
Computer all messed up


  • This topic is locked
12 replies to this topic

#1 bjsmith
  • Members
  • 6 posts

Posted 08 June 2009 - 06:01 PM

My computer is all messed up. It started when I noticed weird files on my desktop. I would delete them and they'd just come back. I scanned with my Norton and it didn't find anything. I scanned with CCleaner and it found a bunch of stuff and I removed them, but it didn't fix anything. A lot of windows open whenever I turn on my computer, and sometimes they will just come up on their own. I get error messages all the time, and sometimes it just turns off by itself. It says that Windows needs a break.

DDS (Ver_09-05-14.01) - NTFSx86
Run by user at 15:54:23.53 on Mon 06/08/2009
Internet Explorer: 8.0.6001.18702

============== Running Processes ===============


============== Pseudo HJT Report ===============

mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [RemoteControl] c:\windows\system32\rmctrl.exe
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
dRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
StartupFolder: c:\docume~1\alluse~1\startm~1\setpro~1.lnk - c:\windows\system32\control.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\WINDOW~2.LNK -
StartupFolder: c:\docume~1\alluse~1\startm~1\window~1.lnk - c:\windows\system32\wupdmgr.exe
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} - hxxps://video.manheim.com/lib/LiveSound.dll
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://10.100.10.35/kxhcm10.ocx
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148408601045
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-06-08 15:44 <DIR> --d----- c:\docume~1\user\favori~1\Symantec
2009-06-08 15:36 <DIR> --d----- c:\windows\system32\NtmsData
2009-06-08 14:45 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-06-08 14:38 <DIR> --dsh--- c:\docume~1\user\IECompatCache
2009-06-08 14:38 <DIR> --dsh--- c:\docume~1\user\PrivacIE
2009-06-08 14:29 <DIR> --dsh--- c:\docume~1\user\IETldCache
2009-06-08 12:54 <DIR> --d----- c:\windows\system32\XPSViewer
2009-06-08 12:53 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-08 12:53 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-08 12:53 117,760 -------- c:\windows\system32\prntvpt.dll
2009-06-08 12:53 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-06-08 12:53 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-08 12:53 <DIR> --d----- C:\4c1fd406ebddca803076e9c9c8
2009-06-08 12:53 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-06-08 12:53 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-06-08 12:47 <DIR> --d----- c:\windows\ie8updates
2009-06-08 12:46 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-06-08 12:44 <DIR> -cd-h--- c:\windows\ie8
2009-06-08 12:23 <DIR> --d----- c:\progra~1\Microsoft
2009-06-08 12:20 <DIR> --d----- c:\progra~1\CCleaner
2009-06-08 12:19 <DIR> --d----- c:\progra~1\Windows Media Connect 2
2009-06-08 12:16 <DIR> --d----- c:\windows\system32\LogFiles
2009-06-08 11:27 <DIR> --d----- c:\windows\system32\scripting
2009-06-08 11:27 <DIR> --d----- c:\windows\l2schemas
2009-06-08 11:27 <DIR> --d----- c:\windows\system32\en
2009-06-08 10:32 <DIR> --d----- c:\docume~1\user\bob.smith

==================== Find3M ====================

2009-06-08 11:33 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

============= FINISH: 15:55:14.18 ===============

Edited by bjsmith, 08 June 2009 - 06:07 PM.



#2 Buckeye_Sam
    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 09 June 2009 - 08:19 AM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.




We need to create an OTListIt2 Report
  • Please download OTListIt2 from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 bjsmith
  • Topic Starter

  • Members
  • 6 posts

Posted 09 June 2009 - 11:12 AM

Malwarebytes' Anti-Malware 1.37
Database version: 2254
Windows 5.1.2600 Service Pack 3

6/9/2009 9:09:37 AM
mbam-log-2009-06-09 (09-09-37).txt

Scan type: Quick Scan
Objects scanned: 121712
Time elapsed: 37 minute(s), 43 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
c:\WINDOWS\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\csrss.exe (Backdoor.Bot) -> Delete on reboot.
c:\WINDOWS\system32\2.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

It has to reboot. Also, twice while it was scanning, a bunch of windows just came up on their own. I'm going to let Malwarebytes reboot right now.

The OTListIt2 link is saying it's a broken link.

Edited by bjsmith, 09 June 2009 - 11:13 AM.
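The MBAM log above makes two findings that a responder can automate rather than eyeball: lsass.exe and csrss.exe running from C:\WINDOWS instead of C:\WINDOWS\system32 (a name that Windows itself only runs from one directory, found somewhere else), and a modified Winlogon\Userinit value. The Python below is an added example, not code from BleepingComputer, Malwarebytes or OTL. It parses process lines in OTL's "PRC" format (the format of the log posted later in the thread); the sample lines are constructed and only patterned on the thread, the reserved-name table is an assumption, and the appended "C:\WINDOWS\update.exe" Userinit entry is hypothetical.

```python
"""Flag Windows system-binary masquerades and Userinit tampering.

Added example for this thread, not code from BleepingComputer, MBAM or OTL.
Input is OTL's "PRC" process-line format; the sample lines are constructed.
"""
import re
from pathlib import PureWindowsPath

# Directory (relative to %SystemRoot%) that Windows XP runs each binary from.
# A process with one of these names at any other path is a masquerade
# candidate. This table is an assumption for the example, not exhaustive.
EXPECTED_DIR = {
    "smss.exe": "system32",
    "csrss.exe": "system32",
    "winlogon.exe": "system32",
    "services.exe": "system32",
    "lsass.exe": "system32",
    "svchost.exe": "system32",
    "spoolsv.exe": "system32",
    "userinit.exe": "system32",
    "explorer.exe": "",  # explorer.exe lives in %SystemRoot% itself
}

# One OTL process line: PRC - [stamp | size | attrs | M] (company) -- path
_PRC_RE = re.compile(
    r"^PRC - \[(?P<stamp>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*--\s*(?P<path>\S.*?)\s*$"
)

# Constructed sample in OTL's format; the paths are patterned on the thread.
SAMPLE_PRC = r"""
PRC - [2008/04/13 17:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2008/04/13 17:12:31 | 00,017,920 | ---- | M] (Microsoft Corporation) -- c:\windows\lsass.exe
PRC - [2008/04/13 17:12:31 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\lsass.exe
PRC - [2000/10/16 01:37:36 | 00,032,768 | ---- | M] () -- C:\WINDOWS\system32\rmctrl.exe
SRV - [2004/03/12 15:17:46 | 01,221,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus [Auto | Running])
""".strip().splitlines()


def parse_prc_line(line):
    """Return the fields of one OTL PRC line, or None for any other line."""
    m = _PRC_RE.match(line.strip())
    if m is None:
        return None
    return {
        "stamp": m.group("stamp").strip(),
        "size": int(m.group("size").replace(",", "")),
        "company": m.group("company").strip(),
        "path": m.group("path"),
    }


def expected_path(name, system_root):
    """Where a reserved binary is supposed to live under system_root."""
    base = PureWindowsPath(system_root)
    sub = EXPECTED_DIR[name]
    return base / sub / name if sub else base / name


def find_masquerades(lines, system_root=r"C:\WINDOWS"):
    """Return parsed entries whose name is reserved but whose path is not.

    The company string is whatever the PE version resource says; the file's
    author controls it, so it is carried along for context and never used to
    decide legitimacy. Comparison is case-insensitive, as NTFS paths are.
    """
    hits = []
    for line in lines:
        rec = parse_prc_line(line)
        if rec is None:
            continue
        path = PureWindowsPath(rec["path"])
        name = path.name.lower()
        if name not in EXPECTED_DIR:
            continue
        want = expected_path(name, system_root)
        if str(path).lower() != str(want).lower():
            hits.append({**rec, "expected": str(want)})
    return hits


def check_userinit(value, system_root=r"C:\WINDOWS"):
    """Return every entry in a Winlogon\\Userinit value except the stock one.

    The XP default is "C:\\WINDOWS\\system32\\userinit.exe," (one entry, trailing
    comma). Malware appends its own path so Winlogon also launches it at logon.
    """
    want = str(PureWindowsPath(system_root) / "system32" / "userinit.exe").lower()
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [e for e in entries if e and e.lower() != want]


if __name__ == "__main__":
    for hit in find_masquerades(SAMPLE_PRC):
        print(f"MASQUERADE {hit['path']}  (expected {hit['expected']}, "
              f"company says {hit['company']!r})")
    # Hypothetical tampered value: the stock entry plus an appended loader.
    for extra in check_userinit(r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\update.exe,"):
        print(f"USERINIT extra entry {extra}")
```

On the sample, only the lsass.exe copy in C:\WINDOWS is reported; the copy in system32 and Explorer.EXE in the Windows root are where they belong. The point of carrying the company field without acting on it is that both lsass.exe entries say "Microsoft Corporation": that string comes from the file itself, so a masquerade check has to key on the path, not on what the binary claims about its author.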


#4 Buckeye_Sam
    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 09 June 2009 - 04:24 PM

Sorry about that link. Here is the updated link to download OTL.

http://oldtimer.geekstogo.com/OTL.exe


========================================================

#5 bjsmith
  • Topic Starter

  • Members
  • 6 posts

Posted 09 June 2009 - 06:39 PM

Right when it was almost done scanning, the huge amount of windows came up again. Then, once it brought up the log, a message came up saying my computer was shutting down because "Windows is tired and needs a break." It only gave me like 6 seconds so I quickly selected all of the log and copied it, then pasted it in here and posted it.

OTL logfile created on: 6/9/2009 4:36:18 PM - Run 1
OTL by OldTimer - Version 2.1.1.0 Folder = C:\DOCUME~1\ALLUSE~1\desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

446.48 Mb Total Physical Memory | 157.27 Mb Available Physical Memory | 35.22% Memory free
1.03 Gb Paging File | 0.63 Gb Available in Paging File | 60.86% Paging File free
Paging file location(s): C:\pagefile.sys 2048 2048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\PROGRA~1
Drive C: | 37.26 Gb Total Space | 20.38 Gb Free Space | 54.70% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BOBSMITH1
Current User Name: user
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2005/08/30 22:36:10 | 00,376,832 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe
PRC - [2004/02/29 16:44:54 | 00,242,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2004/02/29 16:44:48 | 00,255,096 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2005/08/30 22:36:10 | 00,376,832 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\Ati2evxx.exe
PRC - [2004/03/12 15:17:10 | 00,029,928 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PRC - [2004/03/12 15:17:46 | 01,221,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2008/05/20 04:00:00 | 00,757,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe
PRC - [2009/02/06 03:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2008/04/13 17:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2005/10/14 18:51:40 | 14,864,384 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2000/10/16 01:37:36 | 00,032,768 | ---- | M] () -- C:\WINDOWS\system32\rmctrl.exe
PRC - [2007/05/12 18:00:58 | 00,282,624 | ---- | M] (Apple Inc.) -- C:\Program Files\QuickTime\qttask.exe
PRC - [2004/02/29 16:44:46 | 00,066,680 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2004/03/12 15:18:32 | 00,124,128 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2007/06/21 09:25:42 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/04/13 17:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
PRC - [2009/02/06 03:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2008/04/13 17:12:31 | 00,017,920 | ---- | M] (Microsoft Corporation) -- c:\windows\lsass.exe
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/06/09 16:35:23 | 00,501,760 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\All Users\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2005/08/30 22:36:10 | 00,376,832 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
SRV - [2005/08/30 21:05:00 | 00,516,096 | ---- | M] () -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart [Auto | Stopped])
SRV - [2004/02/29 16:44:48 | 00,255,096 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr [Auto | Running])
SRV - [2008/05/20 04:00:00 | 00,757,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec [Auto | Running])
SRV - [2004/02/29 16:44:52 | 00,087,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc [On_Demand | Stopped])
SRV - [2004/02/29 16:44:54 | 00,242,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr [Auto | Running])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2004/03/12 15:17:10 | 00,029,928 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch [Auto | Running])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2009/04/26 19:22:26 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2008/04/13 17:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Running])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2008/11/04 01:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 15:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - File not found -- -- (Pml Driver HPZ12 [On_Demand | Stopped])
SRV - [2004/03/12 15:18:06 | 00,169,192 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam [On_Demand | Stopped])
SRV - [2008/05/20 04:00:00 | 00,249,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\TSManager.exe -- (smstsmgr [On_Demand | Stopped])
SRV - [2004/03/11 14:58:32 | 00,193,760 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc [On_Demand | Stopped])
SRV - [2004/03/12 15:17:46 | 01,221,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus [Auto | Running])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2005/08/30 22:42:36 | 01,333,760 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\DRIVERS\ati2mtag.sys -- (ati2mtag [On_Demand | Running])
DRV - [2001/08/17 14:12:12 | 00,002,944 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\System32\Drivers\Brfilt.sys -- (brfilt [On_Demand | Stopped])
DRV - [2003/03/13 17:04:20 | 00,061,952 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\System32\Drivers\BrSerWdm.sys -- (BrSerWDM [On_Demand | Stopped])
DRV - [2001/08/17 14:12:20 | 00,011,008 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm [On_Demand | Stopped])
DRV - [2001/08/17 14:12:22 | 00,010,368 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\System32\Drivers\BrUsbScn.sys -- (BrUsbScn [On_Demand | Stopped])
DRV - [2001/08/17 12:11:06 | 00,066,591 | ---- | M] (3Com Corporation) -- C:\WINDOWS\system32\DRIVERS\el90xbc5.sys -- (EL90XBC [On_Demand | Stopped])
DRV - [2008/04/13 09:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2005/10/18 14:15:42 | 04,034,048 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2008/04/13 11:36:41 | 00,063,744 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\mf.sys -- (mf [On_Demand | Stopped])
DRV - [2009/06/08 01:00:00 | 00,089,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090608.007\NAVENG.SYS -- (NAVENG [On_Demand | Running])
DRV - [2009/06/08 01:00:00 | 00,876,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090608.007\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])
DRV - [2008/05/20 04:00:00 | 00,023,584 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\prepdrv.sys -- (prepdrvr [On_Demand | Stopped])
DRV - [2001/08/23 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2009/03/25 06:29:52 | 00,130,432 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\System32\DRIVERS\Rtnicxp.sys -- (RTL8023xp [On_Demand | Running])
DRV - [2004/08/03 22:31:32 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\System32\DRIVERS\RTL8139.SYS -- (rtl8139 [On_Demand | Stopped])
DRV - [2004/02/09 15:43:56 | 00,301,200 | R--- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT [System | Running])
DRV - [2004/02/09 15:43:56 | 00,037,008 | R--- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL [Auto | Running])
DRV - [2007/11/13 03:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2008/04/08 17:27:04 | 00,012,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\smsmdm.sys -- (smsmdd [On_Demand | Running])
DRV - [2004/03/04 23:46:46 | 00,082,832 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
DRV - [2004/03/11 14:58:08 | 00,016,288 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV [On_Demand | Running])
DRV - [2004/03/11 14:58:10 | 00,263,616 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI [System | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 47 A2 F2 2D 87 E8 C9 01 [binary data]
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 47 A2 F2 2D 87 E8 C9 01 [binary data]
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-606747145-1390067357-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-606747145-1390067357-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\S-1-5-21-606747145-1390067357-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKU\S-1-5-21-606747145-1390067357-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-606747145-1390067357-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-606747145-1390067357-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = C6 65 03 C9 8A E8 C9 01 [binary data]
IE - HKU\S-1-5-21-606747145-1390067357-839522115-1003\S-1-5-21-606747145-1390067357-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\ [2009/06/08 12:56:47 | 00,000,000 | ---D | M]


O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\S-1-5-21-606747145-1390067357-839522115-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (Symantec Corporation)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [RemoteControl] C:\WINDOWS\system32\rmctrl.exe ()
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon (Microsoft Corporation)
O4 - HKLM..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe (Symantec Corporation)
O4 - HKU\.DEFAULT..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
O4 - HKU\S-1-5-21-606747145-1390067357-839522115-1003..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
O4 - HKU\S-1-5-21-606747145-1390067357-839522115-1003..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKU\S-1-5-21-606747145-1390067357-839522115-1003..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\Administrator.BOBSMITH1\Start Menu\Programs [2009/06/05 19:23:29 | 00,000,000 | R--D | M]
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Adobe [2001/01/01 16:00:07 | 00,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Google [2001/01/01 16:01:04 | 00,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Macromedia [2001/01/01 16:00:08 | 00,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Microsoft [2009/06/08 15:41:30 | 00,000,000 | --SD | M]
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs [2009/06/08 14:51:49 | 00,000,000 | R--D | M]
O4 - Startup: C:\DOCUME~1\All Users\Start Menu\Set Program Access and Defaults.lnk = C:\WINDOWS\system32\control.exe (Microsoft Corporation)
O4 - Startup: C:\DOCUME~1\All Users\Start Menu\Windows Catalog.lnk = File not found
O4 - Startup: C:\DOCUME~1\All Users\Start Menu\Windows Update.lnk = C:\WINDOWS\system32\wupdmgr.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs [2006/05/23 10:53:11 | 00,000,000 | R--D | M]
O4 - Startup: C:\Documents and Settings\LocalService\Start Menu\microsoft [2009/06/08 15:19:22 | 00,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\LocalService\Start Menu\Programs [2009/06/08 15:21:13 | 00,000,000 | R--D | M]
O4 - Startup: C:\Documents and Settings\user\Start Menu\Adobe [2009/06/09 08:25:12 | 00,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\user\Start Menu\Google [2009/06/09 08:29:59 | 00,000,000 | ---D | M]
O4 - Startup: C:\DOCUME~1\user\Start Menu\IP Address.lnk = C:\WINDOWS\system32\cmd.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\user\Start Menu\Macromedia [2009/06/09 08:25:18 | 00,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\user\Start Menu\Malwarebytes [2009/06/09 08:30:45 | 00,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\user\Start Menu\microsoft [2009/06/09 16:19:34 | 00,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\user\Start Menu\Programs [2009/06/09 16:24:41 | 00,000,000 | -HSD | M]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-606747145-1390067357-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-606747145-1390067357-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisablePersonalDirChange = 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} https://video.manheim.com/lib/LiveSound.dll (lgbplay Class)
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} http://10.100.10.35/kxhcm10.ocx (KX-HCM10 Control)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc3.cab (Office Update Installation Engine)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1148408601045 (WUWebControl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - x-sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe ()
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/05/23 10:53:06 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - * [2009/06/09 16:35:22 | 00,000,000 | -HSD | M]

========== Files/Folders - Created Within 30 Days ==========

[2 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/06/09 16:35:18 | 00,501,760 | ---- | C] (OldTimer Tools) -- C:\DOCUME~1\ALLUSE~1\desktop\OTL.exe
[2009/06/09 16:26:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Desktop\Macromedia
[2009/06/09 16:26:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Desktop\Adobe
[2009/06/09 16:23:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Desktop\Google
[2009/06/09 16:23:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google
[2009/06/09 16:22:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec
[2009/06/09 16:20:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft
[2009/06/09 16:20:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Desktop\Malwarebytes
[2009/06/09 16:20:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Malwarebytes
[2009/06/09 16:20:16 | 00,389,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\csrss.exe
[2009/06/09 16:20:16 | 00,017,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\lsass.exe
[2009/06/09 08:30:37 | 00,040,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/06/09 08:30:34 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/06/09 08:30:33 | 00,000,000 | ---D | C] -- C:\PROGRA~1\Malwarebytes' Anti-Malware
[2009/06/09 08:29:57 | 03,371,384 | ---- | C] () -- C:\Documents and Settings\user\Desktop\mbam-setup.exe
[2009/06/09 08:24:59 | 00,000,000 | ---D | C] -- C:\DOCUME~1\ALLUSE~1\desktop\AntiPhishing
[2009/06/09 08:24:52 | 00,000,000 | ---D | C] -- C:\DOCUME~1\user\My Documents\microsoft
[2009/06/09 08:24:00 | 00,000,000 | ---D | C] -- C:\DOCUME~1\ALLUSE~1\desktop\Sqm
[2009/06/09 08:23:58 | 00,000,145 | -HS- | C] () -- C:\Documents and Settings\user\Desktop\desktop.ini
[2009/06/09 08:23:58 | 00,000,067 | -HS- | C] () -- C:\DOCUME~1\ALLUSE~1\desktop\desktop.ini
[2009/06/09 08:23:58 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\user\Desktop\History.IE5
[2009/06/09 08:23:58 | 00,000,000 | -HSD | C] -- C:\DOCUME~1\ALLUSE~1\desktop\Content.IE5
[2009/06/08 15:45:30 | 00,000,000 | ---D | C] -- C:\DOCUME~1\user\Local Settings\Macromedia
[2009/06/08 15:45:26 | 00,000,000 | ---D | C] -- C:\DOCUME~1\user\Local Settings\Adobe
[2009/06/08 15:45:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Desktop\microsoft
[2009/06/08 15:44:48 | 00,000,000 | ---D | C] -- C:\DOCUME~1\user\Local Settings\Google
[2009/06/08 15:43:50 | 00,000,000 | --SD | C] -- C:\DOCUME~1\user\Local Settings\Microsoft
[2009/06/08 15:41:35 | 00,016,384 | -HS- | C] () -- C:\DOCUME~1\user\Templates\index.dat
[2009/06/08 15:36:12 | 00,000,424 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{92D5AC8B-5CF1-43A1-9B34-25A564BEB22C}.job
[2009/06/08 15:36:00 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2009/06/08 15:34:43 | 00,000,000 | ---D | C] -- C:\DOCUME~1\ALLUSE~1\desktop\MSN6
[2009/06/08 15:32:13 | 00,000,000 | ---D | C] -- C:\DOCUME~1\ALLUSE~1\desktop\Windows Genuine Advantage
[2009/06/08 15:22:09 | 00,000,000 | ---D | C] -- C:\DOCUME~1\ALLUSE~1\desktop\Symantec
[2009/06/08 15:20:38 | 00,000,000 | ---D | C] -- C:\DOCUME~1\ALLUSE~1\desktop\Microsoft
[2009/06/08 15:18:53 | 00,000,000 | ---D | C] -- C:\DOCUME~1\ALLUSE~1\desktop\Google
[2009/06/08 14:51:28 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\windowspowershell
[2009/06/08 14:45:26 | 01,089,593 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ntprint.cat
[2009/06/08 14:38:32 | 00,000,420 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{41B2E517-E6C7-4B17-BC15-F7015A48B2A9}.job
[2009/06/08 12:54:53 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2009/06/08 12:54:31 | 00,000,000 | ---D | C] -- C:\PROGRA~1\Reference Assemblies
[2009/06/08 12:53:44 | 00,597,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\printfilterpipelinesvc.exe
[2009/06/08 12:53:44 | 00,117,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\prntvpt.dll
[2009/06/08 12:53:44 | 00,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\filterpipelineprintproc.dll
[2009/06/08 12:53:43 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpssvcs.dll
[2009/06/08 12:53:43 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpssvcs.dll
[2009/06/08 12:53:43 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsshhdr.dll
[2009/06/08 12:53:43 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpsshhdr.dll
[2009/06/08 12:53:43 | 00,000,000 | ---D | C] -- C:\4c1fd406ebddca803076e9c9c8
[2009/06/08 12:47:12 | 00,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2009/06/08 12:46:47 | 00,102,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iecompat.dll
[2009/06/08 12:44:18 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2009/06/08 12:23:19 | 00,000,000 | ---D | C] -- C:\PROGRA~1\Microsoft Silverlight
[2009/06/08 12:23:11 | 00,000,000 | ---D | C] -- C:\PROGRA~1\Microsoft
[2009/06/08 12:20:53 | 00,001,548 | ---- | C] () -- C:\Documents and Settings\user\Desktop\CCleaner.lnk
[2009/06/08 12:20:46 | 00,000,000 | ---D | C] -- C:\PROGRA~1\CCleaner
[2009/06/08 12:20:36 | 00,016,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2009/06/08 12:19:51 | 00,000,000 | ---D | C] -- C:\PROGRA~1\Windows Media Connect 2
[2009/06/08 12:16:48 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2009/06/08 12:16:40 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2009/06/08 12:16:40 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\UMDF
[2009/06/08 11:47:11 | 00,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2009/06/08 11:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2009/06/08 11:27:16 | 00,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2009/06/08 11:27:14 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2009/06/08 10:34:47 | 00,000,000 | ---D | C] -- C:\DOCUME~1\user\My Documents\My eBooks
[2009/06/08 10:34:44 | 00,000,000 | ---D | C] -- C:\DOCUME~1\user\My Documents\Doc's
[2009/06/08 10:34:36 | 00,000,000 | ---D | C] -- C:\DOCUME~1\user\My Documents\Palm OS Desktop
[2009/04/10 15:13:17 | 00,004,764 | ---- | C] () -- C:\WINDOWS\System32\CcmFramework.ini
[2009/04/10 15:11:22 | 00,000,395 | ---- | C] () -- C:\WINDOWS\SMSCFG.ini
[2009/03/03 12:18:04 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2008/03/10 15:38:34 | 00,000,020 | ---- | C] () -- C:\WINDOWS\System32\RPCS.ini
[2007/12/18 18:14:49 | 00,002,160 | ---- | C] () -- C:\WINDOWS\BrmfBidi.ini
[2007/07/26 09:49:29 | 00,000,317 | ---- | C] () -- C:\WINDOWS\SWWATER.INI
[2006/09/30 13:52:44 | 00,007,267 | ---- | C] () -- C:\WINDOWS\hplj1010.ini
[2006/06/24 11:32:17 | 00,000,104 | ---- | C] () -- C:\WINDOWS\hpw1100k.ini
[2006/06/24 11:31:12 | 00,007,078 | ---- | C] () -- C:\WINDOWS\hpbj1100.ini
[2006/05/24 15:48:24 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\ctrldll.dll
[2006/05/24 15:45:22 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\cutemon2k.dll
[2006/05/24 14:19:09 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/05/23 12:05:27 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2001/08/23 05:00:00 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\ntmarta.dll
[2001/08/23 05:00:00 | 00,000,680 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/23 05:00:00 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini
[2001/07/31 11:17:12 | 00,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
[1999/01/22 11:46:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== Files - Modified Within 30 Days ==========

[2 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/06/09 16:35:23 | 00,501,760 | ---- | M] (OldTimer Tools) -- C:\DOCUME~1\ALLUSE~1\desktop\OTL.exe
[2009/06/09 16:24:19 | 00,000,395 | ---- | M] () -- C:\WINDOWS\SMSCFG.ini
[2009/06/09 16:20:09 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/06/09 16:19:30 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/06/09 16:19:19 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/06/09 08:29:57 | 03,371,384 | ---- | M] () -- C:\Documents and Settings\user\Desktop\mbam-setup.exe
[2009/06/09 08:23:58 | 00,000,145 | -HS- | M] () -- C:\Documents and Settings\user\Desktop\desktop.ini
[2009/06/09 08:23:58 | 00,000,067 | -HS- | M] () -- C:\DOCUME~1\ALLUSE~1\desktop\desktop.ini
[2009/06/08 15:41:32 | 00,016,384 | -HS- | M] () -- C:\DOCUME~1\user\Templates\index.dat
[2009/06/08 15:36:30 | 00,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{92D5AC8B-5CF1-43A1-9B34-25A564BEB22C}.job
[2009/06/08 15:35:59 | 00,000,680 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/06/08 14:42:15 | 00,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{41B2E517-E6C7-4B17-BC15-F7015A48B2A9}.job
[2009/06/08 14:29:42 | 00,000,075 | -HS- | M] () -- C:\DOCUME~1\user\My Documents\desktop.ini
[2009/06/08 14:29:32 | 00,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2009/06/08 14:29:32 | 00,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2009/06/08 14:29:22 | 00,000,062 | -HS- | M] () -- C:\DOCUME~1\user\Local Settings\desktop.ini
[2009/06/08 14:29:05 | 00,269,392 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/06/08 13:01:51 | 00,533,908 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/06/08 13:01:51 | 00,463,580 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/06/08 13:01:51 | 00,080,232 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/06/08 12:20:53 | 00,001,548 | ---- | M] () -- C:\Documents and Settings\user\Desktop\CCleaner.lnk
[2009/06/08 12:16:48 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2009/06/08 11:50:40 | 00,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2009/06/08 11:29:34 | 00,001,563 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Start Menu\Set Program Access and Defaults.lnk
[2009/06/08 11:29:34 | 00,000,272 | -HS- | M] () -- C:\DOCUME~1\ALLUSE~1\Start Menu\desktop.ini
[2009/06/08 11:19:54 | 00,250,048 | RHS- | M] () -- C:\ntldr
[2009/06/08 10:21:51 | 00,001,507 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Start Menu\Windows Update.lnk
[2009/05/26 13:20:08 | 00,040,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/05/26 13:19:56 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/05/11 22:11:53 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iecompat.dll
< End of report >

Edited by bjsmith, 09 June 2009 - 06:50 PM.


#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:22 AM

Posted 10 June 2009 - 01:41 PM

Well done! :thumbup2:


Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    PRC - [2008/04/13 17:12:31 | 00,017,920 | ---- | M] (Microsoft Corporation) -- c:\windows\lsass.exe
    O4 - HKLM..\Run: [] File not found
    O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE (Realtek Semiconductor Corp.)
    O4 - Startup: C:\Documents and Settings\Administrator.BOBSMITH1\Start Menu\Programs [2009/06/05 19:23:29 | 00,000,000 | R--D | M]
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Adobe [2001/01/01 16:00:07 | 00,000,000 | ---D | M]
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Google [2001/01/01 16:01:04 | 00,000,000 | ---D | M]
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Macromedia [2001/01/01 16:00:08 | 00,000,000 | ---D | M]
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Microsoft [2009/06/08 15:41:30 | 00,000,000 | --SD | M]
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs [2009/06/08 14:51:49 | 00,000,000 | R--D | M]
    O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs [2006/05/23 10:53:11 | 00,000,000 | R--D | M]
    O4 - Startup: C:\Documents and Settings\LocalService\Start Menu\microsoft [2009/06/08 15:19:22 | 00,000,000 | ---D | M]
    O4 - Startup: C:\Documents and Settings\LocalService\Start Menu\Programs [2009/06/08 15:21:13 | 00,000,000 | R--D | M]
    O4 - Startup: C:\Documents and Settings\user\Start Menu\Adobe [2009/06/09 08:25:12 | 00,000,000 | ---D | M]
    O4 - Startup: C:\Documents and Settings\user\Start Menu\Google [2009/06/09 08:29:59 | 00,000,000 | ---D | M]
    O4 - Startup: C:\Documents and Settings\user\Start Menu\Macromedia [2009/06/09 08:25:18 | 00,000,000 | ---D | M]
    O4 - Startup: C:\Documents and Settings\user\Start Menu\Malwarebytes [2009/06/09 08:30:45 | 00,000,000 | ---D | M]
    O4 - Startup: C:\Documents and Settings\user\Start Menu\microsoft [2009/06/09 16:19:34 | 00,000,000 | ---D | M]
    O4 - Startup: C:\Documents and Settings\user\Start Menu\Programs [2009/06/09 16:24:41 | 00,000,000 | -HSD | M]
    
    :Files
    C:\WINDOWS\csrss.exe
    C:\WINDOWS\lsass.exe
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL log.

=================




Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 bjsmith

bjsmith
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:22 AM

Posted 10 June 2009 - 04:02 PM

How long is it supposed to take to fix? I pasted it in there and did Run Fix and it scrolled really fast through a couple things and then just hung for a while. I closed it and opened it again and redid it. It hung on the same spot.
At the bottom it said "O4 - Startup: C:\Documents and Settings\Administrator.BOBSMITH1\Start Menu\Programs [2009/06/05 19:23:29 | 00,000,000 | R--D | M]"

I left it there for a good hour and came back and hundreds of windows were open in front of it, but when I finally closed them and got back to OTL, it was still stuck there.

Edited by bjsmith, 10 June 2009 - 04:03 PM.


#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:22 AM

Posted 11 June 2009 - 09:55 AM

It shouldn't take anywhere near that long. Go ahead and reboot your computer and OTL will finish up what it can before it hung up.
Then proceed with the next set of steps.


========================================================

#9 bjsmith

bjsmith
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:22 AM

Posted 11 June 2009 - 01:17 PM

Here's the new OTL log:

OTL logfile created on: 6/11/2009 11:08:01 AM - Run 2
OTL by OldTimer - Version 2.1.1.0 Folder = C:\Documents and Settings\All Users\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

446.48 Mb Total Physical Memory | 156.61 Mb Available Physical Memory | 35.08% Memory free
2.37 Gb Paging File | 2.03 Gb Available in Paging File | 85.49% Paging File free
Paging file location(s): C:\pagefile.sys 2048 2048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 19.29 Gb Free Space | 51.77% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BOBSMITH1
Current User Name: user
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2005/08/30 22:36:10 | 00,376,832 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe
PRC - [2004/02/29 16:44:54 | 00,242,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2004/02/29 16:44:48 | 00,255,096 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2005/08/30 22:36:10 | 00,376,832 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\Ati2evxx.exe
PRC - [2004/03/12 15:17:10 | 00,029,928 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PRC - [2004/03/12 15:17:46 | 01,221,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2008/05/20 04:00:00 | 00,757,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe
PRC - [2009/02/06 03:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2005/10/14 18:51:40 | 14,864,384 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2000/10/16 01:37:36 | 00,032,768 | ---- | M] () -- C:\WINDOWS\system32\rmctrl.exe
PRC - [2007/05/12 18:00:58 | 00,282,624 | ---- | M] (Apple Inc.) -- C:\Program Files\QuickTime\qttask.exe
PRC - [2004/02/29 16:44:46 | 00,066,680 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2004/03/12 15:18:32 | 00,124,128 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2007/06/21 09:25:42 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/04/13 17:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
PRC - [2009/02/06 03:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2008/04/13 17:12:31 | 00,017,920 | ---- | M] (Microsoft Corporation) -- c:\windows\lsass.exe
PRC - [2008/04/13 17:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/13 17:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
PRC - [2009/06/09 16:35:23 | 00,501,760 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\All Users\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2005/08/30 22:36:10 | 00,376,832 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
SRV - [2005/08/30 21:05:00 | 00,516,096 | ---- | M] () -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart [Auto | Stopped])
SRV - [2004/02/29 16:44:48 | 00,255,096 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr [Auto | Running])
SRV - [2008/05/20 04:00:00 | 00,757,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec [Auto | Running])
SRV - [2004/02/29 16:44:52 | 00,087,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc [On_Demand | Stopped])
SRV - [2004/02/29 16:44:54 | 00,242,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr [Auto | Running])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2004/03/12 15:17:10 | 00,029,928 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch [Auto | Running])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2009/04/26 19:22:26 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2008/04/13 17:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Running])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2008/11/04 01:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 15:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - File not found -- -- (Pml Driver HPZ12 [On_Demand | Stopped])
SRV - [2004/03/12 15:18:06 | 00,169,192 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam [On_Demand | Stopped])
SRV - [2008/05/20 04:00:00 | 00,249,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\TSManager.exe -- (smstsmgr [On_Demand | Stopped])
SRV - [2004/03/11 14:58:32 | 00,193,760 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc [On_Demand | Stopped])
SRV - [2004/03/12 15:17:46 | 01,221,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus [Auto | Running])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2005/08/30 22:42:36 | 01,333,760 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\DRIVERS\ati2mtag.sys -- (ati2mtag [On_Demand | Running])
DRV - [2001/08/17 14:12:12 | 00,002,944 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\System32\Drivers\Brfilt.sys -- (brfilt [On_Demand | Stopped])
DRV - [2003/03/13 17:04:20 | 00,061,952 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\System32\Drivers\BrSerWdm.sys -- (BrSerWDM [On_Demand | Stopped])
DRV - [2001/08/17 14:12:20 | 00,011,008 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm [On_Demand | Stopped])
DRV - [2001/08/17 14:12:22 | 00,010,368 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\System32\Drivers\BrUsbScn.sys -- (BrUsbScn [On_Demand | Stopped])
DRV - [2001/08/17 12:11:06 | 00,066,591 | ---- | M] (3Com Corporation) -- C:\WINDOWS\system32\DRIVERS\el90xbc5.sys -- (EL90XBC [On_Demand | Stopped])
DRV - [2008/04/13 09:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2005/10/18 14:15:42 | 04,034,048 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2008/04/13 11:36:41 | 00,063,744 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\mf.sys -- (mf [On_Demand | Stopped])
DRV - [2009/06/08 01:00:00 | 00,089,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090608.007\NAVENG.SYS -- (NAVENG [On_Demand | Running])
DRV - [2009/06/08 01:00:00 | 00,876,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090608.007\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])
DRV - [2008/05/20 04:00:00 | 00,023,584 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\prepdrv.sys -- (prepdrvr [On_Demand | Stopped])
DRV - [2001/08/23 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2009/03/25 06:29:52 | 00,130,432 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\System32\DRIVERS\Rtnicxp.sys -- (RTL8023xp [On_Demand | Running])
DRV - [2004/08/03 22:31:32 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\System32\DRIVERS\RTL8139.SYS -- (rtl8139 [On_Demand | Stopped])
DRV - [2004/02/09 15:43:56 | 00,301,200 | R--- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT [System | Running])
DRV - [2004/02/09 15:43:56 | 00,037,008 | R--- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL [Auto | Running])
DRV - [2007/11/13 03:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2008/04/08 17:27:04 | 00,012,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\smsmdm.sys -- (smsmdd [On_Demand | Running])
DRV - [2004/03/04 23:46:46 | 00,082,832 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
DRV - [2004/03/11 14:58:08 | 00,016,288 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV [On_Demand | Running])
DRV - [2004/03/11 14:58:10 | 00,263,616 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI [System | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 47 A2 F2 2D 87 E8 C9 01 [binary data]
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 47 A2 F2 2D 87 E8 C9 01 [binary data]
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-606747145-1390067357-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-606747145-1390067357-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=iesearch
IE - HKU\S-1-5-21-606747145-1390067357-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKU\S-1-5-21-606747145-1390067357-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-606747145-1390067357-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-606747145-1390067357-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = C6 65 03 C9 8A E8 C9 01 [binary data]
IE - HKU\S-1-5-21-606747145-1390067357-839522115-1003\S-1-5-21-606747145-1390067357-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\ [2009/06/08 12:56:47 | 00,000,000 | ---D | M]


O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKU\S-1-5-21-606747145-1390067357-839522115-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O4 - HKLM..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (Symantec Corporation)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [RemoteControl] C:\WINDOWS\system32\rmctrl.exe ()
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon (Microsoft Corporation)
O4 - HKLM..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe (Symantec Corporation)
O4 - HKU\.DEFAULT..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
O4 - HKU\S-1-5-21-606747145-1390067357-839522115-1003..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
O4 - HKU\S-1-5-21-606747145-1390067357-839522115-1003..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKU\S-1-5-21-606747145-1390067357-839522115-1003..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\Administrator.BOBSMITH1\favorites\Links [2009/06/05 19:23:33 | 00,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\Administrator.BOBSMITH1\favorites\Microsoft Websites [2009/06/05 19:23:33 | 00,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\All Users\favorites\Adobe [2009/06/11 09:46:27 | 00,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\All Users\favorites\Google [2009/06/11 09:47:00 | 00,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\All Users\favorites\Macromedia [2009/06/11 09:46:29 | 00,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\All Users\favorites\Microsoft [2009/06/11 10:49:39 | 00,000,000 | --SD | M]
O4 - Startup: C:\Documents and Settings\LocalService\favorites\Google [2009/06/08 16:42:48 | 00,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\LocalService\favorites\Links [2009/06/08 15:36:25 | 00,000,000 | R--D | M]
O4 - Startup: C:\Documents and Settings\LocalService\favorites\Microsoft [2009/06/09 08:22:15 | 00,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\LocalService\favorites\Microsoft Websites [2009/06/08 15:21:18 | 00,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\LocalService\favorites\MSN6 [2009/06/08 16:42:54 | 00,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\LocalService\favorites\Symantec [2009/06/09 08:21:50 | 00,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\NetworkService\favorites\Links [2009/06/10 14:27:51 | 00,000,000 | R--D | M]
O4 - Startup: C:\Documents and Settings\user\favorites\2008 Yahoo! Sports Fantasy Baseball.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\ABC News What is ABC News Now.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\ADESA OnLine Auto Auction - Purchase Online.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\AOL.com - Welcome to AOL.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\Automobiles by Chevrolet Chevy cars, Trucks, SUVs and more.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\Brads Cottage Grove Chevrolet - Pontiac - GMC.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\CARFAX Dealer Account Login & Signup - Get CARFAX Reports!.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\craigslist eugene classifieds for jobs, apartments, personals, for sale, services, community, and events.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\CUDL Portal - Choose your CUDL Website -.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\DE - Please Enter Dealer Code.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\DE - Select a program from the left.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\DealerTrack, Inc. - Our innovation. Your edge..url ()
O4 - Startup: C:\Documents and Settings\user\favorites\espn The Worldwide Leader In Sports.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\Eugene Auto Credit - Car loans for bad credit and messy credit in Eugene Springfield.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\Fantasy Baseball Leagues on Yahoo! Sports.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\FF - Please Log In.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\General Motors Accessories.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\GM - Training Portal.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\GM Customer Enthusiasm.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\GM DealerPulse - a new level of CSI!.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\GM DealerPulse.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\GM Dealerworld.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\GM SFE.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\GM Training - Homepage.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\GM-DART.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\GMAC Dealer World.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\GMACDealer.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\GoDucks.com—The University of Oregon Official Athletics Web Site.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\Google [2009/06/08 15:44:51 | 00,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\user\favorites\Gtools.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\Home.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\HPnorthwest.com.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\http--www.highwayproducts.com-.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\KARPOWER Online - Login.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\KARPOWER.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\Kendall Chevrolet Cadillac of Eugene, Oregon Chevrolet Cadillac Dealer 800-381-6175.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\Laredo Conversions - the Horseman's Choice.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\Links [2009/06/08 14:38:35 | 00,000,000 | R--D | M]
O4 - Startup: C:\Documents and Settings\user\favorites\Login - Ceridian Self-Service.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\Manheim Online.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\mapquest.com Maps, Directions and More.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\Media [2006/09/30 13:15:41 | 00,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\user\favorites\Microsoft [2009/06/08 15:42:51 | 00,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\user\favorites\Microsoft Websites [2009/06/08 14:29:58 | 00,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\user\favorites\MSN.com.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\My Account Self-serve, Customer Service, How To - Verizon Wireless.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\New Car Prices and Used Car Blue Book Values - Official Kelley Blue Book Site.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\Online Account Access.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\Oregon DMV Dealer Details.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\Overview GM Family First.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\People's Credit - Dealer Portal.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\PW - Please Log in.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\Radio Station Guide.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\SaferCar.gov.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\SpellCheck.net.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\Symantec [2009/06/08 15:44:09 | 00,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\user\favorites\The Malibu - Show What You Know Challenge.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\The Official Site of Major League Baseball Subscriptions MLB.TV.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\thebaronsden.com.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\Thumbs.db ()
O4 - Startup: C:\Documents and Settings\user\favorites\VSP Logon Form.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\WaMu Log In or Sign Up.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\Wells Fargo Home Page.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\Wells Fargo Sign On.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\Windows Genuine Advantage [2009/06/09 08:22:10 | 00,000,000 | ---D | M]
O4 - Startup: C:\Documents and Settings\user\favorites\XM Radio - XM RADIO ONLINE.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\Yahoo!.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\Ziegler SuperSystems, Inc. - Automotive Sales Training & Consulting.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\Ziegler, Jim - Ziegler Super Systems.url ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-606747145-1390067357-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-606747145-1390067357-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-606747145-1390067357-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisablePersonalDirChange = 1
O7 - HKU\S-1-5-21-606747145-1390067357-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-606747145-1390067357-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-606747145-1390067357-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\S-1-5-21-606747145-1390067357-839522115-1003_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} https://video.manheim.com/lib/LiveSound.dll (lgbplay Class)
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} http://10.100.10.35/kxhcm10.ocx (KX-HCM10 Control)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc3.cab (Office Update Installation Engine)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1148408601045 (WUWebControl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - x-sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe ()
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/05/23 10:53:06 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - * [2009/06/10 12:32:52 | 00,000,000 | -HSD | M]

========== Files/Folders - Created Within 30 Days ==========

[2 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/06/11 11:02:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\programs\Symantec
[2009/06/11 11:02:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\programs\Google
[2009/06/11 11:02:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\programs\Microsoft
[2009/06/11 11:01:50 | 00,017,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\lsass.exe
[2009/06/11 11:01:49 | 00,389,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\csrss.exe
[2009/06/11 11:01:06 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/06/11 10:34:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\programs\0EABT3M3
[2009/06/11 09:46:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\favorites\Macromedia
[2009/06/11 09:46:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\favorites\Adobe
[2009/06/11 09:46:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\programs\AntiPhishing
[2009/06/11 09:46:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\favorites\Google
[2009/06/11 09:28:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Apps
[2009/06/11 09:25:02 | 00,000,000 | --SD | C] -- C:\Documents and Settings\All Users\favorites\Microsoft
[2009/06/10 18:08:06 | 02,687,588 | -H-- | C] () -- C:\Documents and Settings\All Users\desktop\IconCache.db
[2009/06/10 12:39:29 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/06/09 16:35:18 | 00,501,760 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\All Users\desktop\OTL.exe
[2009/06/09 16:27:55 | 00,000,745 | ---- | C] () -- C:\Documents and Settings\user\application data\powerpnt.lnk
[2009/06/09 16:27:47 | 00,000,733 | ---- | C] () -- C:\Documents and Settings\user\application data\excel4.lnk
[2009/06/09 16:27:26 | 00,000,548 | ---- | C] () -- C:\Documents and Settings\user\application data\Templates.lnk
[2009/06/09 16:27:23 | 00,000,726 | ---- | C] () -- C:\Documents and Settings\user\application data\excel.lnk
[2009/06/09 08:30:37 | 00,040,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/06/09 08:30:34 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/06/09 08:30:33 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/06/09 08:24:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\desktop\AntiPhishing
[2009/06/09 08:24:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\desktop\Sqm
[2009/06/09 08:23:58 | 00,000,067 | -HS- | C] () -- C:\Documents and Settings\All Users\desktop\desktop.ini
[2009/06/09 08:23:58 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\desktop\Content.IE5
[2009/06/09 08:22:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Favorites\Windows Genuine Advantage
[2009/06/09 08:21:36 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\user\NetHood\desktop.ini
[2009/06/08 15:44:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Favorites\Google
[2009/06/08 15:44:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Favorites\Symantec
[2009/06/08 15:42:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\Favorites\Microsoft
[2009/06/08 15:41:35 | 00,016,384 | -HS- | C] () -- C:\Documents and Settings\user\Templates\index.dat
[2009/06/08 15:36:12 | 00,000,424 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{92D5AC8B-5CF1-43A1-9B34-25A564BEB22C}.job
[2009/06/08 15:36:00 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2009/06/08 15:34:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\desktop\MSN6
[2009/06/08 15:33:06 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\user\Recent
[2009/06/08 15:32:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\desktop\Windows Genuine Advantage
[2009/06/08 15:22:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\desktop\Symantec
[2009/06/08 15:20:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\desktop\Microsoft
[2009/06/08 15:18:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\desktop\Google
[2009/06/08 14:51:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\programs\Windows PowerShell 1.0
[2009/06/08 14:51:28 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\windowspowershell
[2009/06/08 14:45:26 | 01,089,593 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ntprint.cat
[2009/06/08 14:38:35 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\user\IECompatCache
[2009/06/08 14:38:32 | 00,000,420 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{41B2E517-E6C7-4B17-BC15-F7015A48B2A9}.job
[2009/06/08 14:38:22 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\user\PrivacIE
[2009/06/08 14:29:34 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\user\IETldCache
[2009/06/08 12:54:53 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2009/06/08 12:54:31 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2009/06/08 12:53:44 | 00,597,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\printfilterpipelinesvc.exe
[2009/06/08 12:53:44 | 00,117,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\prntvpt.dll
[2009/06/08 12:53:44 | 00,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\filterpipelineprintproc.dll
[2009/06/08 12:53:43 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpssvcs.dll
[2009/06/08 12:53:43 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpssvcs.dll
[2009/06/08 12:53:43 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsshhdr.dll
[2009/06/08 12:53:43 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpsshhdr.dll
[2009/06/08 12:53:43 | 00,000,000 | ---D | C] -- C:\4c1fd406ebddca803076e9c9c8
[2009/06/08 12:47:12 | 00,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2009/06/08 12:46:47 | 00,102,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iecompat.dll
[2009/06/08 12:44:18 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2009/06/08 12:23:19 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2009/06/08 12:23:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\programs\Microsoft Office Live Add-in
[2009/06/08 12:23:11 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2009/06/08 12:20:46 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2009/06/08 12:20:36 | 00,016,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2009/06/08 12:19:51 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Media Connect 2
[2009/06/08 12:16:48 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2009/06/08 12:16:40 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2009/06/08 12:16:40 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\UMDF
[2009/06/08 11:47:11 | 00,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2009/06/08 11:27:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2009/06/08 11:27:16 | 00,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2009/06/08 11:27:14 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2009/06/08 10:32:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\user\bob.smith
[2009/06/08 10:29:38 | 00,008,192 | -HS- | C] () -- C:\Documents and Settings\user\Favorites\Thumbs.db
[2009/04/10 15:13:17 | 00,004,764 | ---- | C] () -- C:\WINDOWS\System32\CcmFramework.ini
[2009/04/10 15:11:22 | 00,000,395 | ---- | C] () -- C:\WINDOWS\SMSCFG.ini
[2009/03/03 12:18:04 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2008/03/10 15:38:34 | 00,000,020 | ---- | C] () -- C:\WINDOWS\System32\RPCS.ini
[2007/12/18 18:14:49 | 00,002,160 | ---- | C] () -- C:\WINDOWS\BrmfBidi.ini
[2007/07/26 09:49:29 | 00,000,317 | ---- | C] () -- C:\WINDOWS\SWWATER.INI
[2006/09/30 13:52:44 | 00,007,267 | ---- | C] () -- C:\WINDOWS\hplj1010.ini
[2006/06/24 11:32:17 | 00,000,104 | ---- | C] () -- C:\WINDOWS\hpw1100k.ini
[2006/06/24 11:31:12 | 00,007,078 | ---- | C] () -- C:\WINDOWS\hpbj1100.ini
[2006/05/24 15:48:24 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\ctrldll.dll
[2006/05/24 15:45:22 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\cutemon2k.dll
[2006/05/24 14:19:09 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/05/23 12:05:27 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2001/08/23 05:00:00 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\ntmarta.dll
[2001/08/23 05:00:00 | 00,000,680 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/23 05:00:00 | 00,000,435 | ---- | C] () -- C:\WINDOWS\system.ini
[2001/07/31 11:17:12 | 00,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
[1999/01/22 11:46:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== Files - Modified Within 30 Days ==========

[2 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/06/11 10:40:11 | 03,670,016 | -H-- | M] () -- C:\Documents and Settings\user\NTUSER.DAT
[2009/06/11 10:39:59 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\user\ntuser.ini
[2009/06/10 18:44:50 | 02,687,588 | -H-- | M] () -- C:\Documents and Settings\All Users\desktop\IconCache.db
[2009/06/10 17:44:26 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/06/10 17:37:01 | 00,000,680 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/06/09 16:35:23 | 00,501,760 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\All Users\desktop\OTL.exe
[2009/06/09 16:27:58 | 00,000,548 | ---- | M] () -- C:\Documents and Settings\user\application data\Templates.lnk
[2009/06/09 16:27:55 | 00,000,745 | ---- | M] () -- C:\Documents and Settings\user\application data\powerpnt.lnk
[2009/06/09 16:27:47 | 00,000,733 | ---- | M] () -- C:\Documents and Settings\user\application data\excel4.lnk
[2009/06/09 16:27:24 | 00,000,726 | ---- | M] () -- C:\Documents and Settings\user\application data\excel.lnk
[2009/06/09 08:59:10 | 00,008,192 | -HS- | M] () -- C:\Documents and Settings\user\Favorites\Thumbs.db
[2009/06/09 08:23:58 | 00,000,067 | -HS- | M] () -- C:\Documents and Settings\All Users\desktop\desktop.ini
[2009/06/09 08:21:36 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\user\NetHood\desktop.ini
[2009/06/08 15:41:32 | 00,016,384 | -HS- | M] () -- C:\Documents and Settings\user\Templates\index.dat
[2009/06/08 15:36:30 | 00,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{92D5AC8B-5CF1-43A1-9B34-25A564BEB22C}.job
[2009/06/08 14:42:15 | 00,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{41B2E517-E6C7-4B17-BC15-F7015A48B2A9}.job
[2009/05/26 13:20:08 | 00,040,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/05/26 13:19:56 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 894 bytes -> C:\Documents and Settings\user\favorites\HPnorthwest.com.url:favicon
@Alternate Data Stream - 894 bytes -> C:\Documents and Settings\user\favorites\General Motors Accessories.url:favicon
@Alternate Data Stream - 6598 bytes -> C:\Documents and Settings\user\favorites\Fantasy Baseball Leagues on Yahoo! Sports.url:favicon
@Alternate Data Stream - 6598 bytes -> C:\Documents and Settings\user\favorites\2008 Yahoo! Sports Fantasy Baseball.url:favicon
@Alternate Data Stream - 5430 bytes -> C:\Documents and Settings\user\favorites\Ziegler, Jim - Ziegler Super Systems.url:favicon
@Alternate Data Stream - 3638 bytes -> C:\Documents and Settings\user\favorites\The Malibu - Show What You Know Challenge.url:favicon
@Alternate Data Stream - 3574 bytes -> C:\Documents and Settings\user\favorites\GMAC Dealer World.url:favicon
@Alternate Data Stream - 3262 bytes -> C:\Documents and Settings\user\favorites\VSP Logon Form.url:favicon
@Alternate Data Stream - 3262 bytes -> C:\Documents and Settings\user\favorites\GM Dealerworld.url:favicon
@Alternate Data Stream - 318 bytes -> C:\Documents and Settings\user\favorites\WaMu Log In or Sign Up.url:favicon
@Alternate Data Stream - 318 bytes -> C:\Documents and Settings\user\favorites\The Official Site of Major League Baseball Subscriptions MLB.TV.url:favicon
@Alternate Data Stream - 318 bytes -> C:\Documents and Settings\user\favorites\Online Account Access.url:favicon
@Alternate Data Stream - 318 bytes -> C:\Documents and Settings\user\favorites\New Car Prices and Used Car Blue Book Values - Official Kelley Blue Book Site.url:favicon
@Alternate Data Stream - 3126 bytes -> C:\Documents and Settings\user\favorites\Eugene Auto Credit - Car loans for bad credit and messy credit in Eugene Springfield.url:favicon
@Alternate Data Stream - 2862 bytes -> C:\Documents and Settings\user\favorites\espn The Worldwide Leader In Sports.url:favicon
@Alternate Data Stream - 2862 bytes -> C:\Documents and Settings\user\favorites\AOL.com - Welcome to AOL.url:favicon
@Alternate Data Stream - 2550 bytes -> C:\Documents and Settings\user\favorites\ABC News What is ABC News Now.url:favicon
@Alternate Data Stream - 1406 bytes -> C:\Documents and Settings\user\favorites\PW - Please Log in.url:favicon
@Alternate Data Stream - 1406 bytes -> C:\Documents and Settings\user\favorites\Overview GM Family First.url:favicon
@Alternate Data Stream - 1406 bytes -> C:\Documents and Settings\user\favorites\My Account Self-serve, Customer Service, How To - Verizon Wireless.url:favicon
@Alternate Data Stream - 1406 bytes -> C:\Documents and Settings\user\favorites\MSN.com.url:favicon
@Alternate Data Stream - 1406 bytes -> C:\Documents and Settings\user\favorites\GM-DART.url:favicon
@Alternate Data Stream - 1406 bytes -> C:\Documents and Settings\user\favorites\GM Training - Homepage.url:favicon
@Alternate Data Stream - 1406 bytes -> C:\Documents and Settings\user\favorites\GM - Training Portal.url:favicon
@Alternate Data Stream - 1406 bytes -> C:\Documents and Settings\user\favorites\Automobiles by Chevrolet Chevy cars, Trucks, SUVs and more.url:favicon
@Alternate Data Stream - 1150 bytes -> C:\Documents and Settings\user\favorites\Yahoo!.url:favicon
@Alternate Data Stream - 1150 bytes -> C:\Documents and Settings\user\favorites\mapquest.com Maps, Directions and More.url:favicon
@Alternate Data Stream - 1150 bytes -> C:\Documents and Settings\user\favorites\Manheim Online.url:favicon
@Alternate Data Stream - 1150 bytes -> C:\Documents and Settings\user\favorites\craigslist eugene classifieds for jobs, apartments, personals, for sale, services, community, and events.url:favicon
@Alternate Data Stream - 1078 bytes -> C:\Documents and Settings\user\favorites\Wells Fargo Sign On.url:favicon
@Alternate Data Stream - 1078 bytes -> C:\Documents and Settings\user\favorites\Wells Fargo Home Page.url:favicon
@Alternate Data Stream - 1078 bytes -> C:\Documents and Settings\user\favorites\GoDucks.com—The University of Oregon Official Athletics Web Site.url:favicon
< End of report >

I started running combofix and it got to like stage 13 and then the message came up saying that windows was tired and needed a break and it shut down. I'll run combofix again.

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:22 AM

Posted 11 June 2009 - 04:45 PM

Let's try a fix with OTL again and see where it gets us. It shouldn't take more than a couple minutes. If it hangs up then there's a problem and we'll have to use a different tool.

Before running this fix take a look at all the O4 lines listed below. Are these your legitimate favorites that you've bookmarked? If yes, we need to make a change so that these are not deleted. Go here: C:\Documents and Settings\user
Right click on the Favorites folder and rename it to Favorites-backup
Then proceed.


Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    PRC - [2008/04/13 17:12:31 | 00,017,920 | ---- | M] (Microsoft Corporation) -- c:\windows\lsass.exe
    O4 - Startup: C:\Documents and Settings\Administrator.BOBSMITH1\favorites\Links [2009/06/05 19:23:33 | 00,000,000 | ---D | M]
    O4 - Startup: C:\Documents and Settings\Administrator.BOBSMITH1\favorites\Microsoft Websites [2009/06/05 19:23:33 | 00,000,000 | ---D | M]
    O4 - Startup: C:\Documents and Settings\All Users\favorites\Adobe [2009/06/11 09:46:27 | 00,000,000 | ---D | M]
    O4 - Startup: C:\Documents and Settings\All Users\favorites\Google [2009/06/11 09:47:00 | 00,000,000 | ---D | M]
    O4 - Startup: C:\Documents and Settings\All Users\favorites\Macromedia [2009/06/11 09:46:29 | 00,000,000 | ---D | M]
    O4 - Startup: C:\Documents and Settings\All Users\favorites\Microsoft [2009/06/11 10:49:39 | 00,000,000 | --SD | M]
    O4 - Startup: C:\Documents and Settings\LocalService\favorites\Google [2009/06/08 16:42:48 | 00,000,000 | ---D | M]
    O4 - Startup: C:\Documents and Settings\LocalService\favorites\Links [2009/06/08 15:36:25 | 00,000,000 | R--D | M]
    O4 - Startup: C:\Documents and Settings\LocalService\favorites\Microsoft [2009/06/09 08:22:15 | 00,000,000 | ---D | M]
    O4 - Startup: C:\Documents and Settings\LocalService\favorites\Microsoft Websites [2009/06/08 15:21:18 | 00,000,000 | ---D | M]
    O4 - Startup: C:\Documents and Settings\LocalService\favorites\MSN6 [2009/06/08 16:42:54 | 00,000,000 | ---D | M]
    O4 - Startup: C:\Documents and Settings\LocalService\favorites\Symantec [2009/06/09 08:21:50 | 00,000,000 | ---D | M]
    O4 - Startup: C:\Documents and Settings\NetworkService\favorites\Links [2009/06/10 14:27:51 | 00,000,000 | R--D | M]
    O4 - Startup: C:\Documents and Settings\user\favorites\2008 Yahoo! Sports Fantasy Baseball.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\ABC News What is ABC News Now.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\ADESA OnLine Auto Auction - Purchase Online.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\AOL.com - Welcome to AOL.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\Automobiles by Chevrolet Chevy cars, Trucks, SUVs and more.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\Brads Cottage Grove Chevrolet - Pontiac - GMC.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\CARFAX Dealer Account Login & Signup - Get CARFAX Reports!.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\craigslist eugene classifieds for jobs, apartments, personals, for sale, services, community, and events.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\CUDL Portal - Choose your CUDL Website -.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\DE - Please Enter Dealer Code.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\DE - Select a program from the left.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\DealerTrack, Inc. - Our innovation. Your edge..url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\espn The Worldwide Leader In Sports.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\Eugene Auto Credit - Car loans for bad credit and messy credit in Eugene Springfield.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\Fantasy Baseball Leagues on Yahoo! Sports.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\FF - Please Log In.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\General Motors Accessories.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\GM - Training Portal.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\GM Customer Enthusiasm.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\GM DealerPulse - a new level of CSI!.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\GM DealerPulse.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\GM Dealerworld.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\GM SFE.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\GM Training - Homepage.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\GM-DART.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\GMAC Dealer World.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\GMACDealer.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\GoDucks.com—The University of Oregon Official Athletics Web Site.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\Google [2009/06/08 15:44:51 | 00,000,000 | ---D | M]
    O4 - Startup: C:\Documents and Settings\user\favorites\Gtools.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\Home.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\HPnorthwest.com.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\http--www.highwayproducts.com-.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\KARPOWER Online - Login.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\KARPOWER.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\Kendall Chevrolet Cadillac of Eugene, Oregon Chevrolet Cadillac Dealer 800-381-6175.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\Laredo Conversions - the Horseman's Choice.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\Links [2009/06/08 14:38:35 | 00,000,000 | R--D | M]
    O4 - Startup: C:\Documents and Settings\user\favorites\Login - Ceridian Self-Service.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\Manheim Online.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\mapquest.com Maps, Directions and More.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\Media [2006/09/30 13:15:41 | 00,000,000 | ---D | M]
    O4 - Startup: C:\Documents and Settings\user\favorites\Microsoft [2009/06/08 15:42:51 | 00,000,000 | ---D | M]
    O4 - Startup: C:\Documents and Settings\user\favorites\Microsoft Websites [2009/06/08 14:29:58 | 00,000,000 | ---D | M]
    O4 - Startup: C:\Documents and Settings\user\favorites\MSN.com.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\My Account Self-serve, Customer Service, How To - Verizon Wireless.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\New Car Prices and Used Car Blue Book Values - Official Kelley Blue Book Site.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\Online Account Access.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\Oregon DMV Dealer Details.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\Overview GM Family First.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\People's Credit - Dealer Portal.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\PW - Please Log in.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\Radio Station Guide.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\SaferCar.gov.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\SpellCheck.net.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\Symantec [2009/06/08 15:44:09 | 00,000,000 | ---D | M]
    O4 - Startup: C:\Documents and Settings\user\favorites\The Malibu - Show What You Know Challenge.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\The Official Site of Major League Baseball Subscriptions MLB.TV.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\thebaronsden.com.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\Thumbs.db ()
    O4 - Startup: C:\Documents and Settings\user\favorites\VSP Logon Form.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\WaMu Log In or Sign Up.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\Wells Fargo Home Page.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\Wells Fargo Sign On.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\Windows Genuine Advantage [2009/06/09 08:22:10 | 00,000,000 | ---D | M]
    O4 - Startup: C:\Documents and Settings\user\favorites\XM Radio - XM RADIO ONLINE.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\Yahoo!.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\Ziegler SuperSystems, Inc. - Automotive Sales Training & Consulting.url ()
    O4 - Startup: C:\Documents and Settings\user\favorites\Ziegler, Jim - Ziegler Super Systems.url ()
    O7 - HKU\S-1-5-21-606747145-1390067357-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisablePersonalDirChange = 1
    
    :Files
    C:\WINDOWS\lsass.exe
    C:\WINDOWS\csrss.exe
    C:\Documents and Settings\All Users\Start Menu\programs\Symantec
    C:\Documents and Settings\All Users\Start Menu\programs\Google
    C:\Documents and Settings\All Users\Start Menu\programs\Microsoft
    C:\Documents and Settings\All Users\Start Menu\programs\0EABT3M3
    C:\Documents and Settings\user\application data\powerpnt.lnk
    C:\Documents and Settings\user\application data\excel4.lnk
    C:\Documents and Settings\user\application data\Templates.lnk
    C:\Documents and Settings\user\application data\excel.lnk
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL log.

===============


Regardless of how OTL turns out, try running Combofix again immediately after a reboot.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
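Two patterns in the fix script above are worth being able to spot in any OTL log without reading it line by line: the `:Files` section removes C:\WINDOWS\lsass.exe and C:\WINDOWS\csrss.exe (the genuine copies of those processes live in System32), and the O4 Startup entries resolve into a Favorites folder rather than a Startup folder, which is why the helper asks whether they are real bookmarks. The following is an added example written for this page, not code from the thread or from OTL: it parses the three OTL line shapes that appear here (PRC, O4 Startup, and the `[stamp] (company) -- path` file listing) from a constructed sample and flags both patterns. The legitimate-directory suffixes, the expected Startup-folder fragment and every sample entry are assumptions for a default English-locale Windows XP layout.

```python
import ntpath
import re
from typing import Iterable, List, Tuple

# Core Windows processes that belong in %SystemRoot%\System32 on XP. A file
# carrying one of these names anywhere else deserves a look: the fix above
# removes C:\WINDOWS\lsass.exe and C:\WINDOWS\csrss.exe, not the System32 ones.
SYSTEM32_ONLY = {"lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe", "services.exe"}

# Directories that legitimately hold copies of those binaries (assumption:
# default XP layout; the WFP cache and service-pack store keep spare copies).
LEGIT_PARENT_SUFFIXES = ("\\system32", "\\system32\\dllcache", "\\servicepackfiles\\i386")

# Where O4 Startup items are expected to live (assumption: English-locale XP).
EXPECTED_STARTUP_FRAGMENT = "\\start menu\\programs\\startup\\"

# The three OTL line shapes seen on this page: running processes (PRC),
# startup items (O4) and the "[stamp] (company) -- path" file listing.
PRC_RE = re.compile(
    r"^PRC\s+-\s+(?:\[[^\]]*\]\s+)?(?:\([^)]*\)\s+--\s+)?"
    r"(?P<path>[a-z]:\\.+?)(?:\s+\([^)]*\))?\s*$", re.I)
O4_RE = re.compile(
    r"^O4\s+-\s+Startup:\s+(?P<path>[a-z]:\\.+?)"
    r"(?:\s+\([^)]*\)|\s+\[[^\]]*\])?\s*$", re.I)
FILE_RE = re.compile(
    r"^\[[^\]]*\]\s+(?:\([^)]*\)\s+)?--\s+(?P<path>[a-z]:\\.+?)\s*$", re.I)

# Constructed sample mirroring the shapes of entries on this page; the sizes
# and timestamps are made up and carry no meaning.
SAMPLE_REPORT = r"""
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - [2008/04/13 17:12:31 | 00,017,920 | ---- | M] (Microsoft Corporation) -- c:\windows\lsass.exe
PRC - [2008/04/13 17:12:31 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\lsass.exe
O4 - Startup: C:\Documents and Settings\user\favorites\Wells Fargo Sign On.url ()
O4 - Startup: C:\Documents and Settings\user\favorites\Links [2009/06/08 14:38:35 | 00,000,000 | R--D | M]
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()
[2009/06/08 12:53:44 | 00,597,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\printfilterpipelinesvc.exe
[2009/06/08 15:41:35 | 00,016,384 | -HS- | C] () -- C:\Documents and Settings\user\Templates\index.dat
[2009/06/10 14:27:51 | 00,017,920 | ---- | C] -- C:\WINDOWS\csrss.exe
"""


def extract_paths(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (kind, path) pairs for every line one of the three parsers understands."""
    out = []
    for raw in lines:
        line = raw.strip()
        for kind, rx in (("PRC", PRC_RE), ("O4", O4_RE), ("FILE", FILE_RE)):
            m = rx.match(line)
            if m:
                out.append((kind, m.group("path")))
                break
    return out


def is_system32_lookalike(path: str) -> bool:
    """True when a core-process file name sits outside its legitimate directories."""
    name = ntpath.basename(path).lower()
    if name not in SYSTEM32_ONLY:
        return False
    parent = ntpath.dirname(path).lower().rstrip("\\")
    return not parent.endswith(LEGIT_PARENT_SUFFIXES)


def is_unexpected_startup(path: str) -> bool:
    """True when a Startup item does not live under a conventional Startup folder."""
    return EXPECTED_STARTUP_FRAGMENT not in path.lower()


def scan_report(text: str) -> List[Tuple[str, str]]:
    """Run both checks over a report and return (rule, path) findings in log order."""
    findings = []
    for kind, path in extract_paths(text.splitlines()):
        if is_system32_lookalike(path):
            findings.append(("system32-lookalike", path))
        if kind == "O4" and is_unexpected_startup(path):
            findings.append(("startup-outside-startup-folder", path))
    return findings


if __name__ == "__main__":
    for rule, path in scan_report(SAMPLE_REPORT):
        print(f"{rule}: {path}")
```

Run as a script it prints four findings from the sample: the two lookalike binaries and the two Startup items that point into Favorites, while the System32 lsass.exe and the item under the real Startup folder pass. The script only narrows what to look at; whether the flagged Favorites entries are genuine bookmarks, as Buckeye_Sam asks above, is still a decision for the person who owns the machine.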


========================================================

#11 bjsmith

bjsmith
  • Topic Starter

  • Members
  • 6 posts
  • Local time:08:22 AM

Posted 11 June 2009 - 05:40 PM

A lot of those are favorites that I've saved over time, but I was unable to rename the folder. It said it was a windows system folder and I couldn't rename it or delete it. I made a copy of it instead and called it favorites-backup. I then tried to find OTL but couldn't, as it was no longer on my desktop (my desktop icons seem to be different each time I restart) so I downloaded it to my desktop again and ran it. I pasted that in there and it went really fast through a few and the just hung again. The hundreds of windows came up again during the scan and I closed out of all of them and it was still hung up. The bottom of the window where it says what item it is currently fixing says:

Processing 04 - Startup: C:\Documents and Settings\Administrator.BOBSMITH1\favorites\Links [2009/06/05 19:23:33 | 00

I closed out of it and am rebooting right now. I'll do combofix as soon as it comes back up.

Edited by bjsmith, 11 June 2009 - 05:42 PM.


#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:22 AM

Posted 12 June 2009 - 10:01 AM

It doesn't look like OTL is going to do it for us. Just post the log from Combofix when you can.


========================================================

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:22 AM

Posted 26 June 2009 - 01:25 PM

Unfortunately there has been no response.
This thread will now be closed.


========================================================



