Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

The application or DLL C:\WINDOWS\system32\ACTIVEDS.DLL is not a valid Windows image.


  • This topic is locked This topic is locked
94 replies to this topic

#1 Eric7859

Eric7859

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:07:58 AM

Posted 27 November 2010 - 01:39 PM

Good morning,

I am not sure what kind of infection this is. I am getting some popups.

Quickset.exe – Bad Image
The application or DLL C:\WINDOWS\system32\ACTIVEDS.DLL is not a valid Windows image. Please check this against your installation diskette.

I get the message above when windows starts up. The computer won’t pull an IP and when I go to the command prompt and type any ipconfig command I get the same message. But the title bar says ipconfig.exe – Bad Image ( instead of quickset.exe – Bad Image) McAfee did not find anything but with no ip I could not be sure I had the most up-to-date definitions. I used a Jump drive to get the DDS and the gmer files and reports back and for the from that computer to one that I can be online with.

Could not turn on windows fire wall
I get a popup
windows firewall settings can not be displayed because the associated service is not running. do you want to start the windows firewall/internet connection sharing (ICS)services.
when I click yes i get a pop up that says
Windows cannot start the windows firewall/internet connection sharing (ICS)services
the speed of the computer has also been slowed significantly.

below and attached are the requested logs
Thanks for the help
Eric



DDS (Ver_10-11-27.01) - NTFSx86
Run by Kathleen Hobbs at 12:48:42.03 on Sat 11/27/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2533 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\OEM13Mon.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\SvcTools\8.0.81.5\bin\lnchr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\DRIVERS\o2flash.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\SvcTools\8.0.81.5\bin\lnchr.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\SvcTools\8.0.81.5\bin\upload.exe
c:\SvcTools\8.0.81.5\bin\hbeat.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\DOCUME~1\KATHLE~1\LOCALS~1\Temp\SSUPDATE.EXE
C:\Documents and Settings\Kathleen Hobbs\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.live.com
mStart Page = hxxp://search.myheritage.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uURLSearchHooks: MHURLSearchHook Class: {1c4ab6a5-595f-4e86-b15f-f93cce2bbd48} - c:\program files\celebrity toolbar\tbhelper.dll
BHO: MHTBPos00 Class: {0c37b053-fd68-456a-82e1-d788ee342e6f} - c:\program files\celebrity toolbar\tbcore3.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CMySite Class: {d62ec836-bf1e-4cac-81be-fb9179835d8e} - c:\program files\celebrity toolbar\mhxpcomi.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Celebrity Toolbar: {fd2fd708-1f6f-4b68-b141-c5778f0c19bb} - c:\program files\celebrity toolbar\tbcore3.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Aim6]
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [OEM13Mon.exe] c:\windows\OEM13Mon.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [SMA8.0.81.5] c:\svctools\8.0.81.5\bin\lnchr.exe --context=user --control-dir=c:\svctools\8.0.81.5\ctrl-user
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1243613610687
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} - hxxp://myitlab.pearsoned.com/Pegasus/Modules/SIMIntegration/Resources/ax/stub.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} - c:\program files\celebrity toolbar\mhxpcomi.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kathle~1\applic~1\mozilla\firefox\profiles\ospi4yaa.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\documents and settings\kathleen hobbs\application data\mozilla\firefox\profiles\ospi4yaa.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\kathleen hobbs\application data\mozilla\firefox\profiles\ospi4yaa.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np_gp.dll
FF - plugin: c:\program files\mozilla firefox2\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox2\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox2\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Celebrity Toolbar: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - c:\program files\mozilla firefox2\extensions\{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox2\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\kathle~1\applic~1\mozilla\firefox\profiles\ospi4yaa.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\docume~1\kathle~1\applic~1\mozilla\firefox\profiles\ospi4yaa.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-4-19 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-8-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 61440]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-8-17 88176]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-8-10 359952]
R2 SMA8.0.81.5;Software Management Agent 8.0.81.5;c:\svctools\8.0.81.5\bin\lnchr.exe --service --context=system --control-dir=c:\svctools\8.0.81.5\ctrl --> c:\svctools\8.0.81.5\bin\lnchr.exe --service --context=system --control-dir=c:\svctools\8.0.81.5\ctrl [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-4-30 24652]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-8-10 606736]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-5-3 40552]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2009-4-19 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2009-4-19 43608]
R3 OEM13Afx;Provides a software interface to control audio effects of OEM013 camera.;c:\windows\system32\drivers\OEM13Afx.sys [2009-4-19 141376]
R3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\drivers\OEM13Vfx.sys [2009-4-19 7424]
R3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\drivers\OEM13Vid.sys [2009-4-19 235840]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-8-10 144704]
S3 MfeAVFK;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-4-19 79816]
S3 MfeBOPK;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-4-19 35272]
S3 MfeRKDK;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-4-19 34248]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 12872]

=============== Created Last 30 ================

2010-11-22 12:02:10 -------- d-----w- c:\program files\Amazon

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:38:48 1861888 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 12:48:53.04 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Instructor
  • 14,578 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:58 AM

Posted 04 December 2010 - 08:25 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

unite_teal.png
Unified Network of Instructors and Trusted Eliminators
 


#3 Eric7859

Eric7859
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:07:58 AM

Posted 04 December 2010 - 04:50 PM

OTL logfile created on: 12/4/2010 2:52:24 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Kathleen Hobbs\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 84.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.85 Gb Total Space | 210.76 Gb Free Space | 90.52% Space Free | Partition Type: NTFS
Drive E: | 976.13 Mb Total Space | 122.94 Mb Free Space | 12.59% Space Free | Partition Type: FAT

