Unusably slow computer

Computer is 4 years old progressively getting slower, almost to stage it is now. Recently infected with AV security software, removed with Malware bytes. System is unusably slow now. Any help is greately appreciated.
Thanks,
Brandon

OTL.txt

OTL logfile created on: 7/15/2010 1:22:45 PM - Run 1
OTL by OldTimer - Version 3.2.9.0 Folder = C:\Documents and Settings\Owner\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

447.00 Mb Total Physical Memory | 305.00 Mb Available Physical Memory | 68.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 73.65 Gb Free Space | 49.41% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive K: | 120.57 Mb Total Space | 120.57 Mb Free Space | 100.00% Space Free | Partition Type: FAT32
Drive P: | 230.50 Gb Total Space | 211.93 Gb Free Space | 91.94% Space Free | Partition Type: NTFS
Drive V: | 230.50 Gb Total Space | 211.93 Gb Free Space | 91.94% Space Free | Partition Type: NTFS

Computer Name: BRANDON
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/12 10:02:25 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe
PRC - [2009/05/26 17:18:30 | 000,413,696 | ---- | M] (Apple Inc.) -- C:\Brandon\Programs\quick\QTTask.exe
PRC - [2008/10/14 22:38:56 | 000,623,992 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/11/15 16:22:34 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2007/07/17 09:57:40 | 000,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2005/07/01 16:55:00 | 000,331,776 | ---- | M] (Western Digital Technologies, Inc.) -- C:\WINDOWS\system32\WDBtnMgr.exe
PRC - [2004/10/27 16:40:24 | 000,102,400 | ---- | M] (KONICA MINOLTA BUSINESS TECHNOLOGIES, INC.) -- C:\Program Files\KONICA MINOLTA\FTP Utility\KMFtp.exe
PRC - [2003/12/11 05:09:34 | 000,046,592 | R--- | M] (Dantz Development Corporation) -- C:\Program Files\Dantz\Retrospect\wdsvc.exe
PRC - [2003/03/18 01:04:34 | 000,102,400 | ---- | M] () -- C:\Program Files\Century\TinyTERM\NetUtils\CenLPD.exe
PRC - [2002/09/09 11:38:16 | 000,102,400 | ---- | M] (Century Software) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cenlpdstatus.exe


========== Modules (SafeList) ==========

MOD - [2010/07/12 10:02:25 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\My Documents\Downloads\OTL.exe
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/03/18 13:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2007/11/15 16:22:34 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2006/11/13 08:32:42 | 000,237,568 | ---- | M] (Tridia Corporation) [On_Demand | Stopped] -- C:\Program Files\iTivity\bin\processor_od.exe -- (iTivityODController)
SRV - [2006/11/13 08:32:36 | 000,299,008 | ---- | M] (Tridia Corporation) [On_Demand | Stopped] -- C:\Program Files\iTivity\bin\connector_od.exe -- (iTivityODConnectToIASConnector)
SRV - [2006/11/13 08:32:36 | 000,299,008 | ---- | M] (Tridia Corporation) [On_Demand | Stopped] -- C:\Program Files\iTivity\bin\connector_od.exe -- (iTivityODConnector)
SRV - [2005/03/25 10:12:22 | 000,274,432 | ---- | M] (Tridia Corporation) [On_Demand | Stopped] -- C:\Program Files\iTivity\bin\rfbd.exe -- (tridiavnc)
SRV - [2004/10/07 08:29:01 | 000,074,360 | ---- | M] (Autodesk, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)
SRV - [2004/04/21 12:56:00 | 000,528,448 | ---- | M] (Tridia Corporation) [On_Demand | Stopped] -- C:\Program Files\iTivity\bin\ftpd.exe -- (TridiaFTPServer)
SRV - [2003/12/11 05:09:34 | 000,046,592 | R--- | M] (Dantz Development Corporation) [Auto | Running] -- C:\Program Files\Dantz\Retrospect\wdsvc.exe -- (RetroWDSvc)
SRV - [2003/03/18 01:04:34 | 000,102,400 | ---- | M] () [Auto | Running] -- C:\Program Files\Century\TinyTERM\NetUtils\CenLPD.exe -- (CenLPD)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\sunkfiltp.sys -- (Sunkfiltp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\LV302V32.SYS -- (PID_PEPI) Logitech QuickCam IM(PID_PEPI)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\lv302af.sys -- (pepifilter)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2008/04/13 13:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2006/03/09 16:29:00 | 003,650,368 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/08/04 00:41:35 | 000,606,684 | ---- | M] (LT) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ltmdmnt.sys -- (ltmodem5)
DRV - [2004/08/04 00:31:32 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/05/25 15:58:04 | 000,396,032 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvapu.sys -- (nvnforce) Service for NVIDIA(R) nForce(TM)
DRV - [2004/05/25 15:58:02 | 000,048,640 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvax.sys -- (nvax) Service for NVIDIA(R) nForce(TM)
DRV - [2004/04/30 09:37:02 | 000,160,640 | ---- | M] ( ) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\a347bus.sys -- (a347bus)
DRV - [2004/04/30 09:33:00 | 000,005,248 | ---- | M] ( ) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\a347scsi.sys -- (a347scsi)
DRV - [2004/03/22 14:27:20 | 000,042,936 | ---- | M] (Alcor Micro Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Sunkfilt39.sys -- (SunkFilt39)
DRV - [2004/03/22 14:01:38 | 000,040,564 | ---- | M] (Alcor Micro Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Sunkfilt.sys -- (SunkFilt)
DRV - [2003/11/13 21:19:48 | 000,210,304 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/13 21:18:36 | 000,679,808 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/13 21:17:00 | 001,042,816 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2003/08/15 21:22:16 | 000,072,771 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENET.sys -- (NVENET)
DRV - [2003/03/19 17:51:00 | 000,018,688 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\nv_agp.sys -- (nv_agp)
DRV - [2003/01/22 03:19:20 | 000,046,976 | ---- | M] (AOpen Inc ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AON325.sys -- (AON325)
DRV - [2002/08/29 04:27:50 | 000,086,912 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\atapi.sys -- (atapi)
DRV - [2001/08/17 16:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)
DRV - [1999/06/30 03:49:10 | 000,023,200 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\ppsio2.sys -- (ppsio2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.com/config/login?.page=p1&.partner=&.intl=us&.done=http%3a%2f%2fmy.yahoo.com%2findex.html&.src=my
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5577

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://login.yahoo.com/config/login?.page=p1&.partner=&.intl=us&.done=http%3a%2f%2fmy.yahoo.com%2findex.html&.src=my"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {5B52016C-D097-4aec-BE61-9F129D8FDDBA}:2.0
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.9
FF - prefs.js..extensions.enabledItems: {9BAE5926-8513-417d-8E47-774955A7C60D}:1.1.1d
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..network.proxy.http: "localhost"
FF - prefs.js..network.proxy.http_port: 9666
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - prefs.js..network.proxy.socks: "localhost"
FF - prefs.js..network.proxy.socks_port: 9050
FF - prefs.js..network.proxy.socks_remote_dns: true
FF - prefs.js..network.proxy.ssl: "localhost"
FF - prefs.js..network.proxy.ssl_port: 9666
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/30 08:22:25 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/14 10:40:13 | 000,000,000 | ---D | M]

[2010/02/12 12:23:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/07/15 09:35:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\extensions
[2010/07/15 09:11:09 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/03/04 11:16:08 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\extensions\{5B52016C-D097-4aec-BE61-9F129D8FDDBA}
[2010/04/06 08:49:12 | 000,000,000 | ---D | M] (FireFTP button) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\extensions\{9BAE5926-8513-417d-8E47-774955A7C60D}
[2010/06/30 14:31:44 | 000,000,000 | ---D | M] (FireFTP) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
[2010/07/15 09:26:18 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/12 09:52:38 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/07/12 09:52:22 | 000,423,656 | ---- | M] (Oracle) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2003/03/31 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe (Google)
O4 - HKLM..\Run: [iTivityODConnector] C:\Program Files\iTivity\bin\connector_od.exe (Tridia Corporation)
O4 - HKLM..\Run: [iTivityODController] C:\Program Files\iTivity\bin\processor_od.exe (Tridia Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Brandon\Programs\quick\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [tridiavnc] C:\Program Files\iTivity\bin\rfbd.exe (Tridia Corporation)
O4 - HKLM..\Run: [WD Button Manager] C:\WINDOWS\System32\WDBtnMgr.exe (Western Digital Technologies, Inc.)
O4 - HKLM..\Run: [WinVNC] C:\Program Files\iTivity\bin\rfbd.exe (Tridia Corporation)
O4 - HKCU..\Run: [btxedgbg] C:\Documents and Settings\Owner\Local Settings\Application Data\ppjtchyja\donnwrutssd.exe File not found
O4 - HKCU..\Run: [run] C:\Documents and Settings\Owner\Application Data\sp1\luapvs.dll File not found
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe (Autodesk, Inc)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cenlpdstatus.exe (Century Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\FTP Utility.lnk = C:\Program Files\KONICA MINOLTA\FTP Utility\KMFtp.exe (KONICA MINOLTA BUSINESS TECHNOLOGIES, INC.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll (Google Inc.)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Brandon\Programs\AIM\aim.exe (America Online, Inc.)
O9 - Extra Button: eBotsPrnSvc - {b234a570-7d2e-11d4-a4bd-0010a4c73bd0} - C:\Program Files\eBots\eBzLjtPrn.exe File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} http://scpwnb.ops.placeware.com/etc/place/NOVEMBER/SCNpws-b2/5.1.7.413/lib/quicksilver.cab (Quicksilver Class)
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} http://69.15.150.51/msrdp.cab (Microsoft RDP Client Control (redist))
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx (Get_ActiveX Control)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://www.popcap.com/games/popcaploader_v6.cab (Reg Error: Key error.)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://picsauditing.webex.com/client/T26L/support/ieatgpc.cab (GpcContainer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Web-Based Email Tools http://email.secureserver.net/Download.CAB (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\My Documents\My Pictures\dreambeach.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\My Documents\My Pictures\dreambeach.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/01/03 07:56:51 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk - C:\Program Files\BigFix\BigFix.exe - (BigFix Inc.)
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cenlpdstatus.exe - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cenlpdstatus.exe - (Century Software)
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE - (Microsoft Corporation)
MsConfig - StartUpReg: CHotkey - hkey= - key= - C:\WINDOWS\zHotkey.exe ()
MsConfig - StartUpReg: MSMSGS - hkey= - key= - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
MsConfig - StartUpReg: nForce Tray Options - hkey= - key= - File not found
MsConfig - StartUpReg: ShowWnd - hkey= - key= - C:\WINDOWS\ShowWnd.exe ()
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

SafeBootMin: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: UploadMgr - Service
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {02f78298-8af6-495c-9ecb-b6ae68678186} - KB867282
ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {04d6265d-6b5d-41c3-9e7c-48be15919643} - KB890923
ActiveX: {0D6119FC-C6A6-B834-F278-D5457E9DF379} - NetShow
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {2298d453-bcae-4519-bf33-1cbf3faf1524} - Q867801
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Macromedia Shockwave Director 10.1.1
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Macromedia Shockwave Director 10.1.1
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {377483c2-e4b4-4ee8-b577-9aed264c8735} - Q822925
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework
ActiveX: {3e7bb08a-a7a3-4692-8eac-ac5e7895755b} - KB834707
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015C} - Microsoft DirectX
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4d64f3ba-f112-4efe-a02e-96680859937c} - KB918899
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows script 5.6
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5b7bf89d-d196-4c32-a303-a57b8ab7f18d} - KB918439
ActiveX: {5c9ff2bf-938d-47fe-85d9-9dbab4f65018} - KB897715
ActiveX: {5f3c70b3-ac2f-432c-8f9c-1624df61f54f} - Microsoft Data Access Components KB870669
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {64A63121-9DB0-28F7-B190-69275C841E50} - Viewpoint Media Player
ActiveX: {689e5762-8d75-4346-90cf-bc1902c32d63} - KB896688
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {795d0712-722c-43ec-906a-fc5e678eada9} - Q831167
ActiveX: {79844cfb-ac65-4e10-a06a-c974234f40d0} - KB883939
ActiveX: {82ced0ff-a00d-4405-ba5f-ef4699159333} - KB896727
ActiveX: {839117ee-2132-4bae-a56a-42b50204c9b9} - KB889293
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {8ade8c02-8da6-4ec1-a9ee-ec00ff73ce98} - Internet Explorer Q903235
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {DBAB667D-FC8D-C42E-857F-BD7CCD9DC48C} - Q867801
ActiveX: {dd772a76-bef3-44d7-8b39-502c8504c1f1} - KB925486
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {DFE1FDD0-101D-C9A1-A462-6C935C65BD85} - Viewpoint Media Player
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: {f15ee071-deb7-4cbb-951f-431c98338d8e} - KB911567
ActiveX: {f5173cf0-1dfb-4978-8e50-a90169ee7ca9} - Q823353
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: Microsoft Base Smart Card Crypto Provider Package -

