rootkit

Avast has located a rootkit (c:\windows\system32\drivers\ftdisk.sys, and it can’t delete, and says it can only delete after restarting the computer. When I restart it can’t remove it and just does the same thing again. When I tried to move it to the chest, it says that that action is not available. help.

hey! calm down go to the avast! user interface go to scan computer select boot-time scan and click schedule now then restart ur pc then on the boot-time scan u tell avast! easily tomove it to the chest then everything will be ok…do tell me what happened when u did this…

regards,
com155

will do and thanks, com155

no problem dear…do tell me what happened at boot-time scan…

I ran the boot-time scan and it did not find the rootkit. Only detected by the full system scan.

go to google.com and download malwarebytes anti-malware,update it and run a full system scan also if u can run hitman pro and superantispyware dont worry everything will be alright!!!

*download aswMBR.exe and save to desktopp http://public.avast.com/~gmerek/aswMBR.exe
*double click aswMBR icon to run
*click “Scan” …when done click “Save log” and post it here in your next reply

Ran aswMBR and here is the log.

aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-06-22 00:18:09

00:18:09.765 OS Version: Windows 5.1.2600 Service Pack 3
00:18:09.765 Number of processors: 2 586 0x303
00:18:09.765 ComputerName: YOUR-FSYLY0JTWN UserName: Owner
00:18:10.859 Initialize success
00:18:12.015 AVAST engine defs: 11062002
00:18:38.781 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
00:18:38.781 Disk 0 Vendor: ST3160021A 3.06 Size: 152627MB BusType: 3
00:18:40.796 Disk 0 MBR read successfully
00:18:40.796 Disk 0 MBR scan
00:18:40.796 Disk 0 unknown MBR code
00:18:42.796 Disk 0 scanning sectors +312560640
00:18:42.812 Disk 0 scanning C:\WINDOWS\system32\drivers
00:18:52.109 File: C:\WINDOWS\system32\drivers\ftdisk.sys INFECTED
00:19:02.953 Service scanning
00:19:04.687 Disk 0 trace - called modules:
00:19:04.687 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
00:19:04.687 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x82a539c0]
00:19:04.687 3 CLASSPNP.SYS[f849ffd7] → nt!IofCallDriver → \Device\0000006c[0x82a9cf18]
00:19:04.718 5 ACPI.sys[f8416620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x82a31d98]
00:19:05.281 AVAST engine scan C:\WINDOWS
00:43:03.265 File: C:\WINDOWS\system32\drivers\ftdisk.sys INFECTED
00:52:16.453 AVAST engine scan C:\Documents and Settings\Owner
01:07:33.500 AVAST engine scan C:\Documents and Settings\All Users
01:15:35.390 Scan finished successfully
07:15:22.000 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Owner\Desktop\MBR.dat”
07:15:22.062 The log file has been saved successfully to “C:\Documents and Settings\Owner\Desktop\aswMBR.txt”

00:18:52.109 File: C:\WINDOWS\system32\drivers\ftdisk.sys **INFECTED** 00:43:03.265 File: C:\WINDOWS\system32\drivers\ftdisk.sys **INFECTED**
OK try this

Kaspersky tdsskiller http://support.kaspersky.com/faq/?qid=208283363

Hi Pondus,
I ran tdsskiller and it found 1 suspicious file but when I hit continue it said that there was no infections. I downloaded the log.

Hi Pondus,
After I ran the tdsskiller I did a quick scan with Avast, and it still shows the same rootkit.
Stubborn aren’t they. I sure appreciate the help and your time and experience.

seem you need our expert remover on this

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here in this topic and not in the guide )

To avoid using multiple post with copy and paste you have to attach the log`s
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTS log ) save OTS log as ANSI

Essexboy will look at the logs when he arrive here later today…

Avast will not delete that as it is a sytem file, we will need to determine the infection and then cure it

Once I have seen the OTS log we will proceed with the removal

Malwarebytes’ Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6936

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/24/2011 12:05:09 AM
mbam-log-2011-06-24 (00-05-09).txt

Scan type: Quick scan
Objects scanned: 175617
Time elapsed: 12 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