Computer Name: KATRICKSCHOOL | User Name: Kathleen Hobbs | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/12/04 14:46:42 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kathleen Hobbs\Desktop\OTL.exe
PRC - [2010/06/10 05:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2010/05/20 16:19:16 | 000,088,176 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2010/05/14 10:00:26 | 000,249,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2010/04/30 14:45:34 | 002,020,592 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
PRC - [2010/04/16 07:33:40 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2009/10/29 06:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 11:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/09/17 13:29:04 | 000,806,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\MSC\mcupdmgr.exe
PRC - [2009/09/16 08:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/08/21 17:31:50 | 000,623,960 | ---- | M] (Research In Motion Limited) -- C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
PRC - [2009/07/08 10:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 18:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/05/21 10:13:58 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2009/04/10 12:29:08 | 000,037,888 | ---- | M] () -- C:\Program Files\Winamp\winampa.exe
PRC - [2008/12/10 19:20:48 | 000,528,384 | ---- | M] (Dell Inc.) -- C:\SvcTools\8.0.81.5\bin\lnchr.exe
PRC - [2008/12/10 19:20:48 | 000,528,384 | ---- | M] (Dell Inc.) -- c:\SvcTools\8.0.81.5\bin\lnchr.exe
PRC - [2008/12/10 19:20:48 | 000,466,944 | ---- | M] (Dell Inc.) -- c:\SvcTools\8.0.81.5\bin\curlcfg.exe
PRC - [2008/12/10 19:20:48 | 000,299,008 | ---- | M] (Dell Inc.) -- c:\SvcTools\8.0.81.5\bin\upload.exe
PRC - [2008/12/10 19:20:48 | 000,299,008 | ---- | M] (Dell Inc.) -- c:\SvcTools\8.0.81.5\bin\hbeat.exe
PRC - [2008/11/04 22:04:06 | 000,071,512 | ---- | M] (O2Micro International) -- C:\WINDOWS\system32\drivers\o2flash.exe
PRC - [2008/10/24 08:14:36 | 000,206,112 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
PRC - [2008/10/24 08:14:34 | 001,000,736 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
PRC - [2008/08/13 23:04:44 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2008/07/16 16:32:06 | 000,036,864 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\OEM13Mon.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/26 10:57:28 | 000,128,296 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2008/02/21 16:25:06 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe
PRC - [2008/02/21 16:24:56 | 000,159,744 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
PRC - [2008/02/21 16:24:54 | 000,050,736 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe
PRC - [2008/02/21 16:24:54 | 000,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe
PRC - [2007/07/27 16:43:34 | 000,118,784 | ---- | M] (Creative Technology Ltd.) -- C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
PRC - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe


========== Modules (SafeList) ==========

MOD - [2010/12/04 14:46:42 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kathleen Hobbs\Desktop\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/06/10 05:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2010/05/20 16:19:16 | 000,088,176 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2010/05/14 10:00:26 | 000,249,136 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2010/04/16 07:33:40 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/10/27 11:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/09/16 10:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 09:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Stopped] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 08:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/08 10:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 18:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2008/12/10 19:20:48 | 000,528,384 | ---- | M] (Dell Inc.) [Auto | Running] -- c:\SvcTools\8.0.81.5\bin\lnchr.exe -- (SMA8.0.81.5)
SRV - [2008/11/04 22:04:06 | 000,071,512 | ---- | M] (O2Micro International) [Auto | Running] -- C:\WINDOWS\system32\drivers\o2flash.exe -- (O2FLASH)
SRV - [2008/08/13 23:04:44 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
SRV - [2008/04/14 07:00:00 | 000,126,976 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\dhcpcsvc.dll -- (Dhcp)
SRV - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)


========== Driver Services (SafeList) ==========

DRV - [2010/07/15 14:18:22 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2010/04/30 14:45:34 | 000,061,440 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/04/30 14:45:34 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2010/04/30 14:45:34 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/09/16 09:22:48 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 09:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (MfeAVFK)
DRV - [2009/09/16 09:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 09:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (MfeBOPK)
DRV - [2009/09/16 09:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (MfeRKDK)
DRV - [2008/12/16 19:57:20 | 001,391,104 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2008/11/04 22:04:10 | 000,043,608 | ---- | M] (O2Micro ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\o2sd.sys -- (O2SDRDR)
DRV - [2008/11/04 22:04:08 | 000,051,288 | ---- | M] (O2Micro ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\o2media.sys -- (O2MDRDR)
DRV - [2008/07/16 16:32:12 | 000,235,840 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OEM13Vid.sys -- (OEM13Vid)
DRV - [2008/07/16 16:32:10 | 000,007,424 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OEM13Vfx.sys -- (OEM13Vfx)
DRV - [2008/07/16 16:32:00 | 000,141,376 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OEM13Afx.sys -- (OEM13Afx)
DRV - [2008/07/07 15:57:38 | 000,106,368 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2008/07/07 00:20:56 | 004,800,000 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/07/06 23:55:42 | 006,584,160 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/04/14 07:06:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/14 07:06:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/14 07:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/03/17 16:54:30 | 000,305,176 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2008/02/21 16:24:52 | 000,155,136 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2007/07/23 15:05:20 | 000,009,104 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLADResM.SYS -- (DLADResM)
DRV - [2007/07/23 15:04:58 | 000,037,360 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2007/07/23 15:04:56 | 000,098,448 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2007/07/23 15:04:56 | 000,093,552 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2007/07/23 15:04:54 | 000,027,216 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2007/07/23 15:04:52 | 000,032,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2007/07/23 15:04:52 | 000,016,304 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2007/07/23 15:04:50 | 000,108,752 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2007/07/23 14:55:44 | 000,099,808 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2007/07/23 14:49:44 | 000,030,064 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2007/07/23 14:49:44 | 000,014,576 | ---- | M] (Roxio) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2007/07/23 14:43:42 | 000,052,000 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2005/08/12 17:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2001/08/17 21:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 21:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 21:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 21:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 21:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 20:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 20:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 20:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 20:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 20:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 20:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 20:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 20:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 20:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 20:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.myheritage.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USSMB/1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.msn.com/sphome.aspx
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://g.msn.com/USSMB/1