Drivers32: msacm.iac2 - C:\WINDOWS\System32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: VIDC.I420 - lvcodec2.dll File not found
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010/07/15 03:08:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/07/14 14:20:00 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[2010/07/14 10:39:19 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/07/13 10:54:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Aim
[2010/07/12 10:54:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2010/07/12 10:51:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2010/07/12 10:51:18 | 000,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2010/07/12 10:51:04 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2010/07/12 10:45:49 | 000,117,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\prntvpt.dll
[2010/07/12 10:45:48 | 000,597,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\printfilterpipelinesvc.exe
[2010/07/12 10:45:48 | 000,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\filterpipelineprintproc.dll
[2010/07/12 10:45:47 | 000,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpsshhdr.dll
[2010/07/12 10:45:46 | 001,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpssvcs.dll
[2010/07/12 10:45:46 | 001,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpssvcs.dll
[2010/07/12 10:45:44 | 000,000,000 | ---D | C] -- C:\6a1e773ff39b71f88bac16
[2010/07/12 10:20:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Windows Desktop Search
[2010/07/12 10:19:37 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Desktop Search
[2010/07/12 10:19:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\GroupPolicy
[2010/07/12 10:18:27 | 000,192,000 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\offfilt.dll
[2010/07/12 10:18:27 | 000,098,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\nlhtml.dll
[2010/07/12 10:18:27 | 000,029,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mimefilt.dll
[2010/07/12 09:52:37 | 000,423,656 | ---- | C] (Oracle) -- C:\WINDOWS\System32\deployJava1.dll
[2010/07/12 09:52:37 | 000,153,376 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javaws.exe
[2010/07/12 09:52:37 | 000,145,184 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javaw.exe
[2010/07/12 09:52:37 | 000,145,184 | ---- | C] (Oracle) -- C:\WINDOWS\System32\java.exe
[2010/07/12 09:52:37 | 000,073,728 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javacpl.cpl
[2010/07/12 09:52:15 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/07/02 08:36:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\ppjtchyja
[2010/07/01 13:57:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2010/07/01 13:57:31 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/07/01 13:57:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/07/01 13:57:29 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/06/29 18:37:15 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2005/10/27 15:31:50 | 000,160,640 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\a347bus.sys
[2005/10/27 15:31:50 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\a347scsi.sys
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/07/15 13:17:32 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1026034599-3939155063-2809091464-1003UA.job
[2010/07/15 13:04:08 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/07/15 11:20:23 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/07/15 09:38:04 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/07/15 09:38:04 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/07/15 09:08:09 | 000,000,456 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\STEW KITS on Kennydell.lnk
[2010/07/15 09:08:01 | 000,015,522 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\bluecreekcave.jpg
[2010/07/15 03:38:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/07/15 03:03:53 | 000,583,930 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/07/15 03:03:53 | 000,504,948 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/07/15 03:03:53 | 000,086,972 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/07/15 01:17:00 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1026034599-3939155063-2809091464-1003Core.job
[2010/07/14 23:03:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/07/14 21:38:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/07/14 15:38:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/07/14 10:40:15 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/07/14 10:37:04 | 000,049,871 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/07/14 10:36:39 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/14 10:36:36 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/14 10:36:33 | 469,291,008 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/14 10:35:25 | 008,126,464 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2010/07/14 10:35:25 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/07/14 10:35:16 | 002,642,226 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2010/07/14 09:38:04 | 001,655,607 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\pat green tickets.pdf
[2010/07/14 03:10:49 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/07/13 10:02:01 | 000,000,086 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Buy jv16 PowerTools.url
[2010/07/13 10:00:48 | 000,000,022 | -HS- | M] () -- C:\Documents and Settings\Owner\Application Data\Sys6925.Config Collection.sys
[2010/07/13 10:00:48 | 000,000,022 | -HS- | M] () -- C:\WINDOWS\Sys3390 SettingsCollection.bin
[2010/07/13 10:00:40 | 000,001,589 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\jv16 PowerTools 2010.lnk
[2010/07/13 10:00:40 | 000,001,571 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\jv16 PowerTools 2010.lnk
[2010/07/13 08:22:09 | 000,121,216 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/07/12 12:59:29 | 000,388,792 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/07/12 10:20:00 | 000,001,787 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
[2010/07/12 10:08:42 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/12 09:52:21 | 000,423,656 | ---- | M] (Oracle) -- C:\WINDOWS\System32\deployJava1.dll
[2010/07/12 09:52:21 | 000,153,376 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javaws.exe
[2010/07/12 09:52:21 | 000,145,184 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javaw.exe
[2010/07/12 09:52:21 | 000,145,184 | ---- | M] (Oracle) -- C:\WINDOWS\System32\java.exe
[2010/07/12 09:52:21 | 000,073,728 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javacpl.cpl
[2010/07/09 16:16:53 | 000,066,001 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\team deez 1.75in.dxf
[2010/07/09 16:02:54 | 000,066,048 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\arc stencils.xls
[2010/07/09 14:29:08 | 000,354,414 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Proco.pdf
[2010/07/09 14:23:17 | 002,236,212 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\hosemaster.pdf
[2010/07/07 16:09:38 | 000,000,415 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Contracts.xls.lnk
[2010/07/07 16:09:29 | 000,000,439 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\All Computer info.xls.lnk
[2010/07/06 08:19:21 | 000,002,284 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Google Chrome.lnk
[2010/07/06 08:19:21 | 000,002,262 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/07/01 13:57:34 | 000,000,850 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/30 14:44:34 | 000,011,300 | -HS- | M] () -- C:\WINDOWS\System32\.winconf
[2010/06/28 13:34:22 | 000,000,500 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Negative Reports.lnk
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/15 09:08:01 | 000,015,522 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\bluecreekcave.jpg
[2010/07/14 10:40:14 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/07/14 09:38:04 | 001,655,607 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\pat green tickets.pdf
[2010/07/14 03:07:27 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010/07/13 10:02:01 | 000,000,086 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Buy jv16 PowerTools.url
[2010/07/13 10:00:48 | 000,000,022 | -HS- | C] () -- C:\Documents and Settings\Owner\Application Data\Sys6925.Config Collection.sys
[2010/07/13 10:00:48 | 000,000,022 | -HS- | C] () -- C:\WINDOWS\Sys3390 SettingsCollection.bin
[2010/07/13 10:00:40 | 000,001,589 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\jv16 PowerTools 2010.lnk
[2010/07/13 10:00:40 | 000,001,571 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\jv16 PowerTools 2010.lnk
[2010/07/13 08:20:00 | 469,291,008 | -HS- | C] () -- C:\hiberfil.sys
[2010/07/12 10:20:00 | 000,001,787 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
[2010/07/12 09:46:00 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/07/09 16:16:53 | 000,066,001 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\team deez 1.75in.dxf
[2010/07/09 14:29:08 | 000,354,414 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Proco.pdf
[2010/07/09 14:23:17 | 002,236,212 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\hosemaster.pdf
[2010/07/07 16:09:38 | 000,000,415 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Contracts.xls.lnk
[2010/07/07 16:09:29 | 000,000,439 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\All Computer info.xls.lnk
[2010/07/01 13:57:34 | 000,000,850 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/28 13:34:22 | 000,000,500 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Negative Reports.lnk
[2010/04/06 12:34:29 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\omnithread_rt.dll
[2009/11/11 17:38:19 | 000,000,393 | ---- | C] () -- C:\WINDOWS\ETCWIN.INI
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/08/20 19:26:52 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2007/08/20 19:26:52 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2007/08/15 17:33:14 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/08/15 17:30:26 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2007/05/30 15:02:35 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2006/03/09 16:29:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/03/09 16:29:00 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/03/09 16:29:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/03/09 16:29:00 | 000,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/03/09 16:29:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/03/09 16:29:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/03/09 16:29:00 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2005/12/21 15:21:51 | 000,000,036 | ---- | C] () -- C:\WINDOWS\iltwain.ini
[2005/12/21 15:21:50 | 000,000,056 | ---- | C] () -- C:\WINDOWS\Addrfixr.ini
[2005/12/21 15:21:17 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\DYMOCFG.DLL
[2005/12/21 15:21:16 | 000,005,604 | ---- | C] () -- C:\WINDOWS\System32\dymourl.ini
[2005/10/12 11:26:20 | 000,000,103 | ---- | C] () -- C:\WINDOWS\System32\hptrace.ini
[2005/10/12 11:22:15 | 000,003,564 | ---- | C] () -- C:\WINDOWS\hpdj5100.ini
[2005/09/16 15:23:37 | 000,000,615 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2005/09/07 17:45:07 | 000,001,125 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2005/05/23 13:54:31 | 000,000,084 | ---- | C] () -- C:\WINDOWS\opt_2460.ini
[2005/05/23 13:54:31 | 000,000,055 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2005/05/23 13:44:25 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\BROSNMP.DLL
[2005/05/23 08:23:33 | 000,000,066 | ---- | C] () -- C:\WINDOWS\JcAdmin32.ini
[2005/05/23 08:21:38 | 000,000,027 | ---- | C] () -- C:\WINDOWS\EZSET_SP.INI
[2005/05/02 13:56:42 | 000,001,613 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2005/05/02 13:56:42 | 000,000,410 | ---- | C] () -- C:\WINDOWS\brwmark.ini
[2005/05/02 13:56:42 | 000,000,152 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2005/05/02 13:56:42 | 000,000,052 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2005/05/02 13:30:11 | 000,027,263 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2005/02/22 16:21:58 | 000,000,052 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2005/02/17 10:05:05 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\cdTextCtl.dll
[2004/12/03 17:43:25 | 000,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2004/11/17 15:56:40 | 000,023,200 | ---- | C] () -- C:\WINDOWS\System32\drivers\ppsio2.sys
[2004/11/17 15:56:27 | 000,000,082 | ---- | C] () -- C:\WINDOWS\calera.ini
[2004/11/17 15:52:46 | 000,001,184 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2004/11/15 11:05:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\mtstack16.INI
[2004/10/05 09:10:21 | 000,003,890 | ---- | C] () -- C:\WINDOWS\System32\SETUP.INI
[2004/10/05 08:34:09 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2004/10/04 16:20:30 | 000,000,479 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/03/26 09:19:44 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\LXBLLCNP.DLL
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2003/01/03 09:44:52 | 000,532,544 | ---- | C] () -- C:\WINDOWS\PIC.dll
[2003/01/03 09:44:52 | 000,024,576 | ---- | C] () -- C:\WINDOWS\HKNTDLL.dll
[2003/01/03 09:32:53 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/01/03 09:07:48 | 000,086,912 | ---- | C] () -- C:\WINDOWS\System32\drivers\atapi.sys
[2003/01/03 08:08:51 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/01/03 06:42:37 | 000,018,253 | ---- | C] () -- C:\WINDOWS\System32\ssnvfx.ini
[2003/01/03 06:42:32 | 000,001,212 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/01/03 06:42:32 | 000,000,456 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2002/11/13 10:40:22 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxblvs.dll
[2002/03/04 10:16:34 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll
[1999/01/22 08:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== Custom Scans ==========


< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/04/13 19:12:00 | 001,384,479 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\msvbvm60.dll
[8 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.exe /lockedfiles >
[8 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2002/08/29 04:27:50 | 000,086,912 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\atapi.sys

< %systemroot%\System32\config\*.sav >
[2003/01/02 23:48:06 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2003/01/02 23:48:06 | 000,602,112 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2003/01/02 23:48:06 | 000,409,600 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\*.sys >
[2003/03/31 07:00:00 | 000,009,029 | ---- | M] () -- C:\WINDOWS\system32\ansi.sys
[2003/03/31 07:00:00 | 000,027,097 | ---- | M] () -- C:\WINDOWS\system32\country.sys
[2003/03/31 07:00:00 | 000,004,768 | ---- | M] () -- C:\WINDOWS\system32\himem.sys
[2003/03/31 07:00:00 | 000,042,809 | ---- | M] () -- C:\WINDOWS\system32\key01.sys
[2003/03/31 07:00:00 | 000,042,537 | ---- | M] () -- C:\WINDOWS\system32\keyboard.sys
[2003/03/31 07:00:00 | 000,027,866 | ---- | M] () -- C:\WINDOWS\system32\ntdos.sys
[2003/03/31 07:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos404.sys
[2003/03/31 07:00:00 | 000,029,370 | ---- | M] () -- C:\WINDOWS\system32\ntdos411.sys
[2003/03/31 07:00:00 | 000,029,274 | ---- | M] () -- C:\WINDOWS\system32\ntdos412.sys
[2003/03/31 07:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos804.sys
[2004/05/17 17:43:02 | 000,033,840 | ---- | M] () -- C:\WINDOWS\system32\ntio.sys
[2004/05/17 17:43:07 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio404.sys
[2004/05/17 17:43:04 | 000,035,648 | ---- | M] () -- C:\WINDOWS\system32\ntio411.sys
[2004/05/17 17:43:09 | 000,035,424 | ---- | M] () -- C:\WINDOWS\system32\ntio412.sys
[2004/05/17 17:43:06 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio804.sys
[2008/04/13 13:44:59 | 000,017,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\watchdog.sys
[2010/05/02 00:22:50 | 001,851,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys
[8 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\drivers\*.dll >
[2008/04/13 19:11:48 | 000,004,255 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv01nt5.dll
[2008/04/13 19:11:48 | 000,003,967 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv02nt5.dll
[2008/04/13 19:11:48 | 000,003,615 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv05nt5.dll
[2008/04/13 19:11:48 | 000,003,647 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv07nt5.dll
[2008/04/13 19:11:48 | 000,003,135 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv08nt5.dll
[2008/04/13 19:11:48 | 000,003,711 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv09nt5.dll
[2008/04/13 19:11:48 | 000,003,775 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv11nt5.dll
[2008/04/13 19:11:50 | 000,021,183 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv01nt5.dll
[2008/04/13 19:11:50 | 000,011,359 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv02nt5.dll
[2008/04/13 19:11:50 | 000,025,471 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv04nt5.dll
[2008/04/13 19:11:50 | 000,014,143 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv06nt5.dll
[2008/04/13 19:11:50 | 000,017,279 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv10nt5.dll
[2008/04/13 19:11:50 | 000,015,423 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\ch7xxnt5.dll
[2008/04/13 19:12:05 | 000,003,901 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\siint5.dll
[2008/04/13 19:12:08 | 000,011,325 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\vchnt5.dll

< %systemroot%\system32\drivers\*.ini >

< %systemroot%\system32\drivers\*.exe >

< %SYSTEMDRIVE%\*.* >
[2010/07/14 03:32:20 | 000,009,628 | ---- | M] () -- C:\aaw7boot.log
[2003/01/03 07:56:51 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2007/11/15 10:43:07 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2003/01/03 07:56:51 | 000,000,000 | RHS- | M] () -- C:\CONFIG.SYS
[2007/09/21 14:55:15 | 000,000,055 | ---- | M] () -- C:\DVDPATH.TXT
[2010/07/14 10:36:33 | 469,291,008 | -HS- | M] () -- C:\hiberfil.sys
[2003/01/03 07:56:51 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2003/01/03 08:27:58 | 000,000,919 | -H-- | M] () -- C:\IPH.PH
[2010/07/12 09:58:37 | 000,013,618 | ---- | M] () -- C:\JavaRa.log
[2008/02/19 10:37:09 | 000,000,478 | ---- | M] () -- C:\LOG173.log
[2009/10/08 14:06:42 | 000,001,130 | ---- | M] () -- C:\lxbl.log
[2003/01/03 07:56:51 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2005/08/10 23:30:48 | 000,000,878 | ---- | M] () -- C:\new_log.html
[2007/11/15 10:37:24 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2009/04/20 15:13:24 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/07/14 10:36:30 | 704,643,072 | -HS- | M] () -- C:\pagefile.sys
[1 C:\*.tmp files -> C:\*.tmp -> ]

< %PROGRAMFILES%\*. >
[2010/02/12 11:54:23 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2003/01/04 01:51:03 | 000,000,000 | ---D | M] -- C:\Program Files\Ahead
[2004/10/07 08:28:07 | 000,000,000 | ---D | M] -- C:\Program Files\AnswerWorks 4.0
[2008/12/22 10:47:50 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2005/10/10 13:43:42 | 000,000,000 | ---D | M] -- C:\Program Files\AppsPro
[2004/10/07 08:28:48 | 000,000,000 | ---D | M] -- C:\Program Files\AutoCAD 2005
[2004/10/07 08:29:05 | 000,000,000 | ---D | M] -- C:\Program Files\Autodesk
[2004/10/05 08:45:08 | 000,000,000 | ---D | M] -- C:\Program Files\AWS
[2003/01/03 08:58:48 | 000,000,000 | ---D | M] -- C:\Program Files\BigFix
[2009/06/12 10:12:29 | 000,000,000 | ---D | M] -- C:\Program Files\Bonjour
[2005/05/23 13:44:33 | 000,000,000 | ---D | M] -- C:\Program Files\Brother
[2004/10/07 08:07:23 | 000,000,000 | ---D | M] -- C:\Program Files\Century
[2009/11/12 11:19:01 | 000,000,000 | ---D | M] -- C:\Program Files\Citrix
[2010/02/26 13:04:33 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2003/01/02 23:51:28 | 000,000,000 | ---D | M] -- C:\Program Files\CONEXANT
[2003/01/03 08:41:03 | 000,000,000 | ---D | M] -- C:\Program Files\CyberLink
[2004/10/11 11:26:00 | 000,000,000 | ---D | M] -- C:\Program Files\D-Link
[2005/07/01 16:54:42 | 000,000,000 | ---D | M] -- C:\Program Files\Dantz
[2003/01/03 09:43:11 | 000,000,000 | ---D | M] -- C:\Program Files\Digital Media Reader
[2010/03/30 14:18:42 | 000,000,000 | ---D | M] -- C:\Program Files\DYMO
[2010/04/06 09:24:09 | 000,000,000 | ---D | M] -- C:\Program Files\DYMO Label
[2010/03/30 14:23:32 | 000,000,000 | ---D | M] -- C:\Program Files\DYMO LabelWriter Drivers
[2005/12/21 16:58:02 | 000,000,000 | ---D | M] -- C:\Program Files\eBots
[2010/03/18 14:24:10 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2010/04/01 15:50:03 | 000,000,000 | ---D | M] -- C:\Program Files\GPS Utility
[2010/04/06 12:33:41 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2010/07/12 11:21:45 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2010/04/06 12:34:25 | 000,000,000 | ---D | M] -- C:\Program Files\iTivity
[2010/07/12 09:52:15 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2008/02/21 12:05:51 | 000,000,000 | ---D | M] -- C:\Program Files\KONICA MINOLTA
[2003/01/03 08:27:48 | 000,000,000 | ---D | M] -- C:\Program Files\Learn2.com
[2007/02/20 11:57:04 | 000,000,000 | ---D | M] -- C:\Program Files\MarKen
[2009/04/20 15:29:18 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2005/10/10 13:39:39 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft ActiveSync
[2004/10/05 08:21:49 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2003/01/03 08:32:44 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Money
[2010/02/11 15:45:37 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2003/01/03 08:57:30 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Picture It! 9
[2004/10/05 08:24:42 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Visual Studio
[2003/01/03 08:40:03 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Works
[2010/07/12 12:49:12 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft.NET
[2010/03/10 04:03:11 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2010/06/30 08:22:36 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2010/07/12 10:51:18 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2010/02/11 15:44:48 | 000,000,000 | ---D | M] -- C:\Program Files\MSECache
[2003/01/03 07:54:02 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2003/01/03 08:09:38 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Encarta Plus
[2003/01/03 07:53:53 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2007/03/28 08:56:55 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2009/04/20 15:15:20 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2010/02/25 10:41:44 | 000,000,000 | ---D | M] -- C:\Program Files\Norton AntiVirus
[2003/01/03 07:55:30 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2010/05/12 03:17:04 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2009/08/20 18:48:58 | 000,000,000 | ---D | M] -- C:\Program Files\Qantel Technologies Inc
[2008/04/27 09:17:58 | 000,000,000 | ---D | M] -- C:\Program Files\Real
[2010/07/12 10:51:04 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2010/02/26 13:05:22 | 000,000,000 | ---D | M] -- C:\Program Files\Symantec
[2005/07/13 11:06:14 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2003/01/03 08:27:48 | 000,000,000 | ---D | M] -- C:\Program Files\Viewpoint
[2004/11/17 16:13:36 | 000,000,000 | ---D | M] -- C:\Program Files\Visioneer OneTouch
[2010/07/14 03:32:20 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Desktop Search
[2007/12/07 11:24:05 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2009/04/20 15:15:11 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2009/04/20 15:15:08 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2005/06/23 14:01:35 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2003/01/03 07:57:02 | 000,000,000 | ---D | M] -- C:\Program Files\xerox