OTS logfile created on: 6/24/2011 2:31:42 PM - Run 1
OTS by OldTimer - Version 3.1.44.0     Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
503.00 Mb Total Physical Memory | 156.00 Mb Available Physical Memory | 31.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 65.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 143.53 Gb Total Space | 103.53 Gb Free Space | 72.14% Space Free | Partition Type: NTFS
Drive D: | 5.50 Gb Total Space | 1.15 Gb Free Space | 20.92% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: YOUR-FSYLY0JTWN
Current User Name: Owner
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
 
[Processes - Safe List]
ots.exe -> C:\Documents and Settings\Owner\Desktop\OTS.exe -> [2011/06/24 14:23:10 | 000,645,120 | ---- | M] (OldTimer Tools)
firefox.exe -> C:\Program Files\Mozilla Firefox\firefox.exe -> [2011/06/21 23:45:55 | 000,924,632 | ---- | M] (Mozilla Corporation)
avastui.exe -> C:\Program Files\Alwil Software\Avast5\AvastUI.exe -> [2011/05/10 05:10:58 | 003,459,712 | ---- | M] (AVAST Software)
avastsvc.exe -> C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -> [2011/05/10 05:10:57 | 000,042,184 | ---- | M] (AVAST Software)
afwserv.exe -> C:\Program Files\Alwil Software\Avast5\afwServ.exe -> [2011/05/10 05:10:56 | 000,121,000 | ---- | M] (AVAST Software)
soffice.bin -> C:\Program Files\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.symphony.brand.win32_3.0.0.20101015-2340\program\soffice.bin -> [2010/11/05 23:09:48 | 011,296,768 | ---- | M] (IBM)
ssscheduler.exe -> C:\Program Files\McAfee Security Scan\2.1.121\SSScheduler.exe -> [2010/09/02 23:45:02 | 000,255,536 | ---- | M] (McAfee, Inc.)
backupnowezsvr.exe -> C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe -> [2010/02/22 11:44:14 | 000,045,312 | ---- | M] (NewTech Infosystems, Inc.)
explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation)
em_exec.exe -> C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE -> [2004/01/08 10:50:00 | 000,037,888 | ---- | M] (Logitech Inc.)
ltmsg.exe -> C:\WINDOWS\ltmsg.exe -> [2003/07/14 11:52:44 | 000,040,960 | ---- | M] (Agere Systems)
hphmon05.exe -> C:\WINDOWS\system32\hphmon05.exe -> [2003/05/23 02:55:38 | 000,483,328 | ---- | M] (Hewlett-Packard)
hpqcmon.exe -> C:\Program Files\HP\Digital Imaging\Unload\HpqCmon.exe -> [2002/10/07 07:23:20 | 000,090,112 | ---- | M] ()
 

[Modules - Safe List]
ots.exe → C:\Documents and Settings\Owner\Desktop\OTS.exe → [2011/06/24 14:23:10 | 000,645,120 | ---- | M] (OldTimer Tools)
comctl32.dll → C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll → [2010/08/23 09:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation)
lgmsghk.dll → C:\Program Files\Common Files\Logitech\Scrolling\LGMSGHK.DLL → [2004/01/08 10:50:00 | 000,024,064 | ---- | M] (Logitech Inc.)
lgwndhk.dll → C:\Program Files\Logitech\MouseWare\system\LgWndHk.dll → [2004/01/08 10:50:00 | 000,006,144 | ---- | M] (Logitech Inc.)