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USSMB/1
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USSMB/1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USSMB/1
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USSMB/1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1518909547-290427468-2218290895-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USSMB/1
IE - HKU\S-1-5-21-1518909547-290427468-2218290895-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
IE - HKU\S-1-5-21-1518909547-290427468-2218290895-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USSMB/1
IE - HKU\S-1-5-21-1518909547-290427468-2218290895-1006\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\S-1-5-21-1518909547-290427468-2218290895-1006\..\URLSearchHook: {1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48} - C:\Program Files\Celebrity Toolbar\tbhelper.dll ()
IE - HKU\S-1-5-21-1518909547-290427468-2218290895-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1518909547-290427468-2218290895-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB}:1.0.3
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.2
FF - prefs.js..extensions.enabledItems: {7b13ec3e-999a-4b70-b9cb-2617b8323822}:2.5.8.6
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=mcafee&p="

FF - HKLM\software\mozilla\Firefox\extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/11/04 10:45:30 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox2\components [2010/10/30 12:27:18 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox2\plugins [2010/10/30 12:27:18 | 000,000,000 | ---D | M]

[2009/04/28 20:03:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kathleen Hobbs\Application Data\Mozilla\Extensions
[2010/11/27 09:16:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kathleen Hobbs\Application Data\Mozilla\Firefox\Profiles\ospi4yaa.default\extensions
[2010/06/25 00:02:23 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Kathleen Hobbs\Application Data\Mozilla\Firefox\Profiles\ospi4yaa.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/06/27 07:21:55 | 000,000,000 | ---D | M] (Zynga Toolbar) -- C:\Documents and Settings\Kathleen Hobbs\Application Data\Mozilla\Firefox\Profiles\ospi4yaa.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
[2009/08/17 20:45:18 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/08/17 20:45:19 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\browserhighlighter@ebay.com
[2009/12/06 07:59:08 | 000,192,512 | ---- | M] () -- C:\Program Files\Mozilla Firefox\components\mhxpcom.dll
[2008/09/15 10:52:06 | 000,376,832 | ---- | M] ( ) -- C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll
[2007/04/16 12:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
[2010/01/30 20:41:32 | 000,003,803 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\MyHeritage.xml

O1 HOSTS File: ([2008/04/14 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (MHTBPos00 Class) - {0C37B053-FD68-456a-82E1-D788EE342E6F} - C:\Program Files\Celebrity Toolbar\tbcore3.dll ()
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (CMySite Class) - {D62EC836-BF1E-4CAC-81BE-FB9179835D8E} - C:\Program Files\Celebrity Toolbar\mhxpcomi.dll ()
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Celebrity Toolbar) - {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - C:\Program Files\Celebrity Toolbar\tbcore3.dll ()
O3 - HKU\S-1-5-21-1518909547-290427468-2218290895-1006\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-1518909547-290427468-2218290895-1006\..\Toolbar\WebBrowser: (Celebrity Toolbar) - {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - C:\Program Files\Celebrity Toolbar\tbcore3.dll ()
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (Research In Motion Limited)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
O4 - HKLM..\Run: [DELL Webcam Manager] C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\WINDOWS\System32\nvhotkey.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [OEM13Mon.exe] C:\WINDOWS\OEM13Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [SMA8.0.81.5] c:\SvcTools\8.0.81.5\bin\lnchr.exe (Dell Inc.)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKU\S-1-5-21-1518909547-290427468-2218290895-1006..\Run: [Aim6] File not found
O4 - HKU\S-1-5-21-1518909547-290427468-2218290895-1006..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKU\S-1-5-21-1518909547-290427468-2218290895-1006..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKU\S-1-5-21-1518909547-290427468-2218290895-1006..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1518909547-290427468-2218290895-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1243613610687 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} http://myitlab.pearsoned.com/Pegasus/Modules/SIMIntegration/Resources/ax/stub.cab (Enlite 2.x Simulation Engine Installer)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\mhtb {669A2A3A-F19C-452D-800D-1240299756C1} - C:\Program Files\Celebrity Toolbar\mhxpcomi.dll ()
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll ()
O24 - Desktop Components:1 () - C:\soberchk.htm
O24 - Desktop WallPaper: C:\Documents and Settings\Kathleen Hobbs\Application Data\Microsoft\Windows Live Photo Gallery\Windows Live Photo Gallery Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Kathleen Hobbs\Application Data\Microsoft\Windows Live Photo Gallery\Windows Live Photo Gallery Wallpaper.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll ()
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll ()
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 16:29:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{7a47bc7a-3853-11de-aec5-0024e892e80d}\Shell\AutoRun\command - "" = E:\nmusbcfg.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: DHCP - C:\WINDOWS\system32\dhcpcsvc.dll ()
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