< %appdata%\*.* >
[2003/01/02 23:49:29 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\Owner\Application Data\desktop.ini
[2010/07/13 10:00:48 | 000,000,022 | -HS- | M] () -- C:\Documents and Settings\Owner\Application Data\Sys6925.Config Collection.sys
[2009/10/06 08:23:03 | 000,000,496 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\wklnhst.dat


< MD5 for: AGP440.SYS >
[2007/11/15 10:34:38 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/04/20 15:07:18 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2007/11/15 10:34:38 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2009/04/20 15:07:18 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 01:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2004/08/04 01:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\i386\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2003/03/31 07:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2007/11/15 10:34:38 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/04/20 15:07:18 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2003/03/31 07:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp1.cab:atapi.sys
[2007/11/15 10:34:38 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2009/04/20 15:07:18 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2003/03/31 07:00:00 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/04 00:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2002/08/29 04:27:50 | 000,086,912 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: DISK.SYS >
[2003/03/31 07:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:disk.sys
[2007/11/15 10:34:38 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:disk.sys
[2009/04/20 15:07:18 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2003/03/31 07:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp1.cab:disk.sys
[2007/11/15 10:34:38 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:disk.sys
[2009/04/20 15:07:18 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:disk.sys
[2004/08/04 00:59:54 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=00CA44E4534865F8A3B64F7C0984BFF0 -- C:\WINDOWS\$NtServicePackUninstall$\disk.sys
[2008/04/13 13:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\ServicePackFiles\i386\disk.sys
[2008/04/13 13:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 02:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 02:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: NVATABUS.SYS >
[2003/09/02 18:51:00 | 000,054,656 | ---- | M] (NVIDIA Corporation) MD5=04EF5690AC54924CF745A4A2D1FBF9C1 -- C:\Drivers\System\IDE\Win2K\NvAtaBus.sys

< MD5 for: SCECLI.DLL >
[2004/08/04 02:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USBSTOR.SYS >
[2003/03/31 07:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:usbstor.sys
[2007/11/15 10:34:38 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:usbstor.sys
[2009/04/20 15:07:18 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:usbstor.sys
[2003/03/31 07:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp1.cab:usbstor.sys
[2007/11/15 10:34:38 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:usbstor.sys
[2009/04/20 15:07:18 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:usbstor.sys
[2004/08/04 01:08:46 | 000,026,496 | ---- | M] (Microsoft Corporation) MD5=6CD7B22193718F1D17A47A1CD6D37E75 -- C:\WINDOWS\$NtServicePackUninstall$\usbstor.sys
[2008/04/13 13:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\ServicePackFiles\i386\usbstor.sys
[2008/04/13 13:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\drivers\usbstor.sys

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-07-15 08:10:28

========== Alternate Data Streams ==========

@Alternate Data Stream - 2956 bytes -> C:\WINDOWS\System32\OEMLOGO.BMP:Q30lsldxJoudresxAaaqpcawXc
< End of report >

OTL Extras logfile created on: 7/15/2010 1:22:45 PM - Run 1
OTL by OldTimer - Version 3.2.9.0 Folder = C:\Documents and Settings\Owner\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

447.00 Mb Total Physical Memory | 305.00 Mb Available Physical Memory | 68.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 73.65 Gb Free Space | 49.41% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive K: | 120.57 Mb Total Space | 120.57 Mb Free Space | 100.00% Space Free | Partition Type: FAT32
Drive P: | 230.50 Gb Total Space | 211.93 Gb Free Space | 91.94% Space Free | Partition Type: NTFS
Drive V: | 230.50 Gb Total Space | 211.93 Gb Free Space | 91.94% Space Free | Partition Type: NTFS

Computer Name: BRANDON
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Brandon\Programs\Winamp\Winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Brandon\Programs\Winamp\Winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Brandon\Programs\Winamp\Winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"7303:UDP" = 7303:UDP:*:Enabled:Control Center UDP Port

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\KONICA MINOLTA\FTP Utility\KMFtp.exe" = C:\Program Files\KONICA MINOLTA\FTP Utility\KMFtp.exe:*:Enabled:KONICA MINOLTA FTP Utility -- (KONICA MINOLTA BUSINESS TECHNOLOGIES, INC.)
"C:\Program Files\Microsoft Office\OFFICE11\MSACCESS.EXE" = C:\Program Files\Microsoft Office\OFFICE11\MSACCESS.EXE:*:Enabled:Microsoft Office Access -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE" = C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE:*:Enabled:Microsoft Office Word -- (Microsoft Corporation)
"C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk -- (Google)
"C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll" = C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll:*:Enabled:Google Talk Plugin -- (Google)
"C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)
"C:\Program Files\DYMO\LabelWriter Print Server\Control Center.exe" = C:\Program Files\DYMO\LabelWriter Print Server\Control Center.exe:*:Enabled:Control Center -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{135740AF-5662-4ABD-8CAA-389AAB164E01}" = iTivity Support Agent
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1D643CD7-4DD6-11D7-A4E0-000874180BB3}" = Microsoft Money 2004
"{215FDF43-02B0-49D5-817F-FAA48ECF59D9}" = Qantel QIC-PC II (x86)
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java(TM) 6 Update 21
"{26B878A8-5704-3B64-BDBC-4F0EACA38121}" = Google Talk Plugin
"{2EAF7E61-068E-11DF-953C-005056806466}" = Google Earth
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{49FC50FC-F965-40D9-89B4-CBFF80941033}" = Windows Movie Maker 2.0
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5783F2D7-0301-0409-0002-0060B0CE6BBA}" = AutoCAD 2005 - English
"{597E70FF-7C46-4EED-8092-91B7C2E0529D}" = Google SketchUp 7
"{65FA5E6D-B3D7-46D9-9571-CBBA1968346B}" = FileMaker Pro 7
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{73B69C5C-87D6-471E-B695-0BD736C4B644}" = Retrospect 6.5
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}" = Digital Media Reader
"{8355F970-601D-442D-A79B-1D7DB4F24CAD}" = Apple Mobile Device Support
"{84F1DE76-C48C-4281-87A0-CC9548D1E7F9}" = Rhapsody Player Engine
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8C64E145-54BA-11D6-91B1-00500462BE80}" = Microsoft Money 2004 System Pack
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{98736A65-3C79-49EC-B7E9-A3C77774B0E6}" = Google SketchUp 6
"{9DE3F260-B88E-42CE-90E7-73C78C37D95E}" = 32 Bit HP BiDi Channel Components Installer
"{A17EABB6-D0C6-44E5-820C-72DC7F495064}" = PaperPort
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5EC243A-AAB4-4AF0-85A5-07F9F4618353}" = FTP Utility
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-1033-0000-7760-000000000003}" = Adobe Acrobat 8 Professional
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.3
"{AD88355B-A4E0-4DA1-BAC3-EA4FEA930691}" = Ipswitch WS_FTP Professional 2006
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}" = Google SketchUp 6
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C18FA14C-8338-471F-856A-970EE36A9EF9}" = eBizBots Printer Services
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE16D92B-50F3-4FC5-B29C-13FAFEE1A6C6}" = DYMO LabelWriter Drivers
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D050D7362D214723AD585B541FFB6C11}" = DivX Content Uploader
"{DBA8B9E1-C6FF-4624-9598-73D3B41A0903}" = Microsoft Picture It! Photo Premium 9
"{E9F81423-211E-46B6-9AE0-38568BC5CF6F}" =
"{F2BB456F-C07B-4EDE-975F-4D6DED19750A}" = 530TX
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F598E260-A067-11D4-8F18-00D0B740B228}" = Compaq Commercial Monitor INF/ ICM Software
"{FF262740-C85A-11D5-BBEC-00D0B740900A}" = Multimedia Keyboard Driver
"ActiveTouchMeetingClient" = WebEx
"Adobe Acrobat 8 Professional" = Adobe Acrobat 8.1.4 Professional
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Autodesk DWF Viewer" = Autodesk DWF Viewer
"CADViewXLite7_is1" = Soft Gold
"Click'N Design 3D (V5)" = Click'N Design 3D (V5)
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1" = SoftV92 Data Fax Modem with SmartCP
"Crayon Physics Deluxe_is1" = Crayon Physics Deluxe - release 52
"Excel Utilities 1.5" = Excel Utilities 1.5
"Font FX Version 2.50" = Font FX Version 2.50
"Google Updater" = Google Updater
"GoogleVideoPlayer" = Google Video Player
"GPS Utility_is1" = GPSU version 5.04
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}" = Digital Media Reader
"InstallShield_{A5EC243A-AAB4-4AF0-85A5-07F9F4618353}" = FTP Utility
"InstallShield_{F2BB456F-C07B-4EDE-975F-4D6DED19750A}" = DFE-530TX Driver
"jv16 PowerTools 2010" = jv16 PowerTools 2010
"Lexmark Z700-P700 Series" = Lexmark Z700-P700 Series
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Office Live Meeting" = Microsoft Office Live Meeting
"Mozilla Firefox (3.6.6)" = Mozilla Firefox (3.6.6)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Nero - Burning Rom!UninstallKey" = Nero OEM
"Nero BurnRights!UninstallKey" = Nero BurnRights
"NetUtils" = NetUtils
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Picasa 3" = Picasa 3
"PictureIt_v9" = Microsoft Picture It! Photo Premium 9
"Q903235" = Internet Explorer Q903235
"Remington Shoot!" = Remington Shoot!
"ST6UNST #1" = MarKen
"StreetPlugin" = Learn2 Player (Uninstall Only)
"TinyTERM Plus Edition" = TinyTERM Plus Edition
"ViewpointMediaPlayer" = Viewpoint Media Player
"Visioneer 8100 Scanner, One Touch V2.2" = Visioneer 8100 Scanner, One Touch V2.2
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"GoToMeeting" = GoToMeeting 4.1.0.366

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/13/2010 10:40:36 AM | Computer Name = BRANDON | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 7/13/2010 4:39:34 PM | Computer Name = BRANDON | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 7/14/2010 4:32:58 AM | Computer Name = BRANDON | Source = .NET Runtime Optimization Service | ID = 1103
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Tried to start a service that wasn't the latest version of CLR Optimization service.
Will shutdown

Error - 7/14/2010 4:39:09 AM | Computer Name = BRANDON | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 7/14/2010 10:47:30 AM | Computer Name = BRANDON | Source = Application Hang | ID = 1002
Description = Hanging application msimn.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/14/2010 1:40:13 PM | Computer Name = BRANDON | Source = Application Hang | ID = 1002
Description = Hanging application msimn.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/14/2010 1:48:46 PM | Computer Name = BRANDON | Source = Application Hang | ID = 1002
Description = Hanging application msimn.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/15/2010 9:28:37 AM | Computer Name = BRANDON | Source = Application Hang | ID = 1002
Description = Hanging application msimn.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/15/2010 10:34:03 AM | Computer Name = BRANDON | Source = Application Hang | ID = 1002
Description = Hanging application msimn.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/15/2010 1:41:17 PM | Computer Name = BRANDON | Source = Application Hang | ID = 1002
Description = Hanging application msimn.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 7/12/2010 4:17:28 PM | Computer Name = BRANDON | Source = Service Control Manager | ID = 7001
Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

Error - 7/12/2010 4:17:28 PM | Computer Name = BRANDON | Source = Service Control Manager | ID = 7001
Description = The Bonjour Service service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

Error - 7/12/2010 4:17:28 PM | Computer Name = BRANDON | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 7/12/2010 4:17:28 PM | Computer Name = BRANDON | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD AmdK7 Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

Error - 7/12/2010 4:17:40 PM | Computer Name = BRANDON | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 7/12/2010 4:17:57 PM | Computer Name = BRANDON | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 7/13/2010 9:19:05 AM | Computer Name = BRANDON | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 7/13/2010 11:59:57 AM | Computer Name = BRANDON | Source = Server | ID = 2505
Description = The server could not bind to the transport \Device\NetbiosSmb because
another computer on the network has the same name. The server could not start.

Error - 7/14/2010 11:26:47 AM | Computer Name = BRANDON | Source = Service Control Manager | ID = 7031
Description = The Lavasoft Ad-Aware Service service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 5000
milliseconds: Restart the service.

Error - 7/14/2010 11:26:56 AM | Computer Name = BRANDON | Source = Service Control Manager | ID = 7031
Description = The Lavasoft Ad-Aware Service service terminated unexpectedly. It
has done this 2 time(s). The following corrective action will be taken in 5000
milliseconds: Restart the service.


< End of report >

Welcome to GeekPolice Forums! I'm Crush but, you can call me Chris too and I will be helping you with your Malware issues.

A few things to keep in mind as we progress:

1. We are all volunteer staff here so we log in and assess threads when real life, work, family, and other obligations permit. Additionally, we are located all over the world. There may be a bit of a time delay due to this.

2. Malware Removal threads are very time intensive. Each entry must be researched until it can be said with 100% certainty whether or not it can stay or needs to be removed. Sometimes additional work is needed to weed out suspect entries

3. This may turn into a long ordeal but, rest assured we will stay with you until you are completely disinfected.

4. Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer. Do not run any tools unless specifically asked to by a member of one of these usergroups

5. If you are not the original poster of this thread DO NOT run any fixes given to the poster in this thread. They are all custom tailored specifically to this user. It could prove to be disastrous.

6. Please keep responding until I give you the "All Clear". Absence of symptoms does not mean that everything is clear.

7. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

8. If you have any questions or issues please stop and ask! We are all here to help.

---

IMPORTANT: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.


If you follow these instructions, everything should go smoothly .

Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

To do this click , then click Preferences. Make sure Always notify me of replies is set to Yes

---

With that out of the way:

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
  
• Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

• Click on Yes, to continue scanning for malware.
  
• When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
  

ComboFix 10-07-15.01 - Owner 07/15/2010 15:44:01.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.211 [GMT -5:00]
Running from: c:\documents and settings\Owner\desktop\commy.exe
Command switches used :: /stepdel
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\hack
c:\documents and settings\Owner\GoToAssistDownloadHelper.exe
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\Sys5889.Data Repository.sys
C:\LOG173.tmp
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\hack\OEMLINK\OEM1.reg
c:\windows\system32\hack\OEMLINK\OEM2.reg
c:\windows\system32\hack\OEMLINK\OEM3.reg
c:\windows\system32\setup.ini
c:\windows\system32\SHELLLNK.TLB
c:\windows\system32\sstray.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-06-15 to 2010-07-15 )))))))))))))))))))))))))))))))
.