[Win32 Services - Safe List]
(LMIRescue_0b512d60-9fcc-464d-af31-62612f0040f0) LogMeIn Rescue (0b512d60-9fcc-464d-af31-62612f0040f0) [Auto | Stopped] → → File not found
(HidServ) Human Interface Device Access [Disabled | Stopped] → → File not found
(AppMgmt) Application Management [On_Demand | Stopped] → → File not found
(AOLService) AOL Spyware Protection Service [Disabled | Stopped] → → File not found
(avast! Antivirus) avast! Antivirus [Auto | Running] → C:\Program Files\Alwil Software\Avast5\AvastSvc.exe → [2011/05/10 05:10:57 | 000,042,184 | ---- | M] (AVAST Software)
(avast! Firewall) avast! Firewall [Auto | Running] → C:\Program Files\Alwil Software\Avast5\afwServ.exe → [2011/05/10 05:10:56 | 000,121,000 | ---- | M] (AVAST Software)
(McComponentHostService) McAfee Security Scan Component Host Service [On_Demand | Stopped] → C:\Program Files\McAfee Security Scan\2.1.121\McCHSvc.exe → [2010/09/02 23:45:02 | 000,227,232 | ---- | M] (McAfee, Inc.)
(NTI BackupNowEZSvr) NTI BackupNowEZSvr [Auto | Running] → C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe → [2010/02/22 11:44:14 | 000,045,312 | ---- | M] (NewTech Infosystems, Inc.)
(sdCoreService) PC Tools Security Service [Disabled | Stopped] → C:\Program Files\Spyware Doctor\pctsSvc.exe → [2010/01/15 12:14:36 | 001,079,176 | ---- | M] (PC Tools)
(sdAuxService) PC Tools Auxiliary Service [Disabled | Stopped] → C:\Program Files\Spyware Doctor\pctsAuxs.exe → [2008/06/13 16:29:14 | 000,356,920 | ---- | M] (PC Tools)