Drivers32: aux - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\WINDOWS\System32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.imaadpcm - C:\WINDOWS\System32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.msadpcm - C:\WINDOWS\System32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msaudio1 - C:\WINDOWS\System32\msaud32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\WINDOWS\System32\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msg723 - C:\WINDOWS\System32\msg723.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\WINDOWS\System32\msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.I420 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.IYUV - C:\WINDOWS\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.M261 - C:\WINDOWS\System32\msh261.drv (Microsoft Corporation)
Drivers32: vidc.M263 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.mrle - C:\WINDOWS\System32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\WINDOWS\System32\msvidc32.dll (Microsoft Corporation)
Drivers32: VIDC.UYVY - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YUY2 - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YVU9 - C:\WINDOWS\System32\tsbyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YVYU - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\WINDOWS\System32\msacm32.drv (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2012/03/31 14:08:12 | 000,000,000 | -HSD | C] -- C:\System Volume Information
[2010/12/04 14:50:51 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Kathleen Hobbs\Desktop\OTL.exe
[2010/11/27 12:58:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kathleen Hobbs\Desktop\gmer
[2010/11/22 07:04:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kathleen Hobbs\Application Data\Amazon
[2010/11/22 07:02:10 | 000,000,000 | ---D | C] -- C:\Program Files\Amazon
[2010/11/17 13:18:37 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Documents\Server
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/12/04 14:49:30 | 000,043,382 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2010/12/04 14:46:42 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kathleen Hobbs\Desktop\OTL.exe
[2010/11/27 14:06:30 | 000,043,382 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2010/11/27 12:52:24 | 000,288,107 | ---- | M] () -- C:\Documents and Settings\Kathleen Hobbs\Desktop\gmer.zip
[2010/11/27 12:47:53 | 000,466,982 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/11/27 12:47:53 | 000,080,032 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/11/27 12:45:15 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/27 12:40:59 | 000,189,259 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/11/27 12:40:56 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/11/27 12:40:54 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/27 12:40:51 | 3219,574,784 | -HS- | M] () -- C:\hiberfil.sys
[2010/11/27 12:33:49 | 000,011,585 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/11/27 12:32:12 | 000,630,272 | ---- | M] () -- C:\Documents and Settings\Kathleen Hobbs\Desktop\dds.scr
[2010/11/21 10:26:07 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\null
[2010/11/15 09:26:11 | 000,000,358 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2010/11/13 06:20:03 | 000,075,404 | ---- | M] () -- C:\Documents and Settings\Kathleen Hobbs\My Documents\27357_102.pdf
[2010/11/11 23:27:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/11/07 18:14:13 | 002,135,552 | ---- | M] () -- C:\Documents and Settings\Kathleen Hobbs\Desktop\Ch. 8 Revised 1-09.ppt
[2010/11/07 18:14:05 | 003,190,272 | ---- | M] () -- C:\Documents and Settings\Kathleen Hobbs\Desktop\Ch. 7 revised 1-09.ppt
[2010/11/07 18:13:54 | 005,678,080 | ---- | M] () -- C:\Documents and Settings\Kathleen Hobbs\Desktop\Ch. 6 revised 1-09.ppt
[2010/11/07 18:13:36 | 010,846,720 | ---- | M] () -- C:\Documents and Settings\Kathleen Hobbs\Desktop\Ch. 5 revised 1-09.ppt
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/27 12:53:18 | 000,288,107 | ---- | C] () -- C:\Documents and Settings\Kathleen Hobbs\Desktop\gmer.zip
[2010/11/27 12:45:46 | 000,630,272 | ---- | C] () -- C:\Documents and Settings\Kathleen Hobbs\Desktop\dds.scr
[2010/11/27 12:06:51 | 3219,574,784 | -HS- | C] () -- C:\hiberfil.sys
[2010/11/13 06:20:03 | 000,075,404 | ---- | C] () -- C:\Documents and Settings\Kathleen Hobbs\My Documents\27357_102.pdf
[2010/11/07 18:14:10 | 002,135,552 | ---- | C] () -- C:\Documents and Settings\Kathleen Hobbs\Desktop\Ch. 8 Revised 1-09.ppt
[2010/11/07 18:14:01 | 003,190,272 | ---- | C] () -- C:\Documents and Settings\Kathleen Hobbs\Desktop\Ch. 7 revised 1-09.ppt
[2010/11/07 18:13:45 | 005,678,080 | ---- | C] () -- C:\Documents and Settings\Kathleen Hobbs\Desktop\Ch. 6 revised 1-09.ppt
[2010/11/07 18:13:22 | 010,846,720 | ---- | C] () -- C:\Documents and Settings\Kathleen Hobbs\Desktop\Ch. 5 revised 1-09.ppt
[2010/03/12 21:56:19 | 008,673,792 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\atscie.msi
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/06/01 14:21:23 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/05/03 21:30:37 | 000,006,656 | ---- | C] () -- C:\Documents and Settings\Kathleen Hobbs\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/19 13:42:27 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/04/19 13:42:27 | 001,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/04/19 13:42:27 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/04/19 13:42:27 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2009/04/19 13:41:14 | 000,001,153 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2009/04/19 11:03:06 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/04/19 10:53:52 | 000,000,234 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/04/19 10:51:51 | 000,753,664 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2009/04/19 10:51:51 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2008/04/25 16:26:32 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2008/04/25 11:16:18 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\msapsspc.dll
[2008/04/25 11:16:14 | 001,082,368 | ---- | C] () -- C:\WINDOWS\System32\esent.dll
[2008/04/25 11:16:14 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\eappcfg.dll
[2008/04/25 11:16:14 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\eappprxy.dll
[2008/04/25 11:16:14 | 000,030,720 | ---- | C] () -- C:\WINDOWS\System32\eapolqec.dll
[2008/04/25 11:16:11 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\dhcpcsvc.dll
[2008/04/25 11:16:11 | 000,068,608 | ---- | C] () -- C:\WINDOWS\System32\digest.dll
[2008/04/25 11:16:11 | 000,026,112 | ---- | C] () -- C:\WINDOWS\System32\dot3api.dll
[2008/04/25 11:16:11 | 000,019,456 | ---- | C] () -- C:\WINDOWS\System32\dimsntfy.dll
[2008/04/25 11:16:11 | 000,009,216 | ---- | C] () -- C:\WINDOWS\System32\dot3dlg.dll
[2008/04/25 11:16:10 | 000,163,840 | ---- | C] () -- C:\WINDOWS\System32\credui.dll
[2008/04/25 11:16:08 | 000,193,536 | ---- | C] () -- C:\WINDOWS\System32\activeds.dll
[2008/04/25 04:22:39 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini

========== LOP Check ==========

[2009/04/19 10:51:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Windows Desktop Search
[2009/04/30 22:58:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2010/06/01 22:15:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\myitlab
[2010/04/24 22:08:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Research In Motion
[2009/04/19 10:55:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2009/04/30 22:58:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/05/07 22:00:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/04/19 10:51:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Windows Desktop Search
[2009/04/30 22:59:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kathleen Hobbs\Application Data\acccore
[2010/11/22 07:04:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kathleen Hobbs\Application Data\Amazon
[2009/05/01 00:13:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kathleen Hobbs\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2009/08/18 17:54:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kathleen Hobbs\Application Data\MSNInstaller
[2010/04/24 22:11:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kathleen Hobbs\Application Data\Research In Motion
[2009/05/04 06:57:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kathleen Hobbs\Application Data\Snapfish
[2009/04/19 10:51:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kathleen Hobbs\Application Data\Windows Desktop Search
[2009/04/28 19:32:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kathleen Hobbs\Application Data\Windows Search
[2009/08/18 04:55:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2010/11/15 09:26:11 | 000,000,358 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job
[2010/07/01 01:45:32 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job
[2010/11/27 12:40:56 | 000,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.sys /90 >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/04/25 04:21:09 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/04/25 04:21:09 | 001,089,536 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/04/25 04:21:09 | 000,905,216 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %SYSTEMDRIVE%\*.* >
[2008/04/25 16:29:32 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2009/04/28 19:25:03 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2008/04/25 16:29:32 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2009/04/19 13:43:27 | 000,004,188 | RH-- | M] () -- C:\dell.sdr
[2010/11/27 12:40:51 | 3219,574,784 | -HS- | M] () -- C:\hiberfil.sys
[2003/05/30 16:07:38 | 000,000,860 | ---- | M] () -- C:\instructions.txt
[2008/04/25 16:29:32 | 000,000,000 | -H-- | M] () -- C:\IO.SYS
[2009/04/30 22:58:14 | 000,000,459 | -H-- | M] () -- C:\IPH.PH
[2008/04/25 16:29:32 | 000,000,000 | -H-- | M] () -- C:\MSDOS.SYS
[2008/04/14 07:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/04/14 07:00:00 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/11/27 12:40:49 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2002/11/11 18:19:52 | 000,000,036 | ---- | M] () -- C:\sober.bat
[1999/04/30 19:50:50 | 000,005,985 | ---- | M] () -- C:\soberchk.htm
[1999/04/30 18:39:04 | 000,000,447 | ---- | M] () -- C:\soberref.htm

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll

< %systemroot%\*. /mp /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< End of report >





OTL Extras logfile created on: 12/4/2010 2:52:24 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Kathleen Hobbs\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 84.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.85 Gb Total Space | 210.76 Gb Free Space | 90.52% Space Free | Partition Type: NTFS
Drive E: | 976.13 Mb Total Space | 122.94 Mb Free Space | 12.59% Space Free | Partition Type: FAT