2010-07-14 19:20 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-13 15:54 . 2010-07-13 15:54 -------- d-----w- c:\documents and settings\Owner\Application Data\Aim
2010-07-13 15:00 . 2010-07-13 15:00 22 --sha-w- c:\windows\Sys3390 SettingsCollection.bin
2010-07-13 15:00 . 2010-07-13 15:00 22 --sha-w- c:\documents and settings\Owner\Application Data\Sys6925.Config Collection.sys
2010-07-12 15:54 . 2010-07-12 15:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-07-12 15:51 . 2010-07-12 15:51 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-12 15:51 . 2010-07-12 15:51 -------- d-----w- c:\program files\MSBuild
2010-07-12 15:51 . 2010-07-12 15:51 -------- d-----w- c:\program files\Reference Assemblies
2010-07-12 15:49 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-12 15:45 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-12 15:45 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-12 15:45 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-12 15:45 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-12 15:45 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-12 15:45 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-12 15:45 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-12 15:45 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-12 15:45 . 2010-07-12 15:49 -------- d-----w- C:\6a1e773ff39b71f88bac16
2010-07-12 15:20 . 2010-07-12 15:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Windows Desktop Search
2010-07-12 15:19 . 2010-07-14 08:32 -------- d-----w- c:\program files\Windows Desktop Search
2010-07-12 15:19 . 2010-07-12 15:19 -------- d-----w- c:\windows\system32\GroupPolicy
2010-07-12 15:18 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-07-12 15:18 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-07-12 15:18 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2010-07-12 14:52 . 2010-07-12 14:52 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-17336408-n\msvcp71.dll
2010-07-12 14:52 . 2010-07-12 14:52 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-17336408-n\jmc.dll
2010-07-12 14:52 . 2010-07-12 14:52 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-17336408-n\msvcr71.dll
2010-07-12 14:52 . 2010-07-12 14:52 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-29f31e9f-n\decora-sse.dll
2010-07-12 14:52 . 2010-07-12 14:52 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-29f31e9f-n\decora-d3d.dll
2010-07-12 14:52 . 2010-07-12 14:52 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-12 14:52 . 2010-07-12 14:52 -------- d-----w- c:\program files\Java
2010-07-02 15:51 . 2010-07-02 15:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-02 15:50 . 2010-07-02 15:50 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-02 13:36 . 2010-07-02 16:17 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ppjtchyja
2010-07-01 18:57 . 2010-07-01 18:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-07-01 18:57 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-01 18:57 . 2010-07-01 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-01 18:57 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-30 19:31 . 2010-05-23 22:50 73216 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
2010-06-30 19:31 . 2010-04-18 19:33 307200 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\psftp.exe
2010-06-30 19:31 . 2010-04-18 19:33 172032 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\puttygen.exe
2010-06-29 23:37 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-14 15:34 . 2010-02-11 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-13 15:18 . 2005-05-23 13:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-13 13:22 . 2004-10-07 13:29 121216 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-12 17:49 . 2005-10-10 18:36 -------- d-----w- c:\program files\Microsoft.NET
2010-07-12 14:52 . 2003-01-03 13:44 -------- d-----w- c:\program files\Common Files\Java
2010-06-29 14:43 . 2008-06-17 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-14 14:31 . 2003-01-03 12:54 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-11 21:51 . 2010-06-11 21:51 3055600 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 21:36 . 2010-06-11 21:36 275952 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-05-06 10:41 . 2006-06-23 17:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2003-01-03 11:42 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2003-01-03 11:41 285696 ----a-w- c:\windows\system32\atmfd.dll
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-13 18:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2003-03-31 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-17 68856]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-17 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-03-09 7561216]
"nwiz"="nwiz.exe" [2006-03-09 1519616]
"WD Button Manager"="WDBtnMgr.exe" [2005-07-01 331776]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-03-09 86016]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"QuickTime Task"="c:\brandon\Programs\quick\QTTask.exe" [2009-05-26 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"WinVNC"="c:\program files\iTivity\bin\rfbd.exe" [2005-03-25 274432]
"iTivityODConnector"="c:\program files\iTivity\bin\connector_od.exe" [2006-11-13 299008]
"tridiavnc"="c:\program files\iTivity\bin\rfbd.exe" [2005-03-25 274432]
"iTivityODController"="c:\program files\iTivity\bin\processor_od.exe" [2006-11-13 237568]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\brandon\Programs\Picasa\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2004-2-24 10872]
Cenlpdstatus.exe [2002-9-9 102400]
FTP Utility.lnk - c:\program files\KONICA MINOLTA\FTP Utility\KMFtp.exe [2004-10-27 102400]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cenlpdstatus.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cenlpdstatus.exe
backup=c:\windows\pss\Cenlpdstatus.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
2004-05-18 02:30 543232 ----a-w- c:\windows\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
2003-09-19 17:09 36864 ----a-w- c:\windows\ShowWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\KONICA MINOLTA\\FTP Utility\\KMFtp.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\MSACCESS.EXE"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7303:UDP"= 7303:UDP:Control Center UDP Port

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [10/27/2005 3:31 PM 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [10/27/2005 3:31 PM 5248]
R2 CenLPD;CenLPD;c:\program files\Century\TinyTERM\NetUtils\CenLPD.exe [10/7/2004 8:07 AM 102400]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [11/17/2004 3:56 PM 23200]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate1c9d4c2231e140c;Google Update Service (gupdate1c9d4c2231e140c);c:\program files\Google\Update\GoogleUpdate.exe [5/14/2009 1:30 PM 133104]
S3 AON325;AOpen AON-325 10/100M Fast Ethernet PCI Adapter Driver;c:\windows\system32\drivers\AON325.sys [2/21/2003 4:25 PM 46976]
S3 iTivityODConnector;iTivity Live Support Connector Direct;c:\program files\iTivity\bin\connector_od.exe [4/6/2010 12:34 PM 299008]
S3 iTivityODConnectToIASConnector;iTivity Live Support Connector To IAS;c:\program files\iTivity\bin\connector_od.exe [4/6/2010 12:34 PM 299008]
S3 iTivityODController;iTivity Live Support Controller;c:\program files\iTivity\bin\processor_od.exe [4/6/2010 12:34 PM 237568]
S3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [11/17/2004 4:26 PM 15104]
S3 TridiaFTPServer;TridiaFTP Server;c:\program files\iTivity\bin\ftpd.exe [4/6/2010 12:34 PM 528448]
S3 tridiavnc;Tridia Screen Server;c:\program files\iTivity\bin\rfbd.exe [4/6/2010 12:34 PM 274432]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-07-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-29 22:27]

2010-07-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-14 18:30]

2010-07-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-14 18:30]

2010-07-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1026034599-3939155063-2809091464-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-17 14:56]

2010-07-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1026034599-3939155063-2809091464-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-17 14:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.yahoo.com/config/login?.page=p1&.partner=&.intl=us&.done=http%3a%2f%2fmy.yahoo.com%2findex.html&.src=my
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {{b234a570-7d2e-11d4-a4bd-0010a4c73bd0} - c:\program files\eBots\\eBzLjtPrn.exe
TCP: {4BD4F3EB-5658-4F24-A7A3-EF9FC566C4B1} = 151.164.11.201,151.164.1.8
TCP: {FF51B570-A98E-4D22-82B9-C9F63504606E} = 151.164.11.201,151.164.1.8
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} - hxxp://scpwnb.ops.placeware.com/etc/place/NOVEMBER/SCNpws-b2/5.1.7.413/lib/quicksilver.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\
FF - prefs.js: browser.startup.homepage - hxxp://login.yahoo.com/config/login?.page=p1&.partner=&.intl=us&.done=http%3a%2f%2fmy.yahoo.com%2findex.html&.src=my
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 9666
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 9666
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\brandon\Programs\Divx\DivX Content Uploader\npUpload.dll
FF - plugin: c:\brandon\Programs\Divx\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: c:\brandon\Programs\Divx\DivX Web Player\npdivx32.dll
FF - plugin: c:\brandon\Programs\Picasa\Picasa2\npPicasa2.dll
FF - plugin: c:\brandon\Programs\Picasa\Picasa2\npPicasa3.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin2.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin3.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin4.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin5.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin6.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin7.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- File Associations -------
.
.scr=AutoCADscriptFile
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-btxedgbg - c:\documents and settings\Owner\Local Settings\Application Data\ppjtchyja\donnwrutssd.exe
MSConfigStartUp-nForce Tray Options - sstray.exe
AddRemove-Font FX Version 2.50 - c:\documents and settings\owner\desktop\programs\new folder\Uninstall Font FX Version 2.50
AddRemove-Macromedia Shockwave Player - c:\windows\system32\Macromed\SHOCKW~1\UNWISE.EXE
AddRemove-Remington Shoot! - c:\documents and settings\Owner\Desktop\Balistic\remshoot\uninstall.exe
AddRemove-WinZip - c:\documents and settings\Owner\Desktop\Programs\winzip\WINZIP32.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-15 16:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84C51F00]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\Driver\ACPI -> ACPI.sys @ 0xf7416cb8
\Driver\atapi -> 0x84c51f00
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: NVIDIA nForce MCP Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf72c2bb0
PacketIndicateHandler -> NDIS.sys @ 0xf72cfa21
SendHandler -> NDIS.sys @ 0xf72ad87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 60 !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8AC0FFDC-D68A-4D5F-75BF0D842EDCB137}\{3647E330-7B13-5DC9-623E15C2DE512604}\{FDA52484-33A0-4DF1-40A7FB2F70E68E7D}*]
"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4092)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\WDBtnMgr.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2010-07-15 16:09:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-15 21:09

Pre-Run: 81,174,061,056 bytes free
Post-Run: 81,799,835,648 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - A97DF54D012F096B84A09095AF07A89A

• Download TDSSKiller and save it to your Desktop.
  
• Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  
• Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)
  
  
  "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  
• If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  
• It may ask you to reboot the computer to complete the process. Allow it to do so.
  
• When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" attach the contents of that file here.
  

I will need the tdsskiller log along with a fresh combofix log. Please attach them in your next post

TDSSKiller didnt find anything. No log file.

Did it run successfully? Was the folder created?

It finished the scan. Said completed with no objects found. press any key to continue. press a key and the dos prompt disappears.

Ok. Can you generate a new combofix log please

Here is the second log.

For some reason it changed all the icons in my quicklaunch bar. They still point to the correct program but with wrong icons. I will wait to restart to see if it fixes until I hear from you.


ComboFix 10-07-15.05 - Owner 07/16/2010 13:21:27.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.212 [GMT -5]
Running from: c:\documents and settings\Owner\desktop\commy.exe
Command switches used :: /stepdel
.

((((((((((((((((((((((((( Files Created from 2010-06-16 to 2010-07-16 )))))))))))))))))))))))))))))))
.

2010-07-16 01:41 . 2008-04-13 23:40 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2010-07-16 01:41 . 2008-04-13 23:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-07-14 19:20 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-13 15:54 . 2010-07-13 15:54 -------- d-----w- c:\documents and settings\Owner\Application Data\Aim
2010-07-13 15:00 . 2010-07-13 15:00 22 --sha-w- c:\windows\Sys3390 SettingsCollection.bin
2010-07-13 15:00 . 2010-07-13 15:00 22 --sha-w- c:\documents and settings\Owner\Application Data\Sys6925.Config Collection.sys
2010-07-12 15:54 . 2010-07-12 15:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-07-12 15:51 . 2010-07-12 15:51 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-12 15:51 . 2010-07-12 15:51 -------- d-----w- c:\program files\MSBuild
2010-07-12 15:51 . 2010-07-12 15:51 -------- d-----w- c:\program files\Reference Assemblies
2010-07-12 15:49 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-12 15:45 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-12 15:45 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-12 15:45 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-12 15:45 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-12 15:45 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-12 15:45 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-12 15:45 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-12 15:45 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-12 15:45 . 2010-07-12 15:49 -------- d-----w- C:\6a1e773ff39b71f88bac16
2010-07-12 15:20 . 2010-07-12 15:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Windows Desktop Search
2010-07-12 15:19 . 2010-07-14 08:32 -------- d-----w- c:\program files\Windows Desktop Search
2010-07-12 15:19 . 2010-07-12 15:19 -------- d-----w- c:\windows\system32\GroupPolicy
2010-07-12 15:18 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-07-12 15:18 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-07-12 15:18 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2010-07-12 14:52 . 2010-07-12 14:52 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-17336408-n\msvcp71.dll
2010-07-12 14:52 . 2010-07-12 14:52 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-17336408-n\jmc.dll
2010-07-12 14:52 . 2010-07-12 14:52 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-17336408-n\msvcr71.dll
2010-07-12 14:52 . 2010-07-12 14:52 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-29f31e9f-n\decora-sse.dll
2010-07-12 14:52 . 2010-07-12 14:52 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-29f31e9f-n\decora-d3d.dll
2010-07-12 14:52 . 2010-07-12 14:52 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-12 14:52 . 2010-07-12 14:52 -------- d-----w- c:\program files\Java
2010-07-02 15:51 . 2010-07-02 15:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-02 15:50 . 2010-07-02 15:50 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-02 13:36 . 2010-07-02 16:17 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ppjtchyja
2010-07-01 18:57 . 2010-07-01 18:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-07-01 18:57 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-01 18:57 . 2010-07-01 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-01 18:57 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-30 19:31 . 2010-05-23 22:50 73216 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
2010-06-30 19:31 . 2010-04-18 19:33 307200 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\psftp.exe
2010-06-30 19:31 . 2010-04-18 19:33 172032 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\puttygen.exe
2010-06-29 23:37 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-14 15:34 . 2010-02-11 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-13 15:18 . 2005-05-23 13:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-13 13:22 . 2004-10-07 13:29 121216 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-12 17:49 . 2005-10-10 18:36 -------- d-----w- c:\program files\Microsoft.NET
2010-07-12 14:52 . 2003-01-03 13:44 -------- d-----w- c:\program files\Common Files\Java
2010-06-29 14:43 . 2008-06-17 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-14 14:31 . 2003-01-03 12:54 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-11 21:51 . 2010-06-11 21:51 3055600 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 21:36 . 2010-06-11 21:36 275952 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-05-06 10:41 . 2006-06-23 17:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2003-01-03 11:42 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2003-01-03 11:41 285696 ----a-w- c:\windows\system32\atmfd.dll
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-13 23:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2003-03-31 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-17 68856]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-17 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-03-09 7561216]
"nwiz"="nwiz.exe" [2006-03-09 1519616]
"WD Button Manager"="WDBtnMgr.exe" [2005-07-01 331776]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-03-09 86016]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"QuickTime Task"="c:\brandon\Programs\quick\QTTask.exe" [2009-05-26 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"WinVNC"="c:\program files\iTivity\bin\rfbd.exe" [2005-03-25 274432]
"iTivityODConnector"="c:\program files\iTivity\bin\connector_od.exe" [2006-11-13 299008]
"tridiavnc"="c:\program files\iTivity\bin\rfbd.exe" [2005-03-25 274432]
"iTivityODController"="c:\program files\iTivity\bin\processor_od.exe" [2006-11-13 237568]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\brandon\Programs\Picasa\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2004-2-24 10872]
Cenlpdstatus.exe [2002-9-9 102400]
FTP Utility.lnk - c:\program files\KONICA MINOLTA\FTP Utility\KMFtp.exe [2004-10-27 102400]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cenlpdstatus.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cenlpdstatus.exe
backup=c:\windows\pss\Cenlpdstatus.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
2004-05-18 02:30 543232 ----a-w- c:\windows\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
2003-09-19 17:09 36864 ----a-w- c:\windows\ShowWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\KONICA MINOLTA\\FTP Utility\\KMFtp.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\MSACCESS.EXE"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7303:UDP"= 7303:UDP:Control Center UDP Port