[Driver Services - Safe List]
(aswFW) avast! TDI Firewall driver [Kernel | System | Running] → C:\WINDOWS\System32\drivers\aswFW.sys → [2011/05/10 05:04:46 | 000,102,232 | ---- | M] (AVAST Software)
(aswSnx) aswSnx [File_System | System | Running] → C:\WINDOWS\System32\drivers\aswSnx.sys → [2011/05/10 05:03:54 | 000,441,176 | ---- | M] (AVAST Software)
(aswSP) aswSP [Kernel | System | Running] → C:\WINDOWS\System32\drivers\aswSP.sys → [2011/05/10 05:03:44 | 000,307,928 | ---- | M] (AVAST Software)
(aswNdis2) avast! Firewall Core Firewall Service [Kernel | Boot | Running] → C:\WINDOWS\System32\drivers\aswNdis2.sys → [2011/05/10 05:03:31 | 000,192,984 | ---- | M] (AVAST Software)
(aswTdi) avast! Network Shield Support [Kernel | System | Running] → C:\WINDOWS\System32\drivers\aswTdi.sys → [2011/05/10 05:02:37 | 000,049,240 | ---- | M] (AVAST Software)
(aswMon2) avast! Standard Shield Support [File_System | Auto | Running] → C:\WINDOWS\System32\drivers\aswmon2.sys → [2011/05/10 05:02:25 | 000,102,616 | ---- | M] (AVAST Software)
(aswRdr) aswRdr [Kernel | System | Running] → C:\WINDOWS\System32\drivers\aswRdr.sys → [2011/05/10 04:59:56 | 000,025,432 | ---- | M] (AVAST Software)
(Aavmker4) avast! Asynchronous Virus Monitor [Kernel | System | Running] → C:\WINDOWS\System32\drivers\aavmker4.sys → [2011/05/10 04:59:37 | 000,030,808 | ---- | M] (AVAST Software)
(aswFsBlk) aswFsBlk [File_System | Auto | Running] → C:\WINDOWS\System32\drivers\aswFsBlk.sys → [2011/05/10 04:59:35 | 000,019,544 | ---- | M] (AVAST Software)
(aswNdis) avast! Firewall NDIS Filter Service [Kernel | Boot | Running] → C:\WINDOWS\system32\DRIVERS\aswNdis.sys → [2010/09/07 08:24:46 | 000,012,112 | ---- | M] (ALWIL Software)
(BVRPMPR5) BVRPMPR5 NDIS Protocol Driver [Kernel | On_Demand | Stopped] → C:\WINDOWS\system32\drivers\BVRPMPR5.SYS → [2010/06/06 20:12:22 | 000,049,904 | R— | M] (Avanquest Software)
(IKSysSec) System Security Driver [Kernel | On_Demand | Stopped] → C:\WINDOWS\system32\drivers\iksyssec.sys → [2008/08/25 12:36:30 | 000,081,288 | ---- | M] (PCTools Research Pty Ltd.)
(IKSysFlt) System Filter Driver [Kernel | On_Demand | Stopped] → C:\WINDOWS\system32\drivers\iksysflt.sys → [2008/08/25 12:36:28 | 000,066,952 | ---- | M] (PCTools Research Pty Ltd.)
(IKFileSec) File Security Driver [File_System | On_Demand | Stopped] → C:\WINDOWS\system32\drivers\ikfilesec.sys → [2008/08/25 12:36:28 | 000,040,840 | ---- | M] (PCTools Research Pty Ltd.)
(RTL8023xp) Realtek 10/100/1000 PCI NIC Family NDIS XP Driver [Kernel | On_Demand | Running] → C:\WINDOWS\system32\drivers\Rtnicxp.sys → [2008/02/25 13:54:56 | 000,105,088 | ---- | M] (Realtek Semiconductor Corporation )
(MxlW2k) MxlW2k [Kernel | On_Demand | Running] → C:\WINDOWS\System32\drivers\MxlW2k.sys → [2006/08/16 07:49:59 | 000,028,256 | ---- | M] (MusicMatch, Inc.)
(Ps2) Ps2 [Kernel | On_Demand | Running] → C:\WINDOWS\system32\drivers\PS2.sys → [2005/12/12 17:27:00 | 000,019,072 | ---- | M] (Hewlett-Packard Company)
(AFS2K) AFS2K [Kernel | System | Running] → C:\WINDOWS\System32\drivers\AFS2K.SYS → [2005/03/04 16:37:36 | 000,043,672 | ---- | M] (Oak Technology Inc.)
(ALCXWDM) Service for Realtek AC97 Audio (WDM) [Kernel | On_Demand | Running] → C:\WINDOWS\system32\drivers\ALCXWDM.SYS → [2004/10/01 11:24:02 | 002,279,424 | ---- | M] (Realtek Semiconductor Corp.)
(S3Psddr) S3Psddr [Kernel | On_Demand | Stopped] → C:\WINDOWS\system32\drivers\s3gnbm.sys → [2004/08/03 22:29:51 | 000,166,912 | ---- | M] (S3 Graphics, Inc.)
