-05 02:22 . 2008-03-05 02:22 295424 c:\windows\system32\termsrv2.dll
- 2002-09-03 16:37 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
+ 2002-09-03 16:37 . 2009-12-09 05:53 726528 c:\windows\system32\jscript.dll
+ 2008-05-09 10:53 . 2009-12-09 05:53 726528 c:\windows\system32\dllcache\jscript.dll
- 2008-05-09 10:53 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
+ 2010-02-24 12:32 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976662-IE8\spuninst\updspapi.dll
+ 2010-02-24 12:32 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976662-IE8\spuninst\spuninst.exe
+ 2010-02-24 12:32 . 2009-06-22 06:44 726528 c:\windows\ie8updates\KB976662-IE8\jscript.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-04 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"SpiralFrog"="c:\program files\SpiralFrog\Spiralfrog.exe" [2008-03-12 163128]
"TexTally"="c:\program files\NCH Swift Sound\TexTally\textally.exe" [2008-12-30 274436]
"FastFox"="c:\program files\NCH Swift Sound\FastFox\fastfox.exe" [2008-12-30 327684]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
StarOffice 8.lnk - c:\program files\Sun\StarOffice 8\program\quickstart.exe [2008-1-21 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-4 45056]
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-6-27 323646]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-6-27 147456]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-12-8 811008]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-9-10 525664]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 23:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/24/2008 2:57 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/24/2008 2:57 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/2/2008 3:26 PM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/2/2008 3:26 PM 297752]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/18/2007 8:18 PM 23680]
.
Contents of the 'Scheduled Tasks' folder

2010-02-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2008-11-19 c:\windows\Tasks\FRU Task 2002-06-27 08:46ewlett-Packard2002-06-27 08:46p psc 2100 seriesF56855811176EC24C9B302F94878AD886AF77CFF219100904.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-06-27 06:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: bankfirstonline.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-27 20:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-02-27 20:20:21
ComboFix-quarantined-files.txt 2010-02-28 02:20
ComboFix2.txt 2010-02-25 02:51
ComboFix3.txt 2010-02-23 16:41
ComboFix4.txt 2010-02-23 15:17
ComboFix5.txt 2010-02-28 02:03

Pre-Run: 35,794,292,736 bytes free
Post-Run: 35,842,961,408 bytes free

- - End Of File - - 8E572E75B12AA9DA6B7F682EABF7404E

Re: Ebay/Paypal Problem
Hello.

Good work, we're winning; the last bit to take out is that HelpAssistant account. Follow my instructions in the order they are written.

Please create a folder on your Desktop called SWReg.

  1. Download SWReg.exe from here.
  2. Save SWReg.exe inside the SWReg folder you just created.

    Do not run SWReg.exe.

    Now open a new Notepad file, and input this into the Notepad file:

    @echo off
    swreg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /s >>log.txt
    swreg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /s >>log.txt
    start notepad log.txt


    Save this as SWReg.bat, save it inside the SWReg folder as well.
    Double click SWReg.bat and the black cmd window will open and close, this is normal.

  3. Make sure both SWReg.exe and SWReg.bat are located next to each other for this to work.
  4. Now, double click on SWReg.bat to run the script.
  5. Once done, a Notepad log file will open, copy and paste that log back here.


Next,

Now open a new Notepad file, and input this into the Notepad file:

@echo off
rem 2>&1 sends error text to the log as well, so a failed command leaves a message instead of a blank file
net user HelpAssistant>"%userprofile%\desktop\log.txt" 2>&1
start notepad "%userprofile%\desktop\log.txt"
exit


Save this as fix.bat, save it to your desktop.
Double click fix.bat and the black cmd window will open and close, this is normal.



Copy and paste the 2 logs back here.

............................................................................................

Site Admin / Security Administrator


Re: Ebay/Paypal Problem
SteelWerX Registry Console Tool 3.0
Written by Bobbi Flekman 2006 (C)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist
ProfilesDirectory REG_EXPAND_SZ %SystemDrive%\Documents and Settings
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-18
Flags REG_DWORD 12 (0xc)
State REG_DWORD 0 (0x0)
RefCount REG_DWORD 1 (0x1)
Sid REG_BINARY 010100000000000512000000
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService
Sid REG_BINARY 010100000000000513000000
Flags REG_DWORD 9 (0x9)
State REG_DWORD 0 (0x0)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 858229908 (0x33278c94)
ProfileLoadTimeHigh REG_DWORD 30063002 (0x1cab99a)
RefCount REG_DWORD 3 (0x3)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService
Sid REG_BINARY 010100000000000514000000
Flags REG_DWORD 9 (0x9)
State REG_DWORD 0 (0x0)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 848386158 (0x3291586e)
ProfileLoadTimeHigh REG_DWORD 30063002 (0x1cab99a)
RefCount REG_DWORD 2 (0x2)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1214440339-602609370-682003330-1000
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant.JENSENS
Sid REG_BINARY 01050000000000051500000093e36248da16eb23828ba628e8030000
Flags REG_DWORD 1 (0x1)
State REG_DWORD 256 (0x100)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 1429914964 (0x553ac554)
ProfileLoadTimeHigh REG_DWORD 30061066 (0x1cab20a)
RefCount REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1214440339-602609370-682003330-1003
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Owner
Sid REG_BINARY 01050000000000051500000093e36248da16eb23828ba628eb030000
Flags REG_DWORD 0 (0x0)
State REG_DWORD 256 (0x100)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 1528698658 (0x5b1e1722)
ProfileLoadTimeHigh REG_DWORD 30063002 (0x1cab99a)
RefCount REG_DWORD 1 (0x1)
RunLogonScriptSync REG_DWORD 0 (0x0)
OptimizedLogonStatus REG_DWORD 11 (0xb)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1214440339-602609370-682003330-1006
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\QBDataServiceUser
Sid REG_BINARY 01050000000000051500000093e36248da16eb23828ba628ee030000
Flags REG_DWORD 1 (0x1)
State REG_DWORD 0 (0x0)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 998229908 (0x3b7fc794)
ProfileLoadTimeHigh REG_DWORD 30063002 (0x1cab99a)
RefCount REG_DWORD 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1214440339-602609370-682003330-1007
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant.JENSENS.000
Sid REG_BINARY 01050000000000051500000093e36248da16eb23828ba628ef030000
Flags REG_DWORD 1 (0x1)
State REG_DWORD 256 (0x100)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD -1266069296 (0xb48950d0)
ProfileLoadTimeHigh REG_DWORD 30062000 (0x1cab5b0)
RefCount REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1214440339-602609370-682003330-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator
Sid REG_BINARY 01050000000000051500000093e36248da16eb23828ba628f4010000
Flags REG_DWORD 0 (0x0)
State REG_DWORD 260 (0x104)
CentralProfile REG_SZ
ProfileLoadTimeLow REG_DWORD 666469788 (0x27b9859c)
ProfileLoadTimeHigh REG_DWORD 29996347 (0x1c9b53b)
RefCount REG_DWORD 0 (0x0)
RunLogonScriptSync REG_DWORD 0 (0x0)

SteelWerX Registry Console Tool 3.0
Written by Bobbi Flekman 2006 (C)

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll
Certificate REG_BINARY 01000000010000000100000006005c005253413148000000000200003f0000000100010089c288264ae933f4519421ce4634af44ffe6c4c5c23b5d448970d0e5f0cc10bb46e2915f8eaf15e973900f302492ae95d67cdf7943160331d2e1769c973138d600000000000000000800480000d4fb42b4a710b7a4cc933bbaae8589927b38cad56058d3c7493d2fad47e0ffe42fdbe87f01406aacdc44c01061e26c37c727ccf6fc79fdc0e3ea005f5c34410000000000000000
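The ProfileList dump above is the kind of output a responder normally reads by eye. As an added example for this thread (it is not part of the original posts, nor of the SteelWerX SWReg tool), the Python script below parses that "Name TYPE value" layout and flags the same thing the helper spotted: two HelpAssistant profile folders owned by two different SIDs. The sample dump is constructed, reusing the SIDs and ProfileImagePath values from this thread with the other values trimmed. The rule it applies is standard Windows profile behaviour: when a folder with the account's name already exists for a different SID, Windows creates the new profile folder with a .COMPUTERNAME suffix, and then .000, .001 and so on, so HelpAssistant.JENSENS and HelpAssistant.JENSENS.000 under different SIDs mean the HelpAssistant account was deleted and recreated more than once. The list of built-in accounts to watch (SERVICE_STYLE_ACCOUNTS) is an assumption of this example and can be extended.

```python
"""Flag suspicious entries in a Windows ProfileList registry dump.
Added example for this thread, not part of the posts or of SWReg."""
import re
from collections import defaultdict

# Constructed sample in the layout of the "swreg query ... /s" dump above.
# SIDs and ProfileImagePath values are the ones from this thread; other
# values have been trimmed because the checks below do not use them.
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist
ProfilesDirectory REG_EXPAND_SZ %SystemDrive%\Documents and Settings

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-18
Flags REG_DWORD 12 (0xc)
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1214440339-602609370-682003330-1000
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant.JENSENS
RefCount REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1214440339-602609370-682003330-1003
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Owner
RefCount REG_DWORD 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1214440339-602609370-682003330-1007
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HelpAssistant.JENSENS.000
RefCount REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1214440339-602609370-682003330-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator
RefCount REG_DWORD 0 (0x0)
"""

# Each per-profile subkey is named after the SID that owns the profile.
KEY_RE = re.compile(r"\\profilelist\\(S-1-5-[\d-]+)\s*$", re.IGNORECASE)
# Value lines look like:  ProfileImagePath REG_EXPAND_SZ %SystemDrive%\...
VALUE_RE = re.compile(r"^(\w+)\s+(REG_\w+)\s*(.*)$")
# Built-in accounts that should only own a profile if really logged on with.
# HelpAssistant is XP's Remote Assistance account (assumed watch-list).
SERVICE_STYLE_ACCOUNTS = {"helpassistant"}


def parse_profile_list(text):
    """Return {sid: {value_name: value_text}} for every per-SID subkey."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.search(line)
        if key:
            current = key.group(1)
            profiles[current] = {}
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:   # values under the parent key are skipped
            profiles[current][value.group(1)] = value.group(3).strip()
    return profiles


def split_profile_name(image_path):
    """'...\\HelpAssistant.JENSENS.000' -> ('HelpAssistant', ['JENSENS', '000'])."""
    folder = image_path.rstrip("\\").rsplit("\\", 1)[-1]
    base, *suffixes = folder.split(".")
    return base, suffixes


def find_suspicious_profiles(text):
    """Return sorted [(sid, folder, [reason, ...])] for entries worth a look."""
    profiles = parse_profile_list(text)
    names, sids_by_account = {}, defaultdict(list)
    for sid, values in profiles.items():
        path = values.get("ProfileImagePath")
        if path:
            names[sid] = split_profile_name(path)
            sids_by_account[names[sid][0].lower()].append(sid)

    findings = []
    for sid, (base, suffixes) in names.items():
        reasons = []
        if suffixes:
            # Windows appends .COMPUTERNAME, then .000, .001 ... when a folder
            # for this account name already belongs to a different SID.
            reasons.append("folder suffix .%s means the account was recreated "
                           "under a new SID" % ".".join(suffixes))
        owners = sids_by_account[base.lower()]
        if len(owners) > 1:
            reasons.append("%d SIDs own a profile for account name %s"
                           % (len(owners), base))
        if base.lower() in SERVICE_STYLE_ACCOUNTS:
            reasons.append("built-in account %s owns a profile; expected only "
                           "if Remote Assistance was actually used" % base)
        if reasons:
            findings.append((sid, ".".join([base] + suffixes), reasons))
    return sorted(findings)


if __name__ == "__main__":
    for sid, folder, reasons in find_suspicious_profiles(SAMPLE_DUMP):
        print(sid, folder)
        for reason in reasons:
            print("    -", reason)
```

Run it as-is to see the two HelpAssistant entries reported with their reasons, or replace SAMPLE_DUMP with the contents of a real log.txt produced by the SWReg.bat above. The Owner, Administrator and system profiles pass all three checks, which is the point: the script narrows a long dump to the handful of entries that need a human decision.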

Re: Ebay/Paypal Problem
When I double clicked on the fix.bat, it opened & closed like normal & opened a notepad file but it's blank...I have nothing to post from that.

Re: Ebay/Paypal Problem
Try this instead.

Now open a new Notepad file, and input this into the Notepad file:

@echo off
rem 2>&1 logs error text as well; the second command must append (>>) or it overwrites the first result
net user HelpAssistant.JENSENS>"%userprofile%\desktop\log.txt" 2>&1
net user HelpAssistant.JENSENS.000>>"%userprofile%\desktop\log.txt" 2>&1
start notepad "%userprofile%\desktop\log.txt"
exit


Save this as fix.bat, save it to your desktop.
Double click fix.bat and the black cmd window will open and close, this is normal.

............................................................................................

Site Admin / Security Administrator


Re: Ebay/Paypal Problem
Still a blank notepad.

Re: Ebay/Paypal Problem
I tried your last instructions but it still comes up with a blank notepad........

Re: Ebay/Paypal Problem
Hello.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Folders to delete:
C:\Documents and Settings\HelpAssistant.JENSENS
C:\Documents and Settings\HelpAssistant.JENSENS.000

Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1214440339-602609370-682003330-1000
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1214440339-602609370-682003330-1007



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

............................................................................................

Site Admin / Security Administrator


Re: Ebay/Paypal Problem
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "C:\Documents and Settings\HelpAssistant.JENSENS" deleted successfully.
Folder "C:\Documents and Settings\HelpAssistant.JENSENS.000" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1214440339-602609370-682003330-1000" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-1214440339-602609370-682003330-1007" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: Ebay/Paypal Problem
Well that worked. Hooray!

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?

............................................................................................

Site Admin / Security Administrator


Re: Ebay/Paypal Problem
It is doing much better! Thank you! One problem I have & have had for a long time...just haven't done anything about it is my monitor switches colors...it rarely has color...it's like a green or grey hue. Is there anything to fix it or do I just need a new monitor?

Re: Ebay/Paypal Problem
Probably a new monitor, the cable on it is dying.

............................................................................................

Site Admin / Security Administrator