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [10/27/2005 3:31 PM 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [10/27/2005 3:31 PM 5248]
R2 CenLPD;CenLPD;c:\program files\Century\TinyTERM\NetUtils\CenLPD.exe [10/7/2004 8:07 AM 102400]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [11/17/2004 3:56 PM 23200]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate1c9d4c2231e140c;Google Update Service (gupdate1c9d4c2231e140c);c:\program files\Google\Update\GoogleUpdate.exe [5/14/2009 1:30 PM 133104]
S3 AON325;AOpen AON-325 10/100M Fast Ethernet PCI Adapter Driver;c:\windows\system32\drivers\AON325.sys [2/21/2003 4:25 PM 46976]
S3 iTivityODConnector;iTivity Live Support Connector Direct;c:\program files\iTivity\bin\connector_od.exe [4/6/2010 12:34 PM 299008]
S3 iTivityODConnectToIASConnector;iTivity Live Support Connector To IAS;c:\program files\iTivity\bin\connector_od.exe [4/6/2010 12:34 PM 299008]
S3 iTivityODController;iTivity Live Support Controller;c:\program files\iTivity\bin\processor_od.exe [4/6/2010 12:34 PM 237568]
S3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [11/17/2004 4:26 PM 15104]
S3 TridiaFTPServer;TridiaFTP Server;c:\program files\iTivity\bin\ftpd.exe [4/6/2010 12:34 PM 528448]
S3 tridiavnc;Tridia Screen Server;c:\program files\iTivity\bin\rfbd.exe [4/6/2010 12:34 PM 274432]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-07-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-29 22:27]

2010-07-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-14 18:30]

2010-07-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-14 18:30]

2010-07-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1026034599-3939155063-2809091464-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-17 14:56]

2010-07-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1026034599-3939155063-2809091464-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-17 14:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.yahoo.com/config/login?.page=p1&.partner=&.intl=us&.done=http%3a%2f%2fmy.yahoo.com%2findex.html&.src=my
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {{b234a570-7d2e-11d4-a4bd-0010a4c73bd0} - c:\program files\eBots\\eBzLjtPrn.exe
TCP: {4BD4F3EB-5658-4F24-A7A3-EF9FC566C4B1} = 151.164.11.201,151.164.1.8
TCP: {FF51B570-A98E-4D22-82B9-C9F63504606E} = 151.164.11.201,151.164.1.8
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} - hxxp://scpwnb.ops.placeware.com/etc/place/NOVEMBER/SCNpws-b2/5.1.7.413/lib/quicksilver.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\
FF - prefs.js: browser.startup.homepage - hxxp://login.yahoo.com/config/login?.page=p1&.partner=&.intl=us&.done=http%3a%2f%2fmy.yahoo.com%2findex.html&.src=my
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 9666
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 9666
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\brandon\Programs\Divx\DivX Content Uploader\npUpload.dll
FF - plugin: c:\brandon\Programs\Divx\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: c:\brandon\Programs\Divx\DivX Web Player\npdivx32.dll
FF - plugin: c:\brandon\Programs\Picasa\Picasa2\npPicasa2.dll
FF - plugin: c:\brandon\Programs\Picasa\Picasa2\npPicasa3.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin2.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin3.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin4.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin5.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin6.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin7.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- File Associations -------
.
.scr=AutoCADscriptFile
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-16 13:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84BA8CA0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\Driver\ACPI -> ACPI.sys @ 0xf7416cb8
\Driver\atapi -> 0x84ba8ca0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: NVIDIA nForce MCP Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf72c2bb0
PacketIndicateHandler -> NDIS.sys @ 0xf72cfa21
SendHandler -> NDIS.sys @ 0xf72ad87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 60 !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8AC0FFDC-D68A-4D5F-75BF0D842EDCB137}\{3647E330-7B13-5DC9-623E15C2DE512604}\{FDA52484-33A0-4DF1-40A7FB2F70E68E7D}*]
"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2776)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\WDBtnMgr.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2010-07-16 13:39:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-16 18:39
ComboFix2.txt 2010-07-15 21:09

Pre-Run: 81,958,662,144 bytes free
Post-Run: 81,946,853,376 bytes free

- - End Of File - - 89D0AF14E805DADA2391F1DDD0DF4F6C

Ok icons fixed computer went into screen saver, when it came back they were fixed.

Hi,

Re-running ComboFix to remove infections:

1. Close any open browsers.
   
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
3. Open notepad and copy/paste the text in the quotebox below into it:
   

   
   FCopy::
   c:\windows\ServicePackFiles\i386\atapi.sys | C:\WINDOWS\System32\Drivers\atapi.sys
   

4. Save this as CFScript.txt, in the same location as ComboFix.exe
   
   
   
   
5. Referring to the picture above, drag CFScript into ComboFix.exe
   
6. When finished, it shall produce a log for you at C:\ComboFix.txt
   
7. Please post the contents of the log in your next reply.

ComboFix 10-07-18.03 - Owner 07/19/2010 9:47.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.199 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\commy.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFscript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\System32\Drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-06-19 to 2010-07-19 )))))))))))))))))))))))))))))))
.

2010-07-16 21:15 . 2010-07-16 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\MemeoCommon
2010-07-16 21:14 . 2010-07-16 21:15 -------- d-----w- C:\backups
2010-07-16 21:09 . 2010-07-16 21:09 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2010-07-16 21:07 . 2010-07-16 21:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Memeo
2010-07-16 21:07 . 2010-07-16 21:07 -------- d-----w- c:\program files\Common Files\Memeo
2010-07-16 21:07 . 2010-07-16 21:08 -------- d-----w- c:\program files\Memeo
2010-07-16 06:41 . 2008-04-13 18:40 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2010-07-16 06:41 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-07-14 19:20 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-13 15:54 . 2010-07-13 15:54 -------- d-----w- c:\documents and settings\Owner\Application Data\Aim
2010-07-13 15:00 . 2010-07-13 15:00 22 --sha-w- c:\windows\Sys3390 SettingsCollection.bin
2010-07-12 15:54 . 2010-07-12 15:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-07-12 15:51 . 2010-07-12 15:51 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-12 15:51 . 2010-07-12 15:51 -------- d-----w- c:\program files\MSBuild
2010-07-12 15:51 . 2010-07-12 15:51 -------- d-----w- c:\program files\Reference Assemblies
2010-07-12 15:49 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-12 15:45 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-12 15:45 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-12 15:45 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-12 15:45 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-12 15:45 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-12 15:45 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-12 15:45 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-12 15:45 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-12 15:45 . 2010-07-12 15:49 -------- d-----w- C:\6a1e773ff39b71f88bac16
2010-07-12 15:20 . 2010-07-12 15:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Windows Desktop Search
2010-07-12 15:19 . 2010-07-14 08:32 -------- d-----w- c:\program files\Windows Desktop Search
2010-07-12 15:19 . 2010-07-12 15:19 -------- d-----w- c:\windows\system32\GroupPolicy
2010-07-12 15:18 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-07-12 15:18 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-07-12 15:18 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2010-07-12 14:52 . 2010-07-12 14:52 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-12 14:52 . 2010-07-12 14:52 -------- d-----w- c:\program files\Java
2010-07-02 15:51 . 2010-07-02 15:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-02 15:50 . 2010-07-02 15:50 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-02 13:36 . 2010-07-02 16:17 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ppjtchyja
2010-07-01 18:57 . 2010-07-01 18:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-07-01 18:57 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-01 18:57 . 2010-07-01 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-01 18:57 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-29 23:37 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-14 15:34 . 2010-02-11 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-13 15:18 . 2005-05-23 13:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-13 15:00 . 2010-07-13 15:00 22 --sha-w- c:\documents and settings\Owner\Application Data\Sys6925.Config Collection.sys
2010-07-13 15:00 . 2010-07-13 15:00 22 --sha-w- c:\documents and settings\Owner\Application Data\Sys6925.Config Collection.sys
2010-07-13 13:22 . 2004-10-07 13:29 121216 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-12 17:49 . 2005-10-10 18:36 -------- d-----w- c:\program files\Microsoft.NET
2010-07-12 14:52 . 2010-07-12 14:52 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-17336408-n\msvcp71.dll
2010-07-12 14:52 . 2010-07-12 14:52 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-17336408-n\jmc.dll
2010-07-12 14:52 . 2010-07-12 14:52 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-17336408-n\msvcr71.dll
2010-07-12 14:52 . 2003-01-03 13:44 -------- d-----w- c:\program files\Common Files\Java
2010-07-12 14:52 . 2010-07-12 14:52 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-29f31e9f-n\decora-sse.dll
2010-07-12 14:52 . 2010-07-12 14:52 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-29f31e9f-n\decora-d3d.dll
2010-06-29 14:43 . 2008-06-17 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-14 14:31 . 2003-01-03 12:54 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-11 21:51 . 2010-06-11 21:51 3055600 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 21:36 . 2010-06-11 21:36 275952 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-05-23 22:50 . 2010-06-30 19:31 73216 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
2010-05-06 10:41 . 2006-06-23 17:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2003-01-03 11:42 1851264 ----a-w- c:\windows\system32\win32k.sys
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-13 18:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2003-03-31 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-17 68856]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-17 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-03-09 7561216]
"nwiz"="nwiz.exe" [2006-03-09 1519616]
"WD Button Manager"="WDBtnMgr.exe" [2005-07-01 331776]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-03-09 86016]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"QuickTime Task"="c:\brandon\Programs\quick\QTTask.exe" [2009-05-26 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"WinVNC"="c:\program files\iTivity\bin\rfbd.exe" [2005-03-25 274432]
"iTivityODConnector"="c:\program files\iTivity\bin\connector_od.exe" [2006-11-13 299008]
"tridiavnc"="c:\program files\iTivity\bin\rfbd.exe" [2005-03-25 274432]
"iTivityODController"="c:\program files\iTivity\bin\processor_od.exe" [2006-11-13 237568]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Memeo Backup Pro"="c:\program files\Memeo\AutoBackupPro\MemeoLauncher2.exe" [2010-04-09 136416]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\brandon\Programs\Picasa\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2004-2-24 10872]
Cenlpdstatus.exe [2002-9-9 102400]
FTP Utility.lnk - c:\program files\KONICA MINOLTA\FTP Utility\KMFtp.exe [2004-10-27 102400]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cenlpdstatus.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cenlpdstatus.exe
backup=c:\windows\pss\Cenlpdstatus.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
2004-05-18 02:30 543232 ----a-w- c:\windows\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
2003-09-19 17:09 36864 ----a-w- c:\windows\ShowWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\KONICA MINOLTA\\FTP Utility\\KMFtp.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\MSACCESS.EXE"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7303:UDP"= 7303:UDP:Control Center UDP Port

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [10/27/2005 3:31 PM 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [10/27/2005 3:31 PM 5248]
R2 CenLPD;CenLPD;c:\program files\Century\TinyTERM\NetUtils\CenLPD.exe [10/7/2004 8:07 AM 102400]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackupPro\MemeoBackgroundService.exe [4/9/2010 4:19 PM 25824]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [11/17/2004 3:56 PM 23200]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate1c9d4c2231e140c;Google Update Service (gupdate1c9d4c2231e140c);c:\program files\Google\Update\GoogleUpdate.exe [5/14/2009 1:30 PM 133104]
S3 AON325;AOpen AON-325 10/100M Fast Ethernet PCI Adapter Driver;c:\windows\system32\drivers\AON325.sys [2/21/2003 4:25 PM 46976]
S3 iTivityODConnector;iTivity Live Support Connector Direct;c:\program files\iTivity\bin\connector_od.exe [4/6/2010 12:34 PM 299008]
S3 iTivityODConnectToIASConnector;iTivity Live Support Connector To IAS;c:\program files\iTivity\bin\connector_od.exe [4/6/2010 12:34 PM 299008]
S3 iTivityODController;iTivity Live Support Controller;c:\program files\iTivity\bin\processor_od.exe [4/6/2010 12:34 PM 237568]
S3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [11/17/2004 4:26 PM 15104]
S3 TridiaFTPServer;TridiaFTP Server;c:\program files\iTivity\bin\ftpd.exe [4/6/2010 12:34 PM 528448]
S3 tridiavnc;Tridia Screen Server;c:\program files\iTivity\bin\rfbd.exe [4/6/2010 12:34 PM 274432]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-07-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-29 22:27]

2010-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-14 18:30]

2010-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-14 18:30]

2010-07-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1026034599-3939155063-2809091464-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-17 14:56]

2010-07-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1026034599-3939155063-2809091464-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-17 14:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.yahoo.com/config/login?.page=p1&.partner=&.intl=us&.done=http%3a%2f%2fmy.yahoo.com%2findex.html&.src=my
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {{b234a570-7d2e-11d4-a4bd-0010a4c73bd0} - c:\program files\eBots\\eBzLjtPrn.exe
TCP: {4BD4F3EB-5658-4F24-A7A3-EF9FC566C4B1} = 151.164.11.201,151.164.1.8
TCP: {FF51B570-A98E-4D22-82B9-C9F63504606E} = 151.164.11.201,151.164.1.8
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} - hxxp://scpwnb.ops.placeware.com/etc/place/NOVEMBER/SCNpws-b2/5.1.7.413/lib/quicksilver.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\
FF - prefs.js: browser.startup.homepage - hxxp://login.yahoo.com/config/login?.page=p1&.partner=&.intl=us&.done=http%3a%2f%2fmy.yahoo.com%2findex.html&.src=my
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 9666
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 9666
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\brandon\Programs\Divx\DivX Content Uploader\npUpload.dll
FF - plugin: c:\brandon\Programs\Divx\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: c:\brandon\Programs\Divx\DivX Web Player\npdivx32.dll
FF - plugin: c:\brandon\Programs\Picasa\Picasa2\npPicasa2.dll
FF - plugin: c:\brandon\Programs\Picasa\Picasa2\npPicasa3.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin2.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin3.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin4.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin5.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin6.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin7.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-19 09:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84BB2950]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\Driver\ACPI -> ACPI.sys @ 0xf7416cb8
\Driver\atapi -> 0x84bb2950
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: NVIDIA nForce MCP Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf72c2bb0
PacketIndicateHandler -> NDIS.sys @ 0xf72cfa21
SendHandler -> NDIS.sys @ 0xf72ad87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 60 !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8AC0FFDC-D68A-4D5F-75BF0D842EDCB137}\{3647E330-7B13-5DC9-623E15C2DE512604}\{FDA52484-33A0-4DF1-40A7FB2F70E68E7D}*]
"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3300)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\WDBtnMgr.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Memeo\AutoBackupPro\MemeoBackup.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2010-07-19 10:07:57 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-19 15:07
ComboFix2.txt 2010-07-16 18:39
ComboFix3.txt 2010-07-15 21:09

Pre-Run: 81,814,614,016 bytes free
Post-Run: 81,825,329,152 bytes free

- - End Of File - - 029D732D5C6FE65A2AB2554D76A10FDA

Hi,

Please download Profiles by noahdfear.

• Save it to your desktop.
• Double-click profiles.exe and post its log when you reply

======

Download GMER's MBR.exe to your desktop.
Double click on the MBR.exe file to run it. A log will be produced, MBR.log.
Please open this log in Notepad and post its contents in your next reply.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1026034599-3939155063-2809091464-1003
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Owner

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1026034599-3939155063-2809091464-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator

SystemRoot REG_SZ C:\WINDOWS

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 60 !

Perfect. One infection has been removed . Can i see a new combofix log please?

Any steps in the right direction makes me happy

ComboFix 10-07-19.04 - Owner 07/20/2010 7:14.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.205 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\commy.exe
.

((((((((((((((((((((((((( Files Created from 2010-06-20 to 2010-07-20 )))))))))))))))))))))))))))))))
.