(SunkFilt) Alcor Micro Corp - 9360 [Kernel | On_Demand | Stopped] → C:\WINDOWS\system32\drivers\Sunkfilt.sys → [2004/03/22 12:05:22 | 000,039,904 | ---- | M] (Alcor Micro Corp.)
(ALCXSENS) Service for WDM 3D Audio Driver [Kernel | On_Demand | Stopped] → C:\WINDOWS\system32\drivers\ALCXSENS.SYS → [2004/02/17 06:49:14 | 000,391,424 | ---- | M] (Sensaura Ltd)
(LMouFlt2) Logitech Mouse Class Filter Driver [Kernel | On_Demand | Running] → C:\WINDOWS\system32\drivers\LMouFlt2.Sys → [2003/12/17 10:50:00 | 000,070,801 | ---- | M] (Logitech, Inc.)
(L8042pr2) Logitech PS/2 Mouse Filter Driver [Kernel | On_Demand | Running] → C:\WINDOWS\system32\drivers\L8042pr2.Sys → [2003/12/17 10:50:00 | 000,051,729 | ---- | M] (Logitech, Inc.)
(ltmodem5) Agere Modem Driver [Kernel | On_Demand | Running] → C:\WINDOWS\system32\drivers\ltmdmnt.sys → [2003/12/12 20:03:10 | 000,652,689 | ---- | M] (Agere Systems)
(pfc) Padus ASPI Shell [Kernel | On_Demand | Running] → C:\WINDOWS\system32\drivers\pfc.sys → [2003/09/03 11:01:22 | 000,010,368 | ---- | M] (Padus, Inc.)
(nv_agp) NVIDIA nForce AGP Bus Filter [Kernel | Boot | Stopped] → C:\WINDOWS\System32\DRIVERS\nv_agp.sys → [2003/09/02 23:51:00 | 000,021,120 | ---- | M] (NVIDIA Corporation)
(SymEvent) SymEvent [Kernel | On_Demand | Stopped] → C:\Program Files\Symantec\SYMEVENT.SYS → [2003/08/15 17:22:12 | 000,082,136 | ---- | M] (Symantec Corporation)
(nvcap) nVidia WDM Video Capture (universal) [Kernel | Auto | Stopped] → C:\WINDOWS\system32\drivers\nvcap.sys → [2003/07/30 02:15:00 | 000,126,348 | ---- | M] ()
(NVXBAR) nVidia WDM A/V Crossbar [Kernel | Auto | Stopped] → C:\WINDOWS\system32\drivers\nvxbar.sys → [2003/07/30 02:15:00 | 000,013,006 | ---- | M] (NVIDIA Corporation)
(viaagp1) VIA AGP Filter [Kernel | Boot | Stopped] → C:\WINDOWS\System32\DRIVERS\viaagp1.sys → [2003/07/02 11:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.)
(fasttx2k) fasttx2k [Kernel | Boot | Stopped] → C:\WINDOWS\System32\DRIVERS\fasttx2k.sys → [2003/06/19 01:59:00 | 000,140,800 | ---- | M] (Promise Technology, Inc.)
(SiS315) SiS315 [Kernel | On_Demand | Stopped] → C:\WINDOWS\system32\drivers\sisgrp.sys → [2003/05/06 15:34:56 | 000,394,752 | ---- | M] (Silicon Integrated Systems Corporation)
(SiSkp) SiSkp [Kernel | System | Running] → C:\WINDOWS\system32\drivers\srvkp.sys → [2003/04/11 08:51:30 | 000,010,624 | ---- | M] (Silicon Integrated Systems Corporation)
(SISAGP) SiS AGP Filter [Kernel | Boot | Stopped] → C:\WINDOWS\System32\DRIVERS\SISAGPX.sys → [2003/02/20 16:18:36 | 000,036,608 | ---- | M] (Silicon Integrated Systems Corporation)
(rtl8139) Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver [Kernel | On_Demand | Stopped] → C:\WINDOWS\system32\drivers\R8139n51.sys → [2002/10/04 17:04:10 | 000,046,976 | ---- | M] (Realtek Semiconductor Corporation )
(Ftdisk) Volume Manager Driver [Kernel | Boot | Running] → C:\WINDOWS\System32\DRIVERS\ftdisk.sys → [2002/08/29 05:00:00 | 000,161,920 | ---- | M] ()
(PalmUSBD) PalmUSBD [Kernel | On_Demand | Stopped] → C:\WINDOWS\system32\drivers\PalmUSBD.sys → [2002/08/20 13:00:00 | 000,016,509 | ---- | M] (Palm, Inc.)
(NMUSB) NMUSB [Kernel | On_Demand | Stopped] → C:\WINDOWS\system32\drivers\Nmusb.sys → [2001/08/16 02:04:00 | 000,025,056 | ---- | M] (Creative Technology Ltd.)
(PfModNT) PfModNT [Kernel | Auto | Running] → C:\WINDOWS\system32\PfModNT.sys → [1999/12/17 02:00:00 | 000,006,752 | ---- | M] (Creative Technology Ltd.)