Computer Name: KATRICKSCHOOL | User Name: Kathleen Hobbs | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-1518909547-290427468-2218290895-1006\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox2\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" = C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe:*:Enabled:Managed Services Agent -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- (AOL LLC)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{020D8396-D6D9-4B53-A9A1-83C47E2E27AA}" = Windows Live Call
"{0394CDC8-FABD-4ED8-B104-03393876DFDF}" = Roxio Creator Tools
"{06E6E30D-B498-442F-A943-07DE41D7F785}" = Microsoft Search Enhancement Pack
"{07159635-9DFE-4105-BFC0-2817DB540C68}" = Roxio Activation Module
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{0D397393-9B50-4C52-84D5-77E344289F87}" = Roxio Creator Data
"{1D5E29AD-39A9-4D0A-A8B6-46A6FCD8C995}" = Live! Cam Avatar v1.0
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 17
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2B4C7E1E-E446-4740-ADB5-9842E742EE8A}" = Windows Live Toolbar
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4AB8B41B-3AF1-46BE-99B0-0ACD3B300C0A}" = Junk Mail filter update
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5ECB3A3C-980B-4D12-9724-25DCB07A1F47}" = iTunes
"{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail
"{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}" = Live! Cam Avatar Creator
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}" = Windows Live Writer
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{83FFCFC7-88C6-41C6-8752-958A45325C82}" = Roxio Creator Audio
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A253629-0511-4854-8B4E-46E57E66005C}" = Bonjour
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}" = Sonic CinePlayer Decoder Pack
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_BASICR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_BASICR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_BASICR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_BASICR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_BASICR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_BASICR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_BASICR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_BASICR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0013-0000-0000-0000000FF1CE}" = Microsoft Office Basic 2007
"{91120000-0013-0000-0000-0000000FF1CE}_BASICR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0013-0000-0000-0000000FF1CE}_BASICR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{913D0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Standard for Students and Teachers
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9DE1BE03-AFE2-4CDB-BFEB-D06D736CD01A}" = Apple Mobile Device Support
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B98BE95C-E76F-4246-B8E6-BEB8EE791D06}" = Roxio Media Manager
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C34FAEF3-4241-4C4E-9CFF-7BBD8BCEABE7}" = WebEx Support Manager for Internet Explorer
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D9D754A1-EAC5-406C-A28B-C49B1E846711}" = Windows Live Essentials
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F5BDF2BB-C990-4351-A05B-B2243D4037D4}" = BlackBerry Desktop Software 5.0.1
"{F69E83CF-B440-43F8-89E6-6EA80712109B}" = Windows Live Communications Platform
"{F73A5B18-EB75-4B2C-B32D-9457576E2417}" = Windows Live Photo Gallery
"{FB26A501-6BA6-459B-89AA-9736730752FB}" = VoiceOver Kit
"{FDD810CA-D5E3-40E9-AB7B-36440B0D41EF}" = Windows Live Sync
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"Advanced Video FX Engine" = Advanced Video FX Engine
"AIM_6" = AIM 6
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.10
"BASICR" = Microsoft Office Basic 2007
"BlackBerry_{F5BDF2BB-C990-4351-A05B-B2243D4037D4}" = BlackBerry Desktop Software 5.0.1
"Broadcom 802.11 Application" = Dell Wireless WLAN Card Utility
"Celebrity Toolbar" = Celebrity Toolbar
"ComcastHSI" = Comcast High-Speed Internet Install Wizard
"Creative OEM013" = Laptop Integrated Webcam Driver (1.01.01.0529)
"Dell ServicesReady" = Dell ServicesReady
"Dell Webcam Center" = Dell Webcam Center
"Dell Webcam Manager" = Dell Webcam Manager
"GenoPro" = GenoPro 2.0.1.6
"ie8" = Windows Internet Explorer 8
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.12)" = Mozilla Firefox (3.6.12)
"MSC" = McAfee SecurityCenter
"NVIDIA Drivers" = NVIDIA Drivers
"SobrietyCheck_is1" = SobrietyCheck 2.1
"ViewpointMediaPlayer" = Viewpoint Media Player
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format Runtime
"WinLiveSuite_Wave3" = Windows Live Essentials
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/27/2010 1:59:30 PM | Computer Name = KATRICKSCHOOL | Source = McLogEvent | ID = 5051
Description = A thread in process C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took
longer than 90000 ms to complete a request. The process will be terminated. Thread
id : 3236 (0xca4) Thread address : 0x7C90E514 Thread message : Build VSCORE.14.0.0.435
/ 5400.1158 Object being scanned = \Device\HarddiskVolume2\Documents and Settings\Kathleen
Hobbs\Desktop\gmer\gmer.exe by C:\WINDOWS\Explorer.EXE 4(0)(0) 4(0)(0) 7200(0)(0)

7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)

Error - 11/27/2010 4:52:27 PM | Computer Name = KATRICKSCHOOL | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 11/27/2010 4:52:27 PM | Computer Name = KATRICKSCHOOL | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 6318047

Error - 11/27/2010 4:52:27 PM | Computer Name = KATRICKSCHOOL | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 6318047

Error - 11/27/2010 4:52:43 PM | Computer Name = KATRICKSCHOOL | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 11/27/2010 4:52:43 PM | Computer Name = KATRICKSCHOOL | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 6333688

Error - 11/27/2010 4:52:43 PM | Computer Name = KATRICKSCHOOL | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 6333688

Error - 11/27/2010 4:52:58 PM | Computer Name = KATRICKSCHOOL | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 11/27/2010 4:52:58 PM | Computer Name = KATRICKSCHOOL | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 6349313

Error - 11/27/2010 4:52:58 PM | Computer Name = KATRICKSCHOOL | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 6349313

[ System Events ]
Error - 12/4/2010 3:54:57 PM | Computer Name = KATRICKSCHOOL | Source = Service Control Manager | ID = 7023
Description = The Telephony service terminated with the following error: %%193

Error - 12/4/2010 3:54:58 PM | Computer Name = KATRICKSCHOOL | Source = Service Control Manager | ID = 7023
Description = The Telephony service terminated with the following error: %%193

Error - 12/4/2010 3:54:59 PM | Computer Name = KATRICKSCHOOL | Source = Service Control Manager | ID = 7023
Description = The Telephony service terminated with the following error: %%193

Error - 12/4/2010 3:55:00 PM | Computer Name = KATRICKSCHOOL | Source = Service Control Manager | ID = 7023
Description = The Telephony service terminated with the following error: %%193

Error - 12/4/2010 3:55:01 PM | Computer Name = KATRICKSCHOOL | Source = Service Control Manager | ID = 7023
Description = The Telephony service terminated with the following error: %%193

Error - 12/4/2010 3:55:02 PM | Computer Name = KATRICKSCHOOL | Source = Service Control Manager | ID = 7023
Description = The Telephony service terminated with the following error: %%193

Error - 12/4/2010 3:55:03 PM | Computer Name = KATRICKSCHOOL | Source = Service Control Manager | ID = 7023
Description = The Telephony service terminated with the following error: %%193

Error - 12/4/2010 3:55:04 PM | Computer Name = KATRICKSCHOOL | Source = Service Control Manager | ID = 7023
Description = The Telephony service terminated with the following error: %%193

Error - 12/4/2010 3:55:05 PM | Computer Name = KATRICKSCHOOL | Source = Service Control Manager | ID = 7023
Description = The Telephony service terminated with the following error: %%193

Error - 12/4/2010 3:55:06 PM | Computer Name = KATRICKSCHOOL | Source = Service Control Manager | ID = 7023
Description = The Telephony service terminated with the following error: %%193


< End of report >

Attached Files

  • Attached File  ark.txt   67.22KB   3 downloads


#4 Eric7859

Eric7859
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:07:58 AM

Posted 04 December 2010 - 05:47 PM

I looked back in the Mcafee logs and found the following entries 11/17/2010 real time scan W32/bamital.b (virus) removed at 1:19:03PM and again at 1:56:32PM
11/21/10 schedualed scan exploit-byteverify (Trojan) quarantined at the same time Backdoor-dki!env.b (Trojan)was quarantined

#5 etavares

etavares

    Bleepin' Remover


  • Malware Response Instructor
  • 14,578 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:58 AM

Posted 05 December 2010 - 11:47 AM

Hello, Eric7859.
Bamital is a backdoor trojan.