2010-07-16 21:15 . 2010-07-16 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\MemeoCommon
2010-07-16 21:14 . 2010-07-16 21:15 -------- d-----w- C:\backups
2010-07-16 21:09 . 2010-07-16 21:09 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2010-07-16 21:07 . 2010-07-16 21:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Memeo
2010-07-16 21:07 . 2010-07-16 21:07 -------- d-----w- c:\program files\Common Files\Memeo
2010-07-16 21:07 . 2010-07-16 21:08 -------- d-----w- c:\program files\Memeo
2010-07-16 11:41 . 2008-04-13 23:40 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2010-07-16 11:41 . 2008-04-13 23:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-07-14 19:20 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-13 15:54 . 2010-07-13 15:54 -------- d-----w- c:\documents and settings\Owner\Application Data\Aim
2010-07-13 15:00 . 2010-07-13 15:00 22 --sha-w- c:\windows\Sys3390 SettingsCollection.bin
2010-07-12 15:54 . 2010-07-12 15:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-07-12 15:51 . 2010-07-12 15:51 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-12 15:51 . 2010-07-12 15:51 -------- d-----w- c:\program files\MSBuild
2010-07-12 15:51 . 2010-07-12 15:51 -------- d-----w- c:\program files\Reference Assemblies
2010-07-12 15:49 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-12 15:45 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-12 15:45 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-12 15:45 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-12 15:45 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-12 15:45 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-12 15:45 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-12 15:45 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-12 15:45 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-12 15:45 . 2010-07-12 15:49 -------- d-----w- C:\6a1e773ff39b71f88bac16
2010-07-12 15:20 . 2010-07-12 15:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Windows Desktop Search
2010-07-12 15:19 . 2010-07-14 08:32 -------- d-----w- c:\program files\Windows Desktop Search
2010-07-12 15:19 . 2010-07-12 15:19 -------- d-----w- c:\windows\system32\GroupPolicy
2010-07-12 15:18 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-07-12 15:18 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-07-12 15:18 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2010-07-12 14:52 . 2010-07-12 14:52 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-12 14:52 . 2010-07-12 14:52 -------- d-----w- c:\program files\Java
2010-07-02 15:51 . 2010-07-02 15:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-02 15:50 . 2010-07-02 15:50 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-02 13:36 . 2010-07-02 16:17 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ppjtchyja
2010-07-01 18:57 . 2010-07-01 18:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-07-01 18:57 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-01 18:57 . 2010-07-01 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-01 18:57 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-29 23:37 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-14 15:34 . 2010-02-11 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-13 15:18 . 2005-05-23 13:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-13 15:00 . 2010-07-13 15:00 22 --sha-w- c:\documents and settings\Owner\Application Data\Sys6925.Config Collection.sys
2010-07-13 15:00 . 2010-07-13 15:00 22 --sha-w- c:\documents and settings\Owner\Application Data\Sys6925.Config Collection.sys
2010-07-13 13:22 . 2004-10-07 13:29 121216 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-12 17:49 . 2005-10-10 18:36 -------- d-----w- c:\program files\Microsoft.NET
2010-07-12 14:52 . 2010-07-12 14:52 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-17336408-n\msvcp71.dll
2010-07-12 14:52 . 2010-07-12 14:52 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-17336408-n\jmc.dll
2010-07-12 14:52 . 2010-07-12 14:52 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-17336408-n\msvcr71.dll
2010-07-12 14:52 . 2003-01-03 13:44 -------- d-----w- c:\program files\Common Files\Java
2010-07-12 14:52 . 2010-07-12 14:52 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-29f31e9f-n\decora-sse.dll
2010-07-12 14:52 . 2010-07-12 14:52 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-29f31e9f-n\decora-d3d.dll
2010-06-29 14:43 . 2008-06-17 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-14 14:31 . 2003-01-03 12:54 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-11 21:51 . 2010-06-11 21:51 3055600 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 21:36 . 2010-06-11 21:36 275952 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-05-23 22:50 . 2010-06-30 19:31 73216 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
2010-05-06 10:41 . 2006-06-23 17:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2003-01-03 11:42 1851264 ----a-w- c:\windows\system32\win32k.sys
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-13 23:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2003-03-31 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-17 68856]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-17 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-03-09 7561216]
"nwiz"="nwiz.exe" [2006-03-09 1519616]
"WD Button Manager"="WDBtnMgr.exe" [2005-07-01 331776]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-03-09 86016]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"QuickTime Task"="c:\brandon\Programs\quick\QTTask.exe" [2009-05-26 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"WinVNC"="c:\program files\iTivity\bin\rfbd.exe" [2005-03-25 274432]
"iTivityODConnector"="c:\program files\iTivity\bin\connector_od.exe" [2006-11-13 299008]
"tridiavnc"="c:\program files\iTivity\bin\rfbd.exe" [2005-03-25 274432]
"iTivityODController"="c:\program files\iTivity\bin\processor_od.exe" [2006-11-13 237568]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Memeo Backup Pro"="c:\program files\Memeo\AutoBackupPro\MemeoLauncher2.exe" [2010-04-09 136416]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\brandon\Programs\Picasa\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2004-2-24 10872]
Cenlpdstatus.exe [2002-9-9 102400]
FTP Utility.lnk - c:\program files\KONICA MINOLTA\FTP Utility\KMFtp.exe [2004-10-27 102400]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cenlpdstatus.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cenlpdstatus.exe
backup=c:\windows\pss\Cenlpdstatus.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
2004-05-18 02:30 543232 ----a-w- c:\windows\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
2003-09-19 17:09 36864 ----a-w- c:\windows\ShowWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\KONICA MINOLTA\\FTP Utility\\KMFtp.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\MSACCESS.EXE"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7303:UDP"= 7303:UDP:Control Center UDP Port

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [10/27/2005 3:31 PM 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [10/27/2005 3:31 PM 5248]
R2 CenLPD;CenLPD;c:\program files\Century\TinyTERM\NetUtils\CenLPD.exe [10/7/2004 8:07 AM 102400]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackupPro\MemeoBackgroundService.exe [4/9/2010 4:19 PM 25824]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [11/17/2004 3:56 PM 23200]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate1c9d4c2231e140c;Google Update Service (gupdate1c9d4c2231e140c);c:\program files\Google\Update\GoogleUpdate.exe [5/14/2009 1:30 PM 133104]
S3 AON325;AOpen AON-325 10/100M Fast Ethernet PCI Adapter Driver;c:\windows\system32\drivers\AON325.sys [2/21/2003 4:25 PM 46976]
S3 iTivityODConnector;iTivity Live Support Connector Direct;c:\program files\iTivity\bin\connector_od.exe [4/6/2010 12:34 PM 299008]
S3 iTivityODConnectToIASConnector;iTivity Live Support Connector To IAS;c:\program files\iTivity\bin\connector_od.exe [4/6/2010 12:34 PM 299008]
S3 iTivityODController;iTivity Live Support Controller;c:\program files\iTivity\bin\processor_od.exe [4/6/2010 12:34 PM 237568]
S3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [11/17/2004 4:26 PM 15104]
S3 TridiaFTPServer;TridiaFTP Server;c:\program files\iTivity\bin\ftpd.exe [4/6/2010 12:34 PM 528448]
S3 tridiavnc;Tridia Screen Server;c:\program files\iTivity\bin\rfbd.exe [4/6/2010 12:34 PM 274432]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-07-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-29 22:27]

2010-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-14 18:30]

2010-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-14 18:30]

2010-07-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1026034599-3939155063-2809091464-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-17 14:56]

2010-07-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1026034599-3939155063-2809091464-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-17 14:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.yahoo.com/config/login?.page=p1&.partner=&.intl=us&.done=http%3a%2f%2fmy.yahoo.com%2findex.html&.src=my
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {{b234a570-7d2e-11d4-a4bd-0010a4c73bd0} - c:\program files\eBots\\eBzLjtPrn.exe
TCP: {4BD4F3EB-5658-4F24-A7A3-EF9FC566C4B1} = 151.164.11.201,151.164.1.8
TCP: {FF51B570-A98E-4D22-82B9-C9F63504606E} = 151.164.11.201,151.164.1.8
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} - hxxp://scpwnb.ops.placeware.com/etc/place/NOVEMBER/SCNpws-b2/5.1.7.413/lib/quicksilver.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\
FF - prefs.js: browser.startup.homepage - hxxp://login.yahoo.com/config/login?.page=p1&.partner=&.intl=us&.done=http%3a%2f%2fmy.yahoo.com%2findex.html&.src=my
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 9666
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 9666
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\brandon\Programs\Divx\DivX Content Uploader\npUpload.dll
FF - plugin: c:\brandon\Programs\Divx\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: c:\brandon\Programs\Divx\DivX Web Player\npdivx32.dll
FF - plugin: c:\brandon\Programs\Picasa\Picasa2\npPicasa2.dll
FF - plugin: c:\brandon\Programs\Picasa\Picasa2\npPicasa3.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin2.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin3.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin4.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin5.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin6.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin7.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- File Associations -------
.
.scr=AutoCADscriptFile
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-20 07:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84C69518]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\Driver\ACPI -> ACPI.sys @ 0xf7416cb8
\Driver\atapi -> 0x84c69518
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: NVIDIA nForce MCP Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf72c2bb0
PacketIndicateHandler -> NDIS.sys @ 0xf72cfa21
SendHandler -> NDIS.sys @ 0xf72ad87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 60 !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8AC0FFDC-D68A-4D5F-75BF0D842EDCB137}\{3647E330-7B13-5DC9-623E15C2DE512604}\{FDA52484-33A0-4DF1-40A7FB2F70E68E7D}*]
"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3692)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\WDBtnMgr.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Memeo\AutoBackupPro\MemeoBackup.exe
.
**************************************************************************
.
Completion time: 2010-07-20 07:35:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-20 12:35
ComboFix2.txt 2010-07-19 15:07
ComboFix3.txt 2010-07-16 18:39
ComboFix4.txt 2010-07-15 21:09

Pre-Run: 81,889,955,840 bytes free
Post-Run: 81,879,310,336 bytes free

- - End Of File - - 86A218FFB0FF5CEA445F1181F3B2779A

Re-running ComboFix to remove infections:

1. Close any open browsers.
   
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
3. Open notepad and copy/paste the text in the quotebox below into it:
   

   
   MBR::
   

4. Save this as CFScript.txt, in the same location as ComboFix.exe
   
   
   
   
5. Referring to the picture above, drag CFScript into ComboFix.exe
   
6. When finished, it shall produce a log for you at C:\ComboFix.txt
   
7. Please post the contents of the log in your next reply.

ComboFix 10-07-20.01 - Owner 07/20/2010 14:09:56.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.205 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\commy.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFscript.txt
.

((((((((((((((((((((((((( Files Created from 2010-06-20 to 2010-07-20 )))))))))))))))))))))))))))))))
.

2010-07-16 21:15 . 2010-07-16 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\MemeoCommon
2010-07-16 21:14 . 2010-07-16 21:15 -------- d-----w- C:\backups
2010-07-16 21:09 . 2010-07-16 21:09 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2010-07-16 21:07 . 2010-07-16 21:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Memeo
2010-07-16 21:07 . 2010-07-16 21:07 -------- d-----w- c:\program files\Common Files\Memeo
2010-07-16 21:07 . 2010-07-16 21:08 -------- d-----w- c:\program files\Memeo
2010-07-16 16:41 . 2008-04-14 04:40 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2010-07-16 16:41 . 2008-04-14 04:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-07-14 19:20 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-13 15:54 . 2010-07-13 15:54 -------- d-----w- c:\documents and settings\Owner\Application Data\Aim
2010-07-13 15:00 . 2010-07-13 15:00 22 --sha-w- c:\windows\Sys3390 SettingsCollection.bin
2010-07-12 15:54 . 2010-07-12 15:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-07-12 15:51 . 2010-07-12 15:51 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-12 15:51 . 2010-07-12 15:51 -------- d-----w- c:\program files\MSBuild
2010-07-12 15:51 . 2010-07-12 15:51 -------- d-----w- c:\program files\Reference Assemblies
2010-07-12 15:49 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-12 15:45 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-12 15:45 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-12 15:45 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-12 15:45 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-12 15:45 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-12 15:45 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-12 15:45 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-12 15:45 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-12 15:45 . 2010-07-12 15:49 -------- d-----w- C:\6a1e773ff39b71f88bac16
2010-07-12 15:20 . 2010-07-12 15:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Windows Desktop Search
2010-07-12 15:19 . 2010-07-14 08:32 -------- d-----w- c:\program files\Windows Desktop Search
2010-07-12 15:19 . 2010-07-12 15:19 -------- d-----w- c:\windows\system32\GroupPolicy
2010-07-12 15:18 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-07-12 15:18 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-07-12 15:18 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2010-07-12 14:52 . 2010-07-12 14:52 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-12 14:52 . 2010-07-12 14:52 -------- d-----w- c:\program files\Java
2010-07-02 15:51 . 2010-07-02 15:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-02 15:50 . 2010-07-02 15:50 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-02 13:36 . 2010-07-02 16:17 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ppjtchyja
2010-07-01 18:57 . 2010-07-01 18:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-07-01 18:57 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-01 18:57 . 2010-07-01 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-01 18:57 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-29 23:37 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-14 15:34 . 2010-02-11 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-13 15:18 . 2005-05-23 13:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-13 15:00 . 2010-07-13 15:00 22 --sha-w- c:\documents and settings\Owner\Application Data\Sys6925.Config Collection.sys
2010-07-13 15:00 . 2010-07-13 15:00 22 --sha-w- c:\documents and settings\Owner\Application Data\Sys6925.Config Collection.sys
2010-07-13 13:22 . 2004-10-07 13:29 121216 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-12 17:49 . 2005-10-10 18:36 -------- d-----w- c:\program files\Microsoft.NET
2010-07-12 14:52 . 2010-07-12 14:52 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-17336408-n\msvcp71.dll
2010-07-12 14:52 . 2010-07-12 14:52 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-17336408-n\jmc.dll
2010-07-12 14:52 . 2010-07-12 14:52 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-17336408-n\msvcr71.dll
2010-07-12 14:52 . 2003-01-03 13:44 -------- d-----w- c:\program files\Common Files\Java
2010-07-12 14:52 . 2010-07-12 14:52 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-29f31e9f-n\decora-sse.dll
2010-07-12 14:52 . 2010-07-12 14:52 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-29f31e9f-n\decora-d3d.dll
2010-06-29 14:43 . 2008-06-17 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-14 14:31 . 2003-01-03 12:54 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-11 21:51 . 2010-06-11 21:51 3055600 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 21:36 . 2010-06-11 21:36 275952 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-05-23 22:50 . 2010-06-30 19:31 73216 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
2010-05-06 10:41 . 2006-06-23 17:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2003-01-03 11:42 1851264 ----a-w- c:\windows\system32\win32k.sys
.