[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE] > → ->
HKEY_LOCAL_MACHINE: Search\“CustomSearch” → http://red.clientapps.yahoo.com/customize/ie/defaults/cs/sbcydsl/*http://www.yahoo.com/search/ie.html
< Internet Explorer Settings [HKEY_USERS.DEFAULT] > → ->
HKEY_USERS.DEFAULT: “ProxyEnable” → 0 →
< Internet Explorer Settings [HKEY_USERS__aswSnx private storage] > → ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-18] > → ->
HKEY_USERS\S-1-5-18: “ProxyEnable” → 0 →
< Internet Explorer Settings [HKEY_USERS\S-1-5-19] > → ->
HKEY_USERS\S-1-5-19: “ProxyEnable” → 0 →
< Internet Explorer Settings [HKEY_USERS\S-1-5-20] > → ->
HKEY_USERS\S-1-5-20: “ProxyEnable” → 0 →
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-3423375189-4244327808-2501610088-1003] > → ->
HKEY_USERS\S-1-5-21-3423375189-4244327808-2501610088-1003: Main\“SearchMigratedDefaultName” → Yahoo! Search →
HKEY_USERS\S-1-5-21-3423375189-4244327808-2501610088-1003: Main\“SearchMigratedDefaultURL” → http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
HKEY_USERS\S-1-5-21-3423375189-4244327808-2501610088-1003: Main\“Start Page” → http://search.babylon.com/home?AF=17710
HKEY_USERS\S-1-5-21-3423375189-4244327808-2501610088-1003: SearchURL\“” → http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
HKEY_USERS\S-1-5-21-3423375189-4244327808-2501610088-1003: “ProxyEnable” → 0 →
< FireFox Settings [Prefs.js] > → C:\Documents and Settings\Owner\Application Data\Mozilla\FireFox\Profiles\9ux2ub59.default\prefs.js →
browser.search.selectedEngine → “Google” →
browser.startup.homepage → “http://msn.com” →
< FireFox Extensions [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions → →
HKLM\software\mozilla\Firefox\Extensions\smartwebprinting@hp.com → C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [C:\PROGRAM FILES\HP\DIGITAL IMAGING\SMART WEB PRINTING\MOZILLAADDON2] → [2009/11/25 18:28:38 | 000,000,000 | —D | M]
HKLM\software\mozilla\Firefox\Extensions\wrc@avast.com → C:\Program Files\Alwil Software\Avast5\WebRep\FF [C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST5\WEBREP\FF] → [2011/05/17 17:20:47 | 000,000,000 | —D | M]
HKLM\software\mozilla\Mozilla Firefox 5.0\extensions → →
HKLM\software\mozilla\Mozilla Firefox 5.0\extensions\Components → C:\Program Files\Mozilla Firefox\components [C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS] → [2011/06/21 23:45:57 | 000,000,000 | —D | M]
HKLM\software\mozilla\Mozilla Firefox 5.0\extensions\Plugins → C:\Program Files\Mozilla Firefox\plugins [C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS] → [2011/06/23 12:04:32 | 000,000,000 | —D | M]
< FireFox Extensions [User Folders] > →
→ C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions → [2008/06/21 22:58:52 | 000,000,000 | —D | M]
→ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2915uf42.profile #1\extensions → [2011/05/07 21:48:36 | 000,000,000 | —D | M]
Microsoft .NET Framework Assistant → C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2915uf42.profile #1\extensions{20a82645-c095-46ed-80e3-08825760534b} → [2011/03/03 08:25:37 | 000,000,000 | —D | M]
Flashblock → C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2915uf42.profile #1\extensions{3d7eb24f-2740-49df-8937-200b1cc08f8a} → [2010/12/11 22:49:48 | 000,000,000 | —D | M]
Tabbrowser Preferences → C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2915uf42.profile #1\extensions{9b9d2aaa-ae26-4447-a7a1-633a32b19ddd} → [2011/03/03 08:25:38 | 000,000,000 | —D | M]
→ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2915uf42.profile #1\extensions\info@priceblink.com → [2010/12/11 22:49:45 | 000,000,000 | —D | M]
→ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\9ux2ub59.default\extensions → [2005/05/10 15:36:55 | 000,000,000 | —D | M]
Adblock → C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\9ux2ub59.default\extensions{34274bf4-1d97-a289-e984-17e546307e4f} → [2005/01/02 14:00:04 | 000,000,000 | —D | M]
googlebar → C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\9ux2ub59.default\extensions{6b6601f1-361e-4b9f-bb6d-f8305000e4f6} → [2005/05/10 16:19:47 | 000,000,000 | —D | M]
Firefox (default) → C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\9ux2ub59.default\extensions{972ce4c6-7e08-4474-a285-3208198ce6fd} → [2005/01/02 01:43:57 | 000,000,000 | —D | M]
No name found → C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\9ux2ub59.default\extensions{d650973c-0444-4ac7-9d00-19e3613c83b9} → [2005/01/02 14:01:35 | 000,000,000 | —D | M]
→ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\9ux2ub59.default\extensions\temp → [2005/05/10 16:19:47 | 000,000,000 | —D | M]
< FireFox Extensions [Program Folders] > →
→ C:\Program Files\Mozilla Firefox\extensions → [2011/04/22 00:30:41 | 000,000,000 | —D | M]
Java Console → C:\Program Files\Mozilla Firefox\extensions{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} → [2010/09/16 06:28:09 | 000,000,000 | —D | M]
Java Console → C:\Program Files\Mozilla Firefox\extensions{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} → [2010/11/15 23:44:50 | 000,000,000 | —D | M]
Java Console → C:\Program Files\Mozilla Firefox\extensions{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} → [2010/12/20 13:35:10 | 000,000,000 | —D | M]
Java Console → C:\Program Files\Mozilla Firefox\extensions{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} → [2011/03/16 11:54:04 | 000,000,000 | —D | M]
→ C:\Program Files\Mozilla Firefox\extensions\ffxtlbr@babylon.com → [2011/04/22 00:23:47 | 000,000,000 | —D | M]
< HOSTS File > ([2002/01/01 02:44:22 | 000,000,027 | ---- | M] - 1 lines) → C:\WINDOWS\system32\drivers\etc\hosts →
Reset Hosts
127.0.0.1 localhost
< BHO’s [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ →
{02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] → C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [&Yahoo! Toolbar Helper] → [2008/05/15 12:40:40 | 000,817,936 | ---- | M] (Yahoo! Inc.)
{52706EF7-D7A2-49AD-A615-E903858CF284} [HKLM] → [X1IEHook Class] → File not found
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] → C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] → [2008/09/15 15:25:44 | 001,562,960 | RHS- | M] (Safer Networking Limited)
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKLM] → C:\Program Files\Yahoo!\common\yiesrvc.dll [Yahoo! IE Services Button] → [2006/10/31 16:33:54 | 000,198,136 | ---- | M] (Yahoo! Inc.)
{8E5E2654-AD2D-48bf-AC2D-D17F00898D06} [HKLM] → C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll [avast! WebRep] → [2011/05/10 05:10:54 | 000,819,840 | ---- | M] (AVAST Software)
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] → C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [Google Toolbar Notifier BHO] → [2009/03/23 10:16:33 | 000,668,656 | ---- | M] (Google Inc.)
{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} [HKLM] → C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll [SidebarAutoLaunch Class] → [2005/02/03 18:07:08 | 000,124,032 | ---- | M] (Yahoo! Inc.)
{FDD3B846-8D59-4ffb-8758-209B6AD74ACC} [HKLM] → Reg Error: Key error. [Reg Error: Key error.] → File not found
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar →
“” [HKLM] → Reg Error: Key error. → File not found