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.







Viewpoint (foistware) Warning"

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

http://www.clickz.com/clickz/news/1714488/viewpoint-plunge-into-adware

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.



Questionable Toolbars

You also have two toolbars installed that often come bundled with tracking capability. They are the Celebrity Toolbar, and the Zynga toolbar. I do suggest you uninstall them, but it is your choice.

To remove the Celebrity toolbar, uninstall it via Add/Remove programs.
To remove the Zynga tool bar, launch Firefox, selectTools --> Add Ons and it should be in that list. Click it then click uninstall to remove it.





Step 1



Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

unite_teal.png
Unified Network of Instructors and Trusted Eliminators
 


#6 Eric7859

Eric7859
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:07:58 AM

Posted 10 December 2010 - 04:45 PM

is there a way to get the recovery console without having an internet connection?

#7 Eric7859

Eric7859
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:07:58 AM

Posted 10 December 2010 - 07:18 PM

also combofix freezes when i run it. the 1st time it froze at a step that said deleting files ...severadmin.txt
then the 2nd time at stage 50

#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Instructor
  • 14,578 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:58 AM

Posted 11 December 2010 - 09:10 AM

Hi Eric7859,

Ok, let's evaluate where we are at this point.

First, we can download the recovery console from Microsoft, put it on a flash drive and manually install it. If you were not able to install it via Combofix automatically, let me know. This would be a highly recommended step.

Next, is there a log at C:\Combofix.txt? Or does C:\Qoobox\ComboFix-quarantined-files.txt exist? If yes to any of the two, please copy and paste the contents in your reply.

Thanks!


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

unite_teal.png
Unified Network of Instructors and Trusted Eliminators
 


#9 Eric7859

Eric7859
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:07:58 AM

Posted 11 December 2010 - 12:57 PM

C:\Combofix.txt is not there and C:\Qoobox\ComboFix-quarantined-files.txt does not exist either but the folder C:\Qoobox was created. I was not able to automatically install the recovery console from Microsoft. the infected laptop wont pull an ip so i need to transfer every ting by jump drive

thanks
Eric

#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Instructor
  • 14,578 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:58 AM

Posted 12 December 2010 - 09:05 AM

Hello, Eric7859.

Failing at Step 50 is generally due to McAfee interference. Before we move on, let's install the recovery console. You can download it on a working computer, then transfer it to install.

Please click on the following link to go to Microsoft's website.
http://support.microsoft.com/kb/310994

At that page, scroll down and click on the appropriate download for your version of Windows XP (Home or Professional) and the service pack level that you have installed. When you click on the link to download the file, make sure you save it directly to your desktop. If you are using Windows XP Service Pack 3 (SP3), then select the Service Pack 2 download. If you are using Windows XP Media Center, then you should select the Windows XP Pro Service Pack 2 download. If you are unsure what version of Windows you have and what Service Pack is installed, you can follow these instructions to gain that information.

  • Click on the Start button.
  • Click on the Run option.
  • type sysdm.cpl and then hit OK
  • A screen will appear showing information about your Windows installation. Under the System category you should see your Windows version and the installed service pack. Write this down and proceed to download the correct version as above.

Once the Microsoft file has finished downloading, you should drag it on top of the ComboFix icon and let your mouse button go. This is shown in the following image.
Posted Image

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Windows Recovery Console has finished installed, ComboFix will open a prompt stating that it was installed and asking if you would like to proceed with scanning your computer, please select no to cancel the scan.



etavares

Edited by etavares, 12 December 2010 - 09:06 AM.
fix image tag


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

unite_teal.png
Unified Network of Instructors and Trusted Eliminators
 


#11 Eric7859

Eric7859
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:07:58 AM

Posted 12 December 2010 - 12:29 PM

ok, i was able to install the recovery console and clicked no to continuing the scan. i also set McAfee real time protection to disabled and to the "never" turn setting instead of the 15 min option.

thanks again
Eric

#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Instructor
  • 14,578 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:58 AM

Posted 13 December 2010 - 06:14 PM

Perfect...please run Combofix as before. Please delete the copy on your desktop and download a fresh copy, naming it etavaresCF.exe as before.

You can reenable McAfee after it's done running. Please post the resulting log here.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

unite_teal.png
Unified Network of Instructors and Trusted Eliminators
 


#13 Eric7859

Eric7859
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:07:58 AM

Posted 13 December 2010 - 08:46 PM

when running combo fix i get a message that say the recovery console is not installed or requires updating since i cant get an internet connection it cant download the file it wants. is there a way to fix this or should i just run the scan?

#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Instructor
  • 14,578 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:58 AM

Posted 14 December 2010 - 05:17 PM

It is up to you...if you have a Windows CD, we don't necessarily need the Recovery Console installed, but many people often don't have it. If you have a USB flash drive, we can undo anything using a clean computer and a flash drive as well. So, please continue if you either have the windows CD; or a spare flash drive we can use with a working computer.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

unite_teal.png
Unified Network of Instructors and Trusted Eliminators
 


#15 Eric7859

Eric7859
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:07:58 AM

Posted 15 December 2010 - 06:58 PM

all symptoms seem to be the same after running combofix

ComboFix 10-12-09.04 - Kathleen Hobbs 12/14/2010 23:59:22.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2566 [GMT -5:00]
Running from: c:\documents and settings\Kathleen Hobbs\Desktop\etavaresCF.exe
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2010-11-15 to 2010-12-15 )))))))))))))))))))))))))))))))
.