------- Sigcheck -------

[7] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-14 04:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[-] 2003-03-31 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-17 68856]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-17 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-03-09 7561216]
"nwiz"="nwiz.exe" [2006-03-09 1519616]
"WD Button Manager"="WDBtnMgr.exe" [2005-07-01 331776]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-03-09 86016]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"QuickTime Task"="c:\brandon\Programs\quick\QTTask.exe" [2009-05-26 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"WinVNC"="c:\program files\iTivity\bin\rfbd.exe" [2005-03-25 274432]
"iTivityODConnector"="c:\program files\iTivity\bin\connector_od.exe" [2006-11-13 299008]
"tridiavnc"="c:\program files\iTivity\bin\rfbd.exe" [2005-03-25 274432]
"iTivityODController"="c:\program files\iTivity\bin\processor_od.exe" [2006-11-13 237568]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Memeo Backup Pro"="c:\program files\Memeo\AutoBackupPro\MemeoLauncher2.exe" [2010-04-09 136416]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\brandon\Programs\Picasa\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2004-2-24 10872]
Cenlpdstatus.exe [2002-9-9 102400]
FTP Utility.lnk - c:\program files\KONICA MINOLTA\FTP Utility\KMFtp.exe [2004-10-27 102400]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cenlpdstatus.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cenlpdstatus.exe
backup=c:\windows\pss\Cenlpdstatus.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
2004-05-18 02:30 543232 ----a-w- c:\windows\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
2003-09-19 17:09 36864 ----a-w- c:\windows\ShowWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\KONICA MINOLTA\\FTP Utility\\KMFtp.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\MSACCESS.EXE"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7303:UDP"= 7303:UDP:Control Center UDP Port

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [10/27/2005 3:31 PM 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [10/27/2005 3:31 PM 5248]
R2 CenLPD;CenLPD;c:\program files\Century\TinyTERM\NetUtils\CenLPD.exe [10/7/2004 8:07 AM 102400]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackupPro\MemeoBackgroundService.exe [4/9/2010 4:19 PM 25824]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [11/17/2004 3:56 PM 23200]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate1c9d4c2231e140c;Google Update Service (gupdate1c9d4c2231e140c);c:\program files\Google\Update\GoogleUpdate.exe [5/14/2009 1:30 PM 133104]
S3 AON325;AOpen AON-325 10/100M Fast Ethernet PCI Adapter Driver;c:\windows\system32\drivers\AON325.sys [2/21/2003 4:25 PM 46976]
S3 iTivityODConnector;iTivity Live Support Connector Direct;c:\program files\iTivity\bin\connector_od.exe [4/6/2010 12:34 PM 299008]
S3 iTivityODConnectToIASConnector;iTivity Live Support Connector To IAS;c:\program files\iTivity\bin\connector_od.exe [4/6/2010 12:34 PM 299008]
S3 iTivityODController;iTivity Live Support Controller;c:\program files\iTivity\bin\processor_od.exe [4/6/2010 12:34 PM 237568]
S3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [11/17/2004 4:26 PM 15104]
S3 TridiaFTPServer;TridiaFTP Server;c:\program files\iTivity\bin\ftpd.exe [4/6/2010 12:34 PM 528448]
S3 tridiavnc;Tridia Screen Server;c:\program files\iTivity\bin\rfbd.exe [4/6/2010 12:34 PM 274432]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-07-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-29 22:27]

2010-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-14 18:30]

2010-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-14 18:30]

2010-07-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1026034599-3939155063-2809091464-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-17 14:56]

2010-07-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1026034599-3939155063-2809091464-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-17 14:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.yahoo.com/config/login?.page=p1&.partner=&.intl=us&.done=http%3a%2f%2fmy.yahoo.com%2findex.html&.src=my
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {{b234a570-7d2e-11d4-a4bd-0010a4c73bd0} - c:\program files\eBots\\eBzLjtPrn.exe
TCP: {4BD4F3EB-5658-4F24-A7A3-EF9FC566C4B1} = 151.164.11.201,151.164.1.8
TCP: {FF51B570-A98E-4D22-82B9-C9F63504606E} = 151.164.11.201,151.164.1.8
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} - hxxp://scpwnb.ops.placeware.com/etc/place/NOVEMBER/SCNpws-b2/5.1.7.413/lib/quicksilver.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\
FF - prefs.js: browser.startup.homepage - hxxp://login.yahoo.com/config/login?.page=p1&.partner=&.intl=us&.done=http%3a%2f%2fmy.yahoo.com%2findex.html&.src=my
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 9666
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 9666
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\brandon\Programs\Divx\DivX Content Uploader\npUpload.dll
FF - plugin: c:\brandon\Programs\Divx\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: c:\brandon\Programs\Divx\DivX Web Player\npdivx32.dll
FF - plugin: c:\brandon\Programs\Picasa\Picasa2\npPicasa2.dll
FF - plugin: c:\brandon\Programs\Picasa\Picasa2\npPicasa3.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin2.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin3.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin4.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin5.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin6.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin7.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-20 14:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84BC9208]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\Driver\ACPI -> ACPI.sys @ 0xf7416cb8
\Driver\atapi -> 0x84bc9208
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: NVIDIA nForce MCP Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf72c2bb0
PacketIndicateHandler -> NDIS.sys @ 0xf72cfa21
SendHandler -> NDIS.sys @ 0xf72ad87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 60 !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8AC0FFDC-D68A-4D5F-75BF0D842EDCB137}\{3647E330-7B13-5DC9-623E15C2DE512604}\{FDA52484-33A0-4DF1-40A7FB2F70E68E7D}*]
"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3296)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\WDBtnMgr.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Memeo\AutoBackupPro\MemeoBackup.exe
.
**************************************************************************
.
Completion time: 2010-07-20 14:52:10 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-20 19:52
ComboFix2.txt 2010-07-20 12:35
ComboFix3.txt 2010-07-19 15:07
ComboFix4.txt 2010-07-16 18:39
ComboFix5.txt 2010-07-20 19:03

Pre-Run: 81,858,887,680 bytes free
Post-Run: 81,848,512,512 bytes free

- - End Of File - - F08CD41183DD6AF01F0AD410E2FC2B47

Re-running ComboFix to remove infections:

1. Close any open browsers.
   
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
3. Open notepad and copy/paste the text in the quotebox below into it:
   

   
   TDL::
   c:\windows\system32\drivers\atapi.sys
   
   DDS::
   uInternet Settings,ProxyOverride =
   uInternet Settings,ProxyServer = http=127.0.0.1:5577
   
   

4. Save this as CFScript.txt, in the same location as ComboFix.exe
   
   
   
   
5. Referring to the picture above, drag CFScript into ComboFix.exe
   
6. When finished, it shall produce a log for you at C:\ComboFix.txt
   
7. Please post the contents of the log in your next reply.

I was not watching the progress of the scan. I came back to the computer and it had restarted and was waiting for me to log in. On login ComboFix did not start like it had before. I got an error message saying your system has recovered from a serious error.

Should I rerun ComboFix? I will wait for your reply.

Hi,

Can you navigate to C:\ and tell me if there are any logs there titled combofixX.txt where X is a number.

No log in C

Oh side note. Since we have started all this Outlook Express is wanting to compress files to save space all the time. This morning it even asked to do it when Express was not even open. Not sure if that helps but its not normal for me.

Please run combofix again with the instructions in post 22

Same result computer recover from serious error. I got the error log this time.

CF starts and get to the " scanning may take 10 minutes " part and no more progress on screen. Computer restarts and CF does not, no CF log on C.

Windows error report:

Files included in error report
C:\DOCUME~1\Owner\LOCALS~1\Temp\WER0cb3.dir00\Mini072210-01.dmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\WER0cb3.dir00\sysdata.xml


Error signature
BCCode : 1000008e BCP1 : C0000005 BCP2 : F7381AD4 BCP3 : B8832B10
BCP4 : 00000000 OSVer : 5_1_2600 SP : 3_0 Product : 768_1

Ok. Let's try this first and then follow up with CF.

RKill by Grinler
Version 1
Version 2

• Download Version 1.
  
• Save it to your Desktop.
  
• Double click the RKill desktop icon.
  If you are using Vista please right click and run as Admin!
  
• A black screen will briefly flash indicating a successful run.
  
• If this does not occur please delete that application and download Version 2.
  
• Continue process until the tool runs.
  
• If the tool does not run from any of the links tell me about it.
  

This only kills the active infection, the actual infection will not be gone.

had to use version two. rkill log

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Owner on 07/22/2010 at 13:05:10.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cenlpdstatus.exe
C:\Documents and Settings\Owner\Desktop\rkill.com


Rkill completed on 07/22/2010 at 13:05:17.


Same results with CF

error message

C:\DOCUME~1\Owner\LOCALS~1\Temp\WER02a7.dir00\Mini072210-02.dmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\WER02a7.dir00\sysdata.xml


error sig
BCCode : 1000008e BCP1 : C0000005 BCP2 : F7381AD4 BCP3 : B8A58B10
BCP4 : 00000000 OSVer : 5_1_2600 SP : 3_0 Product : 768_1

Did you attempt renaming it to commy.exe and then running it?

It is already commy.exe

Should I try running it without dropping the script into it?

Just a heads up. I'm going on vacation starting tomorrow, saturday. I will be back on the 4th and we can pick this back up then. Thanks for the help so far.

Hi hellbndr,

Let's see if we can make some headway before you leave for vacation. After talking to a few colleagues, it seems I overlooked something.

First, I need you to grab a fresh copy of Combofix from here

When dowloading please be sure you save it as fixthis.bat to your Desktop and the Save As type is set to All Files
========

Once fixthis.bat resides on your desktop:

Re-running ComboFix to remove infections:

1. Close any open browsers.
   
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
3. Open notepad and copy/paste the text in the quotebox below into it:
   

   
   FCopy::
   c:\windows\$NtServicePackUninstall$\atapi.sys | c:\windows\system32\drivers\atapi.sys
   
   DDS::
   uInternet Settings,ProxyOverride =
   uInternet Settings,ProxyServer = http=127.0.0.1:5577
   

4. Save this as CFScript.txt, in the same location as ComboFix.exe
   
   
   
   
5. Referring to the picture above, drag CFScript into fixthis.bat
   
6. When finished, it shall produce a log for you at C:\ComboFix.txt
   
7. Please post the contents of the log in your next reply.

link no work

dangit i post that reply and now it does. sorry

That was my fault. The link I grabbed came out garbled. I edited the post. Should be fine now

ComboFix 10-07-22.06 - Owner 07/23/2010 14:00:55.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.204 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\fixthis.bat
Command switches used :: c:\documents and settings\Owner\Desktop\CFscript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Desktop\fixthis.bat

Binary file c:\qoobox\lastrun\ndis_HDCntrl.old matches
Binary file c:\qoobox\lastrun\ndis_HDCntrl.old matches
Binary file c:\qoobox\lastrun\ndis_HDCntrl.old matches
Binary file c:\qoobox\lastrun\ndis_HDCntrl.old matches
Binary file c:\qoobox\lastrun\ndis_HDCntrl.old matches
.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-06-23 to 2010-07-23 )))))))))))))))))))))))))))))))
.

2010-07-22 23:12 . 2004-08-04 05:59 95360 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2010-07-22 23:12 . 2004-08-04 05:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-07-21 16:03 . 2010-07-21 16:03 -------- d-----w- c:\documents and settings\Owner\Application Data\Windows Search
2010-07-16 21:15 . 2010-07-16 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\MemeoCommon
2010-07-16 21:14 . 2010-07-16 21:15 -------- d-----w- C:\backups
2010-07-16 21:09 . 2010-07-16 21:09 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2010-07-16 21:07 . 2010-07-16 21:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Memeo
2010-07-16 21:07 . 2010-07-16 21:07 -------- d-----w- c:\program files\Common Files\Memeo
2010-07-16 21:07 . 2010-07-16 21:08 -------- d-----w- c:\program files\Memeo
2010-07-14 19:20 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-13 15:54 . 2010-07-13 15:54 -------- d-----w- c:\documents and settings\Owner\Application Data\Aim
2010-07-13 15:00 . 2010-07-13 15:00 22 --sha-w- c:\windows\Sys3390 SettingsCollection.bin
2010-07-12 15:54 . 2010-07-12 15:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-07-12 15:51 . 2010-07-12 15:51 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-12 15:51 . 2010-07-12 15:51 -------- d-----w- c:\program files\MSBuild
2010-07-12 15:51 . 2010-07-12 15:51 -------- d-----w- c:\program files\Reference Assemblies
2010-07-12 15:49 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-12 15:45 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-12 15:45 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-12 15:45 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-12 15:45 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-12 15:45 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-12 15:45 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-12 15:45 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-12 15:45 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-12 15:45 . 2010-07-12 15:49 -------- d-----w- C:\6a1e773ff39b71f88bac16
2010-07-12 15:20 . 2010-07-12 15:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Windows Desktop Search
2010-07-12 15:19 . 2010-07-14 08:32 -------- d-----w- c:\program files\Windows Desktop Search
2010-07-12 15:19 . 2010-07-12 15:19 -------- d-----w- c:\windows\system32\GroupPolicy
2010-07-12 15:18 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-07-12 15:18 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-07-12 15:18 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2010-07-12 14:52 . 2010-07-12 14:52 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-12 14:52 . 2010-07-12 14:52 -------- d-----w- c:\program files\Java
2010-07-02 15:51 . 2010-07-02 15:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-02 15:50 . 2010-07-02 15:50 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-02 13:36 . 2010-07-02 16:17 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ppjtchyja
2010-07-01 18:57 . 2010-07-01 18:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-07-01 18:57 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-01 18:57 . 2010-07-01 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-01 18:57 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-29 23:37 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-22 19:09 . 2003-01-03 13:49 -------- d-----w- c:\program files\Ahead
2010-07-14 15:34 . 2010-02-11 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-13 15:18 . 2005-05-23 13:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-13 15:00 . 2010-07-13 15:00 22 --sha-w- c:\documents and settings\Owner\Application Data\Sys6925.Config Collection.sys
2010-07-13 15:00 . 2010-07-13 15:00 22 --sha-w- c:\documents and settings\Owner\Application Data\Sys6925.Config Collection.sys
2010-07-13 13:22 . 2004-10-07 13:29 121216 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-12 17:49 . 2005-10-10 18:36 -------- d-----w- c:\program files\Microsoft.NET
2010-07-12 14:52 . 2010-07-12 14:52 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-17336408-n\msvcp71.dll
2010-07-12 14:52 . 2010-07-12 14:52 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-17336408-n\jmc.dll
2010-07-12 14:52 . 2010-07-12 14:52 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-17336408-n\msvcr71.dll
2010-07-12 14:52 . 2003-01-03 13:44 -------- d-----w- c:\program files\Common Files\Java
2010-07-12 14:52 . 2010-07-12 14:52 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-29f31e9f-n\decora-sse.dll
2010-07-12 14:52 . 2010-07-12 14:52 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-29f31e9f-n\decora-d3d.dll
2010-06-29 14:43 . 2008-06-17 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-14 14:31 . 2003-01-03 12:54 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-11 21:51 . 2010-06-11 21:51 3055600 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 21:36 . 2010-06-11 21:36 275952 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-05-23 22:50 . 2010-06-30 19:31 73216 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
2010-05-06 10:41 . 2006-06-23 17:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2003-01-03 11:42 1851264 ----a-w- c:\windows\system32\win32k.sys
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[-] 2004-08-04 05:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
[-] 2003-03-31 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-17 68856]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-17 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-03-09 7561216]
"nwiz"="nwiz.exe" [2006-03-09 1519616]
"WD Button Manager"="WDBtnMgr.exe" [2005-07-01 331776]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-03-09 86016]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"QuickTime Task"="c:\brandon\Programs\quick\QTTask.exe" [2009-05-26 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"WinVNC"="c:\program files\iTivity\bin\rfbd.exe" [2005-03-25 274432]
"iTivityODConnector"="c:\program files\iTivity\bin\connector_od.exe" [2006-11-13 299008]
"tridiavnc"="c:\program files\iTivity\bin\rfbd.exe" [2005-03-25 274432]
"iTivityODController"="c:\program files\iTivity\bin\processor_od.exe" [2006-11-13 237568]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Memeo Backup Pro"="c:\program files\Memeo\AutoBackupPro\MemeoLauncher2.exe" [2010-04-09 136416]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\brandon\Programs\Picasa\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2004-2-24 10872]
Cenlpdstatus.exe [2002-9-9 102400]
FTP Utility.lnk - c:\program files\KONICA MINOLTA\FTP Utility\KMFtp.exe [2004-10-27 102400]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cenlpdstatus.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cenlpdstatus.exe
backup=c:\windows\pss\Cenlpdstatus.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
2004-05-18 02:30 543232 ----a-w- c:\windows\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
2003-09-19 17:09 36864 ----a-w- c:\windows\ShowWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\KONICA MINOLTA\\FTP Utility\\KMFtp.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\MSACCESS.EXE"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7303:UDP"= 7303:UDP:Control Center UDP Port

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [10/27/2005 3:31 PM 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [10/27/2005 3:31 PM 5248]
R2 CenLPD;CenLPD;c:\program files\Century\TinyTERM\NetUtils\CenLPD.exe [10/7/2004 8:07 AM 102400]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackupPro\MemeoBackgroundService.exe [4/9/2010 4:19 PM 25824]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [11/17/2004 3:56 PM 23200]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate1c9d4c2231e140c;Google Update Service (gupdate1c9d4c2231e140c);c:\program files\Google\Update\GoogleUpdate.exe [5/14/2009 1:30 PM 133104]
S3 AON325;AOpen AON-325 10/100M Fast Ethernet PCI Adapter Driver;c:\windows\system32\drivers\AON325.sys [2/21/2003 4:25 PM 46976]
S3 iTivityODConnector;iTivity Live Support Connector Direct;c:\program files\iTivity\bin\connector_od.exe [4/6/2010 12:34 PM 299008]
S3 iTivityODConnectToIASConnector;iTivity Live Support Connector To IAS;c:\program files\iTivity\bin\connector_od.exe [4/6/2010 12:34 PM 299008]
S3 iTivityODController;iTivity Live Support Controller;c:\program files\iTivity\bin\processor_od.exe [4/6/2010 12:34 PM 237568]
S3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [11/17/2004 4:26 PM 15104]
S3 TridiaFTPServer;TridiaFTP Server;c:\program files\iTivity\bin\ftpd.exe [4/6/2010 12:34 PM 528448]
S3 tridiavnc;Tridia Screen Server;c:\program files\iTivity\bin\rfbd.exe [4/6/2010 12:34 PM 274432]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-07-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-29 22:27]