It would be better and easier for all just to attach the the ots log file. In the Reply window, Additional Options and that expands to allow you to attach image and .txt or .log files.

< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
< CurrentVersion Policy Settings [HKEY_USERS.DEFAULT] > → HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer →
HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\“NoDriveTypeAutoRun” → [323] → File not found
\“NoDriveAutoRun” → [67108863] → File not found
< CurrentVersion Policy Settings [HKEY_USERS.DEFAULT] > → HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System →
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > → HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer →
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\“NoDriveTypeAutoRun” → [323] → File not found
\“NoDriveAutoRun” → [67108863] → File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > → HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System →
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-19] > → HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer →
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\“NoDriveTypeAutoRun” → [145] → File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-20] > → HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer →
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\“NoDriveTypeAutoRun” → [145] → File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-3423375189-4244327808-2501610088-1003] > → HKEY_USERS\S-1-5-21-3423375189-4244327808-2501610088-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer →
HKEY_USERS\S-1-5-21-3423375189-4244327808-2501610088-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\“NoDriveTypeAutoRun” → [323] → File not found
\“” → → File not found
\“NoDriveAutoRun” → [67108863] → File not found
\“NoDrives” → [0] → File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-3423375189-4244327808-2501610088-1003] > → HKEY_USERS\S-1-5-21-3423375189-4244327808-2501610088-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System →
< Internet Explorer Menu Extensions [HKEY_USERS.DEFAULT] > → HKEY_USERS.DEFAULT\Software\Microsoft\Internet Explorer\MenuExt\ →
E&xport to Microsoft Excel → [res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000] → File not found
< Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-18] > → HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\MenuExt\ →
E&xport to Microsoft Excel → [res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000] → File not found
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ →
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}:{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKLM] → C:\Program Files\Yahoo!\common\yiesrvc.dll [Button: AT&T Yahoo! Services] → [2006/10/31 16:33:54 | 000,198,136 | ---- | M] (Yahoo! Inc.)
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKLM] → C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [Menu: Spybot - Search & Destroy Configuration] → [2008/09/15 15:25:44 | 001,562,960 | RHS- | M] (Safer Networking Limited)
< Internet Explorer Extensions [HKEY_USERS.DEFAULT] > → HKEY_USERS.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\ →
CmdMapping\“{92780B25-18CC-41C8-B9BE-3C9C571A8263}” [HKLM] → [Reg Error: Key error.] → File not found
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18] > → HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\ →
CmdMapping\“{92780B25-18CC-41C8-B9BE-3C9C571A8263}” [HKLM] → [Reg Error: Key error.] → File not found
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-3423375189-4244327808-2501610088-1003] > → HKEY_USERS\S-1-5-21-3423375189-4244327808-2501610088-1003\Software\Microsoft\Internet Explorer\Extensions\ →
CmdMapping\“{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}” [HKLM] → C:\Program Files\Yahoo!\common\yiesrvc.dll [Yahoo! IE Services Button] → [2006/10/31 16:33:54 | 000,198,136 | ---- | M] (Yahoo! Inc.)
CmdMapping\“{92780B25-18CC-41C8-B9BE-3C9C571A8263}” [HKLM] → [Reg Error: Key error.] → File not found
< Default Prefix > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
“” → http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ → [Key] 0 domain(s) found. →
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE] > → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ →
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ → [Key] 0 range(s) found. →
< Trusted Sites Domains [HKEY_USERS.DEFAULT] > → HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ →
HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ → [Key] 5576 domain(s) found. →
< Trusted Sites Ranges [HKEY_USERS.DEFAULT] > → HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ →
HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ → [Key] 36 range(s) found. →
< Trusted Sites Domains [HKEY_USERS__aswSnx private storage] > → HKEY_USERS__aswSnx private storage\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ →
HKEY_USERS__aswSnx private storage\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ → [Key] 0 domain(s) found. →
< Trusted Sites Ranges [HKEY_USERS__aswSnx private storage] > → HKEY_USERS__aswSnx private storage\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ →
HKEY_USERS__aswSnx private storage\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ → [Key] 0 range(s) found. →
< Trusted Sites Domains [HKEY_USERS\S-1-5-18] > → HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ →
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ → [Key] 5576 domain(s) found. →
< Trusted Sites Ranges [HKEY_USERS\S-1-5-18] > → HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ →
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ → [Key] 36 range(s) found. →
< Trusted Sites Domains [HKEY_USERS\S-1-5-19] > → HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ →
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ → [Key] 0 domain(s) found. →
< Trusted Sites Ranges [HKEY_USERS\S-1-5-19] > → HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ →
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ → [Key] 0 range(s) found. →
< Trusted Sites Domains [HKEY_USERS\S-1-5-20] > → HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ →
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ → [Key] 0 domain(s) found. →
< Trusted Sites Ranges [HKEY_USERS\S-1-5-20] > → HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ →
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ → [Key] 0 range(s) found. →
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-3423375189-4244327808-2501610088-1003] > → HKEY_USERS\S-1-5-21-3423375189-4244327808-2501610088-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ →
HKEY_USERS\S-1-5-21-3423375189-4244327808-2501610088-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ → [Ke

David when I tried to attach the whole log it just kept saying the attachment was too big, how do I attach the ots log as it is huge?