2010-12-04 22:19 . 2009-09-16 14:22 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-12-04 21:58 . 2010-12-04 21:58 -------- d-sh--w- c:\documents and settings\Kathleen Hobbs\IECompatCache
2010-11-22 12:04 . 2010-11-22 12:04 -------- d-----w- c:\documents and settings\Kathleen Hobbs\Application Data\Amazon
2010-11-22 12:02 . 2010-11-22 12:02 -------- d-----w- c:\program files\Amazon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 16:23 . 2008-04-25 16:16 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-25 16:16 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-25 16:16 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2008-04-25 16:16 953856 ----a-w- c:\windows\system32\mfc40u.dll
2009-12-06 12:59 . 2010-01-31 01:41 192512 ----a-w- c:\program files\mozilla firefox\components\mhxpcom.dll
.

------- Sigcheck -------

Cryptography Services Error !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1C4AB6A5-595F-4e86-B15F-F93CCE2BBD48}"= "c:\program files\Celebrity Toolbar\tbhelper.dll" [2009-05-07 355840]

[HKEY_CLASSES_ROOT\clsid\{1c4ab6a5-595f-4e86-b15f-f93cce2bbd48}]
[HKEY_CLASSES_ROOT\URLSearchHook.MHURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{1EA6B471-CAD2-419a-9539-0586EEFE2D09}]
[HKEY_CLASSES_ROOT\URLSearchHook.MHURLSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C37B053-FD68-456a-82E1-D788EE342E6F}]
2009-05-07 21:46 2642432 ----a-w- c:\program files\Celebrity Toolbar\tbcore3.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D62EC836-BF1E-4CAC-81BE-FB9179835D8E}]
2009-12-06 12:59 217088 ----a-w- c:\program files\Celebrity Toolbar\mhxpcomi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}"= "c:\program files\Celebrity Toolbar\tbcore3.dll" [2009-05-07 2642432]

[HKEY_CLASSES_ROOT\clsid\{fd2fd708-1f6f-4b68-b141-c5778f0c19bb}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}"= "c:\program files\Celebrity Toolbar\tbcore3.dll" [2009-05-07 2642432]

[HKEY_CLASSES_ROOT\clsid\{fd2fd708-1f6f-4b68-b141-c5778f0c19bb}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-30 2020592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-02-21 159744]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-07 16862720]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-07 13537280]
"nwiz"="nwiz.exe" [2008-07-07 1630208]
"NVHotkey"="nvHotkey.dll" [2008-07-07 90112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-07 86016]
"OEM13Mon.exe"="c:\windows\OEM13Mon.exe" [2008-07-16 36864]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-17 2289664]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-05-07 1245184]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"SMA8.0.81.5"="c:\svctools\8.0.81.5\bin\lnchr.exe" [2008-12-11 528384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-04-10 37888]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-08-21 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\soberchk.htm
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-01-15 04:49 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [8/5/2009 3:06 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 3:06 PM 61440]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [8/17/2009 8:02 PM 88176]
R2 SMA8.0.81.5;Software Management Agent 8.0.81.5;c:\svctools\8.0.81.5\bin\lnchr.exe --service --context=system --control-dir=c:\svctools\8.0.81.5\ctrl --> c:\svctools\8.0.81.5\bin\lnchr.exe --service --context=system --control-dir=c:\svctools\8.0.81.5\ctrl [?]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [4/19/2009 1:42 PM 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [4/19/2009 1:42 PM 43608]
R3 OEM13Afx;Provides a software interface to control audio effects of OEM013 camera.;c:\windows\system32\drivers\OEM13Afx.sys [4/19/2009 1:42 PM 141376]
R3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\drivers\OEM13Vfx.sys [4/19/2009 1:42 PM 7424]
R3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\drivers\OEM13Vid.sys [4/19/2009 1:42 PM 235840]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/30/2009 10:58 PM 24652]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 3:06 PM 12872]
.
Contents of the 'Scheduled Tasks' folder

2010-11-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2010-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-10 16:22]

2010-07-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-10 16:22]

2010-12-14 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://search.myheritage.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} - c:\program files\Celebrity Toolbar\mhxpcomi.dll
FF - ProfilePath - c:\documents and settings\Kathleen Hobbs\Application Data\Mozilla\Firefox\Profiles\ospi4yaa.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\documents and settings\Kathleen Hobbs\Application Data\Mozilla\Firefox\Profiles\ospi4yaa.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Kathleen Hobbs\Application Data\Mozilla\Firefox\Profiles\ospi4yaa.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox2\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox2\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Celebrity Toolbar: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - c:\program files\Mozilla Firefox2\extensions\{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox2\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Kathleen Hobbs\Application Data\Mozilla\Firefox\Profiles\ospi4yaa.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\documents and settings\Kathleen Hobbs\Application Data\Mozilla\Firefox\Profiles\ospi4yaa.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-15 01:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\System32\BCMLogon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
Completion time: 2010-12-15 18:47:02
ComboFix-quarantined-files.txt 2010-12-15 05:58

Pre-Run: 226,425,286,656 bytes free
Post-Run: 226,849,517,568 bytes free

- - End Of File - - 4D93E2D4D7BC103528F2FB6A2593F028




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users