2010-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-14 18:30]

2010-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-14 18:30]

2010-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1026034599-3939155063-2809091464-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-17 14:56]

2010-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1026034599-3939155063-2809091464-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-17 14:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.yahoo.com/config/login?.page=p1&.partner=&.intl=us&.done=http%3a%2f%2fmy.yahoo.com%2findex.html&.src=my
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {{b234a570-7d2e-11d4-a4bd-0010a4c73bd0} - c:\program files\eBots\\eBzLjtPrn.exe
TCP: {4BD4F3EB-5658-4F24-A7A3-EF9FC566C4B1} = 151.164.11.201,151.164.1.8
TCP: {FF51B570-A98E-4D22-82B9-C9F63504606E} = 151.164.11.201,151.164.1.8
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} - hxxp://scpwnb.ops.placeware.com/etc/place/NOVEMBER/SCNpws-b2/5.1.7.413/lib/quicksilver.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\
FF - prefs.js: browser.startup.homepage - hxxp://login.yahoo.com/config/login?.page=p1&.partner=&.intl=us&.done=http%3a%2f%2fmy.yahoo.com%2findex.html&.src=my
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 9666
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 9666
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\brandon\Programs\Divx\DivX Content Uploader\npUpload.dll
FF - plugin: c:\brandon\Programs\Divx\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: c:\brandon\Programs\Divx\DivX Web Player\npdivx32.dll
FF - plugin: c:\brandon\Programs\Picasa\Picasa2\npPicasa2.dll
FF - plugin: c:\brandon\Programs\Picasa\Picasa2\npPicasa3.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin2.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin3.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin4.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin5.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin6.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin7.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-23 14:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84BD1230]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\Driver\ACPI -> ACPI.sys @ 0xf7416cb8
\Driver\atapi -> 0x84bd1230
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: NVIDIA nForce MCP Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf72c2bb0
PacketIndicateHandler -> NDIS.sys @ 0xf72cfa21
SendHandler -> NDIS.sys @ 0xf72ad87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 60 !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8AC0FFDC-D68A-4D5F-75BF0D842EDCB137}\{3647E330-7B13-5DC9-623E15C2DE512604}\{FDA52484-33A0-4DF1-40A7FB2F70E68E7D}*]
"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1864)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\WDBtnMgr.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Memeo\AutoBackupPro\MemeoBackup.exe
.
**************************************************************************
.
Completion time: 2010-07-23 14:22:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-23 19:22
ComboFix2.txt 2010-07-20 19:52
ComboFix3.txt 2010-07-20 12:35
ComboFix4.txt 2010-07-19 15:07
ComboFix5.txt 2010-07-21 13:58

Pre-Run: 83,140,280,320 bytes free
Post-Run: 83,180,904,448 bytes free

- - End Of File - - 28F1078384D33DD776B93355E9D6F4FC

Hi,

Looks like a really nasty infection here.

Please download Bootkit Remover by eSage Lab from here.

NOTE: This is a file compressed with Winrar. If you do not have the means to unpack it, you can download and install 7-zip from here.

• Unpack remover.exe from the bootkit_remover.rar archive and save it to your Desktop
  
• Doubleclick remover.exe to run the tool
  
• A DOS window will open with the results of the scan
  
• Rightclick that window and choose Select all
  
• Simultaneously press [CTRL] + C (copy) and paste the text in your next reply.
  

ComboFix 10-07-22.06 - Owner 07/23/2010 14:00:55.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.204 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\fixthis.bat
Command switches used :: c:\documents and settings\Owner\Desktop\CFscript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Desktop\fixthis.bat

Binary file c:\qoobox\lastrun\ndis_HDCntrl.old matches
Binary file c:\qoobox\lastrun\ndis_HDCntrl.old matches
Binary file c:\qoobox\lastrun\ndis_HDCntrl.old matches
Binary file c:\qoobox\lastrun\ndis_HDCntrl.old matches
Binary file c:\qoobox\lastrun\ndis_HDCntrl.old matches
.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-06-23 to 2010-07-23 )))))))))))))))))))))))))))))))
.

2010-07-22 23:12 . 2004-08-04 05:59 95360 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2010-07-22 23:12 . 2004-08-04 05:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-07-21 16:03 . 2010-07-21 16:03 -------- d-----w- c:\documents and settings\Owner\Application Data\Windows Search
2010-07-16 21:15 . 2010-07-16 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\MemeoCommon
2010-07-16 21:14 . 2010-07-16 21:15 -------- d-----w- C:\backups
2010-07-16 21:09 . 2010-07-16 21:09 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2010-07-16 21:07 . 2010-07-16 21:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Memeo
2010-07-16 21:07 . 2010-07-16 21:07 -------- d-----w- c:\program files\Common Files\Memeo
2010-07-16 21:07 . 2010-07-16 21:08 -------- d-----w- c:\program files\Memeo
2010-07-14 19:20 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-13 15:54 . 2010-07-13 15:54 -------- d-----w- c:\documents and settings\Owner\Application Data\Aim
2010-07-13 15:00 . 2010-07-13 15:00 22 --sha-w- c:\windows\Sys3390 SettingsCollection.bin
2010-07-12 15:54 . 2010-07-12 15:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-07-12 15:51 . 2010-07-12 15:51 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-12 15:51 . 2010-07-12 15:51 -------- d-----w- c:\program files\MSBuild
2010-07-12 15:51 . 2010-07-12 15:51 -------- d-----w- c:\program files\Reference Assemblies
2010-07-12 15:49 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-12 15:45 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-12 15:45 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-12 15:45 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-12 15:45 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-12 15:45 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-12 15:45 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-12 15:45 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-12 15:45 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-12 15:45 . 2010-07-12 15:49 -------- d-----w- C:\6a1e773ff39b71f88bac16
2010-07-12 15:20 . 2010-07-12 15:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Windows Desktop Search
2010-07-12 15:19 . 2010-07-14 08:32 -------- d-----w- c:\program files\Windows Desktop Search
2010-07-12 15:19 . 2010-07-12 15:19 -------- d-----w- c:\windows\system32\GroupPolicy
2010-07-12 15:18 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-07-12 15:18 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-07-12 15:18 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2010-07-12 14:52 . 2010-07-12 14:52 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-12 14:52 . 2010-07-12 14:52 -------- d-----w- c:\program files\Java
2010-07-02 15:51 . 2010-07-02 15:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-02 15:50 . 2010-07-02 15:50 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-02 13:36 . 2010-07-02 16:17 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ppjtchyja
2010-07-01 18:57 . 2010-07-01 18:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-07-01 18:57 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-01 18:57 . 2010-07-01 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-01 18:57 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-29 23:37 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-22 19:09 . 2003-01-03 13:49 -------- d-----w- c:\program files\Ahead
2010-07-14 15:34 . 2010-02-11 15:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-13 15:18 . 2005-05-23 13:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-13 15:00 . 2010-07-13 15:00 22 --sha-w- c:\documents and settings\Owner\Application Data\Sys6925.Config Collection.sys
2010-07-13 15:00 . 2010-07-13 15:00 22 --sha-w- c:\documents and settings\Owner\Application Data\Sys6925.Config Collection.sys
2010-07-13 13:22 . 2004-10-07 13:29 121216 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-12 17:49 . 2005-10-10 18:36 -------- d-----w- c:\program files\Microsoft.NET
2010-07-12 14:52 . 2010-07-12 14:52 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-17336408-n\msvcp71.dll
2010-07-12 14:52 . 2010-07-12 14:52 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-17336408-n\jmc.dll
2010-07-12 14:52 . 2010-07-12 14:52 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-17336408-n\msvcr71.dll
2010-07-12 14:52 . 2003-01-03 13:44 -------- d-----w- c:\program files\Common Files\Java
2010-07-12 14:52 . 2010-07-12 14:52 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-29f31e9f-n\decora-sse.dll
2010-07-12 14:52 . 2010-07-12 14:52 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-29f31e9f-n\decora-d3d.dll
2010-06-29 14:43 . 2008-06-17 19:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-14 14:31 . 2003-01-03 12:54 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-11 21:51 . 2010-06-11 21:51 3055600 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 21:36 . 2010-06-11 21:36 275952 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-05-23 22:50 . 2010-06-30 19:31 73216 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
2010-05-06 10:41 . 2006-06-23 17:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2003-01-03 11:42 1851264 ----a-w- c:\windows\system32\win32k.sys
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\atapi.sys
[-] 2004-08-04 05:59 . !HASH: COULD NOT OPEN FILE !!!!! . 95360 . . [------] . . c:\windows\system32\drivers\atapi.sys
[-] 2003-03-31 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-17 68856]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-17 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-03-09 7561216]
"nwiz"="nwiz.exe" [2006-03-09 1519616]
"WD Button Manager"="WDBtnMgr.exe" [2005-07-01 331776]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-03-09 86016]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"QuickTime Task"="c:\brandon\Programs\quick\QTTask.exe" [2009-05-26 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"WinVNC"="c:\program files\iTivity\bin\rfbd.exe" [2005-03-25 274432]
"iTivityODConnector"="c:\program files\iTivity\bin\connector_od.exe" [2006-11-13 299008]
"tridiavnc"="c:\program files\iTivity\bin\rfbd.exe" [2005-03-25 274432]
"iTivityODController"="c:\program files\iTivity\bin\processor_od.exe" [2006-11-13 237568]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Memeo Backup Pro"="c:\program files\Memeo\AutoBackupPro\MemeoLauncher2.exe" [2010-04-09 136416]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\brandon\Programs\Picasa\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2004-2-24 10872]
Cenlpdstatus.exe [2002-9-9 102400]
FTP Utility.lnk - c:\program files\KONICA MINOLTA\FTP Utility\KMFtp.exe [2004-10-27 102400]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cenlpdstatus.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cenlpdstatus.exe
backup=c:\windows\pss\Cenlpdstatus.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
2004-05-18 02:30 543232 ----a-w- c:\windows\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
2003-09-19 17:09 36864 ----a-w- c:\windows\ShowWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\KONICA MINOLTA\\FTP Utility\\KMFtp.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\MSACCESS.EXE"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7303:UDP"= 7303:UDP:Control Center UDP Port

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [10/27/2005 3:31 PM 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [10/27/2005 3:31 PM 5248]
R2 CenLPD;CenLPD;c:\program files\Century\TinyTERM\NetUtils\CenLPD.exe [10/7/2004 8:07 AM 102400]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackupPro\MemeoBackgroundService.exe [4/9/2010 4:19 PM 25824]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [11/17/2004 3:56 PM 23200]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate1c9d4c2231e140c;Google Update Service (gupdate1c9d4c2231e140c);c:\program files\Google\Update\GoogleUpdate.exe [5/14/2009 1:30 PM 133104]
S3 AON325;AOpen AON-325 10/100M Fast Ethernet PCI Adapter Driver;c:\windows\system32\drivers\AON325.sys [2/21/2003 4:25 PM 46976]
S3 iTivityODConnector;iTivity Live Support Connector Direct;c:\program files\iTivity\bin\connector_od.exe [4/6/2010 12:34 PM 299008]
S3 iTivityODConnectToIASConnector;iTivity Live Support Connector To IAS;c:\program files\iTivity\bin\connector_od.exe [4/6/2010 12:34 PM 299008]
S3 iTivityODController;iTivity Live Support Controller;c:\program files\iTivity\bin\processor_od.exe [4/6/2010 12:34 PM 237568]
S3 pmxscan;Visioneer USB Kernel;c:\windows\system32\drivers\usbscan.sys [11/17/2004 4:26 PM 15104]
S3 TridiaFTPServer;TridiaFTP Server;c:\program files\iTivity\bin\ftpd.exe [4/6/2010 12:34 PM 528448]
S3 tridiavnc;Tridia Screen Server;c:\program files\iTivity\bin\rfbd.exe [4/6/2010 12:34 PM 274432]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-07-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-29 22:27]

2010-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-14 18:30]

2010-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-14 18:30]

2010-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1026034599-3939155063-2809091464-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-17 14:56]

2010-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1026034599-3939155063-2809091464-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-17 14:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.yahoo.com/config/login?.page=p1&.partner=&.intl=us&.done=http%3a%2f%2fmy.yahoo.com%2findex.html&.src=my
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {{b234a570-7d2e-11d4-a4bd-0010a4c73bd0} - c:\program files\eBots\\eBzLjtPrn.exe
TCP: {4BD4F3EB-5658-4F24-A7A3-EF9FC566C4B1} = 151.164.11.201,151.164.1.8
TCP: {FF51B570-A98E-4D22-82B9-C9F63504606E} = 151.164.11.201,151.164.1.8
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} - hxxp://scpwnb.ops.placeware.com/etc/place/NOVEMBER/SCNpws-b2/5.1.7.413/lib/quicksilver.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\
FF - prefs.js: browser.startup.homepage - hxxp://login.yahoo.com/config/login?.page=p1&.partner=&.intl=us&.done=http%3a%2f%2fmy.yahoo.com%2findex.html&.src=my
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 9666
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 9666
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\e4yu3lx9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\brandon\Programs\Divx\DivX Content Uploader\npUpload.dll
FF - plugin: c:\brandon\Programs\Divx\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: c:\brandon\Programs\Divx\DivX Web Player\npdivx32.dll
FF - plugin: c:\brandon\Programs\Picasa\Picasa2\npPicasa2.dll
FF - plugin: c:\brandon\Programs\Picasa\Picasa2\npPicasa3.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin2.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin3.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin4.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin5.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin6.dll
FF - plugin: c:\brandon\Programs\quick\Plugins\npqtplugin7.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-23 14:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84BD1230]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\Driver\ACPI -> ACPI.sys @ 0xf7416cb8
\Driver\atapi -> 0x84bd1230
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: NVIDIA nForce MCP Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf72c2bb0
PacketIndicateHandler -> NDIS.sys @ 0xf72cfa21
SendHandler -> NDIS.sys @ 0xf72ad87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 60 !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8AC0FFDC-D68A-4D5F-75BF0D842EDCB137}\{3647E330-7B13-5DC9-623E15C2DE512604}\{FDA52484-33A0-4DF1-40A7FB2F70E68E7D}*]
"SE4K5INHHR1EDZYY15BVZC6TKG1"=hex:01,00,01,00,00,00,00,00,7e,c3,c3,8e,86,b4,21,
5e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1864)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\WDBtnMgr.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Memeo\AutoBackupPro\MemeoBackup.exe
.
**************************************************************************
.
Completion time: 2010-07-23 14:22:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-23 19:22
ComboFix2.txt 2010-07-20 19:52
ComboFix3.txt 2010-07-20 12:35
ComboFix4.txt 2010-07-19 15:07
ComboFix5.txt 2010-07-21 13:58

Pre-Run: 83,140,280,320 bytes free
Post-Run: 83,180,904,448 bytes free

- - End Of File - - 28F1078384D33DD776B93355E9D6F4FC

crap sorry wrong thing pasted

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...

Whew! No Bootkit.

• Download TDSSKiller and save it to your Desktop.
  
• Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  
• Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)
  
  
  "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  
• If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  
• It may ask you to reboot the computer to complete the process. Allow it to do so.
  
• When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.
  

I get an error. Valid line command

When copying this command? %userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

Is tdsskiller on your desktop?

yes it is. i copied what you just typed and tried again. now i get a different error. says Windows cant find C:\Documents

Hi again,

Please ensure you've got the command copied correctly. Since tdsskiller is saved in the right spot it should go off fine

Ah you missed the front " in what you typed in your last message. thats why there was a different error message.

yea copied from your post. same error

Are you copying with or without quotes?