eminm3

anything suspicious here?


Hi, new member here. I have followed this link [url="http://www.lavasoftsupport.com/index.php?showtopic=13639"]http://www.lavasoftsupport.com/index.php?showtopic=13639[/url] and here are my results; is there anything suspicious here? I have been unable to update Ad-Aware, and also when clicking on links to sites etc. it sometimes takes me to other sites.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:58:02 PM, on 9/14/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\Sminst\Recguard.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url="http://www.hp.com"]http://www.hp.com[/url]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [url="http://www.hp.com/"]http://www.hp.com/[/url]
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKCU\..\Run: [{01207D10-FE90-7969-7414-1EC11C8AFFC5}] "C:\Documents and Settings\Administrator\Application Data\Akan\hoity.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {00000035-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms35 Class) - [url="https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall35.cab"]https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall35.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\..\{072035AE-B8C7-4BA2-BF2F-CBEE4214105F}: NameServer = 93.188.163.182,93.188.166.182
O17 - HKLM\System\CCS\Services\Tcpip\..\{980CFE38-C04D-4EA8-83DD-9FF677A32BB4}: NameServer = 93.188.163.182,93.188.166.182
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.182,93.188.166.182
O17 - HKLM\System\CS1\Services\Tcpip\..\{072035AE-B8C7-4BA2-BF2F-CBEE4214105F}: NameServer = 93.188.163.182,93.188.166.182
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.163.182,93.188.166.182
O17 - HKLM\System\CS2\Services\Tcpip\..\{072035AE-B8C7-4BA2-BF2F-CBEE4214105F}: NameServer = 93.188.163.182,93.188.166.182
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.182,93.188.166.182
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

--
End of file - 9298 bytes

Download ComboFix here:

[url="http://download.bleepingcomputer.com/sUBs/ComboFix.exe"][b][color="blue"]Link 1[/color][/b][/url]
[url="http://www.forospyware.com/sUBs/ComboFix.exe"][b][color="blue"]Link 2[/color][/b][/url]


[color="purple"][b]* IMPORTANT !!! Save ComboFix.exe to your Desktop[/b][/color]

[list]
[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

[url="http://www.bleepingcomputer.com/forums/topic114351.html"][b]Click me[/b][/url]


[*]Double click on ComboFix.exe & follow the prompts.


[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
[/list]
[color="blue"]**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.[/color]


[center][img]http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif[/img][/center]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[img]http://img.photobucket.com/albums/v706/ried7/whatnext.png[/img]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the [b]C:\ComboFix.txt[/b] log in your next reply.

Hi, thanks for the reply. I have downloaded ComboFix, but when I double click on it, I get the prompt "run this program", and when I click on run, nothing happens?

Thanks, here is the report, it's quite long!

ComboFix 10-09-14.05 - Administrator 09/15/2010 19:48:42.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1919.1518 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\vchost.com.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\Akan
c:\documents and settings\Administrator\Application Data\Akan\hoity.exe
C:\tt.com

Infected copy of c:\windows\system32\drivers\intelide.sys was found and disinfected
Restored copy from - Kitty had a snack :o
.
((((((((((((((((((((((((( Files Created from 2010-08-15 to 2010-09-15 )))))))))))))))))))))))))))))))
.

2010-09-15 17:38 . 2003-03-25 07:32 94208 ----a-w- c:\windows\system32\scapflex.dll
2010-09-15 17:38 . 2003-03-25 07:32 69632 ----a-w- c:\windows\system32\gpa.dll
2010-09-15 17:38 . 2003-03-25 07:32 65536 ----a-w- c:\windows\system32\scagplus.dll
2010-09-15 17:38 . 2003-03-25 07:32 65536 ----a-w- c:\windows\system32\scagpl8k.dll
2010-09-15 17:38 . 2003-03-25 07:32 57344 ----a-w- c:\windows\system32\gparm.dll
2010-09-15 17:38 . 2003-03-25 07:32 471040 ----a-w- c:\windows\system32\eppgplus.dll
2010-09-15 17:38 . 2003-03-25 07:32 471040 ----a-w- c:\windows\system32\eppgpl8k.dll
2010-09-15 17:38 . 2003-03-25 07:32 36864 ----a-w- c:\windows\system32\msgeppg1.dll
2010-09-15 17:38 . 2003-03-25 07:32 24576 ----a-w- c:\windows\system32\std201mt.dll
2010-09-15 17:38 . 2003-03-25 07:32 163840 ----a-w- c:\windows\system32\epppflex.dll
2010-09-15 17:38 . 2003-03-25 07:32 139264 ----a-w- c:\windows\system32\gpatools.dll
2010-09-15 17:38 . 2003-03-25 07:32 12288 ----a-w- c:\windows\system32\hp-common-msg.dll
2010-09-15 17:28 . 2005-07-05 07:18 32768 ------w- c:\windows\biwlandrvxpver.dll
2010-09-15 17:25 . 2006-02-07 09:33 9728 ------w- c:\windows\HPNICVersion.dll
2010-09-15 17:25 . 2010-09-15 17:28 -------- d-----w- c:\program files\Broadcom
2010-09-14 18:57 . 2010-09-14 18:57 -------- d-----w- c:\program files\Trend Micro
2010-09-05 13:54 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-05 13:54 . 2010-09-05 13:54 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-04 17:49 . 2010-09-04 17:49 -------- d-----w- c:\windows\system32\wbem\Repository
2010-09-03 13:29 . 2010-09-03 13:29 -------- d-----w- C:\spoolerlogs
2010-08-27 16:59 . 2010-08-27 16:59 -------- d-----w- c:\windows\Sun
2010-08-25 19:52 . 2010-08-25 19:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\PrimoPDF
2010-08-23 16:56 . 2010-08-23 16:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-22 21:05 . 2010-08-22 21:05 -------- d-----w- c:\windows\system32\XPSViewer
2010-08-22 21:05 . 2010-08-22 21:05 -------- d-----w- c:\program files\MSBuild
2010-08-22 21:04 . 2010-08-22 21:04 -------- d-----w- c:\program files\Reference Assemblies
2010-08-22 21:04 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-08-22 21:04 . 2010-08-22 21:04 -------- d-----w- C:\fefafe34f6af767acf1b5fd492b201
2010-08-22 21:04 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-08-22 21:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-08-22 21:04 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-08-22 21:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-08-22 21:04 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-08-22 21:04 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-08-22 21:04 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-08-22 21:04 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-08-22 21:00 . 2010-08-22 21:00 -------- d-----w- c:\program files\MSXML 6.0
2010-08-22 14:24 . 2010-08-22 14:24 -------- d-----w- c:\windows\ServicePackFiles
2010-08-22 14:23 . 2010-08-22 14:23 -------- d-----w- c:\program files\MSXML 4.0
2010-08-22 14:11 . 2010-08-22 14:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Trusteer
2010-08-22 14:11 . 2010-08-22 14:11 -------- d-----w- c:\program files\Trusteer
2010-08-22 14:10 . 2010-08-22 14:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2010-08-22 10:28 . 2009-10-15 17:21 82432 ------w- c:\windows\system32\dllcache\fontsub.dll
2010-08-22 10:28 . 2009-06-21 22:04 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2010-08-22 10:27 . 2009-10-23 14:27 3555328 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-08-22 10:27 . 2008-05-08 12:28 202752 ------w- c:\windows\system32\dllcache\rmcast.sys
2010-08-22 10:27 . 2008-05-01 14:30 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2010-08-22 10:26 . 2009-11-21 16:36 470528 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-08-22 10:26 . 2010-06-14 14:30 743936 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-22 10:18 . 2008-10-15 16:57 332800 ------w- c:\windows\system32\dllcache\netapi32.dll
2010-08-21 16:39 . 2009-12-21 01:42 176235 ----a-w- c:\windows\system32\Primomonnt.dll
2010-08-21 16:39 . 2010-08-21 16:39 -------- d-----w- c:\program files\Nitro PDF
2010-08-21 10:12 . 2010-09-03 19:34 -------- d-----w- c:\program files\lx_cats
2010-08-21 10:12 . 2006-03-23 02:33 40960 ----a-w- c:\windows\system32\lxcyvs.dll
2010-08-21 10:12 . 2006-11-27 01:50 117760 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\lxcypp5c.dll
2010-08-21 10:12 . 2006-11-07 10:30 344064 ----a-w- c:\windows\system32\lxcycoin.dll
2010-08-21 10:12 . 2004-08-03 21:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-08-21 10:12 . 2004-08-03 21:58 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2010-08-21 10:12 . 2001-08-17 21:36 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2010-08-21 10:12 . 2001-08-17 21:36 87040 ----a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-08-21 10:12 . 2006-08-14 15:07 65536 ----a-w- c:\windows\system32\lxcycaps.dll
2010-08-21 10:12 . 2006-08-08 13:58 692224 ----a-w- c:\windows\system32\lxcydrs.dll
2010-08-21 09:53 . 2010-08-21 09:53 -------- d-----w- C:\temp
2010-08-21 08:08 . 2010-08-21 08:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2010-08-21 07:28 . 2010-08-22 10:17 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-08-21 07:28 . 2009-12-14 07:35 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2010-08-21 07:26 . 2010-01-29 15:08 683520 ------w- c:\windows\system32\dllcache\inetcomm.dll
2010-08-21 07:25 . 2010-02-24 12:31 454016 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-08-21 07:17 . 2010-05-02 05:56 1850880 ------w- c:\windows\system32\dllcache\win32k.sys
2010-08-20 20:51 . 2010-08-20 21:57 -------- d-----w- c:\program files\Win 32. Trojan PWS. Magania Removal Tool
2010-08-20 19:33 . 2010-08-20 19:33 -------- d-----w- c:\windows\system32\LogFiles
2010-08-20 19:16 . 2008-04-21 10:02 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-08-20 19:15 . 2010-01-13 14:10 85504 ------w- c:\windows\system32\dllcache\cabview.dll
2010-08-20 19:10 . 2010-08-20 19:10 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-20 18:56 . 2010-08-20 18:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Sunbelt Software
2010-08-20 18:54 . 2010-09-05 13:44 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0
2010-08-20 18:54 . 2010-09-05 13:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-08-20 18:54 . 2010-08-20 18:54 -------- d-----w- c:\program files\Lavasoft
2010-08-20 18:34 . 2010-08-20 18:34 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2010-08-20 18:33 . 2010-08-20 18:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-08-20 14:56 . 2010-08-20 14:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\HPVirtualRooms
2010-08-20 14:50 . 2010-08-23 16:21 35152 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-20 13:51 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-08-20 13:51 . 2009-07-31 04:57 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2010-08-20 07:42 . 2010-08-21 08:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-08-20 07:42 . 2010-08-20 07:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2010-08-20 07:41 . 2010-08-20 07:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2010-08-20 07:41 . 2010-09-15 17:36 -------- d-----w- c:\program files\Google
2010-08-20 07:40 . 2010-08-20 07:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Infineon
2010-08-20 07:40 . 2010-08-20 07:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Infineon
2010-08-20 07:39 . 2010-08-20 07:39 -------- d-----w- c:\program files\ProtectTools
2010-08-20 07:37 . 2010-09-15 17:24 -------- d-----w- c:\windows\tiinst
2010-08-20 07:37 . 2002-11-21 17:57 204800 ----a-w- c:\windows\system32\IVIresizeW7.dll
2010-08-20 07:37 . 2002-11-21 17:57 200704 ----a-w- c:\windows\system32\IVIresizeA6.dll
2010-08-20 07:37 . 2002-11-21 17:57 192512 ----a-w- c:\windows\system32\IVIresizeP6.dll
2010-08-20 07:37 . 2002-11-21 17:57 192512 ----a-w- c:\windows\system32\IVIresizeM6.dll
2010-08-20 07:37 . 2002-11-21 17:57 188416 ----a-w- c:\windows\system32\IVIresizePX.dll
2010-08-20 07:37 . 2002-11-21 17:57 20480 ----a-w- c:\windows\system32\IVIresize.dll
2010-08-20 07:36 . 2010-09-15 17:41 -------- d-----w- c:\program files\InterVideo
2010-08-20 07:35 . 2010-08-20 07:35 -------- d-----w- c:\program files\AuthenTec
2010-08-20 07:34 . 2010-08-20 06:58 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec
2010-08-20 07:34 . 2010-08-20 06:58 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\ATI
2010-08-20 07:34 . 2006-07-11 06:35 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView
2010-08-20 07:33 . 2010-08-20 07:33 -------- d-----w- c:\program files\Program Shortcuts
2010-08-20 07:30 . 2004-08-04 13:00 185344 ----a-w- c:\windows\system32\Thawbrkr.dll
2010-08-20 07:30 . 2004-08-04 13:00 10752 ----a-w- c:\windows\system32\c_iscii.dll
2010-08-20 07:30 . 2004-08-04 13:00 5632 ----a-w- c:\windows\system32\kbdusa.dll
2010-08-20 07:30 . 2004-08-04 13:00 6144 ----a-w- c:\windows\system32\ftlx041e.dll
2010-08-20 07:24 . 2010-08-20 07:24 -------- d-----w- c:\windows\i386
2010-08-20 07:06 . 2010-08-20 07:54 -------- d-----w- c:\windows\system32\NtmsData
2010-08-20 07:04 . 2010-09-04 17:49 -------- d--h--w- c:\windows\system32\78D80E
2010-08-20 07:04 . 2010-08-20 19:20 -------- d--h--w- c:\windows\system32\3958AB
2010-08-20 07:04 . 2010-08-20 07:20 -------- d--h--w- c:\windows\system32\6BD97A
2010-08-20 07:04 . 2010-08-20 07:20 -------- d--h--w- c:\windows\system32\53BB40

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-15 17:38 . 2006-07-11 05:40 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-15 17:38 . 2006-07-11 05:40 -------- d-----w- c:\program files\Hewlett-Packard
2010-09-15 17:20 . 2010-09-15 17:20 848 ----a-w- c:\windows\system32\drivers\OCA_LOG.TXT
2010-09-14 18:57 . 2010-09-14 18:57 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-08 06:39 . 2009-04-08 21:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yqnae
2010-08-21 10:13 . 2010-08-21 10:11 -------- d-----w- c:\program files\Lexmark Toolbar
2010-08-21 10:11 . 2010-08-21 10:11 -------- d-----w- c:\program files\Lexmark 3400 Series
2010-08-20 19:13 . 2006-07-11 06:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-08-20 19:13 . 2006-07-11 06:07 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-08-20 07:29 . 2006-07-11 05:40 -------- d-----w- c:\program files\HPQ
2010-08-20 07:17 . 2006-07-11 06:12 -------- d-----w- c:\program files\Windows Media Connect
2010-08-20 07:16 . 2006-07-11 05:59 -------- d-----w- c:\program files\Sonic
2010-08-20 07:15 . 2006-07-11 05:30 -------- d-----w- c:\program files\microsoft frontpage
2010-08-20 07:15 . 2006-07-11 05:57 -------- d-----w- c:\program files\Hp
2010-08-20 07:15 . 2006-07-11 06:12 -------- d-----w- c:\program files\Fingerprint Sensor
2010-08-20 07:15 . 2006-07-11 05:41 -------- d-----w- c:\program files\DIFX
2010-08-20 07:15 . 2006-07-11 06:00 -------- d-----w- c:\program files\Common Files\TiVo Shared
2010-08-20 07:15 . 2006-07-11 05:42 -------- d-----w- c:\program files\CONEXANT
2010-08-20 07:14 . 2006-07-11 06:00 -------- d-----w- c:\program files\Common Files\SureThing Shared
2010-08-20 07:14 . 2006-07-11 05:59 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-08-20 07:14 . 2006-07-11 06:11 -------- d-----w- c:\program files\Common Files\LightScribe
2010-08-20 07:14 . 2006-07-11 05:56 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-20 07:14 . 2006-07-11 05:40 -------- d-----w- c:\program files\Common Files\InstallShield
2010-08-20 07:01 . 2006-07-11 05:42 -------- d-----w- c:\program files\Analog Devices
2010-08-20 06:58 . 2006-07-11 05:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SBSI
2010-08-20 06:58 . 2006-07-11 06:01 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2010-08-20 06:58 . 2006-07-11 05:57 -------- d-----w- c:\documents and settings\All Users\Application Data\hpqLog
2010-08-20 06:58 . 2006-07-11 06:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\ATI
2010-08-20 06:34 . 2010-08-20 06:34 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Infineon
2010-08-20 00:16 . 2010-08-20 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-08-19 23:59 . 2010-08-19 23:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sonic
2010-08-19 23:58 . 2010-08-19 23:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Leadertech
2010-08-19 23:58 . 2006-07-11 05:47 -------- d-----w- c:\program files\Common Files\Java
2010-08-19 23:58 . 2010-08-19 23:58 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-10a51f24-n\msvcp71.dll
2010-08-19 23:58 . 2010-08-19 23:58 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-10a51f24-n\jmc.dll
2010-08-19 23:58 . 2010-08-19 23:58 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-10a51f24-n\msvcr71.dll
2010-08-19 23:58 . 2010-08-19 23:58 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6dc1cd11-n\decora-sse.dll
2010-08-19 23:58 . 2010-08-19 23:58 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6dc1cd11-n\decora-d3d.dll
2010-08-19 23:57 . 2010-08-19 23:57 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-19 23:57 . 2006-07-11 05:47 -------- d-----w- c:\program files\Java
2010-08-19 23:51 . 2010-08-19 23:51 0 ----a-w- c:\windows\nsreg.dat
2010-08-12 12:16 . 2010-09-05 13:54 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-08-05 18:29 . 2010-08-05 18:29 434176 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\18481\RapportMS.dll
2010-08-05 18:29 . 2010-08-05 18:29 468200 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\18130\RapportCerberus.dll
2010-08-05 18:29 . 2010-08-05 18:29 34536 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\18130\RapportCerberus_18130.sys
2010-08-05 18:19 . 2010-08-05 18:19 58984 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"PTHOSTTR"="c:\program files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-02-14 122880]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-31 122940]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 761946]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-03-28 454656]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-23 131072]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-04-21 40960]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-10 806912]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-02-15 892928]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2006-03-31 184320]
"lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [2007-01-11 291760]
"EzPrint"="c:\program files\Lexmark 3400 Series\ezprint.exe" [2006-11-29 82864]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2010-8-20 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2006-03-03 15:08 434176 ----a-w- c:\windows\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2005-07-25 18:41 40960 ----a-w- c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\WINDOWS\\system32\\lxcycoms.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\ToolBox\\LT\\ProcessWatch.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\threatwork.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/5/2010 2:54 PM 64288]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [8/5/2010 7:19 PM 58984]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [11/29/2005 5:56 PM 36768]
R1 RapportCerberus_18130;RapportCerberus_18130;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\18130\RapportCerberus_18130.sys [8/5/2010 7:29 PM 34536]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [8/5/2010 7:19 PM 168936]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 9:00 AM 14336]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 1:15 PM 1355416]
R2 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [8/5/2010 7:19 PM 763112]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [10/21/2005 12:19 PM 36352]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 1:15 PM 15008]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 9:00 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-09-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 12:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hp.com
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7f6fp04q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?hl=en&source=iglk
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-{01207D10-FE90-7969-7414-1EC11C8AFFC5} - c:\documents and settings\Administrator\Application Data\Akan\hoity.exe
AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper_3004.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url="http://www.gmer.net"]http://www.gmer.net[/url]
Rootkit scan 2010-09-15 23:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????,[email protected]? ????[[email protected]?????,[email protected]

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\Ati2evxx.dll
c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
c:\windows\system32\IfxWlxEN.dll
c:\program files\HPQ\IAM\Bin\ASChnl.dll
c:\program files\HPQ\IAM\Bin\ItMsg.dll

- - - - - - - > 'explorer.exe'(7032)
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\program files\HPQ\IAM\Bin\SFSShell.dll
c:\program files\HPQ\IAM\bin\ItMsg.dll
c:\windows\system32\browselc.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
c:\windows\System32\DLA\DLASHX_W.DLL
c:\windows\system32\DLAAPI_W.DLL
c:\windows\System32\DLA\DLACResW.dll
c:\program files\HPQ\IAM\Bin\ItIeAddIN.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\IFXSPMGT.exe
c:\windows\system32\IFXTCS.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\lxcycoms.exe
c:\program files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\mqsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\ProtectTools\Embedded Security Software\PSDrt.exe
c:\program files\HPQ\IAM\bin\asghost.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\progra~1\hpq\Shared\HPQTOA~1.EXE
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2010-09-15 23:28:57 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-15 22:28

Pre-Run: 22,789,206,016 bytes free
Post-Run: 25,933,336,576 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 00D0D20A745857CCDBE55269F4E0624A

Please [b]download[/b] [url="http://oldtimer.geekstogo.com/OTM.exe"][b][color="red"]OTM[/color][/b][/url] [list]
[*] [b]Save[/b] it to your [b]desktop[/b].
[*] Please double-click [b]OTM[/b] to run it. ([b]Note:[/b] If you are running on Vista, right-click on the file and choose [b]Run As Administrator[/b]).
[*][b]Copy the lines in the codebox below to the clipboard[/b] by highlighting [b]ALL[/b] of them and [b]pressing CTRL + C[/b] (or, after highlighting, right-click and choose [b]Copy[/b]):

[code]:Processes

:Services

:Reg

:Files
ipconfig /flushdns /c
c:\documents and settings\All Users\Application Data\~0
c:\windows\system32\78D80E
c:\windows\system32\3958AB
c:\windows\system32\6BD97A
c:\windows\system32\53BB40
c:\documents and settings\Administrator\Application Data\Yqnae

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[EMPTYFLASH]
[Reboot][/code]

[*]Return to OTM, right click in the [b]"Paste Instructions for Items to be Moved"[/b] window (under the yellow bar) and choose [b]Paste[/b].

[*]Click the red [b]Moveit![/b] button.
[*][b]Copy everything in the Results window (under the green bar) to the clipboard[/b] by highlighting [b]ALL[/b] of them and [b]pressing CTRL + C[/b] (or, after highlighting, right-click and choose copy), and paste it in your next reply.
[*]Close [b]OTM[/b] and reboot your PC.
[/list][b]Note:[/b] If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose [b]Yes.[/b] In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter [b]*.log[/b] and press the Enter key, navigate to the [b]C:\_OTMoveIt\MovedFiles[/b] folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Download [url="http://oldtimer.geekstogo.com/TFC.exe"][color="#000000"][b]TFC[/b][/color][/url] to your desktop[list]
[*]Open the file and close any other windows.
[*]It [b][color="#FF0000"]will close all programs itself[/color][/b] when run, make sure to let it run uninterrupted.
[*]Click the Start button to begin the process. The program should not take long to finish its job.
[*]Once it's finished it should [b]reboot your machine[/b]; if not, do this yourself to ensure a complete clean.
[/list]



Please download Malwarebytes' Anti-Malware from [url="http://www.malwarebytes.org/mbam-download.php"][color="#2E8B57"][b]Here[/b][/color][/url]

Double Click mbam-setup.exe to install the application.[list]
[*]Make sure a checkmark is placed next to [b]Update Malwarebytes' Anti-Malware[/b] and [b]Launch Malwarebytes' Anti-Malware[/b], then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select "[b]Perform Quick Scan[/b]", then click [b]Scan[/b].
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that [b]everything is checked[/b], and click [b]Remove Selected[/b].
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.
[/list]Extra Note:
[color="#2E8B57"][b]If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.[/b][/color]






Go to [url="http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html"][b][color="red"]Kaspersky website[/color][/b][/url] and perform an online antivirus scan.
[list=1]
[*]Read through the requirements and privacy statement and click on [b]Accept[/b] button.
[*]It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click [b]Run[/b].
[*]When the downloads have finished, click on [b]Settings[/b].
[*]Make sure these boxes are checked (ticked). If they are not, please tick them and click on the [b]Save[/b] button: [list][color="red"]Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases[/color]
[/list]
[*]Click on [b]My Computer[/b] under [b]Scan[/b].
[*]Once the scan is complete, it will display the results. Click on [b]View Scan Report[/b].
[*]You will see a list of infected items there. Click on [b]Save Report As...[/b].
[*]Save this report to a convenient place. Change the [b]Files of type[/b] to [b]Text file (.txt)[/b] before clicking on the [b]Save[/b] button. Then post it here.
[/list]

Hi, this is what I got from OTM

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
[color="#A23BEC"]< ipconfig /flushdns /c >[/color]
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Administrator\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Administrator\Desktop\cmd.txt deleted successfully.
c:\documents and settings\All Users\Application Data\~0 folder moved successfully.
c:\windows\system32\78D80E folder moved successfully.
c:\windows\system32\3958AB folder moved successfully.
c:\windows\system32\6BD97A folder moved successfully.
c:\windows\system32\53BB40 folder moved successfully.
c:\documents and settings\Administrator\Application Data\Yqnae folder moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 1798 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Java cache emptied: 9312 bytes
->FireFox cache emptied: 92894134 bytes
->Flash cache emptied: 14848 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 49286 bytes
->FireFox cache emptied: 21970424 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 110.00 mb

Restore point Set: OTM Restore Point (0)

OTM by OldTimer - Version 3.1.16.1 log created on 09162010_155838
All processes killed

OTM by OldTimer - Version 3.1.16.1 log created on 09162010_155838

Files moved on Reboot...

Registry entries deleted on Reboot...

just about to do the other bits now, thanks

mbam report here

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4629

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

9/16/2010 4:25:01 PM
mbam-log-2010-09-16 (16-25-01).txt

Scan type: Quick scan
Objects scanned: 131247
Time elapsed: 7 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Desktop\MyFunCardsSetup2.3.50.24.ZUfox000.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.

[quote name='Rorschach112' post='122644' date='Sep 16 2010, 06:52 PM']and kaspersky[/quote]


here you go, thanks

KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, September 17, 2010
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, September 16, 2010 11:52:17
Records in database: 4216890
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
E:\

Scan statistics:
Objects scanned: 89322
Threats found: 9
Infected objects found: 23
Suspicious objects found: 0
Scan duration: 04:24:49


File name / Threat / Threats count
C:\My Backup -- 19-08-10 2350\Documents and Settings\kerrie\Application Data\Ehyn\odyh.exe Infected: Trojan-Spy.Win32.Zbot.alxt 1
C:\My Backup -- 19-08-10 2350\WINDOWS\system32\3958AB\9C2A2F.EXE Infected: Trojan-Dropper.Win32.Flystud.yo 1
C:\My Backup -- 19-08-10 2350\WINDOWS\system32\3958AB\9C2A2F.EXE Infected: Trojan.Win32.FlyStudio.df 1
C:\My Backup -- 19-08-10 2350\WINDOWS\system32\78D80E\NV35F927.EXE Infected: Trojan.Win32.FlyStudio.uj 1
C:\My Backup -- 19-08-10 2350\WINDOWS\system32\78D80E\VC-G8.EXE Infected: Trojan.Win32.FlyStudio.uj 1
C:\Qoobox\Quarantine\C\tt.com.vir Infected: Trojan-GameThief.Win32.Magania.avym 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\intelide.sys.vir Infected: Virus.Win32.TDSS.b 1
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP14\A0007202.dll Infected: Backdoor.Win32.TDSS.adi 1
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP15\A0007324.exe Infected: Trojan-Spy.Win32.Zbot.alxt 1
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP15\A0007325.EXE Infected: Trojan-Dropper.Win32.Flystud.yo 1
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP15\A0007325.EXE Infected: Trojan.Win32.FlyStudio.df 1
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP15\A0007327.com Infected: Trojan-GameThief.Win32.Magania.avym 1
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP15\A0007328.EXE Infected: Trojan.Win32.FlyStudio.uj 1
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP15\A0007329.EXE Infected: Trojan.Win32.FlyStudio.uj 1
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP15\A0007330.EXE Infected: Trojan.Win32.FlyStudio.uj 1
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP15\A0007331.EXE Infected: Trojan.Win32.FlyStudio.uj 1
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP17\A0007383.exe Infected: Packed.Win32.Krap.hd 1
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP17\A0007416.dll Infected: Backdoor.Win32.TDSS.adi 1
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP47\A0013728.dll Infected: Trojan.Win32.TDSS.bktc 1
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP47\A0014022.sys Infected: Virus.Win32.TDSS.b 1
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP47\A0014190.com Infected: Trojan-GameThief.Win32.Magania.avym 1
C:\_OTM\MovedFiles9162010_155838\c_windows\system32\78D80E\NV35F927.EXE Infected: Trojan.Win32.FlyStudio.uj 1
C:\_OTM\MovedFiles9162010_155838\c_windows\system32\78D80E\VC-G8.EXE Infected: Trojan.Win32.FlyStudio.uj 1

Selected area has been scanned.

Please [b]download[/b] [url="http://oldtimer.geekstogo.com/OTM.exe"][b][color="red"]OTM[/color][/b][/url] [list]
[*] [b]Save[/b] it to your [b]desktop[/b].
[*] Please double-click [b]OTM[/b] to run it. ([b]Note:[/b] If you are running on Vista, right-click on the file and choose [b]Run As Administrator[/b]).
[*][b]Copy the lines in the codebox below to the clipboard[/b] by highlighting [b]ALL[/b] of them and [b]pressing CTRL + C[/b] (or, after highlighting, right-click and choose [b]Copy[/b]):

[code]:Processes

:Services

:Reg

:Files
ipconfig /flushdns /c
C:\My Backup -- 19-08-10 2350\Documents and Settings\kerrie\Application Data\Ehyn
C:\My Backup -- 19-08-10 2350\WINDOWS\system32\3958AB
C:\My Backup -- 19-08-10 2350\WINDOWS\system32\78D80E
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[EMPTYFLASH]
[Reboot][/code]

[*]Return to OTM, right click in the [b]"Paste Instructions for Items to be Moved"[/b] window (under the yellow bar) and choose [b]Paste[/b].

[*]Click the red [b]Moveit![/b] button.
[*][b]Copy everything in the Results window (under the green bar) to the clipboard[/b] by highlighting [b]ALL[/b] of them and [b]pressing CTRL + C[/b] (or, after highlighting, right-click and choose copy), and paste it in your next reply.
[*]Close [b]OTM[/b] and reboot your PC.
[/list][b]Note:[/b] If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose [b]Yes.[/b] In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter [b]*.log[/b] and press the Enter key, navigate to the [b]C:\_OTMoveIt\MovedFiles[/b] folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


also post a new HJT log

new otm log

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
[color="#A23BEC"]< ipconfig /flushdns /c >[/color]
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Administrator\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Administrator\Desktop\cmd.txt deleted successfully.
C:\My Backup -- 19-08-10 2350\Documents and Settings\kerrie\Application Data\Ehyn folder moved successfully.
C:\My Backup -- 19-08-10 2350\WINDOWS\system32\3958AB folder moved successfully.
C:\My Backup -- 19-08-10 2350\WINDOWS\system32\78D80E folder moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 108054954 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 128101 bytes
->FireFox cache emptied: 40064889 bytes
->Flash cache emptied: 3137 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 142.00 mb

Restore point Set: OTM Restore Point (0)

OTM by OldTimer - Version 3.1.16.1 log created on 09172010_171034

Files moved on Reboot...

Registry entries deleted on Reboot...

and new hjt log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:24:41 PM, on 9/17/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\Sminst\Recguard.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url="http://www.hp.com"]http://www.hp.com[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url="http://go.microsoft.com/fwlink/?LinkId=69157"]http://go.microsoft.com/fwlink/?LinkId=69157[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [url="http://www.hp.com/"]http://www.hp.com/[/url]
O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {00000035-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms35 Class) - [url="https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall35.cab"]https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall35.cab[/url]
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

--
End of file - 8697 bytes

means we are very nearly finished


Download [url="http://oldtimer.geekstogo.com/OTL.exe"][b][color="red"]OTL[/color][/b][/url] to your Desktop[list]
[*]Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
[*]Click on [b]Minimal Output[/b] at the top
[*]Click the [b]None[/b] button at the top
[*]Paste this in the custom scan box:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring
c:\program files\Trend Micro\*. /s
C:\Qoobox\Quarantine\*.* /s
c:\documents and settings\All Users\Application Data\Lavasoft\*. /s
c:\program files\Lavasoft\*. /s
c:\documents and settings\LocalService\Application Data\McAfee\*. /s
c:\documents and settings\All Users\Application Data\McAfee\*. /s

[*]Click [b]Run Scan[/b] and post the log it gives
[/list]

Here you go.

OTL logfile created on: 9/17/2010 9:14:08 PM - Run 1
OTL by OldTimer - Version 3.2.12.1 Folder = C:\Documents and Settings\Administrator\My Documents\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 60.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.90 Gb Total Space | 24.10 Gb Free Space | 43.12% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KERRIE
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

[color="#E56717"]========== Custom Scans ==========[/color]


[color="#A23BEC"]< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring >[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[color="#A23BEC"]< c:\program files\Trend Micro\*. /s >[/color]
[2010/09/17 17:24:41 | 000,000,000 | ---D | M] -- c:\Program Files\Trend Micro\HiJackThis

[color="#A23BEC"]< C:\Qoobox\Quarantine\*.* /s >[/color]
[2010/09/15 19:47:11 | 000,000,102 | ---- | M] () -- C:\Qoobox\Quarantine\catchme.log
[2009/03/02 13:12:48 | 000,104,545 | ---- | M] () -- C:\Qoobox\Quarantine\C\tt.com.vir
[2010/04/07 06:43:12 | 000,116,224 | ---- | M] () -- C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\Akan\hoity.exe.vir
[2004/08/04 01:59:42 | 000,005,504 | ---- | M] () -- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\intelide.sys.vir
[2010/09/15 23:28:36 | 000,001,476 | ---- | M] () -- C:\Qoobox\Quarantine\Registry_backups\AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7}.reg.dat
[2010/09/15 23:28:15 | 000,000,204 | ---- | M] () -- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-{01207D10-FE90-7969-7414-1EC11C8AFFC5}.reg.dat
[2010/09/15 19:55:22 | 000,006,982 | ---- | M] () -- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

[color="#A23BEC"]< c:\documents and settings\All Users\Application Data\Lavasoft\*. /s >[/color]
[2010/09/17 11:12:51 | 000,000,000 | ---D | M] -- c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware
[2010/08/20 20:11:12 | 000,000,000 | ---D | M] -- c:\Documents and Settings\All Users\Application Data\Lavasoft\License
[2010/09/05 14:54:28 | 000,000,000 | ---D | M] -- c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Crashdumps
[2010/09/17 11:00:00 | 000,000,000 | ---D | M] -- c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Defs
[2010/09/17 11:09:51 | 000,000,000 | ---D | M] -- c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs
[2010/09/05 14:55:50 | 000,000,000 | ---D | M] -- c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\MiniMessage
[2010/09/05 14:54:47 | 000,000,000 | ---D | M] -- c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Quarantine
[2010/09/17 16:28:57 | 000,000,000 | ---D | M] -- c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Statistics
[2010/09/05 14:54:47 | 000,000,000 | ---D | M] -- c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\ThreatWork Alliance
[2010/09/17 11:05:46 | 000,000,000 | ---D | M] -- c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Update
[2010/09/17 11:09:52 | 000,000,000 | ---D | M] -- c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Defs\Extended
[2010/09/17 11:12:51 | 000,000,000 | ---D | M] -- c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\ThreatWork Alliance\Submit

[color="#A23BEC"]< c:\program files\Lavasoft\*. /s >[/color]
[2010/09/17 16:28:46 | 000,000,000 | ---D | M] -- c:\Program Files\Lavasoft\Ad-Aware
[2010/09/05 14:53:53 | 000,000,000 | ---D | M] -- c:\Program Files\Lavasoft\Ad-Aware\Drivers
[2010/09/05 14:53:46 | 000,000,000 | ---D | M] -- c:\Program Files\Lavasoft\Ad-Aware\Languages
[2010/09/05 14:53:48 | 000,000,000 | ---D | M] -- c:\Program Files\Lavasoft\Ad-Aware\Resources
[2010/09/05 14:53:46 | 000,000,000 | ---D | M] -- c:\Program Files\Lavasoft\Ad-Aware\ToolBox
[2010/09/05 14:53:46 | 000,000,000 | ---D | M] -- c:\Program Files\Lavasoft\Ad-Aware\Drivers\32
[2010/09/05 14:53:46 | 000,000,000 | ---D | M] -- c:\Program Files\Lavasoft\Ad-Aware\Drivers\64
[2010/09/05 14:53:52 | 000,000,000 | ---D | M] -- c:\Program Files\Lavasoft\Ad-Aware\Drivers\i386
[2010/09/05 14:53:55 | 000,000,000 | ---D | M] -- c:\Program Files\Lavasoft\Ad-Aware\ToolBox\AutoStart Manager
[2010/09/05 14:53:55 | 000,000,000 | ---D | M] -- c:\Program Files\Lavasoft\Ad-Aware\ToolBox\LT
[2010/09/05 14:53:46 | 000,000,000 | ---D | M] -- c:\Program Files\Lavasoft\Ad-Aware\ToolBox\AutoStart Manager\Skins
[2010/09/05 14:53:55 | 000,000,000 | ---D | M] -- c:\Program Files\Lavasoft\Ad-Aware\ToolBox\AutoStart Manager\Translations
[2010/09/05 14:53:54 | 000,000,000 | ---D | M] -- c:\Program Files\Lavasoft\Ad-Aware\ToolBox\AutoStart Manager\Skins\grey
[2010/09/05 14:53:54 | 000,000,000 | ---D | M] -- c:\Program Files\Lavasoft\Ad-Aware\ToolBox\LT\Lang

[color="#A23BEC"]< c:\documents and settings\LocalService\Application Data\McAfee\*. /s >[/color]
[2010/08/20 19:33:23 | 000,000,000 | ---D | M] -- c:\Documents and Settings\LocalService\Application Data\McAfee\sacore

[color="#A23BEC"]< c:\documents and settings\All Users\Application Data\McAfee\*. /s >[/color]
[2010/08/20 19:31:40 | 000,000,000 | ---D | M] -- c:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS
[2010/08/20 19:31:40 | 000,000,000 | ---D | M] -- c:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\Common
[2010/08/20 19:31:08 | 000,000,000 | ---D | M] -- c:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\McUICnt
[2010/08/20 19:31:25 | 000,000,000 | ---D | M] -- c:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\PartnerCustom
[2010/08/20 19:31:15 | 000,000,000 | ---D | M] -- c:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\SecurityScanner
[2010/08/20 19:31:40 | 000,000,000 | ---D | M] -- c:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\Common\McCHSvc
[2010/08/20 19:31:08 | 000,000,000 | ---D | M] -- c:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\McUICnt\McUICnt
[2010/08/20 19:31:25 | 000,000,000 | ---D | M] -- c:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\PartnerCustom\McCHSvc
[2010/08/20 19:31:07 | 000,000,000 | ---D | M] -- c:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\PartnerCustom\McUICnt
[2010/08/20 01:16:10 | 000,000,000 | ---D | M] -- c:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\PartnerCustom\SSScheduler
[2010/08/20 19:31:15 | 000,000,000 | ---D | M] -- c:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\SecurityScanner\McUICnt
< End of report >

Open OTL, click the [b]None[/b] button and paste this in the custom scan box:
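OTL's custom-scan listings (the `*. /s` and `*.* /s` directives above, where `/s` recurses into subdirectories) print one record per item in the form `[date time | size | attributes | M] (company) -- path`; directories carry a `D` in the attribute field and no company. As an added example that is not part of OTL or of this thread, the Python snippet below parses those records and maps ComboFix's `C:\Qoobox\Quarantine\C\...vir` entries back to the paths the files were quarantined from, then applies three simple heuristics an analyst would apply when reading such a listing: an executable under a profile's Application Data, a kernel driver under system32\Drivers, and an executable sitting in the root of the system drive. The sample lines are copied from the quarantine listing above; the heuristics and their wording are mine.

```python
import re
from datetime import datetime
from typing import Iterable, List, NamedTuple, Optional, Tuple

# One OTL listing record, e.g.
#   [2010/09/15 19:47:11 | 000,000,102 | ---- | M] () -- C:\Qoobox\Quarantine\catchme.log
#   [2010/09/17 17:24:41 | 000,000,000 | ---D | M] -- c:\Program Files\Trend Micro\HiJackThis
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Za-z]{4}) \| (?P<flag>[A-Z])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)

# ComboFix keeps the original directory layout under this prefix and
# appends ".vir" to every quarantined file.
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\c\\"


class OtlEntry(NamedTuple):
    when: datetime
    size: int
    is_dir: bool
    company: str
    path: str


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Parse one listing record; return None for headers and other text."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return OtlEntry(
        when=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        is_dir="D" in m["attrs"].upper(),
        company=(m["company"] or "").strip(),
        path=m["path"],
    )


def original_path(quarantined: str) -> Optional[str]:
    """Map a ComboFix quarantine path back to where the file lived."""
    low = quarantined.lower()
    if not (low.startswith(QUARANTINE_PREFIX) and low.endswith(".vir")):
        return None
    return "C:\\" + quarantined[len(QUARANTINE_PREFIX):-len(".vir")]


def assess(path: str) -> List[str]:
    """Heuristic notes about a restored original path (prompts, not verdicts)."""
    low = path.lower()
    notes: List[str] = []
    if low.endswith((".exe", ".com", ".dll", ".scr")) and "\\application data\\" in low:
        notes.append("executable in a user profile data directory")
    if "\\system32\\drivers\\" in low and low.endswith(".sys"):
        notes.append("kernel driver quarantined; confirm a clean copy was restored")
    if low.startswith("c:\\") and low.count("\\") == 1 and low.endswith((".exe", ".com")):
        notes.append("executable in the root of the system drive")
    return notes


def triage_quarantine(lines: Iterable[str]) -> List[Tuple[str, int, List[str]]]:
    """Return (original path, size, notes) for every .vir file in the listing."""
    findings = []
    for line in lines:
        entry = parse_otl_line(line)
        if entry is None or entry.is_dir:
            continue
        orig = original_path(entry.path)
        if orig is None:
            continue
        findings.append((orig, entry.size, assess(orig)))
    return findings


# Copied from the OTL custom-scan output above.
SAMPLE_LINES = [
    r"[2010/09/17 17:24:41 | 000,000,000 | ---D | M] -- c:\Program Files\Trend Micro\HiJackThis",
    r"[2010/09/15 19:47:11 | 000,000,102 | ---- | M] () -- C:\Qoobox\Quarantine\catchme.log",
    r"[2009/03/02 13:12:48 | 000,104,545 | ---- | M] () -- C:\Qoobox\Quarantine\C\tt.com.vir",
    r"[2010/04/07 06:43:12 | 000,116,224 | ---- | M] () -- C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\Akan\hoity.exe.vir",
    r"[2004/08/04 01:59:42 | 000,005,504 | ---- | M] () -- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\intelide.sys.vir",
]

if __name__ == "__main__":
    for orig, size, notes in triage_quarantine(SAMPLE_LINES):
        print(f"{orig} ({size} bytes): {'; '.join(notes) or 'no heuristic hit'}")
```

Run against the listing above it reports the three quarantined originals: tt.com in the root of C:, hoity.exe under the Administrator profile's Application Data, and intelide.sys from system32\Drivers. That is the picture a helper reads off the quarantine folder before deciding whether the remaining logs are clean.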



c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\*.*
c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Quarantine\*.*
c:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\*.*


Click [b]Run Scan[/b] and post that log.

There you go.

OTL logfile created on: 9/18/2010 8:46:15 AM - Run 2
OTL by OldTimer - Version 3.2.12.1 Folder = C:\Documents and Settings\Administrator\My Documents\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 67.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.90 Gb Total Space | 24.10 Gb Free Space | 43.11% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KERRIE
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

[color="#E56717"]========== Custom Scans ==========[/color]


[color="#A23BEC"]< c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\*.* >[/color]
[2010/09/17 11:05:58 | 000,023,404 | ---- | M] () -- c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\aawadmin.log
[2010/09/05 14:54:45 | 000,000,172 | ---- | M] () -- c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\DriverTool.log
[2010/09/17 11:12:49 | 000,000,178 | ---- | M] () -- c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\runningScanLog.log
[2010/09/14 18:10:12 | 000,045,938 | ---- | M] () -- c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\Scan_2010-09-14-17-04-33.log
[2010/09/17 11:18:57 | 000,045,364 | ---- | M] () -- c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\Scan_2010-09-17-11-05-58.log
[2010/09/05 14:55:52 | 000,000,316 | ---- | M] () -- c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\Service_2010-09-05-14-54-47.log
[2010/09/17 11:05:58 | 000,033,902 | ---- | M] () -- c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\Update.log

[color="#A23BEC"]< c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Quarantine\*.* >[/color]

[color="#A23BEC"]< c:\Documents and Settings\All Users\Application Data\McAfee\MCLOGS\*.* >[/color]
< End of report >

Open OTL, click the [b]None[/b] button and paste this in the custom scan box:



type c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\Scan_2010-09-14-17-04-33.log /c
type c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\Scan_2010-09-17-11-05-58.log /c
type c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\Service_2010-09-05-14-54-47.log /c




Click [b]Run Scan[/b] and post that log.

Next log:

OTL logfile created on: 9/18/2010 10:21:04 PM - Run 3
OTL by OldTimer - Version 3.2.12.1 Folder = C:\Documents and Settings\Administrator\My Documents\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.90 Gb Total Space | 24.12 Gb Free Space | 43.15% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KERRIE
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

[color="#E56717"]========== Custom Scans ==========[/color]


[color="#A23BEC"]< >[/color]

[color="#A23BEC"]< >[/color]

[color="#A23BEC"]< type c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\Scan_2010-09-14-17-04-33.log /c >[/color]

[color="#A23BEC"]< type c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\Scan_2010-09-17-11-05-58.log /c >[/color]

[color="#A23BEC"]< type c:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Logs\Service_2010-09-05-14-54-47.log /c >[/color]
< End of report >

Your logs are clean.


[b]Follow these steps to uninstall Combofix and tools used in the removal of malware[/b]

[color="darkblue"][b][u]Uninstall ComboFix[/u][/b][/color]

Remove Combofix now that we're done with it.[list]
[*]Please press the [b]Windows Key[/b] and [b]R[/b] on your keyboard. This will bring up the Run... command.
[*]Now type in [color="blue"][b]Combofix /Uninstall[/b][/color] in the runbox and click [b]OK[/b]. [color="green"](Notice the space between the "x" and "/")[/color]
[img]http://i517.photobucket.com/albums/u338/Eextremeboy/CF_Uninstall-1.jpg[/img]
[*]Please follow the prompts to uninstall Combofix.
[*]You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
[/list]

[list]
[*]Open [b]OTL[/b]
[*]Under the [color="#0000FF"]Custom Scans/Fixes[/color] box at the bottom, paste the following:
[code]:Commands
[clearallrestorepoints][/code]
[*]Click the [b]Run Fix[/b] button at the top
[*]It might ask you to reboot, if so click [b]YES[/b]
[/list]

[list]
[*]Open OTL to run it. (Vista users, right click on OTL and "Run as administrator")
[*]Click on the CleanUp button.
[*]Click Yes to begin the cleanup process and remove tools, including this application
[*]You may be asked to reboot the machine to finish the cleanup process - if so, choose Yes
[/list]

[list]
[*]Please read my guide on how to [b]prevent malware[/b] and about [b]safe computing[/b] [url="http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/"][color="#FF0000"][b]here[/b][/color][/url]
[/list]
Thank you for your patience, and performing all of the procedures requested.
