

Infected w/ malware... antivirus7, trojan.fakealert, others


  • This topic is locked
14 replies to this topic

#1 dever

dever

  • Members
  • 33 posts
  • Gender:Male
  • Location:NH

Posted 25 March 2010 - 07:47 PM

Hello,

This computer belongs to my mother-in-law, so part of my understanding of the problem is based on second-hand knowledge. She informed me that she experienced a series of pop-ups telling her that the computer was infected, click here to clean, etc ... (you know the drill). She knew not to click on any of the buttons, but I believe that the malware was able to load itself nonetheless. This computer is a bit of a dinosaur, and it hasn't run optimally for some time, so it is hard for me to say whether or not it is running as it should. The only thing I did initially was to load and run Malwarebytes Anti-Malware. MBAM found 33 infected files including: winanuvirus, adware2020, trojan.fakealert, rogue.antivirus7, among others. I believe they were all successfully deleted... I can share that log with you as well if you think it would help.

For now, I will paste and attach the logs you requested.

Thank you sincerely for any assistance you can offer!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 19:19:18.60 on Thu 03/25/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.504.239 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = localhost;*.local
mCustomizeSearch =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
TB: {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - No File
TB: Health and Fitness Toolbar: {4a20b7af-2835-47ef-bbbf-09caf8af2907}} -
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {FE6BC4EF-5676-484B-88AE-883323913256} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {90C61707-C8F8-43DB-A25C-C1F4B18EE41E} - No File
uRun: [EPSON Stylus CX4200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /M "Stylus CX4200" /EF "HKCU"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [VSOSplash] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" 103 mcvso.ui::splash.htm
mRun: [EPSON Stylus CX4200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
IE: c:\progra~1\common~1\btlink\btlink.dll//iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136688450875
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = :\WINDOW scecli scecli scecli scecli scecli scecli scecli scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\p25ltiag.default\
FF - prefs.js: browser.startup.homepage - www.msn.com
FF - plugin: c:\program files\java\j2re1.4.1_02\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.1_02\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.1_02\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.1_02\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.1_02\bin\NPJPI141_02.dll
FF - plugin: c:\program files\java\j2re1.4.1_02\bin\NPOJI610.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-9-14 214664]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-9-14 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-9-14 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-9-14 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-9-14 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-9-14 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-9-14 40552]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-9-14 34248]

=============== Created Last 30 ================

2010-03-25 22:42:43 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-03-25 22:18:33 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-03-25 22:18:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-25 22:18:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-25 22:18:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-25 22:18:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-25 18:22:59 0 d-----w- c:\program files\AV7
2010-03-10 09:41:47 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-02-04 13:43:38 54924 -c-ha-w- c:\windows\system32\mlfcache.dat
2009-10-14 10:17:00 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-08-31 19:30:47 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009083120090901\index.dat

============= FINISH: 19:21:36.12 ===============

Attached Files
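As an added example (not part of the thread, and not code from DDS or Malwarebytes), a small triage script for the DDS log format pasted above: it lists toolbar/BHO entries whose DLL is reported missing and directories created under Program Files in the 30-day window, excluding the folder the poster accounts for by installing MBAM. The sample log is constructed from lines of the post; the section names it keys on and the exclusion list are assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log in the post above,
# trimmed to the two sections this script reads.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
TB: {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - No File
TB: Health and Fitness Toolbar: {4a20b7af-2835-47ef-bbbf-09caf8af2907}} -
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

=============== Created Last 30 ================

2010-03-25 22:18:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-25 18:22:59 0 d-----w- c:\program files\AV7
2010-03-10 09:41:47 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")    # '===== Name ====='
ADDON_RE = re.compile(r"^(TB|EB|BHO):\s*(.*)$")   # toolbars, explorer bars, BHOs
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# '<date> <time> <size> <8 attr chars> <path>'; attrs start with 'd' for a directory
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+)$")

# Assumption: the poster installed MBAM during cleanup, so its folder is
# expected; any other new top-level folder under Program Files is listed.
EXPECTED_NEW_DIRS = {"malwarebytes' anti-malware"}


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def split_sections(log: str) -> dict[str, list[str]]:
    """Group non-blank lines under the lower-cased banner that precedes them."""
    sections: dict[str, list[str]] = {}
    current = "header"
    for raw in log.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1).lower()
            sections.setdefault(current, [])
        elif line:
            sections.setdefault(current, []).append(line)
    return sections


def orphaned_addons(lines: list[str]) -> list[Finding]:
    """TB/EB/BHO entries printed as '<name>: <CLSID> - <path>' whose path is
    'No File' or blank: the registry key outlived its DLL. Inert, but it is
    the residue a removed add-on or a partial cleanup leaves behind."""
    found = []
    for line in lines:
        m = ADDON_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        target = body.rsplit(" - ", 1)[1].strip() if " - " in body else ""
        if target == "" or target.lower() == "no file":
            clsid = CLSID_RE.search(body)
            found.append(Finding("orphaned-" + kind.lower(), clsid.group(0) if clsid else body))
    return found


def new_program_dirs(lines: list[str], expected=EXPECTED_NEW_DIRS) -> list[Finding]:
    """Directories created under Program Files in the log's window, minus the
    ones the user accounts for. A fresh program folder that nobody installed,
    appearing alongside fake-AV pop-ups, is worth asking the user about."""
    prefix = "c:\\program files\\"
    found = []
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        when, _size, attrs, path = m.groups()
        if not attrs.startswith("d") or not path.lower().startswith(prefix):
            continue
        top = path.lower()[len(prefix):].split("\\")[0]
        if top not in expected:
            found.append(Finding("new-program-dir", f"{when} {path}"))
    return found


def triage(log: str) -> list[Finding]:
    sections = split_sections(log)
    return (orphaned_addons(sections.get("pseudo hjt report", []))
            + new_program_dirs(sections.get("created last 30", [])))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:18} {f.detail}")
```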





#2 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • Gender:Female
  • Location:Somewhere

Posted 29 March 2010 - 09:03 PM

Hey dever,

Welcome to Bleepingcomputer! I'm Ltangelic and I'll be helping you fix your computer problem.

Before we proceed, here are some things that you can take note of so that the cleaning-up process will be smoother and more efficient. Do not worry, the points below are not any form of rules; they are just a few pointers that can ensure that you get the best help from me.
  • To ensure that you are informed of the latest replies to your thread, you may like to right click on Options at the top right hand corner of this page and select "Subscribe to this forum". That way, you will be notified via email when a reply is posted to your thread.
  • If you have any doubts or uncertainty about any part of my instructions, feel free to post on here and ask me about them.
  • Please do NOT attempt to run any tools or do any fixing on your own unless I tell you to; this will avoid any confusion that can occur during the cleaning process. Furthermore, fixing malware problems without sufficient knowledge can be dangerous at times, and you can mess up your own computer without knowing.
  • Please do not PM me for malware removal assistance; any request for malware removal assistance should be posted in this thread only. The only time you can and should PM me is when I have not been replying to you for several days (usually around 4 days) and you need an explanation. If that's the case, just send me a message on here. ;)
  • Please do not start multiple topics (especially when you are already being assisted by an authorised staff member). All staff here are volunteers; starting multiple topics will waste the limited manpower we have here at Bleepingcomputer and can further hinder our ability to assist other users. Please be considerate and stick to one thread.

I'm looking at your log now and will be back with a fix soon. Thanks for your patience and understanding.

Bleepingcomputer Malware Response Team


Please do NOT PM anyone with HJT logs, read this and post your logs here.


#3 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • Gender:Female
  • Location:Somewhere

Posted 30 March 2010 - 09:14 AM

Hey dever,

I don't see much in your logs, let's run some scans.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software (McAfee) as it may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run OTS

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under custom scans copy and paste the following
      netsvcs
      %SYSTEMDRIVE%\*.exe
      %SYSTEMDRIVE%\*.*
      %ProgramFiles%\Movie Maker\*.dll
      %ALLUSERSAPPDATA%\*.dll
      %SYSTEMROOT%\*.tmp
      %PROGRAMFILES%\Internet Explorer\*.dll
      %DriveLetter%\RECYCLER\*S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d*.
      %systemroot%\system32\*.dll /lockedfiles
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      c:\$recycle.bin\*.* /s
      CREATERESTOREPOINT
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post

2) Run RootRepeal

Download RootRepeal from one of the following locations and save it to your desktop:
  • Double click to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, click the button and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post

Next reply (please include in your post):

OTS.txt (attached)
RootRepeal.txt (attached)



#4 dever

dever
  • Topic Starter

  • Members
  • 33 posts
  • Gender:Male
  • Location:NH

Posted 31 March 2010 - 04:05 PM

Hi there Ltangelic

Thanks so much for helping me with this machine!

I have downloaded and run OTS, and the OTS.txt file is pasted below.

I was unable to download RootRepeal from any of the three links you sent me. In every case, the download would complete, but when I try to run the .exe, a window opens which says: "initializing, please wait". When I used link 1, the whole computer locks up (all applications not responding in task manager), and eventually a window appears: "The application failed to initialize". When I tried link 2 or 3, I again got the "initializing, please wait", and then another window immediately opens saying: "could not load driver".

Thanks again for your help,

dever

CODE
OTS logfile created on: 3/31/2010 3:53:36 PM - Run 2
OTS by OldTimer - Version 3.1.27.1     Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

504.00 Mb Total Physical Memory | 279.00 Mb Available Physical Memory | 55.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 69.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 106.81 Gb Total Space | 67.04 Gb Free Space | 62.76% Space Free | Partition Type: NTFS
Drive D: | 4.96 Gb Total Space | 0.91 Gb Free Space | 18.39% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: RON
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days

[Processes - Safe List]
ots.exe -> C:\Documents and Settings\Owner\Desktop\OTS.exe -> [2010/03/31 15:49:55 | 000,637,440 | ---- | M] (OldTimer Tools)
applemobiledeviceservice.exe -> C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -> [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.)
firefox.exe -> C:\Program Files\Mozilla Firefox\firefox.exe -> [2010/03/08 14:40:40 | 000,307,672 | ---- | M] (Mozilla Corporation)
mcagent.exe -> C:\Program Files\McAfee.com\Agent\mcagent.exe -> [2009/10/29 07:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.)
mpfsrv.exe -> C:\Program Files\McAfee\MPF\MpfSrv.exe -> [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.)
mcshield.exe -> C:\Program Files\McAfee\VirusScan\Mcshield.exe -> [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.)
mcsysmon.exe -> C:\Program Files\McAfee\VirusScan\mcsysmon.exe -> [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.)
mcmscsvc.exe -> C:\Program Files\McAfee\MSC\mcmscsvc.exe -> [2009/07/10 00:26:20 | 000,865,832 | ---- | M] (McAfee, Inc.)
mcproxy.exe -> c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -> [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.)
mcnasvc.exe -> c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -> [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.)
maxmenumgr.exe -> C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe -> [2008/07/21 17:16:06 | 000,169,312 | ---- | M] (Maxtor Corporation)
syncservices.exe -> C:\Program Files\Maxtor\Sync\SyncServices.exe -> [2008/07/21 17:15:14 | 000,193,888 | ---- | M] (Seagate Technology LLC)
explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation)
realsched.exe -> C:\Program Files\Common Files\Real\Update_OB\realsched.exe -> [2007/07/20 11:43:01 | 000,180,269 | ---- | M] (RealNetworks, Inc.)
ps2.exe -> C:\WINDOWS\system32\ps2.EXE -> [2002/07/31 23:28:38 | 000,081,920 | ---- | M] (Hewlett-Packard Company)

[Modules - Safe List]
ots.exe -> C:\Documents and Settings\Owner\Desktop\OTS.exe -> [2010/03/31 15:49:55 | 000,637,440 | ---- | M] (OldTimer Tools)

[Win32 Services - Safe List]
(Apple Mobile Device) Apple Mobile Device [Auto | Running] -> C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -> [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.)
(MpfService) McAfee Personal Firewall Service [Auto | Running] -> C:\Program Files\McAfee\MPF\MPFSrv.exe -> [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.)
(McODS) McAfee Scanner [On_Demand | Stopped] -> C:\Program Files\McAfee\VirusScan\mcods.exe -> [2009/09/16 11:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.)
(McShield) McAfee Real-time Scanner [Unknown | Running] -> C:\Program Files\McAfee\VirusScan\Mcshield.exe -> [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.)
(McSysmon) McAfee SystemGuards [On_Demand | Running] -> C:\Program Files\McAfee\VirusScan\mcsysmon.exe -> [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.)
(mcmscsvc) McAfee Services [Auto | Running] -> C:\Program Files\McAfee\MSC\mcmscsvc.exe -> [2009/07/10 00:26:20 | 000,865,832 | ---- | M] (McAfee, Inc.)
(MBackMonitor) MBackMonitor [On_Demand | Stopped] -> C:\Program Files\McAfee\MBK\MBackMonitor.exe -> [2009/07/08 20:22:22 | 000,068,112 | ---- | M] (McAfee)
(McProxy) McAfee Proxy Service [Auto | Running] -> c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -> [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.)
(McNASvc) McAfee Network Agent [Auto | Running] -> c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -> [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.)
(Maxtor Sync Service) Maxtor Service [Auto | Running] -> C:\Program Files\Maxtor\Sync\SyncServices.exe -> [2008/07/21 17:15:14 | 000,193,888 | ---- | M] (Seagate Technology LLC)

[Driver Services - Safe List]
(mfehidk) McAfee Inc. mfehidk [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\mfehidk.sys -> [2009/09/16 10:22:48 | 000,214,664 | ---- | M] (McAfee, Inc.)
(mfeavfk) McAfee Inc. mfeavfk [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\mfeavfk.sys -> [2009/09/16 10:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.)
(mfesmfk) McAfee Inc. mfesmfk [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\mfesmfk.sys -> [2009/09/16 10:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.)
(mfebopk) McAfee Inc. mfebopk [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\mfebopk.sys -> [2009/09/16 10:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.)
(mferkdk) McAfee Inc. mferkdk [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\mferkdk.sys -> [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.)
(MPFP) MPFP [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\Mpfp.sys -> [2009/07/16 12:32:26 | 000,120,136 | ---- | M] (McAfee, Inc.)
(MXOPSWD) Maxtor OneTouch Security Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\mxopswd.sys -> [2007/05/03 13:37:08 | 000,022,152 | ---- | M] (Maxtor Corp.)
(MxlW2k) MxlW2k [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\MxlW2k.sys -> [2004/12/27 10:44:42 | 000,028,352 | ---- | M] (MusicMatch, Inc.)
(ALCXWDM) Service for Realtek AC97 Audio (WDM) [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\ALCXWDM.SYS -> [2004/10/01 11:24:02 | 002,279,424 | ---- | M] (Realtek Semiconductor Corp.)
(nv) nv [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\nv4_mini.sys -> [2004/08/04 01:29:54 | 001,897,408 | ---- | M] (NVIDIA Corporation)
(S3Psddr) S3Psddr [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\s3gnbm.sys -> [2004/08/04 01:29:51 | 000,166,912 | ---- | M] (S3 Graphics, Inc.)
(ALCXSENS) Service for WDM 3D Audio Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\ALCXSENS.SYS -> [2004/02/17 06:49:14 | 000,391,424 | ---- | M] (Sensaura Ltd)
(fasttx2k) fasttx2k [Kernel | Boot | Running] -> C:\WINDOWS\System32\DRIVERS\fasttx2k.sys -> [2003/06/19 04:59:00 | 000,140,800 | ---- | M] (Promise Technology, Inc.)
(SiS315) SiS315 [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\sisgrp.sys -> [2003/05/06 18:34:56 | 000,394,752 | ---- | M] (Silicon Integrated Systems Corporation)
(SiSkp) SiSkp [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\srvkp.sys -> [2003/04/11 11:51:30 | 000,010,624 | ---- | M] (Silicon Integrated Systems Corporation)
(ltmodem5) Lucent Modem Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\ltmdmnt.sys -> [2003/04/01 00:29:42 | 000,625,537 | ---- | M] (LT)
(nv_agp) NVIDIA nForce AGP Bus Filter [Kernel | Boot | Running] -> C:\WINDOWS\System32\DRIVERS\nv_agp.sys -> [2003/03/20 01:51:00 | 000,018,688 | ---- | M] (NVIDIA Corporation)
(SISAGP) SiS AGP Filter [Kernel | Boot | Running] -> C:\WINDOWS\System32\DRIVERS\SISAGPX.sys -> [2003/02/20 19:18:36 | 000,036,608 | ---- | M] (Silicon Integrated Systems Corporation)
(viaagp1) VIA AGP Filter [Kernel | Boot | Running] -> C:\WINDOWS\System32\DRIVERS\viaagp1.sys -> [2002/12/27 14:41:00 | 000,026,880 | ---- | M] (VIA Technologies, Inc.)
(rtl8139) Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\R8139n51.sys -> [2002/10/04 20:04:10 | 000,046,976 | ---- | M] (Realtek Semiconductor Corporation       )
(Ps2) Ps2 [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\PS2.sys -> [2002/07/30 01:43:50 | 000,023,808 | ---- | M] (Hewlett-Packard Company)

[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Search\\"CustomizeSearch" ->  ->
HKEY_LOCAL_MACHINE\: SearchURL\\"" -> http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR ->
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> ->
HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 0 ->
HKEY_USERS\.DEFAULT\: "ProxyOverride" -> localhost;*.local ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> ->
HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 0 ->
HKEY_USERS\S-1-5-18\: "ProxyOverride" -> localhost;*.local ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> ->
HKEY_USERS\S-1-5-19\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> ->
HKEY_USERS\S-1-5-20\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\] > -> ->
HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\: Main\\"Default_Search_URL" -> http://home.microsoft.com/search/search.asp ->
HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\: Main\\"Search Page" -> http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR ->
HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\: Main\\"SearchMigratedDefaultName" -> Live Search ->
HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\: Main\\"SearchMigratedDefaultURL" -> http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?} ->
HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\: Main\\"Start Page" -> http://www.msn.com/ ->
HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\: SearchURL\\"" -> http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR ->
HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\: "ProxyEnable" -> 0 ->
HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\: "ProxyOverride" -> localhost;*.local ->
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\Owner\Application Data\Mozilla\FireFox\Profiles\p25ltiag.default\prefs.js ->
browser.startup.homepage -> "www.msn.com" ->
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions ->  ->
HKLM\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c} -> C:\Documents and Settings\All Users\Application Data\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c} [C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MOZILLA\FIREFOX EXTENSIONS\{3112CA9C-DE6D-4884-A869-9855DE68056C}] -> [2007/07/20 09:28:23 | 000,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Firefox 3.0.18\extensions ->  ->
HKLM\software\mozilla\Mozilla Firefox 3.0.18\extensions\\Components -> C:\Program Files\Mozilla Firefox\components [C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS] -> [2010/03/30 21:21:16 | 000,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Firefox 3.0.18\extensions\\Plugins -> C:\Program Files\Mozilla Firefox\plugins [C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS] -> [2010/03/30 21:21:16 | 000,000,000 | ---D | M]
< FireFox Extensions [User Folders] > ->
  -> C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions -> [2008/12/28 21:43:43 | 000,000,000 | ---D | M]
  -> C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p25ltiag.default\extensions -> [2010/03/25 18:26:16 | 000,000,000 | ---D | M]
Microsoft .NET Framework Assistant   -> C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p25ltiag.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} -> [2009/09/21 07:55:19 | 000,000,000 | ---D | M]
< FireFox Extensions [Program Folders] > ->
  -> C:\Program Files\Mozilla Firefox\extensions -> [2008/12/28 21:42:23 | 000,000,000 | ---D | M]
< HOSTS File > ([2002/08/29 15:00:00 | 000,000,734 | ---- | M] - 19 lines) -> C:\WINDOWS\system32\drivers\etc\hosts ->
Reset Hosts
127.0.0.1       localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> [2006/10/23 00:08:42 | 000,062,080 | ---- | M] (Adobe Systems Incorporated)
{7DB2D5A0-7241-4E79-B68D-6309F01C5231} [HKLM] -> C:\Program Files\McAfee\VirusScan\scriptsn.dll [scriptproxy] -> [2009/09/16 10:22:16 | 000,062,784 | ---- | M] (McAfee, Inc.)
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
"{4A20B7AF-2835-47EF-BBBF-09CAF8AF2907}}" [HKLM] -> Reg Error: Key error. [Health and Fitness Toolbar] -> File not found
"{4E7BD74F-2B8D-469E-C0FF-FD60B590A87D}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\] > -> HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{4E7BD74F-2B8D-469E-C0FF-FD60B590A87D}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{EE5D279F-081B-4404-994D-C6B60AAEBA6D}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{FE6BC4EF-5676-484B-88AE-883323913256}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"AppleSyncNotifier" -> C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe] -> [2010/03/16 21:58:34 | 000,047,392 | ---- | M] (Apple Inc.)
"CanonMyPrinter" -> C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon] -> [2007/04/03 21:50:00 | 001,603,152 | ---- | M] (CANON INC.)
"CanonSolutionMenu" -> C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon] -> [2007/05/14 21:01:00 | 000,644,696 | ---- | M] (CANON INC.)
"EPSON Stylus CX4200 Series" -> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE [C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"] -> [2005/03/07 23:00:00 | 000,098,304 | ---- | M] (SEIKO EPSON CORPORATION)
"KernelFaultCheck" ->  [%systemroot%\system32\dumprep 0 -k] -> File not found
"mcagent_exe" -> C:\Program Files\McAfee.com\Agent\mcagent.exe ["C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey] -> [2009/10/29 07:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.)
"mxomssmenu" -> C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe ["C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"] -> [2008/07/21 17:16:06 | 000,169,312 | ---- | M] (Maxtor Corporation)
"nwiz" -> C:\WINDOWS\System32\nwiz.exe [nwiz.exe /installquiet /keeploaded /nodetect] -> [2003/05/03 02:19:00 | 000,323,584 | ---- | M] (NVIDIA Corporation)
"PS2" -> C:\WINDOWS\system32\ps2.EXE [C:\WINDOWS\system32\ps2.exe] -> [2002/07/31 23:28:38 | 000,081,920 | ---- | M] (Hewlett-Packard Company)
"Recguard" -> C:\WINDOWS\SMINST\Recguard.exe [C:\WINDOWS\SMINST\RECGUARD.EXE] -> [2002/09/14 00:42:26 | 000,212,992 | ---- | M] ()
"TkBellExe" -> C:\Program Files\Common Files\Real\Update_OB\realsched.exe ["C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot] -> [2007/07/20 11:43:01 | 000,180,269 | ---- | M] (RealNetworks, Inc.)
"VSOSplash" -> c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe 103 mcvso.ui ["c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" 103 mcvso.ui::splash.htm] -> File not found
< Run [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"Picasa Media Detector" -> C:\Program Files\Picasa2\PicasaMediaDetector.exe [C:\Program Files\Picasa2\PicasaMediaDetector.exe] -> File not found
< Run [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"Picasa Media Detector" -> C:\Program Files\Picasa2\PicasaMediaDetector.exe [C:\Program Files\Picasa2\PicasaMediaDetector.exe] -> File not found
< Run [HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\] > -> HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"EPSON Stylus CX4200 Series" -> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE [C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /M "Stylus CX4200" /EF "HKCU"] -> [2005/03/07 23:00:00 | 000,098,304 | ---- | M] (SEIKO EPSON CORPORATION)
"NVIEW" -> C:\WINDOWS\System32\nview.dll [rundll32.exe nview.dll,nViewLoadHook] -> [2003/05/03 02:19:00 | 000,835,654 | ---- | M] (NVIDIA Corporation)
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
< Default User Startup Folder > -> C:\Documents and Settings\Default User\Start Menu\Programs\Startup ->
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\mod_sm.lnk -> C:\hp\bin\cloaker.exe -> [1999/11/07 10:11:14 | 000,027,136 | ---- | M] (Hewlett-Packard Co.)
< Owner Startup Folder > -> C:\Documents and Settings\Owner\Start Menu\Programs\Startup ->
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"HonorAutoRunSetting" ->  [1] -> File not found
\\"NoCDBurning" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-19] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-20] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003] > -> HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [145] -> File not found
< Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\] > -> HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xport to Microsoft Excel -> C:\Program Files\Microsoft Office\Office12\EXCEL.EXE [res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000] -> [2010/01/15 01:57:10 | 018,343,272 | ---- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{2670000A-7350-4f3c-8081-5663EE0C6C49}:{48E73304-E1D6-4330-914C-F5F514E3486C} [HKLM] -> C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll [Button: Send to OneNote] -> [2008/10/25 08:52:00 | 000,604,056 | ---- | M] (Microsoft Corporation)
{2670000A-7350-4f3c-8081-5663EE0C6C49}:{48E73304-E1D6-4330-914C-F5F514E3486C} [HKLM] -> C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll [Menu: S&end to OneNote] -> [2008/10/25 08:52:00 | 000,604,056 | ---- | M] (Microsoft Corporation)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}:{FF059E31-CC5A-4E2E-BF3B-96E929D65503} [HKLM] -> C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL [Button: Research] -> [2009/03/06 05:04:56 | 000,039,464 | ---- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{E023F504-0C5A-4750-A1E7-A9046DEA8A21}" [HKLM] ->  [Reg Error: Key error.] -> File not found
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{E023F504-0C5A-4750-A1E7-A9046DEA8A21}" [HKLM] ->  [Reg Error: Key error.] -> File not found
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\] > -> HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{2670000A-7350-4f3c-8081-5663EE0C6C49}" [HKLM] -> C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll [Send to OneNote] -> [2008/10/25 08:52:00 | 000,604,056 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL [Research] -> [2009/03/06 05:04:56 | 000,039,464 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{E023F504-0C5A-4750-A1E7-A9046DEA8A21}" [HKLM] ->  [Reg Error: Key error.] -> File not found
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. ->
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\] > -> HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 2 domain(s) found. ->
internet .[about] -> Trusted sites ->
mcafee.com .[http] -> Trusted sites ->
mcafee.com .[https] -> Trusted sites ->
< Trusted Sites Ranges [HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\] > -> HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} [HKLM] -> http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab [Reg Error: Key error.] ->
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} [HKLM] -> http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab [MSN Photo Upload Tool] ->
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [HKLM] -> http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136688450875 [MUWebControl Class] ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab [Java Plug-in 1.4.1_02] ->
{BCC0FF27-31D9-4614-A68E-C18E1ADA4389} [HKLM] -> http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab [Reg Error: Key error.] ->
{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab [Java Plug-in 1.4.1_02] ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab [Shockwave Flash Object] ->
{E77F23EB-E7AB-4502-8F37-247DBAF1A147} [HKLM] -> http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab [Windows Live Hotmail Photo Upload Tool] ->
DirectAnimation Java Classes [HKLM] -> file://C:\WINDOWS\Java\classes\dajava.cab [Reg Error: Key error.] ->
Microsoft XML Parser for Java [HKLM] -> file://C:\WINDOWS\Java\classes\xmldso.cab [Reg Error: Key error.] ->
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ ->
DhcpNameServer -> 68.87.71.230 68.87.73.246 ->
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{652A14E4-57AA-411D-B47D-8584732BBD97}\\DhcpNameServer -> 68.87.71.230 68.87.73.246   (Realtek RTL8139/810x Family Fast Ethernet NIC) ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell ->
Explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
igfxcui -> C:\WINDOWS\System32\igfxsrvc.dll -> [2004/08/20 16:50:54 | 000,344,064 | ---- | M] (Intel Corporation)
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List ->
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List ->
"C:\Documents and Settings\Owner\Local Settings\Temp\7zSAF8.tmp\SymNRT.exe" -> C:\Documents and Settings\Owner\Local Settings\Temp\7zSAF8.tmp\SymNRT.exe [C:\Documents and Settings\Owner\Local Settings\Temp\7zSAF8.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool] -> File not found
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" -> C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe [C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent] -> [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.)
"C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe" -> C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe:*:Disabled:BackWeb-1940576] -> File not found
"C:\Program Files\iTunes\iTunes.exe" -> C:\Program Files\iTunes\iTunes.exe [C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes] -> [2010/03/26 01:09:58 | 010,358,568 | ---- | M] (Apple Inc.)
"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe" -> C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare] -> [2008/07/07 13:14:40 | 000,282,624 | ---- | M] (Eastman Kodak Company)
"C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe" -> C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe:*:Disabled:backWeb-7288971] -> File not found
"C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe" -> C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater] -> File not found
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" -> C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE [C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote] -> [2008/11/24 23:16:44 | 001,020,776 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Real\RealOne Player\realplay.exe" -> C:\Program Files\Real\RealOne Player\realplay.exe [C:\Program Files\Real\RealOne Player\realplay.exe:*:Enabled:RealOne Player] -> [2007/07/20 11:43:35 | 000,208,941 | ---- | M] (RealNetworks, Inc.)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot ->
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 ->
"DisplayName" -> CD-ROM Driver ->
"ImagePath" ->  [System32\DRIVERS\cdrom.sys] -> File not found
< Drives with AutoRun files > ->  ->
C:\AUTOEXEC.BAT [] -> C:\AUTOEXEC.BAT [ NTFS ] -> [2003/07/24 04:29:01 | 000,000,000 | R-S- | M] ()
D:\AUTOEXEC.BAT [] -> D:\AUTOEXEC.BAT [ FAT32 ] -> [2001/07/28 06:07:38 | 000,000,000 | -HS- | M] ()
D:\Autorun.inf [[AUTORUN] | OPEN=Info.exe folder.htt 480 480 | ] -> D:\Autorun.inf [ FAT32 ] -> [2002/09/11 03:02:32 | 000,000,045 | -HS- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 ->
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command ->
comfile [open] -> "%1" %* ->
exefile [open] -> "%1" %* ->
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ ->
.com [@ = comfile] -> "%1" %* ->
.exe [@ = exefile] -> "%1" %* ->

[Registry - Additional Scans - Safe List]
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command ->
batfile [open] -> "%1" %* ->
cmdfile [open] -> "%1" %* ->
comfile [open] -> "%1" %* ->
exefile [open] -> "%1" %* ->
htmlfile [edit] -> "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 -> [2008/11/10 11:50:30 | 000,068,472 | ---- | M] (Microsoft Corporation)
htmlfile [print] -> "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 -> [2008/11/10 11:50:30 | 000,068,472 | ---- | M] (Microsoft Corporation)
piffile [open] -> "%1" %* ->
scrfile [config] -> "%1" ->
scrfile [install] -> rundll32.exe desk.cpl,InstallScreenSaver %l -> [2008/04/14 05:42:42 | 000,135,168 | ---- | M] (Microsoft Corporation)
scrfile [open] -> "%1" /S ->
Unknown [openas] -> %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 ->
Directory [find] -> %SystemRoot%\Explorer.exe -> [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation)
Directory [OneNote.Open] -> C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" -> [2008/11/24 23:16:44 | 001,020,776 | ---- | M] (Microsoft Corporation)
Folder [open] -> %SystemRoot%\Explorer.exe /idlist,%I,%L -> [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation)
Folder [explore] -> %SystemRoot%\Explorer.exe /e,/idlist,%I,%L -> [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation)
Drive [find] -> %SystemRoot%\Explorer.exe -> [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation)
< EventViewer Logs - Last 10 Errors > -> Event Information -> Description
Application [ Error ] 12/2/2009 7:12:02 PM Computer Name = RON | Source = Application Hang | ID = 1002 -> Description = Hanging application EasyShare.exe, version 7.0.25.114, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Application [ Error ] 12/2/2009 7:46:03 PM Computer Name = RON | Source = Application Hang | ID = 1002 -> Description = Hanging application EasyShare.exe, version 7.0.25.114, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Application [ Error ] 12/2/2009 9:35:28 PM Computer Name = RON | Source = Application Hang | ID = 1002 -> Description = Hanging application EasyShare.exe, version 7.0.25.114, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Application [ Error ] 12/11/2009 7:01:29 AM Computer Name = RON | Source = Application Hang | ID = 1002 -> Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Application [ Error ] 12/11/2009 7:01:30 AM Computer Name = RON | Source = Application Hang | ID = 1002 -> Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Application [ Error ] 12/11/2009 10:37:10 AM Computer Name = RON | Source = Application Hang | ID = 1002 -> Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Application [ Error ] 12/12/2009 5:52:46 AM Computer Name = RON | Source = Application Hang | ID = 1002 -> Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Application [ Error ] 12/28/2009 9:10:54 AM Computer Name = RON | Source = Application Hang | ID = 1002 -> Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Application [ Error ] 1/7/2010 7:21:37 AM Computer Name = RON | Source = Application Hang | ID = 1002 -> Description = Hanging application EasyShare.exe, version 7.0.25.114, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Application [ Error ] 1/15/2010 7:50:03 AM Computer Name = RON | Source = Application Hang | ID = 1002 -> Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
System [ Error ] 3/25/2010 6:08:04 PM Computer Name = RON | Source = Service Control Manager | ID = 7034 -> Description = The Application Layer Gateway Service service terminated unexpectedly.  It has done this 1 time(s).
System [ Error ] 3/25/2010 6:10:36 PM Computer Name = RON | Source = Service Control Manager | ID = 7031 -> Description = The Print Spooler service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
System [ Error ] 3/25/2010 6:15:34 PM Computer Name = RON | Source = Dhcp | ID = 1002 -> Description = The IP address lease 66.31.27.0 for the Network Card with network address 000C6E88E2D4 has been  denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
System [ Error ] 3/25/2010 7:13:04 PM Computer Name = RON | Source = DCOM | ID = 10010 -> Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register with DCOM within the required timeout.
System [ Error ] 3/25/2010 7:13:04 PM Computer Name = RON | Source = Service Control Manager | ID = 7026 -> Description = The following boot-start or system-start driver(s) failed to load:   agp440  fasttx2k  nv_agp  SISAGP  viaagp1
System [ Error ] 3/25/2010 8:19:26 PM Computer Name = RON | Source = DCOM | ID = 10010 -> Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register with DCOM within the required timeout.
System [ Error ] 3/25/2010 8:52:08 PM Computer Name = RON | Source = DCOM | ID = 10010 -> Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register with DCOM within the required timeout.
System [ Error ] 3/27/2010 10:51:33 PM Computer Name = RON | Source = DCOM | ID = 10010 -> Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register with DCOM within the required timeout.
System [ Error ] 3/30/2010 12:57:28 PM Computer Name = RON | Source = DCOM | ID = 10010 -> Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register with DCOM within the required timeout.
System [ Error ] 3/31/2010 3:20:21 AM Computer Name = RON | Source = DCOM | ID = 10010 -> Description = The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register with DCOM within the required timeout.

[Files/Folders - Created Within 30 Days]
OTS.exe -> C:\Documents and Settings\Owner\Desktop\OTS.exe -> [2010/03/31 15:49:55 | 000,637,440 | ---- | C] (OldTimer Tools)
iTunes -> C:\Program Files\iTunes -> [2010/03/30 21:27:11 | 000,000,000 | ---D | C]
{429CAD59-35B1-4DBC-BB6D-1DB246563521} -> C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521} -> [2010/03/30 21:27:11 | 000,000,000 | ---D | C]
QuickTime -> C:\Program Files\QuickTime -> [2010/03/30 21:19:41 | 000,000,000 | ---D | C]
Bonjour -> C:\Program Files\Bonjour -> [2010/03/30 21:11:41 | 000,000,000 | ---D | C]
Minidump -> C:\WINDOWS\Minidump -> [2010/03/25 20:18:21 | 000,000,000 | ---D | C]
gmer -> C:\Documents and Settings\Owner\Desktop\gmer -> [2010/03/25 19:25:04 | 000,000,000 | ---D | C]
Malwarebytes -> C:\Documents and Settings\Owner\Application Data\Malwarebytes -> [2010/03/25 18:18:33 | 000,000,000 | ---D | C]
mbamswissarmy.sys -> C:\WINDOWS\System32\drivers\mbamswissarmy.sys -> [2010/03/25 18:18:16 | 000,038,224 | ---- | C] (Malwarebytes Corporation)
Malwarebytes -> C:\Documents and Settings\All Users\Application Data\Malwarebytes -> [2010/03/25 18:18:13 | 000,000,000 | ---D | C]
mbam.sys -> C:\WINDOWS\System32\drivers\mbam.sys -> [2010/03/25 18:18:12 | 000,019,160 | ---- | C] (Malwarebytes Corporation)
Malwarebytes' Anti-Malware -> C:\Program Files\Malwarebytes' Anti-Malware -> [2010/03/25 18:18:11 | 000,000,000 | ---D | C]
AV7 -> C:\Program Files\AV7 -> [2010/03/25 14:22:59 | 000,000,000 | ---D | C]
QuickTimeVR.qtx -> C:\WINDOWS\System32\QuickTimeVR.qtx -> [2010/03/17 21:53:42 | 000,094,208 | ---- | C] (Apple Inc.)
QuickTime.qts -> C:\WINDOWS\System32\QuickTime.qts -> [2010/03/17 21:53:42 | 000,069,632 | ---- | C] (Apple Inc.)
moviemk.exe -> C:\WINDOWS\System32\dllcache\moviemk.exe -> [2010/03/10 05:41:47 | 003,558,912 | ---- | C] (Microsoft Corporation)
Real -> C:\Documents and Settings\All Users\Application Data\Real -> [2010/03/08 16:16:40 | 000,000,000 | ---D | C]
Microsoft -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft -> [2009/07/22 03:00:53 | 000,000,000 | ---D | M]
Microsoft -> C:\Documents and Settings\LocalService\Application Data\Microsoft -> [2008/08/27 21:29:26 | 000,000,000 | --SD | M]
Macromedia -> C:\Documents and Settings\LocalService\Application Data\Macromedia -> [2008/07/09 07:22:09 | 000,000,000 | ---D | M]
Adobe -> C:\Documents and Settings\LocalService\Application Data\Adobe -> [2008/07/09 07:22:09 | 000,000,000 | ---D | M]
Microsoft -> C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft -> [2008/07/09 07:22:07 | 000,000,000 | ---D | M]
Microsoft -> C:\Documents and Settings\NetworkService\Application Data\Microsoft -> [2007/12/02 04:01:21 | 000,000,000 | --SD | M]
Apple -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple -> [2007/09/27 11:21:02 | 000,000,000 | ---D | M]
Macromedia -> C:\Documents and Settings\NetworkService\Application Data\Macromedia -> [2004/11/19 12:25:30 | 000,000,000 | ---D | M]
66 C:\WINDOWS\Fonts\*.tmp files -> C:\WINDOWS\Fonts\*.tmp ->
4 C:\*.tmp files -> C:\*.tmp ->
3 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp ->
2600 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
23 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->

[Files/Folders - Modified Within 30 Days]
OTS.exe -> C:\Documents and Settings\Owner\Desktop\OTS.exe -> [2010/03/31 15:49:55 | 000,637,440 | ---- | M] (OldTimer Tools)
ntuser.dat -> C:\Documents and Settings\Owner\ntuser.dat -> [2010/03/31 15:46:01 | 006,029,312 | ---- | M] ()
iTunes.lnk -> C:\Documents and Settings\All Users\Desktop\iTunes.lnk -> [2010/03/31 11:01:11 | 000,002,137 | ---- | M] ()
wpa.dbl -> C:\WINDOWS\System32\wpa.dbl -> [2010/03/31 03:21:37 | 000,001,158 | ---- | M] ()
Config.MPF -> C:\WINDOWS\System32\Config.MPF -> [2010/03/31 03:20:50 | 000,013,803 | ---- | M] ()
hpsysdrv.DAT -> C:\WINDOWS\System\hpsysdrv.DAT -> [2010/03/31 03:19:24 | 000,001,403 | ---- | M] ()
SA.DAT -> C:\WINDOWS\tasks\SA.DAT -> [2010/03/31 03:19:20 | 000,000,006 | -H-- | M] ()
bootstat.dat -> C:\WINDOWS\bootstat.dat -> [2010/03/31 03:19:16 | 000,002,048 | --S- | M] ()
hiberfil.sys -> C:\hiberfil.sys -> [2010/03/31 03:19:15 | 528,052,224 | -HS- | M] ()
ntuser.ini -> C:\Documents and Settings\Owner\ntuser.ini -> [2010/03/31 03:17:55 | 000,000,178 | -HS- | M] ()
IMG.tif -> C:\Documents and Settings\Owner\Desktop\IMG.tif -> [2010/03/30 12:13:50 | 001,053,641 | ---- | M] ()
McDefragTask.job -> C:\WINDOWS\tasks\McDefragTask.job -> [2010/03/29 16:30:00 | 000,000,340 | ---- | M] ()
McQcTask.job -> C:\WINDOWS\tasks\McQcTask.job -> [2010/03/29 14:21:59 | 000,000,332 | ---- | M] ()
Disk Cleanup.job -> C:\WINDOWS\tasks\Disk Cleanup.job -> [2010/03/29 13:58:55 | 000,000,304 | ---- | M] ()
gmer.zip -> C:\Documents and Settings\Owner\Desktop\gmer.zip -> [2010/03/25 18:48:36 | 000,284,915 | ---- | M] ()
dds.scr -> C:\Documents and Settings\Owner\Desktop\dds.scr -> [2010/03/25 18:44:33 | 000,525,824 | ---- | M] ()
defogger_reenable -> C:\Documents and Settings\Owner\defogger_reenable -> [2010/03/25 18:42:43 | 000,000,000 | ---- | M] ()
Defogger.exe -> C:\Documents and Settings\Owner\Desktop\Defogger.exe -> [2010/03/25 18:42:14 | 000,050,477 | ---- | M] ()
ESBK.mbb -> C:\Documents and Settings\All Users\Documents\ESBK.mbb -> [2010/03/25 14:54:35 | 015,680,512 | R--- | M] ()
ESBK.mb -> C:\Documents and Settings\All Users\Documents\ESBK.mb -> [2010/03/25 14:54:35 | 008,282,112 | R--- | M] ()
.plugin141_02.trace -> C:\Documents and Settings\Owner\.plugin141_02.trace -> [2010/03/25 12:56:30 | 000,000,692 | ---- | M] ()
NurseNavigatorJuly09final[1].doc -> C:\Documents and Settings\Owner\My Documents\NurseNavigatorJuly09final[1].doc -> [2010/03/22 19:24:08 | 000,171,520 | ---- | M] ()
PerfStringBackup.INI -> C:\WINDOWS\System32\PerfStringBackup.INI -> [2010/03/20 07:42:28 | 000,524,016 | ---- | M] ()
perfh009.dat -> C:\WINDOWS\System32\perfh009.dat -> [2010/03/20 07:42:28 | 000,442,796 | ---- | M] ()
perfc009.dat -> C:\WINDOWS\System32\perfc009.dat -> [2010/03/20 07:42:28 | 000,071,936 | ---- | M] ()
QuickTimeVR.qtx -> C:\WINDOWS\System32\QuickTimeVR.qtx -> [2010/03/17 21:53:42 | 000,094,208 | ---- | M] (Apple Inc.)
QuickTime.qts -> C:\WINDOWS\System32\QuickTime.qts -> [2010/03/17 21:53:42 | 000,069,632 | ---- | M] (Apple Inc.)
imsins.BAK -> C:\WINDOWS\imsins.BAK -> [2010/03/11 04:08:34 | 000,001,374 | ---- | M] ()
Microsoft Office Word 2007.lnk -> C:\Documents and Settings\Owner\Desktop\Microsoft Office Word 2007.lnk -> [2010/03/03 07:52:39 | 000,002,515 | ---- | M] ()
484 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp ->
484 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp ->
4 C:\*.tmp files -> C:\*.tmp ->
3 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp ->
2600 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
23 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
1 C:\Documents and Settings\Owner\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Owner\Local Settings\Temp\*.tmp ->

[Files - No Company Name]
iTunes.lnk -> C:\Documents and Settings\All Users\Desktop\iTunes.lnk -> [2010/03/30 21:29:38 | 000,002,137 | ---- | C] ()
IMG.tif -> C:\Documents and Settings\Owner\Desktop\IMG.tif -> [2010/03/30 12:13:50 | 001,053,641 | ---- | C] ()
gmer.zip -> C:\Documents and Settings\Owner\Desktop\gmer.zip -> [2010/03/25 18:48:28 | 000,284,915 | ---- | C] ()
dds.scr -> C:\Documents and Settings\Owner\Desktop\dds.scr -> [2010/03/25 18:44:32 | 000,525,824 | ---- | C] ()
defogger_reenable -> C:\Documents and Settings\Owner\defogger_reenable -> [2010/03/25 18:42:43 | 000,000,000 | ---- | C] ()
Defogger.exe -> C:\Documents and Settings\Owner\Desktop\Defogger.exe -> [2010/03/25 18:42:11 | 000,050,477 | ---- | C] ()
NurseNavigatorJuly09final[1].doc -> C:\Documents and Settings\Owner\My Documents\NurseNavigatorJuly09final[1].doc -> [2010/03/22 19:24:06 | 000,171,520 | ---- | C] ()
pmsbfn32.dll -> C:\WINDOWS\System32\pmsbfn32.dll -> [2008/05/18 08:02:04 | 000,011,776 | ---- | C] ()
MAXLINK.INI -> C:\WINDOWS\MAXLINK.INI -> [2008/05/18 08:00:01 | 000,000,412 | ---- | C] ()
GlobalUserInterface.CompositeFont -> C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont -> [2006/06/29 14:58:52 | 000,030,808 | ---- | C] ()
GlobalSansSerif.CompositeFont -> C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont -> [2006/06/29 14:53:56 | 000,026,489 | ---- | C] ()
GlobalSerif.CompositeFont -> C:\WINDOWS\Fonts\GlobalSerif.CompositeFont -> [2006/04/18 15:39:28 | 000,029,779 | ---- | C] ()
GlobalMonospace.CompositeFont -> C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont -> [2006/04/18 15:39:28 | 000,026,040 | ---- | C] ()
Acroread.ini -> C:\WINDOWS\Acroread.ini -> [2006/01/20 12:48:42 | 000,000,037 | ---- | C] ()
PICSDK.ini -> C:\WINDOWS\System32\PICSDK.ini -> [2005/12/14 12:28:20 | 000,000,097 | ---- | C] ()
EPCX4200.ini -> C:\WINDOWS\EPCX4200.ini -> [2005/12/14 12:25:33 | 000,000,044 | ---- | C] ()
OPPRIN~1.INI -> C:\WINDOWS\OPPRIN~1.INI -> [2005/10/29 13:45:19 | 000,000,000 | ---- | C] ()
liveup.ini -> C:\WINDOWS\liveup.ini -> [2005/06/26 07:33:06 | 000,000,044 | ---- | C] ()
ipixActivex.ini -> C:\WINDOWS\ipixActivex.ini -> [2004/08/27 16:10:29 | 000,000,037 | ---- | C] ()
kodakpcd.Owner.ini -> C:\WINDOWS\kodakpcd.Owner.ini -> [2004/06/29 09:18:58 | 000,000,022 | ---- | C] ()
ODBC.INI -> C:\WINDOWS\ODBC.INI -> [2004/01/16 19:37:04 | 000,000,376 | ---- | C] ()
Decln.dll -> C:\WINDOWS\System32\Decln.dll -> [2004/01/08 10:36:02 | 000,032,256 | ---- | C] ()
Declw.dll -> C:\WINDOWS\System32\Declw.dll -> [2004/01/08 10:36:02 | 000,014,629 | ---- | C] ()
cdPlayer.ini -> C:\WINDOWS\cdPlayer.ini -> [2003/12/07 08:59:29 | 000,009,373 | ---- | C] ()
EPSP820.ini -> C:\WINDOWS\EPSP820.ini -> [2003/12/06 20:57:07 | 000,000,045 | ---- | C] ()
iAlmcoin.dll -> C:\WINDOWS\System32\iAlmcoin.dll -> [2003/12/06 20:51:38 | 000,000,000 | ---- | C] ()
_006903_.tmp.dll -> C:\WINDOWS\System32\_006903_.tmp.dll -> [2003/08/08 13:57:22 | 000,249,270 | ---- | C] ()
_006871_.tmp.dll -> C:\WINDOWS\System32\_006871_.tmp.dll -> [2003/08/08 13:30:58 | 000,022,040 | ---- | C] ()
smscfg.ini -> C:\WINDOWS\smscfg.ini -> [2003/07/26 06:17:16 | 000,000,061 | ---- | C] ()
mshrml.ini -> C:\WINDOWS\System32\mshrml.ini -> [2003/07/26 04:57:44 | 000,000,051 | ---- | C] ()
JAWTAccessBridge.dll -> C:\WINDOWS\System32\JAWTAccessBridge.dll -> [2003/07/24 06:10:43 | 000,028,672 | ---- | C] ()
PcdrKernelModeServices.dll -> C:\WINDOWS\System32\PcdrKernelModeServices.dll -> [2003/07/24 06:10:24 | 000,094,208 | ---- | C] ()
ProgressTrace.dll -> C:\WINDOWS\System32\ProgressTrace.dll -> [2003/07/24 06:10:24 | 000,077,824 | ---- | C] ()
PCDrJNI_1_1.dll -> C:\WINDOWS\System32\PCDrJNI_1_1.dll -> [2003/07/24 06:05:31 | 000,167,936 | ---- | C] ()
CHODDI.SYS -> C:\WINDOWS\System32\CHODDI.SYS -> [2003/07/24 06:02:11 | 000,025,438 | ---- | C] ()
syscontr.dll -> C:\WINDOWS\System32\syscontr.dll -> [2003/07/24 06:01:47 | 000,024,576 | ---- | C] ()
hpreg.dll -> C:\WINDOWS\System32\hpreg.dll -> [2003/07/24 06:01:15 | 000,045,056 | ---- | C] ()
intuprof.ini -> C:\WINDOWS\intuprof.ini -> [2003/07/24 05:47:54 | 000,000,052 | ---- | C] ()
QUICKEN.INI -> C:\WINDOWS\QUICKEN.INI -> [2003/07/24 05:47:40 | 000,000,608 | ---- | C] ()
fxsperf.ini -> C:\WINDOWS\System32\fxsperf.ini -> [2003/07/24 05:19:54 | 000,001,793 | ---- | C] ()
psisdecd.dll -> C:\WINDOWS\System32\psisdecd.dll -> [2003/07/24 04:52:31 | 000,363,520 | ---- | C] ()
PythonCOM22.dll -> C:\WINDOWS\System32\PythonCOM22.dll -> [2003/07/24 04:44:55 | 000,299,073 | ---- | C] ()
PyWinTypes22.dll -> C:\WINDOWS\System32\PyWinTypes22.dll -> [2003/07/24 04:44:55 | 000,065,536 | ---- | C] ()
bcbmm.dll -> C:\WINDOWS\System32\bcbmm.dll -> [2003/07/24 04:44:37 | 000,016,896 | ---- | C] ()
orun32.ini -> C:\WINDOWS\orun32.ini -> [2003/07/24 04:32:33 | 000,000,802 | ---- | C] ()
oeminfo.ini -> C:\WINDOWS\System32\oeminfo.ini -> [2003/07/24 04:18:12 | 000,000,552 | ---- | C] ()
1_ssetup.ini -> C:\WINDOWS\System32\1_ssetup.ini -> [2003/07/24 01:46:21 | 000,000,438 | ---- | C] ()
sunistlog.ini -> C:\WINDOWS\System32\sunistlog.ini -> [2003/07/24 01:46:21 | 000,000,000 | ---- | C] ()
sh.dll -> C:\WINDOWS\System32\sh.dll -> [2003/07/01 16:11:48 | 000,049,152 | ---- | C] ()
px.ini -> C:\WINDOWS\System32\px.ini -> [2003/06/23 21:27:16 | 000,000,000 | ---- | C] ()
lockout.dll -> C:\WINDOWS\System32\lockout.dll -> [2002/05/24 11:00:00 | 000,208,896 | ---- | C] ()
lockres.dll -> C:\WINDOWS\System32\lockres.dll -> [2002/05/24 11:00:00 | 000,045,056 | ---- | C] ()

[File - Lop Check]
CanonBJ -> C:\Documents and Settings\All Users\Application Data\CanonBJ -> [2008/05/18 07:45:56 | 000,000,000 | -H-D | M]
Maxtor -> C:\Documents and Settings\All Users\Application Data\Maxtor -> [2008/09/01 13:47:30 | 000,000,000 | ---D | M]
ScanSoft -> C:\Documents and Settings\All Users\Application Data\ScanSoft -> [2008/05/18 07:59:46 | 000,000,000 | ---D | M]
Viewpoint -> C:\Documents and Settings\All Users\Application Data\Viewpoint -> [2008/09/07 19:38:20 | 000,000,000 | ---D | M]
{429CAD59-35B1-4DBC-BB6D-1DB246563521} -> C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521} -> [2010/03/30 21:29:33 | 000,000,000 | ---D | M]
{755AC846-7372-4AC8-8550-C52491DAA8BD} -> C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD} -> [2009/10/10 06:10:34 | 000,000,000 | ---D | M]
{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} -> C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} -> [2009/05/01 09:45:30 | 000,000,000 | ---D | M]
interMute -> C:\Documents and Settings\Default User\Application Data\interMute -> [2003/07/26 04:57:44 | 000,000,000 | ---D | M]
SampleView -> C:\Documents and Settings\Default User\Application Data\SampleView -> [2003/07/24 06:02:08 | 000,000,000 | ---D | M]
Canon -> C:\Documents and Settings\Owner\Application Data\Canon -> [2008/05/18 08:26:51 | 000,000,000 | ---D | M]
interMute -> C:\Documents and Settings\Owner\Application Data\interMute -> [2006/06/25 12:25:53 | 000,000,000 | ---D | M]
InterVideo -> C:\Documents and Settings\Owner\Application Data\InterVideo -> [2005/09/28 06:13:17 | 000,000,000 | ---D | M]
Leadertech -> C:\Documents and Settings\Owner\Application Data\Leadertech -> [2005/12/14 12:33:21 | 000,000,000 | ---D | M]
NewSoft -> C:\Documents and Settings\Owner\Application Data\NewSoft -> [2008/05/18 16:11:42 | 000,000,000 | ---D | M]
SampleView -> C:\Documents and Settings\Owner\Application Data\SampleView -> [2003/07/24 06:02:08 | 000,000,000 | ---D | M]
ScanSoft -> C:\Documents and Settings\Owner\Application Data\ScanSoft -> [2008/05/18 07:59:51 | 000,000,000 | ---D | M]
Skinux -> C:\Documents and Settings\Owner\Application Data\Skinux -> [2008/06/29 19:43:26 | 000,000,000 | ---D | M]
Snapfish -> C:\Documents and Settings\Owner\Application Data\Snapfish -> [2008/02/10 17:46:11 | 000,000,000 | ---D | M]
Template -> C:\Documents and Settings\Owner\Application Data\Template -> [2003/12/06 21:05:01 | 000,000,000 | ---D | M]
Viewpoint -> C:\Documents and Settings\Owner\Application Data\Viewpoint -> [2007/08/30 20:19:01 | 000,000,000 | ---D | M]
Disk Cleanup.job -> C:\WINDOWS\Tasks\Disk Cleanup.job -> [2010/03/29 13:58:55 | 000,000,304 | ---- | M] ()
McDefragTask.job -> C:\WINDOWS\Tasks\McDefragTask.job -> [2010/03/29 16:30:00 | 000,000,340 | ---- | M] ()
McQcTask.job -> C:\WINDOWS\Tasks\McQcTask.job -> [2010/03/29 14:21:59 | 000,000,332 | ---- | M] ()

[File - Purity Scan]

[Custom Scans]
< netsvcs >
< %SYSTEMDRIVE%\*.exe >
< %SYSTEMDRIVE%\*.* >
AUTOEXEC.BAT -> C:\AUTOEXEC.BAT -> [2003/07/24 04:29:01 | 000,000,000 | R-S- | M] ()
BOOT.BAK -> C:\BOOT.BAK -> [2003/12/06 20:48:17 | 000,000,196 | RHS- | M] ()
boot.ini -> C:\boot.ini -> [2009/08/29 17:20:00 | 000,000,281 | RHS- | M] ()
cmldr -> C:\cmldr -> [2002/08/29 08:00:00 | 000,245,920 | RHS- | M] ()
CONFIG.SYS -> C:\CONFIG.SYS -> [2003/07/24 04:29:01 | 000,000,000 | R-S- | M] ()
EasyShareInstall.log -> C:\EasyShareInstall.log -> [2005/11/12 15:42:28 | 000,864,006 | ---- | M] ()
hiberfil.sys -> C:\hiberfil.sys -> [2010/03/31 03:19:15 | 528,052,224 | -HS- | M] ()
IO.SYS -> C:\IO.SYS -> [2003/07/24 04:29:01 | 000,000,000 | RHS- | M] ()
logfile -> C:\logfile -> [2008/06/29 19:19:18 | 000,331,889 | ---- | M] ()
MSDOS.SYS -> C:\MSDOS.SYS -> [2003/07/24 04:29:01 | 000,000,000 | RHS- | M] ()
net_save.dna -> C:\net_save.dna -> [2006/09/28 11:50:33 | 000,000,939 | ---- | M] ()
NTDETECT.COM -> C:\NTDETECT.COM -> [2004/09/21 19:32:04 | 000,047,564 | RHS- | M] ()
ntldr -> C:\ntldr -> [2009/08/31 13:50:47 | 000,250,048 | RHS- | M] ()
pagefile.sys -> C:\pagefile.sys -> [2010/03/31 03:19:13 | 792,723,456 | -HS- | M] ()
TB.log -> C:\TB.log -> [2007/06/03 04:01:57 | 000,918,660 | ---- | M] ()
volumeid.zbx -> C:\volumeid.zbx -> [2005/10/29 13:49:44 | 000,000,080 | RH-- | M] ()
wizard.txt -> C:\wizard.txt -> [2007/06/06 11:20:11 | 000,000,029 | ---- | M] ()
4 C:\*.tmp files -> C:\*.tmp ->
< %ProgramFiles%\Movie Maker\*.dll >
wmm2ae.dll -> C:\Program Files\Movie Maker\wmm2ae.dll -> [2008/04/14 05:42:10 | 000,167,936 | ---- | M] (Microsoft Corporation)
wmm2eres.dll -> C:\Program Files\Movie Maker\wmm2eres.dll -> [2008/04/14 05:42:10 | 000,004,096 | ---- | M] (Microsoft Corporation)
wmm2ext.dll -> C:\Program Files\Movie Maker\wmm2ext.dll -> [2008/04/14 05:42:10 | 000,007,680 | ---- | M] (Microsoft Corporation)
wmm2filt.dll -> C:\Program Files\Movie Maker\wmm2filt.dll -> [2008/04/14 05:42:10 | 000,402,432 | ---- | M] (Microsoft Corporation)
wmm2fxa.dll -> C:\Program Files\Movie Maker\wmm2fxa.dll -> [2008/04/14 05:42:10 | 000,502,272 | ---- | M] (Microsoft Corporation)
wmm2fxb.dll -> C:\Program Files\Movie Maker\wmm2fxb.dll -> [2008/04/14 05:42:10 | 000,325,632 | ---- | M] (Microsoft Corporation)
wmm2res.dll -> C:\Program Files\Movie Maker\wmm2res.dll -> [2008/04/14 05:42:10 | 004,256,768 | ---- | M] (Microsoft Corporation)
wmm2res2.dll -> C:\Program Files\Movie Maker\wmm2res2.dll -> [2008/04/14 05:42:10 | 000,005,632 | ---- | M] (Microsoft Corporation)
wmmfilt.dll -> C:\Program Files\Movie Maker\wmmfilt.dll -> [2002/08/29 08:00:00 | 000,110,648 | ---- | M] (Microsoft Corporation)
wmmres.dll -> C:\Program Files\Movie Maker\wmmres.dll -> [2002/08/29 08:00:00 | 000,319,542 | ---- | M] (Microsoft Corporation)
wmmutil.dll -> C:\Program Files\Movie Maker\wmmutil.dll -> [2002/08/29 08:00:00 | 000,163,897 | ---- | M] (Microsoft Corporation)
Invalid Environment Variable: ALLUSERSAPPDATA
< %SYSTEMROOT%\*.tmp >
23 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
< %PROGRAMFILES%\Internet Explorer\*.dll >
custsat.dll -> C:\Program Files\Internet Explorer\custsat.dll -> [2007/08/13 18:54:10 | 000,033,792 | ---- | M] (Microsoft Corporation)
hmmapi.dll -> C:\Program Files\Internet Explorer\hmmapi.dll -> [2009/03/08 04:24:28 | 000,068,608 | ---- | M] (Microsoft Corporation)
iecompat.dll -> C:\Program Files\Internet Explorer\iecompat.dll -> [2009/08/07 04:48:40 | 000,100,352 | ---- | M] (Microsoft Corporation)
iedvtool.dll -> C:\Program Files\Internet Explorer\iedvtool.dll -> [2009/03/08 04:35:32 | 000,742,912 | ---- | M] (Microsoft Corporation)
ieproxy.dll -> C:\Program Files\Internet Explorer\ieproxy.dll -> [2010/02/25 02:24:35 | 000,247,808 | ---- | M] (Microsoft Corporation)
jsdbgui.dll -> C:\Program Files\Internet Explorer\jsdbgui.dll -> [2009/03/08 04:35:02 | 000,521,216 | ---- | M] (Microsoft Corporation)
jsdebuggeride.dll -> C:\Program Files\Internet Explorer\jsdebuggeride.dll -> [2009/03/08 04:35:02 | 000,121,344 | ---- | M] (Microsoft Corporation)
JSProfilerCore.dll -> C:\Program Files\Internet Explorer\JSProfilerCore.dll -> [2009/03/08 04:35:04 | 000,118,272 | ---- | M] (Microsoft Corporation)
jsprofilerui.dll -> C:\Program Files\Internet Explorer\jsprofilerui.dll -> [2009/03/08 04:35:12 | 000,233,984 | ---- | M] (Microsoft Corporation)
pdm.dll -> C:\Program Files\Internet Explorer\pdm.dll -> [2009/01/07 18:20:18 | 000,355,832 | ---- | M] (Microsoft Corporation)
sqmapi.dll -> C:\Program Files\Internet Explorer\sqmapi.dll -> [2009/01/07 18:20:54 | 000,134,144 | ---- | M] (Microsoft Corporation)
xpshims.dll -> C:\Program Files\Internet Explorer\xpshims.dll -> [2010/02/25 02:24:37 | 000,012,800 | ---- | M] (Microsoft Corporation)
Invalid Environment Variable: DriveLetter
< %systemroot%\system32\*.dll /lockedfiles >
2600 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp ->
< MD5 Scans Start>
< %systemdrive%\AGP440.SYS  /md5 /s >
AGP440.sys : .cab file  -> C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys -> [2004/09/21 19:26:27 | 022,245,337 | ---- | M] ()
AGP440.sys : .cab file  -> C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys -> [2008/04/14 05:51:44 | 020,056,462 | ---- | M] ()
AGP440.sys : .cab file  -> C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys -> [2004/09/21 19:26:27 | 022,245,337 | ---- | M] ()
AGP440.sys : .cab file  -> C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys -> [2008/04/14 05:51:44 | 020,056,462 | ---- | M] ()
AGP440.sys : .cab file  -> C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sp3.cab:AGP440.sys -> [2008/08/27 19:55:58 | 023,852,652 | ---- | M] ()
agp440.sys : MD5=08FD04AA961BDC77FB983F328334E3D7 -> C:\WINDOWS\ServicePackFiles\i386\agp440.sys -> [2008/04/14 00:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation)
agp440.sys : MD5=08FD04AA961BDC77FB983F328334E3D7 -> C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\agp440.sys -> [2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation)
agp440.sys : MD5=08FD04AA961BDC77FB983F328334E3D7 -> C:\WINDOWS\system32\drivers\agp440.sys -> [2008/04/14 00:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation)
agp440.sys : MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -> C:\WINDOWS\$NtServicePackUninstall$\agp440.sys -> [2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation)
< %systemdrive%\ATAPI.SYS  /md5 /s >
atapi.sys : .cab file  -> C:\I386\sp1.cab:atapi.sys -> [2002/08/29 08:00:00 | 010,158,890 | ---- | M] ()
atapi.sys : .cab file  -> C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys -> [2002/08/29 15:00:00 | 010,158,890 | ---- | M] ()
atapi.sys : .cab file  -> C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys -> [2004/09/21 19:26:27 | 022,245,337 | ---- | M] ()
atapi.sys : .cab file  -> C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys -> [2008/04/14 05:51:44 | 020,056,462 | ---- | M] ()
atapi.sys : .cab file  -> C:\WINDOWS\I386\sp1.cab:atapi.sys -> [2002/08/29 15:00:00 | 010,158,890 | ---- | M] ()
atapi.sys : .cab file  -> C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys -> [2004/09/21 19:26:27 | 022,245,337 | ---- | M] ()
atapi.sys : .cab file  -> C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys -> [2008/04/14 05:51:44 | 020,056,462 | ---- | M] ()
atapi.sys : .cab file  -> C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\sp3.cab:atapi.sys -> [2008/08/27 19:55:58 | 023,852,652 | ---- | M] ()
atapi.sys : MD5=95B858761A00E1D4F81F79A0DA019ACA -> C:\WINDOWS\$NtUninstallQ331958$\atapi.sys -> [2002/08/29 08:00:00 | 000,086,912 | ---- | M] (Microsoft Corporation)
atapi.sys : MD5=9F3A2F5AA6875C72BF062C712CFA2674 -> C:\WINDOWS\ServicePackFiles\i386\atapi.sys -> [2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation)
atapi.sys : MD5=9F3A2F5AA6875C72BF062C712CFA2674 -> C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys -> [2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation)
atapi.sys : MD5=9F3A2F5AA6875C72BF062C712CFA2674 -> C:\WINDOWS\system32\drivers\atapi.sys -> [2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation)
atapi.sys : MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -> C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -> [2004/08/04 01:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation)
< %systemdrive%\EVENTLOG.DLL  /md5 /s >
eventlog.dll : MD5=6D4FEB43EE538FC5428CC7F0565AA656 -> C:\WINDOWS\ServicePackFiles\i386\eventlog.dll -> [2008/04/14 05:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation)
eventlog.dll : MD5=6D4FEB43EE538FC5428CC7F0565AA656 -> C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll -> [2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation)
eventlog.dll : MD5=6D4FEB43EE538FC5428CC7F0565AA656 -> C:\WINDOWS\system32\eventlog.dll -> [2008/04/14 05:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation)
eventlog.dll : MD5=82B24CB70E5944E6E34662205A2A5B78 -> C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -> [2004/08/04 03:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation)
< %systemdrive%\NETLOGON.DLL  /md5 /s >
netlogon.dll : MD5=1B7F071C51B77C272875C3A23E1E4550 -> C:\WINDOWS\ServicePackFiles\i386\netlogon.dll -> [2008/04/14 05:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation)
netlogon.dll : MD5=1B7F071C51B77C272875C3A23E1E4550 -> C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll -> [2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation)
netlogon.dll : MD5=1B7F071C51B77C272875C3A23E1E4550 -> C:\WINDOWS\system32\netlogon.dll -> [2008/04/14 05:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation)
netlogon.dll : MD5=96353FCECBA774BB8DA74A1C6507015A -> C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll -> [2004/08/04 03:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation)
< %systemdrive%\SCECLI.DLL  /md5 /s >
scecli.dll : MD5=0F78E27F563F2AAF74B91A49E2ABF19A -> C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -> [2004/08/04 03:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation)
scecli.dll : MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -> C:\WINDOWS\ServicePackFiles\i386\scecli.dll -> [2008/04/14 05:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation)
scecli.dll : MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -> C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll -> [2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation)
scecli.dll : MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -> C:\WINDOWS\system32\scecli.dll -> [2008/04/14 05:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation)
< MD5 Scans End>
< %systemroot%\*. /mp /s >
< %systemroot%\system32\*.dll /lockedfiles >
2600 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp ->
< %systemroot%\Tasks\*.job /lockedfiles >
< c:\$recycle.bin\*.* /s >
Restore point Set: OTS Restore Point (0)
< End of report >



#5 dever

dever
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Gender:Male
  • Location:NH
  • Local time:10:10 PM

Posted 31 March 2010 - 04:09 PM

I think that the whole OTS file pasted OK in my last post, but I realized that you requested that one as an attachment, so here it is. Maybe the format is better as an attachment?

Thank you again!

Attached Files

  • Attached File  OTS.Txt   131.73KB   1 downloads


#6 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • OFFLINE
  • Gender:Female
  • Location:Somewhere
  • Local time:10:10 AM

Posted 01 April 2010 - 05:22 AM

Hey dever,

Thank you for the logs. :)

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (McAfee) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Next reply (please include in your post):

OTS.txt (Re-run OTS with quick scan)
ComboFix.txt

Bleepingcomputer Malware Response Team


Please do NOT PM anyone with HJT logs, read this and post your logs here.


#7 dever

dever
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Gender:Male
  • Location:NH
  • Local time:10:10 PM

Posted 01 April 2010 - 03:45 PM

Hi Ltangelic,

Here you go... everything downloaded and ran OK that time...

Thanks again!

dev

ComboFix 10-03-29.04 - Owner 04/01/2010 15:26:10.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.504.161 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\RN!15D.tmp
c:\windows\system32\_004806_.tmp.dll
c:\windows\system32\_004807_.tmp.dll
c:\windows\system32\_004808_.tmp.dll
c:\windows\system32\_004809_.tmp.dll
c:\windows\system32\_004815_.tmp.dll
c:\windows\system32\_004816_.tmp.dll
c:\windows\system32\_004817_.tmp.dll
c:\windows\system32\_004818_.tmp.dll
c:\windows\system32\_004819_.tmp.dll
c:\windows\system32\_004820_.tmp.dll
c:\windows\system32\_004821_.tmp.dll
c:\windows\system32\_004822_.tmp.dll
c:\windows\system32\_004823_.tmp.dll
c:\windows\system32\_004824_.tmp.dll
c:\windows\system32\_004825_.tmp.dll
c:\windows\system32\_004826_.tmp.dll
c:\windows\system32\_004827_.tmp.dll
c:\windows\system32\_004828_.tmp.dll
c:\windows\system32\_004829_.tmp.dll
c:\windows\system32\_004830_.tmp.dll
c:\windows\system32\_004831_.tmp.dll
c:\windows\system32\_004832_.tmp.dll
c:\windows\system32\_004833_.tmp.dll
c:\windows\system32\_004834_.tmp.dll
c:\windows\system32\_004835_.tmp.dll
c:\windows\system32\_004838_.tmp.dll
c:\windows\system32\_004839_.tmp.dll
c:\windows\system32\_004840_.tmp.dll
c:\windows\system32\_004841_.tmp.dll
c:\windows\system32\_004842_.tmp.dll
c:\windows\system32\_004843_.tmp.dll
c:\windows\system32\_004845_.tmp.dll
c:\windows\system32\_004846_.tmp.dll
c:\windows\system32\_004847_.tmp.dll
c:\windows\system32\_004848_.tmp.dll
c:\windows\system32\_004849_.tmp.dll
c:\windows\system32\_004850_.tmp.dll
c:\windows\system32\_004851_.tmp.dll
c:\windows\system32\_004853_.tmp.dll
c:\windows\system32\_004854_.tmp.dll
c:\windows\system32\_004855_.tmp.dll
c:\windows\system32\_004856_.tmp.dll
c:\windows\system32\_004857_.tmp.dll
c:\windows\system32\_004859_.tmp.dll
c:\windows\system32\_004860_.tmp.dll
c:\windows\system32\_004862_.tmp.dll
c:\windows\system32\_004863_.tmp.dll
c:\windows\system32\_004864_.tmp.dll
c:\windows\system32\_004865_.tmp.dll
c:\windows\system32\_004866_.tmp.dll
c:\windows\system32\_004867_.tmp.dll
c:\windows\system32\_004868_.tmp.dll
c:\windows\system32\_004869_.tmp.dll
c:\windows\system32\_004870_.tmp.dll
c:\windows\system32\_004871_.tmp.dll
c:\windows\system32\_004872_.tmp.dll
c:\windows\system32\_004873_.tmp.dll
c:\windows\system32\_004875_.tmp.dll
c:\windows\system32\_004876_.tmp.dll
c:\windows\system32\_004877_.tmp.dll
c:\windows\system32\_004878_.tmp.dll
c:\windows\system32\_004880_.tmp.dll
c:\windows\system32\_004882_.tmp.dll
c:\windows\system32\_004883_.tmp.dll
c:\windows\system32\_004884_.tmp.dll
c:\windows\system32\_004885_.tmp.dll
c:\windows\system32\_004886_.tmp.dll
c:\windows\system32\_004887_.tmp.dll
c:\windows\system32\_004888_.tmp.dll
c:\windows\system32\_004890_.tmp.dll
c:\windows\system32\_004891_.tmp.dll
c:\windows\system32\_004892_.tmp.dll
c:\windows\system32\_004893_.tmp.dll
c:\windows\system32\_004894_.tmp.dll
c:\windows\system32\_004895_.tmp.dll
c:\windows\system32\_004896_.tmp.dll
c:\windows\system32\_004897_.tmp.dll
c:\windows\system32\_004899_.tmp.dll
c:\windows\system32\_004900_.tmp.dll
c:\windows\system32\_004902_.tmp.dll
c:\windows\system32\_004903_.tmp.dll
c:\windows\system32\_004905_.tmp.dll
c:\windows\system32\_004906_.tmp.dll
c:\windows\system32\_004910_.tmp.dll
c:\windows\system32\_004911_.tmp.dll
c:\windows\system32\_004913_.tmp.dll
c:\windows\system32\_004916_.tmp.dll
c:\windows\system32\_004918_.tmp.dll
c:\windows\system32\_004919_.tmp.dll
c:\windows\system32\_004920_.tmp.dll
c:\windows\system32\_004921_.tmp.dll
c:\windows\system32\_004924_.tmp.dll
c:\windows\system32\_004925_.tmp.dll
c:\windows\system32\_004926_.tmp.dll
c:\windows\system32\_004927_.tmp.dll
c:\windows\system32\_004928_.tmp.dll
c:\windows\system32\_004929_.tmp.dll
c:\windows\system32\_004930_.tmp.dll
c:\windows\system32\_004931_.tmp.dll
c:\windows\system32\_004932_.tmp.dll
c:\windows\system32\_004933_.tmp.dll
c:\windows\system32\_004935_.tmp.dll
c:\windows\system32\_004936_.tmp.dll
c:\windows\system32\_004937_.tmp.dll
c:\windows\system32\_004938_.tmp.dll
c:\windows\system32\_004939_.tmp.dll
c:\windows\system32\_004940_.tmp.dll
c:\windows\system32\_004942_.tmp.dll
c:\windows\system32\_004943_.tmp.dll
c:\windows\system32\_004944_.tmp.dll
c:\windows\system32\_004946_.tmp.dll
c:\windows\system32\_004947_.tmp.dll
c:\windows\system32\_004950_.tmp.dll
c:\windows\system32\_004951_.tmp.dll
c:\windows\system32\_004953_.tmp.dll
c:\windows\system32\_004954_.tmp.dll
c:\windows\system32\_004955_.tmp.dll
c:\windows\system32\_004957_.tmp.dll
c:\windows\system32\_004958_.tmp.dll
c:\windows\system32\_004959_.tmp.dll
c:\windows\system32\_004960_.tmp.dll
c:\windows\system32\_004961_.tmp.dll
c:\windows\system32\_004962_.tmp.dll
c:\windows\system32\_004963_.tmp.dll
c:\windows\system32\_004965_.tmp.dll
c:\windows\system32\_004966_.tmp.dll
c:\windows\system32\_004967_.tmp.dll
c:\windows\system32\_004968_.tmp.dll
c:\windows\system32\_004969_.tmp.dll
c:\windows\system32\_004971_.tmp.dll
c:\windows\system32\_004973_.tmp.dll
c:\windows\system32\_004974_.tmp.dll
c:\windows\system32\_004975_.tmp.dll
c:\windows\system32\_004976_.tmp.dll
c:\windows\system32\_004977_.tmp.dll
c:\windows\system32\_004978_.tmp.dll
c:\windows\system32\_004979_.tmp.dll
c:\windows\system32\_004980_.tmp.dll
c:\windows\system32\_004981_.tmp.dll
c:\windows\system32\_004982_.tmp.dll
c:\windows\system32\_004983_.tmp.dll
c:\windows\system32\_004984_.tmp.dll
c:\windows\system32\_004985_.tmp.dll
c:\windows\system32\_004986_.tmp.dll
c:\windows\system32\_004987_.tmp.dll
c:\windows\system32\_004988_.tmp.dll
c:\windows\system32\_004989_.tmp.dll
c:\windows\system32\_004990_.tmp.dll
c:\windows\system32\_004991_.tmp.dll
c:\windows\system32\_004992_.tmp.dll
c:\windows\system32\_004993_.tmp.dll
c:\windows\system32\_004994_.tmp.dll
c:\windows\system32\_004995_.tmp.dll
c:\windows\system32\_004996_.tmp.dll
c:\windows\system32\_005000_.tmp.dll
c:\windows\system32\_005001_.tmp.dll
c:\windows\system32\_005003_.tmp.dll
c:\windows\system32\_005006_.tmp.dll
c:\windows\system32\_005007_.tmp.dll
c:\windows\system32\_005008_.tmp.dll
c:\windows\system32\_005009_.tmp.dll
c:\windows\system32\_005010_.tmp.dll
c:\windows\system32\_005011_.tmp.dll
c:\windows\system32\_005012_.tmp.dll
c:\windows\system32\_005013_.tmp.dll
c:\windows\system32\_005014_.tmp.dll
c:\windows\system32\_005015_.tmp.dll
c:\windows\system32\_005016_.tmp.dll
c:\windows\system32\_005017_.tmp.dll
c:\windows\system32\_005018_.tmp.dll
c:\windows\system32\_005019_.tmp.dll
c:\windows\system32\_005020_.tmp.dll
c:\windows\system32\_005021_.tmp.dll
c:\windows\system32\_005022_.tmp.dll
c:\windows\system32\_005023_.tmp.dll
c:\windows\system32\_005024_.tmp.dll
c:\windows\system32\_005025_.tmp.dll
c:\windows\system32\_005026_.tmp.dll
c:\windows\system32\_005027_.tmp.dll
c:\windows\system32\_005028_.tmp.dll
c:\windows\system32\_005029_.tmp.dll
c:\windows\system32\_005030_.tmp.dll
c:\windows\system32\_005031_.tmp.dll
c:\windows\system32\_005032_.tmp.dll
c:\windows\system32\_005034_.tmp.dll
c:\windows\system32\_005037_.tmp.dll
c:\windows\system32\_005038_.tmp.dll
c:\windows\system32\_005042_.tmp.dll
c:\windows\system32\_005043_.tmp.dll
c:\windows\system32\_005044_.tmp.dll
c:\windows\system32\_005045_.tmp.dll
c:\windows\system32\_005046_.tmp.dll
c:\windows\system32\_005047_.tmp.dll
c:\windows\system32\_005048_.tmp.dll
c:\windows\system32\_005050_.tmp.dll
c:\windows\system32\_005051_.tmp.dll
c:\windows\system32\_005052_.tmp.dll
c:\windows\system32\_005053_.tmp.dll
c:\windows\system32\_005054_.tmp.dll
c:\windows\system32\_005055_.tmp.dll
c:\windows\system32\_005056_.tmp.dll
c:\windows\system32\_005057_.tmp.dll
c:\windows\system32\_005058_.tmp.dll
c:\windows\system32\_005059_.tmp.dll
c:\windows\system32\_005060_.tmp.dll
c:\windows\system32\_005063_.tmp.dll
c:\windows\system32\_005064_.tmp.dll
c:\windows\system32\_005065_.tmp.dll
c:\windows\system32\_005067_.tmp.dll
c:\windows\system32\_005068_.tmp.dll
c:\windows\system32\_005069_.tmp.dll
c:\windows\system32\_005070_.tmp.dll
c:\windows\system32\_005071_.tmp.dll
c:\windows\system32\_005072_.tmp.dll
c:\windows\system32\_005073_.tmp.dll
c:\windows\system32\_005074_.tmp.dll
c:\windows\system32\_005075_.tmp.dll
c:\windows\system32\_005076_.tmp.dll
c:\windows\system32\_005077_.tmp.dll
c:\windows\system32\_005078_.tmp.dll
c:\windows\system32\_005081_.tmp.dll
c:\windows\system32\_005082_.tmp.dll
c:\windows\system32\_005084_.tmp.dll
c:\windows\system32\_005087_.tmp.dll
c:\windows\system32\_005089_.tmp.dll
c:\windows\system32\_005090_.tmp.dll
c:\windows\system32\_005091_.tmp.dll
c:\windows\system32\_005092_.tmp.dll
c:\windows\system32\_005093_.tmp.dll
c:\windows\system32\_005094_.tmp.dll
c:\windows\system32\_005095_.tmp.dll
c:\windows\system32\_005096_.tmp.dll
c:\windows\system32\_005097_.tmp.dll
c:\windows\system32\_005098_.tmp.dll
c:\windows\system32\_005099_.tmp.dll
c:\windows\system32\_005100_.tmp.dll
c:\windows\system32\_005102_.tmp.dll
c:\windows\system32\_005103_.tmp.dll
c:\windows\system32\_005104_.tmp.dll
c:\windows\system32\_005106_.tmp.dll
c:\windows\system32\_005107_.tmp.dll
c:\windows\system32\_005109_.tmp.dll
c:\windows\system32\_005110_.tmp.dll
c:\windows\system32\_005112_.tmp.dll
c:\windows\system32\_005113_.tmp.dll
c:\windows\system32\_005114_.tmp.dll
c:\windows\system32\_005116_.tmp.dll
c:\windows\system32\_005119_.tmp.dll
c:\windows\system32\_005120_.tmp.dll
c:\windows\system32\_005124_.tmp.dll
c:\windows\system32\_005125_.tmp.dll
c:\windows\system32\_005127_.tmp.dll
c:\windows\system32\_005130_.tmp.dll
c:\windows\system32\_005132_.tmp.dll
c:\windows\system32\_005133_.tmp.dll
c:\windows\system32\_005134_.tmp.dll
c:\windows\system32\_005135_.tmp.dll
c:\windows\system32\_005138_.tmp.dll
c:\windows\system32\_005139_.tmp.dll
c:\windows\system32\_005140_.tmp.dll
c:\windows\system32\_005141_.tmp.dll
c:\windows\system32\_005142_.tmp.dll
c:\windows\system32\_005147_.tmp.dll
c:\windows\system32\_005149_.tmp.dll
c:\windows\system32\_005150_.tmp.dll
c:\windows\system32\_006860_.tmp.dll
c:\windows\system32\_006861_.tmp.dll
c:\windows\system32\_006862_.tmp.dll
c:\windows\system32\_006863_.tmp.dll
c:\windows\system32\_006870_.tmp.dll
c:\windows\system32\_006871_.tmp.dll
c:\windows\system32\_006872_.tmp.dll
c:\windows\system32\_006873_.tmp.dll
c:\windows\system32\_006875_.tmp.dll
c:\windows\system32\_006876_.tmp.dll
c:\windows\system32\_006879_.tmp.dll
c:\windows\system32\_006880_.tmp.dll
c:\windows\system32\_006882_.tmp.dll
c:\windows\system32\_006883_.tmp.dll
c:\windows\system32\_006884_.tmp.dll
c:\windows\system32\_006886_.tmp.dll
c:\windows\system32\_006889_.tmp.dll
c:\windows\system32\_006890_.tmp.dll
c:\windows\system32\_006894_.tmp.dll
c:\windows\system32\_006895_.tmp.dll
c:\windows\system32\_006897_.tmp.dll
c:\windows\system32\_006900_.tmp.dll
c:\windows\system32\_006902_.tmp.dll
c:\windows\system32\_006903_.tmp.dll
c:\windows\system32\_006904_.tmp.dll
c:\windows\system32\_006905_.tmp.dll
c:\windows\system32\_006906_.tmp.dll
c:\windows\system32\_006909_.tmp.dll
c:\windows\system32\_006910_.tmp.dll
c:\windows\system32\_006911_.tmp.dll
c:\windows\system32\_006912_.tmp.dll
c:\windows\system32\_006913_.tmp.dll
c:\windows\system32\_006918_.tmp.dll
c:\windows\system32\_006920_.tmp.dll
c:\windows\system32\_008274_.tmp.dll
c:\windows\system32\_008275_.tmp.dll
c:\windows\system32\_008276_.tmp.dll
c:\windows\system32\_008277_.tmp.dll
c:\windows\system32\_008284_.tmp.dll
c:\windows\system32\_008285_.tmp.dll
c:\windows\system32\_008286_.tmp.dll
c:\windows\system32\_008288_.tmp.dll
c:\windows\system32\_008289_.tmp.dll
c:\windows\system32\_008292_.tmp.dll
c:\windows\system32\_008293_.tmp.dll
c:\windows\system32\_008295_.tmp.dll
c:\windows\system32\_008296_.tmp.dll
c:\windows\system32\_008297_.tmp.dll
c:\windows\system32\_008299_.tmp.dll
c:\windows\system32\_008302_.tmp.dll
c:\windows\system32\_008303_.tmp.dll
c:\windows\system32\_008307_.tmp.dll
c:\windows\system32\_008308_.tmp.dll
c:\windows\system32\_008310_.tmp.dll
c:\windows\system32\_008313_.tmp.dll
c:\windows\system32\_008315_.tmp.dll
c:\windows\system32\_008316_.tmp.dll
c:\windows\system32\_008317_.tmp.dll
c:\windows\system32\_008318_.tmp.dll
c:\windows\system32\_008321_.tmp.dll
c:\windows\system32\_008322_.tmp.dll
c:\windows\system32\_008323_.tmp.dll
c:\windows\system32\_008324_.tmp.dll
c:\windows\system32\_008325_.tmp.dll
c:\windows\system32\_008330_.tmp.dll
c:\windows\system32\_008332_.tmp.dll
c:\windows\system32\_008333_.tmp.dll
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\ps2.bat
c:\windows\System32\sh.Dll
c:\windows\system32\Temp
c:\windows\viassary-hp.reg
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-03-01 to 2010-04-01 )))))))))))))))))))))))))))))))
.

2010-03-31 20:47 . 2010-03-31 20:47 34816 ----a-w- c:\windows\system32\drivers\rootrepeal3.sys
2010-03-31 20:46 . 2010-03-31 20:46 34816 ----a-w- c:\windows\system32\drivers\rootrepeal2.sys
2010-03-31 01:27 . 2010-03-31 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-03-31 01:27 . 2010-03-31 01:29 -------- d-----w- c:\program files\iTunes
2010-03-31 01:19 . 2010-03-31 01:21 -------- d-----w- c:\program files\QuickTime
2010-03-31 01:11 . 2010-03-31 01:11 -------- d-----w- c:\program files\Bonjour
2010-03-25 22:18 . 2010-03-25 22:18 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-03-25 22:18 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-25 22:18 . 2010-03-25 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-25 22:18 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-25 22:18 . 2010-03-25 22:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-25 18:22 . 2010-03-25 23:09 -------- d-----w- c:\program files\AV7
2010-03-10 09:41 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-01 00:00 . 2004-12-27 14:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-03-31 01:27 . 2004-12-27 14:13 -------- d-----w- c:\program files\iPod
2010-03-31 01:27 . 2007-07-02 23:08 -------- d-----w- c:\program files\Common Files\Apple
2010-03-11 08:06 . 2008-09-01 16:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-25 06:24 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-21 14:51 . 2008-09-14 20:41 -------- d-----w- c:\program files\McAfee
2010-02-12 15:46 . 2010-02-12 15:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 15:46 . 2010-02-12 15:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-04 13:43 . 2008-03-30 12:19 54924 -c-ha-w- c:\windows\system32\mlfcache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX4200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-08 98304]
"NVIEW"="nview.dll" [2003-05-03 835654]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"nwiz"="nwiz.exe" [2003-05-03 323584]
"PS2"="c:\windows\system32\ps2.exe" [2002-08-01 81920]
"EPSON Stylus CX4200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-08 98304]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-07-20 180269]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Audible Download Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Audible Download Manager.lnk
backup=c:\windows\pss\Audible Download Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 18:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2004-08-20 20:51 118784 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-08-20 20:55 155648 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 05:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
2008-07-21 21:16 169312 ----a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2003-05-03 06:19 4640768 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
2003-05-03 06:19 835654 ----a-w- c:\windows\system32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2007-02-04 16:02 79400 ----a-w- c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 13:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-07-20 15:43 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 05:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
2006-09-20 12:35 20480 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S3 rootrepeal2;rootrepeal2;c:\windows\system32\drivers\rootrepeal2.sys [3/31/2010 4:46 PM 34816]
S3 rootrepeal3;rootrepeal3;c:\windows\system32\drivers\rootrepeal3.sys [3/31/2010 4:47 PM 34816]
.
Contents of the 'Scheduled Tasks' folder

2010-03-29 c:\windows\Tasks\Disk Cleanup.job
- c:\documents and settings\Owner\My Documents\clean.bat [2003-12-22 21:35]

2010-03-31 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-09-14 16:22]

2010-03-29 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-09-14 16:22]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = localhost;*.local
IE: c:\progra~1\COMMON~1\BTLINK\btlink.dll//iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\p25ltiag.default\
FF - prefs.js: browser.startup.homepage - www.msn.com
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJPI141_02.dll
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{4A20B7AF-2835-47EF-BBBF-09CAF8AF2907}} - (no file)
HKLM-Run-VSOSplash - c:\progra~1\mcafee.com\vso\mcmnhdlr.exe
HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
MSConfigStartUp-Microsoft Works Portfolio - c:\program files\Microsoft Works\WksSb.exe
MSConfigStartUp-MoneyAgent - c:\program files\Microsoft Money\System\mnyexpr.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-WildTangent CDA - c:\program files\WildTangent\Apps\CDA\cdaEngine0400.dll
AddRemove-ComcastHSI - c:\program files\support.com\uninstall\chsi_uninstaller.exe
AddRemove-WinTools_ADKW - c:\progra~1\COMMON~1\WinTools\WToolsA.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-01 15:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3616)
c:\windows\system32\WININET.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-04-01 16:15:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-01 20:15

Pre-Run: 71,871,930,368 bytes free
Post-Run: 72,129,249,280 bytes free

- - End Of File - - 438ED0BCE4C339EB98F003E20DD1798F

OTS logfile created on: 4/1/2010 4:22:20 PM - Run 3
OTS by OldTimer - Version 3.1.27.1     Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

504.00 Mb Total Physical Memory | 127.00 Mb Available Physical Memory | 25.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 69.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 106.81 Gb Total Space | 67.23 Gb Free Space | 62.94% Space Free | Partition Type: NTFS
Drive D: | 4.96 Gb Total Space | 0.91 Gb Free Space | 18.39% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: RON
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Quick Scan

[Processes - Safe List]
firefox.exe -> C:\Program Files\Mozilla Firefox\firefox.exe -> [2010/04/01 16:17:36 | 000,307,672 | ---- | M] (Mozilla Corporation)
ots.exe -> C:\Documents and Settings\Owner\Desktop\OTS.exe -> [2010/03/31 15:49:55 | 000,637,440 | ---- | M] (OldTimer Tools)
applemobiledeviceservice.exe -> C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -> [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.)
mcupdate.exe -> c:\Program Files\McAfee.com\Agent\mcupdate.exe -> [2010/02/11 13:36:12 | 000,562,928 | ---- | M] (McAfee, Inc.)
mcagent.exe -> c:\Program Files\McAfee.com\Agent\mcagent.exe -> [2009/10/29 07:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.)
mpfsrv.exe -> C:\Program Files\McAfee\MPF\MpfSrv.exe -> [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.)
mcshield.exe -> C:\Program Files\McAfee\VirusScan\Mcshield.exe -> [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.)
mcsysmon.exe -> C:\Program Files\McAfee\VirusScan\mcsysmon.exe -> [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.)
mcmscsvc.exe -> C:\Program Files\McAfee\MSC\mcmscsvc.exe -> [2009/07/10 00:26:20 | 000,865,832 | ---- | M] (McAfee, Inc.)
mcproxy.exe -> c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -> [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.)
mcnasvc.exe -> c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -> [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.)
syncservices.exe -> C:\Program Files\Maxtor\Sync\SyncServices.exe -> [2008/07/21 17:15:14 | 000,193,888 | ---- | M] (Seagate Technology LLC)
explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation)
realsched.exe -> C:\Program Files\Common Files\Real\Update_OB\realsched.exe -> [2007/07/20 11:43:01 | 000,180,269 | ---- | M] (RealNetworks, Inc.)
ps2.exe -> C:\WINDOWS\system32\ps2.EXE -> [2002/07/31 23:28:38 | 000,081,920 | ---- | M] (Hewlett-Packard Company)

[Modules - Safe List]
ots.exe -> C:\Documents and Settings\Owner\Desktop\OTS.exe -> [2010/03/31 15:49:55 | 000,637,440 | ---- | M] (OldTimer Tools)

[Win32 Services - Safe List]
(Apple Mobile Device) Apple Mobile Device [Auto | Running] -> C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -> [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.)
(MpfService) McAfee Personal Firewall Service [Auto | Running] -> C:\Program Files\McAfee\MPF\MPFSrv.exe -> [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.)
(McODS) McAfee Scanner [On_Demand | Stopped] -> C:\Program Files\McAfee\VirusScan\mcods.exe -> [2009/09/16 11:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.)
(McShield) McAfee Real-time Scanner [Unknown | Running] -> C:\Program Files\McAfee\VirusScan\Mcshield.exe -> [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.)
(McSysmon) McAfee SystemGuards [On_Demand | Running] -> C:\Program Files\McAfee\VirusScan\mcsysmon.exe -> [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.)
(mcmscsvc) McAfee Services [Auto | Running] -> C:\Program Files\McAfee\MSC\mcmscsvc.exe -> [2009/07/10 00:26:20 | 000,865,832 | ---- | M] (McAfee, Inc.)
(MBackMonitor) MBackMonitor [On_Demand | Stopped] -> C:\Program Files\McAfee\MBK\MBackMonitor.exe -> [2009/07/08 20:22:22 | 000,068,112 | ---- | M] (McAfee)
(McProxy) McAfee Proxy Service [Auto | Running] -> c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -> [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.)
(McNASvc) McAfee Network Agent [Auto | Running] -> c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -> [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.)
(Maxtor Sync Service) Maxtor Service [Auto | Running] -> C:\Program Files\Maxtor\Sync\SyncServices.exe -> [2008/07/21 17:15:14 | 000,193,888 | ---- | M] (Seagate Technology LLC)

[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: SearchURL\\"" -> http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\"Default_Search_URL" -> http://home.microsoft.com/search/search.asp ->
HKEY_CURRENT_USER\: Main\\"SearchMigratedDefaultName" -> Live Search ->
HKEY_CURRENT_USER\: Main\\"SearchMigratedDefaultURL" -> http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?} ->
HKEY_CURRENT_USER\: Main\\"Start Page" -> http://www.msn.com/ ->
HKEY_CURRENT_USER\: SearchURL\\"" -> http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR ->
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 ->
HKEY_CURRENT_USER\: "ProxyOverride" -> localhost;*.local ->
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\Owner\Application Data\Mozilla\FireFox\Profiles\p25ltiag.default\prefs.js ->
browser.startup.homepage -> "www.msn.com" ->
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions ->  ->
HKLM\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c} -> C:\Documents and Settings\All Users\Application Data\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c} [C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MOZILLA\FIREFOX EXTENSIONS\{3112CA9C-DE6D-4884-A869-9855DE68056C}] -> [2007/07/20 09:28:23 | 000,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions ->  ->
HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components -> C:\Program Files\Mozilla Firefox\components [C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS] -> [2010/04/01 16:17:46 | 000,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins -> C:\Program Files\Mozilla Firefox\plugins [C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS] -> [2010/04/01 16:17:46 | 000,000,000 | ---D | M]
< FireFox Extensions [User Folders] > ->
  -> C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions -> [2008/12/28 21:43:43 | 000,000,000 | ---D | M]
  -> C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p25ltiag.default\extensions -> [2010/03/31 16:55:05 | 000,000,000 | ---D | M]
Microsoft .NET Framework Assistant   -> C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p25ltiag.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} -> [2009/09/21 07:55:19 | 000,000,000 | ---D | M]
< FireFox Extensions [Program Folders] > ->
  -> C:\Program Files\Mozilla Firefox\extensions -> [2008/12/28 21:42:23 | 000,000,000 | ---D | M]
< HOSTS File > ([2010/04/01 15:53:31 | 000,000,027 | ---- | M] - 1 lines) -> C:\WINDOWS\system32\drivers\etc\hosts ->
Reset Hosts
127.0.0.1       localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> [2006/10/23 00:08:42 | 000,062,080 | ---- | M] (Adobe Systems Incorporated)
{7DB2D5A0-7241-4E79-B68D-6309F01C5231} [HKLM] -> C:\Program Files\McAfee\VirusScan\scriptsn.dll [scriptproxy] -> [2009/09/16 10:22:16 | 000,062,784 | ---- | M] (McAfee, Inc.)
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
"{4E7BD74F-2B8D-469E-C0FF-FD60B590A87D}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{4E7BD74F-2B8D-469E-C0FF-FD60B590A87D}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{EE5D279F-081B-4404-994D-C6B60AAEBA6D}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"AppleSyncNotifier" -> C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe] -> [2010/03/16 21:58:34 | 000,047,392 | ---- | M] (Apple Inc.)
"CanonMyPrinter" -> C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon] -> [2007/04/03 21:50:00 | 001,603,152 | ---- | M] (CANON INC.)
"CanonSolutionMenu" -> C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon] -> [2007/05/14 21:01:00 | 000,644,696 | ---- | M] (CANON INC.)
"EPSON Stylus CX4200 Series" -> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE [C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"] -> [2005/03/07 23:00:00 | 000,098,304 | ---- | M] (SEIKO EPSON CORPORATION)
"mcagent_exe" -> C:\Program Files\McAfee.com\Agent\mcagent.exe ["C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey] -> [2009/10/29 07:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.)
"mxomssmenu" -> C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe ["C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"] -> [2008/07/21 17:16:06 | 000,169,312 | ---- | M] (Maxtor Corporation)
"nwiz" -> C:\WINDOWS\System32\nwiz.exe [nwiz.exe /installquiet /keeploaded /nodetect] -> [2003/05/03 02:19:00 | 000,323,584 | ---- | M] (NVIDIA Corporation)
"PS2" -> C:\WINDOWS\system32\ps2.EXE [C:\WINDOWS\system32\ps2.exe] -> [2002/07/31 23:28:38 | 000,081,920 | ---- | M] (Hewlett-Packard Company)
"Recguard" -> C:\WINDOWS\SMINST\Recguard.exe [C:\WINDOWS\SMINST\RECGUARD.EXE] -> [2002/09/14 00:42:26 | 000,212,992 | ---- | M] ()
"TkBellExe" -> C:\Program Files\Common Files\Real\Update_OB\realsched.exe ["C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot] -> [2007/07/20 11:43:01 | 000,180,269 | ---- | M] (RealNetworks, Inc.)
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"EPSON Stylus CX4200 Series" -> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE [C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /M "Stylus CX4200" /EF "HKCU"] -> [2005/03/07 23:00:00 | 000,098,304 | ---- | M] (SEIKO EPSON CORPORATION)
"NVIEW" -> C:\WINDOWS\System32\nview.dll [rundll32.exe nview.dll,nViewLoadHook] -> [2003/05/03 02:19:00 | 000,835,654 | ---- | M] (NVIDIA Corporation)
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
< Owner Startup Folder > -> C:\Documents and Settings\Owner\Start Menu\Programs\Startup ->
< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer ->
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"HonorAutoRunSetting" ->  [1] -> File not found
\\"NoCDBurning" ->  [0] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDrives" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
\\"NoDrives" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xport to Microsoft Excel -> C:\Program Files\Microsoft Office\Office12\EXCEL.EXE [res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000] -> [2010/01/15 01:57:10 | 018,343,272 | ---- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{2670000A-7350-4f3c-8081-5663EE0C6C49}:{48E73304-E1D6-4330-914C-F5F514E3486C} [HKLM] -> C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll [Button: Send to OneNote] -> [2008/10/25 08:52:00 | 000,604,056 | ---- | M] (Microsoft Corporation)
{2670000A-7350-4f3c-8081-5663EE0C6C49}:{48E73304-E1D6-4330-914C-F5F514E3486C} [HKLM] -> C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll [Menu: S&end to OneNote] -> [2008/10/25 08:52:00 | 000,604,056 | ---- | M] (Microsoft Corporation)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}:{FF059E31-CC5A-4E2E-BF3B-96E929D65503} [HKLM] -> C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL [Button: Research] -> [2009/03/06 05:04:56 | 000,039,464 | ---- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{2670000A-7350-4f3c-8081-5663EE0C6C49}" [HKLM] -> C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll [Send to OneNote] -> [2008/10/25 08:52:00 | 000,604,056 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL [Research] -> [2009/03/06 05:04:56 | 000,039,464 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{E023F504-0C5A-4750-A1E7-A9046DEA8A21}" [HKLM] ->  [Reg Error: Key error.] -> File not found
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. ->
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 2 domain(s) found. ->
internet .[about] -> Trusted sites ->
mcafee.com .[http] -> Trusted sites ->
mcafee.com .[https] -> Trusted sites ->
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} [HKLM] -> http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab [Reg Error: Key error.] ->
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} [HKLM] -> http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab [MSN Photo Upload Tool] ->
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [HKLM] -> http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136688450875 [MUWebControl Class] ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab [Java Plug-in 1.4.1_02] ->
{BCC0FF27-31D9-4614-A68E-C18E1ADA4389} [HKLM] -> http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab [Reg Error: Key error.] ->
{CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab [Java Plug-in 1.4.1_02] ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab [Shockwave Flash Object] ->
{E77F23EB-E7AB-4502-8F37-247DBAF1A147} [HKLM] -> http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab [Windows Live Hotmail Photo Upload Tool] ->
DirectAnimation Java Classes [HKLM] -> file://C:\WINDOWS\Java\classes\dajava.cab [Reg Error: Key error.] ->
Microsoft XML Parser for Java [HKLM] -> file://C:\WINDOWS\Java\classes\xmldso.cab [Reg Error: Key error.] ->
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ ->
DhcpNameServer -> 68.87.71.230 68.87.73.246 ->
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{652A14E4-57AA-411D-B47D-8584732BBD97}\\DhcpNameServer -> 68.87.71.230 68.87.73.246   (Realtek RTL8139/810x Family Fast Ethernet NIC) ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell ->
Explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
igfxcui -> C:\WINDOWS\System32\igfxsrvc.dll -> [2004/08/20 16:50:54 | 000,344,064 | ---- | M] (Intel Corporation)
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List ->
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List ->
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" -> C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe [C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent] -> [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.)
"C:\Program Files\iTunes\iTunes.exe" -> C:\Program Files\iTunes\iTunes.exe [C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes] -> [2010/03/26 01:09:58 | 010,358,568 | ---- | M] (Apple Inc.)
"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe" -> C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare] -> [2008/07/07 13:14:40 | 000,282,624 | ---- | M] (Eastman Kodak Company)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" -> C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE [C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote] -> [2008/11/24 23:16:44 | 001,020,776 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Real\RealOne Player\realplay.exe" -> C:\Program Files\Real\RealOne Player\realplay.exe [C:\Program Files\Real\RealOne Player\realplay.exe:*:Enabled:RealOne Player] -> [2007/07/20 11:43:35 | 000,208,941 | ---- | M] (RealNetworks, Inc.)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot ->
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 ->
"DisplayName" -> CD-ROM Driver ->
"ImagePath" ->  [System32\DRIVERS\cdrom.sys] -> File not found
< Drives with AutoRun files > ->  ->
C:\AUTOEXEC.BAT [] -> C:\AUTOEXEC.BAT [ NTFS ] -> [2003/07/24 04:29:01 | 000,000,000 | R-S- | M] ()
D:\AUTOEXEC.BAT [] -> D:\AUTOEXEC.BAT [ FAT32 ] -> [2001/07/28 06:07:38 | 000,000,000 | -HS- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 ->
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command ->
comfile [open] -> "%1" %* ->
exefile [open] -> "%1" %* ->
< AppCertDlls [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls ->
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ ->
.com [@ = comfile] -> "%1" %* ->
.exe [@ = exefile] -> "%1" %* ->
< File Associations - Select to Repair > -> HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>\ ->
.com [@ = ComFile] -> Reg Error: Key error. -> File not found
.exe [@ = exefile] -> Reg Error: Key error. -> File not found


[Files/Folders - Created Within 14 Days]
SWXCACLS.exe -> C:\WINDOWS\SWXCACLS.exe -> [2010/04/01 15:23:48 | 000,212,480 | ---- | C] (SteelWerX)
SWREG.exe -> C:\WINDOWS\SWREG.exe -> [2010/04/01 15:23:48 | 000,161,792 | ---- | C] (SteelWerX)
SWSC.exe -> C:\WINDOWS\SWSC.exe -> [2010/04/01 15:23:48 | 000,136,704 | ---- | C] (SteelWerX)
NIRCMD.exe -> C:\WINDOWS\NIRCMD.exe -> [2010/04/01 15:23:48 | 000,031,232 | ---- | C] (NirSoft)
ERDNT -> C:\WINDOWS\ERDNT -> [2010/04/01 15:23:07 | 000,000,000 | ---D | C]
Qoobox -> C:\Qoobox -> [2010/04/01 15:20:59 | 000,000,000 | ---D | C]
OTS.exe -> C:\Documents and Settings\Owner\Desktop\OTS.exe -> [2010/03/31 15:49:55 | 000,637,440 | ---- | C] (OldTimer Tools)
iTunes -> C:\Program Files\iTunes -> [2010/03/30 21:27:11 | 000,000,000 | ---D | C]
{429CAD59-35B1-4DBC-BB6D-1DB246563521} -> C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521} -> [2010/03/30 21:27:11 | 000,000,000 | ---D | C]
QuickTime -> C:\Program Files\QuickTime -> [2010/03/30 21:19:41 | 000,000,000 | ---D | C]
Bonjour -> C:\Program Files\Bonjour -> [2010/03/30 21:11:41 | 000,000,000 | ---D | C]
Minidump -> C:\WINDOWS\Minidump -> [2010/03/25 20:18:21 | 000,000,000 | ---D | C]
gmer -> C:\Documents and Settings\Owner\Desktop\gmer -> [2010/03/25 19:25:04 | 000,000,000 | ---D | C]
Malwarebytes -> C:\Documents and Settings\Owner\Application Data\Malwarebytes -> [2010/03/25 18:18:33 | 000,000,000 | ---D | C]
mbamswissarmy.sys -> C:\WINDOWS\System32\drivers\mbamswissarmy.sys -> [2010/03/25 18:18:16 | 000,038,224 | ---- | C] (Malwarebytes Corporation)
Malwarebytes -> C:\Documents and Settings\All Users\Application Data\Malwarebytes -> [2010/03/25 18:18:13 | 000,000,000 | ---D | C]
mbam.sys -> C:\WINDOWS\System32\drivers\mbam.sys -> [2010/03/25 18:18:12 | 000,019,160 | ---- | C] (Malwarebytes Corporation)
Malwarebytes' Anti-Malware -> C:\Program Files\Malwarebytes' Anti-Malware -> [2010/03/25 18:18:11 | 000,000,000 | ---D | C]
AV7 -> C:\Program Files\AV7 -> [2010/03/25 14:22:59 | 000,000,000 | ---D | C]
Microsoft -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft -> [2009/07/22 03:00:53 | 000,000,000 | ---D | M]
Microsoft -> C:\Documents and Settings\LocalService\Application Data\Microsoft -> [2008/08/27 21:29:26 | 000,000,000 | --SD | M]
Macromedia -> C:\Documents and Settings\LocalService\Application Data\Macromedia -> [2008/07/09 07:22:09 | 000,000,000 | ---D | M]
Adobe -> C:\Documents and Settings\LocalService\Application Data\Adobe -> [2008/07/09 07:22:09 | 000,000,000 | ---D | M]
Microsoft -> C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft -> [2008/07/09 07:22:07 | 000,000,000 | ---D | M]
Microsoft -> C:\Documents and Settings\NetworkService\Application Data\Microsoft -> [2007/12/02 04:01:21 | 000,000,000 | --SD | M]
Apple -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple -> [2007/09/27 11:21:02 | 000,000,000 | ---D | M]
Macromedia -> C:\Documents and Settings\NetworkService\Application Data\Macromedia -> [2004/11/19 12:25:30 | 000,000,000 | ---D | M]
66 C:\WINDOWS\Fonts\*.tmp files -> C:\WINDOWS\Fonts\*.tmp ->
3 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp ->
3 C:\*.tmp files -> C:\*.tmp ->
2600 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
23 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->

[Files/Folders - Modified Within 14 Days]
system.ini -> C:\WINDOWS\system.ini -> [2010/04/01 15:55:55 | 000,000,227 | ---- | M] ()
wpa.dbl -> C:\WINDOWS\System32\wpa.dbl -> [2010/04/01 15:54:49 | 000,001,158 | ---- | M] ()
hpsysdrv.DAT -> C:\WINDOWS\System\hpsysdrv.DAT -> [2010/04/01 15:54:43 | 000,001,403 | ---- | M] ()
Config.MPF -> C:\WINDOWS\System32\Config.MPF -> [2010/04/01 15:54:01 | 000,013,945 | ---- | M] ()
hosts -> C:\WINDOWS\System32\drivers\etc\hosts -> [2010/04/01 15:53:31 | 000,000,027 | ---- | M] ()
SA.DAT -> C:\WINDOWS\tasks\SA.DAT -> [2010/04/01 15:52:06 | 000,000,006 | -H-- | M] ()
bootstat.dat -> C:\WINDOWS\bootstat.dat -> [2010/04/01 15:52:02 | 000,002,048 | --S- | M] ()
hiberfil.sys -> C:\hiberfil.sys -> [2010/04/01 15:52:01 | 528,052,224 | -HS- | M] ()
ntuser.dat -> C:\Documents and Settings\Owner\ntuser.dat -> [2010/04/01 15:50:38 | 006,029,312 | ---- | M] ()
ntuser.ini -> C:\Documents and Settings\Owner\ntuser.ini -> [2010/04/01 15:50:38 | 000,000,178 | -HS- | M] ()
ComboFix.exe -> C:\Documents and Settings\Owner\Desktop\ComboFix.exe -> [2010/04/01 15:22:26 | 003,906,159 | R--- | M] ()
iTunes.lnk -> C:\Documents and Settings\All Users\Desktop\iTunes.lnk -> [2010/03/31 20:02:10 | 000,002,137 | ---- | M] ()
McDefragTask.job -> C:\WINDOWS\tasks\McDefragTask.job -> [2010/03/31 19:51:58 | 000,000,340 | ---- | M] ()
rootrepeal3.sys -> C:\WINDOWS\System32\drivers\rootrepeal3.sys -> [2010/03/31 16:47:24 | 000,034,816 | ---- | M] ()
rootrepeal2.sys -> C:\WINDOWS\System32\drivers\rootrepeal2.sys -> [2010/03/31 16:46:28 | 000,034,816 | ---- | M] ()
OTS.exe -> C:\Documents and Settings\Owner\Desktop\OTS.exe -> [2010/03/31 15:49:55 | 000,637,440 | ---- | M] (OldTimer Tools)
IMG.tif -> C:\Documents and Settings\Owner\Desktop\IMG.tif -> [2010/03/30 12:13:50 | 001,053,641 | ---- | M] ()
McQcTask.job -> C:\WINDOWS\tasks\McQcTask.job -> [2010/03/29 14:21:59 | 000,000,332 | ---- | M] ()
Disk Cleanup.job -> C:\WINDOWS\tasks\Disk Cleanup.job -> [2010/03/29 13:58:55 | 000,000,304 | ---- | M] ()
gmer.zip -> C:\Documents and Settings\Owner\Desktop\gmer.zip -> [2010/03/25 18:48:36 | 000,284,915 | ---- | M] ()
dds.scr -> C:\Documents and Settings\Owner\Desktop\dds.scr -> [2010/03/25 18:44:33 | 000,525,824 | ---- | M] ()
defogger_reenable -> C:\Documents and Settings\Owner\defogger_reenable -> [2010/03/25 18:42:43 | 000,000,000 | ---- | M] ()
Defogger.exe -> C:\Documents and Settings\Owner\Desktop\Defogger.exe -> [2010/03/25 18:42:14 | 000,050,477 | ---- | M] ()
ESBK.mbb -> C:\Documents and Settings\All Users\Documents\ESBK.mbb -> [2010/03/25 14:54:35 | 015,680,512 | R--- | M] ()
ESBK.mb -> C:\Documents and Settings\All Users\Documents\ESBK.mb -> [2010/03/25 14:54:35 | 008,282,112 | R--- | M] ()
.plugin141_02.trace -> C:\Documents and Settings\Owner\.plugin141_02.trace -> [2010/03/25 12:56:30 | 000,000,692 | ---- | M] ()
NurseNavigatorJuly09final[1].doc -> C:\Documents and Settings\Owner\My Documents\NurseNavigatorJuly09final[1].doc -> [2010/03/22 19:24:08 | 000,171,520 | ---- | M] ()
PerfStringBackup.INI -> C:\WINDOWS\System32\PerfStringBackup.INI -> [2010/03/20 07:42:28 | 000,524,016 | ---- | M] ()
perfh009.dat -> C:\WINDOWS\System32\perfh009.dat -> [2010/03/20 07:42:28 | 000,442,796 | ---- | M] ()
perfc009.dat -> C:\WINDOWS\System32\perfc009.dat -> [2010/03/20 07:42:28 | 000,071,936 | ---- | M] ()
3 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp ->
3 C:\*.tmp files -> C:\*.tmp ->
2600 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
23 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->

[Files - No Company Name]
PEV.exe -> C:\WINDOWS\PEV.exe -> [2010/04/01 15:23:48 | 000,261,632 | ---- | C] ()
sed.exe -> C:\WINDOWS\sed.exe -> [2010/04/01 15:23:48 | 000,098,816 | ---- | C] ()
grep.exe -> C:\WINDOWS\grep.exe -> [2010/04/01 15:23:48 | 000,080,412 | ---- | C] ()
MBR.exe -> C:\WINDOWS\MBR.exe -> [2010/04/01 15:23:48 | 000,077,312 | ---- | C] ()
zip.exe -> C:\WINDOWS\zip.exe -> [2010/04/01 15:23:48 | 000,068,096 | ---- | C] ()
ComboFix.exe -> C:\Documents and Settings\Owner\Desktop\ComboFix.exe -> [2010/04/01 15:22:10 | 003,906,159 | R--- | C] ()
rootrepeal3.sys -> C:\WINDOWS\System32\drivers\rootrepeal3.sys -> [2010/03/31 16:47:24 | 000,034,816 | ---- | C] ()
rootrepeal2.sys -> C:\WINDOWS\System32\drivers\rootrepeal2.sys -> [2010/03/31 16:46:28 | 000,034,816 | ---- | C] ()
iTunes.lnk -> C:\Documents and Settings\All Users\Desktop\iTunes.lnk -> [2010/03/30 21:29:38 | 000,002,137 | ---- | C] ()
IMG.tif -> C:\Documents and Settings\Owner\Desktop\IMG.tif -> [2010/03/30 12:13:50 | 001,053,641 | ---- | C] ()
gmer.zip -> C:\Documents and Settings\Owner\Desktop\gmer.zip -> [2010/03/25 18:48:28 | 000,284,915 | ---- | C] ()
dds.scr -> C:\Documents and Settings\Owner\Desktop\dds.scr -> [2010/03/25 18:44:32 | 000,525,824 | ---- | C] ()
defogger_reenable -> C:\Documents and Settings\Owner\defogger_reenable -> [2010/03/25 18:42:43 | 000,000,000 | ---- | C] ()
Defogger.exe -> C:\Documents and Settings\Owner\Desktop\Defogger.exe -> [2010/03/25 18:42:11 | 000,050,477 | ---- | C] ()
NurseNavigatorJuly09final[1].doc -> C:\Documents and Settings\Owner\My Documents\NurseNavigatorJuly09final[1].doc -> [2010/03/22 19:24:06 | 000,171,520 | ---- | C] ()
pmsbfn32.dll -> C:\WINDOWS\System32\pmsbfn32.dll -> [2008/05/18 08:02:04 | 000,011,776 | ---- | C] ()
MAXLINK.INI -> C:\WINDOWS\MAXLINK.INI -> [2008/05/18 08:00:01 | 000,000,412 | ---- | C] ()
GlobalUserInterface.CompositeFont -> C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont -> [2006/06/29 14:58:52 | 000,030,808 | ---- | C] ()
GlobalSansSerif.CompositeFont -> C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont -> [2006/06/29 14:53:56 | 000,026,489 | ---- | C] ()
GlobalSerif.CompositeFont -> C:\WINDOWS\Fonts\GlobalSerif.CompositeFont -> [2006/04/18 15:39:28 | 000,029,779 | ---- | C] ()
GlobalMonospace.CompositeFont -> C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont -> [2006/04/18 15:39:28 | 000,026,040 | ---- | C] ()
Acroread.ini -> C:\WINDOWS\Acroread.ini -> [2006/01/20 12:48:42 | 000,000,037 | ---- | C] ()
PICSDK.ini -> C:\WINDOWS\System32\PICSDK.ini -> [2005/12/14 12:28:20 | 000,000,097 | ---- | C] ()
EPCX4200.ini -> C:\WINDOWS\EPCX4200.ini -> [2005/12/14 12:25:33 | 000,000,044 | ---- | C] ()
OPPRIN~1.INI -> C:\WINDOWS\OPPRIN~1.INI -> [2005/10/29 13:45:19 | 000,000,000 | ---- | C] ()
liveup.ini -> C:\WINDOWS\liveup.ini -> [2005/06/26 07:33:06 | 000,000,044 | ---- | C] ()
ipixActivex.ini -> C:\WINDOWS\ipixActivex.ini -> [2004/08/27 16:10:29 | 000,000,037 | ---- | C] ()
kodakpcd.Owner.ini -> C:\WINDOWS\kodakpcd.Owner.ini -> [2004/06/29 09:18:58 | 000,000,022 | ---- | C] ()
ODBC.INI -> C:\WINDOWS\ODBC.INI -> [2004/01/16 19:37:04 | 000,000,376 | ---- | C] ()
Decln.dll -> C:\WINDOWS\System32\Decln.dll -> [2004/01/08 10:36:02 | 000,032,256 | ---- | C] ()
Declw.dll -> C:\WINDOWS\System32\Declw.dll -> [2004/01/08 10:36:02 | 000,014,629 | ---- | C] ()
cdPlayer.ini -> C:\WINDOWS\cdPlayer.ini -> [2003/12/07 08:59:29 | 000,009,373 | ---- | C] ()
EPSP820.ini -> C:\WINDOWS\EPSP820.ini -> [2003/12/06 20:57:07 | 000,000,045 | ---- | C] ()
smscfg.ini -> C:\WINDOWS\smscfg.ini -> [2003/07/26 06:17:16 | 000,000,061 | ---- | C] ()
mshrml.ini -> C:\WINDOWS\System32\mshrml.ini -> [2003/07/26 04:57:44 | 000,000,051 | ---- | C] ()
JAWTAccessBridge.dll -> C:\WINDOWS\System32\JAWTAccessBridge.dll -> [2003/07/24 06:10:43 | 000,028,672 | ---- | C] ()
PcdrKernelModeServices.dll -> C:\WINDOWS\System32\PcdrKernelModeServices.dll -> [2003/07/24 06:10:24 | 000,094,208 | ---- | C] ()
ProgressTrace.dll -> C:\WINDOWS\System32\ProgressTrace.dll -> [2003/07/24 06:10:24 | 000,077,824 | ---- | C] ()
PCDrJNI_1_1.dll -> C:\WINDOWS\System32\PCDrJNI_1_1.dll -> [2003/07/24 06:05:31 | 000,167,936 | ---- | C] ()
CHODDI.SYS -> C:\WINDOWS\System32\CHODDI.SYS -> [2003/07/24 06:02:11 | 000,025,438 | ---- | C] ()
syscontr.dll -> C:\WINDOWS\System32\syscontr.dll -> [2003/07/24 06:01:47 | 000,024,576 | ---- | C] ()
hpreg.dll -> C:\WINDOWS\System32\hpreg.dll -> [2003/07/24 06:01:15 | 000,045,056 | ---- | C] ()
intuprof.ini -> C:\WINDOWS\intuprof.ini -> [2003/07/24 05:47:54 | 000,000,052 | ---- | C] ()
QUICKEN.INI -> C:\WINDOWS\QUICKEN.INI -> [2003/07/24 05:47:40 | 000,000,608 | ---- | C] ()
fxsperf.ini -> C:\WINDOWS\System32\fxsperf.ini -> [2003/07/24 05:19:54 | 000,001,793 | ---- | C] ()
psisdecd.dll -> C:\WINDOWS\System32\psisdecd.dll -> [2003/07/24 04:52:31 | 000,363,520 | ---- | C] ()
PythonCOM22.dll -> C:\WINDOWS\System32\PythonCOM22.dll -> [2003/07/24 04:44:55 | 000,299,073 | ---- | C] ()
PyWinTypes22.dll -> C:\WINDOWS\System32\PyWinTypes22.dll -> [2003/07/24 04:44:55 | 000,065,536 | ---- | C] ()
bcbmm.dll -> C:\WINDOWS\System32\bcbmm.dll -> [2003/07/24 04:44:37 | 000,016,896 | ---- | C] ()
orun32.ini -> C:\WINDOWS\orun32.ini -> [2003/07/24 04:32:33 | 000,000,802 | ---- | C] ()
oeminfo.ini -> C:\WINDOWS\System32\oeminfo.ini -> [2003/07/24 04:18:12 | 000,000,552 | ---- | C] ()
1_ssetup.ini -> C:\WINDOWS\System32\1_ssetup.ini -> [2003/07/24 01:46:21 | 000,000,438 | ---- | C] ()
sunistlog.ini -> C:\WINDOWS\System32\sunistlog.ini -> [2003/07/24 01:46:21 | 000,000,000 | ---- | C] ()
px.ini -> C:\WINDOWS\System32\px.ini -> [2003/06/23 21:27:16 | 000,000,000 | ---- | C] ()
lockout.dll -> C:\WINDOWS\System32\lockout.dll -> [2002/05/24 11:00:00 | 000,208,896 | ---- | C] ()
lockres.dll -> C:\WINDOWS\System32\lockres.dll -> [2002/05/24 11:00:00 | 000,045,056 | ---- | C] ()

[File - Lop Check]
CanonBJ -> C:\Documents and Settings\All Users\Application Data\CanonBJ -> [2008/05/18 07:45:56 | 000,000,000 | -H-D | M]
Maxtor -> C:\Documents and Settings\All Users\Application Data\Maxtor -> [2008/09/01 13:47:30 | 000,000,000 | ---D | M]
ScanSoft -> C:\Documents and Settings\All Users\Application Data\ScanSoft -> [2008/05/18 07:59:46 | 000,000,000 | ---D | M]
Viewpoint -> C:\Documents and Settings\All Users\Application Data\Viewpoint -> [2008/09/07 19:38:20 | 000,000,000 | ---D | M]
{429CAD59-35B1-4DBC-BB6D-1DB246563521} -> C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521} -> [2010/03/30 21:29:33 | 000,000,000 | ---D | M]
{755AC846-7372-4AC8-8550-C52491DAA8BD} -> C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD} -> [2009/10/10 06:10:34 | 000,000,000 | ---D | M]
{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} -> C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} -> [2009/05/01 09:45:30 | 000,000,000 | ---D | M]
Canon -> C:\Documents and Settings\Owner\Application Data\Canon -> [2008/05/18 08:26:51 | 000,000,000 | ---D | M]
interMute -> C:\Documents and Settings\Owner\Application Data\interMute -> [2006/06/25 12:25:53 | 000,000,000 | ---D | M]
InterVideo -> C:\Documents and Settings\Owner\Application Data\InterVideo -> [2005/09/28 06:13:17 | 000,000,000 | ---D | M]
Leadertech -> C:\Documents and Settings\Owner\Application Data\Leadertech -> [2005/12/14 12:33:21 | 000,000,000 | ---D | M]
NewSoft -> C:\Documents and Settings\Owner\Application Data\NewSoft -> [2008/05/18 16:11:42 | 000,000,000 | ---D | M]
SampleView -> C:\Documents and Settings\Owner\Application Data\SampleView -> [2003/07/24 06:02:08 | 000,000,000 | ---D | M]
ScanSoft -> C:\Documents and Settings\Owner\Application Data\ScanSoft -> [2008/05/18 07:59:51 | 000,000,000 | ---D | M]
Skinux -> C:\Documents and Settings\Owner\Application Data\Skinux -> [2008/06/29 19:43:26 | 000,000,000 | ---D | M]
Snapfish -> C:\Documents and Settings\Owner\Application Data\Snapfish -> [2008/02/10 17:46:11 | 000,000,000 | ---D | M]
Template -> C:\Documents and Settings\Owner\Application Data\Template -> [2003/12/06 21:05:01 | 000,000,000 | ---D | M]
Viewpoint -> C:\Documents and Settings\Owner\Application Data\Viewpoint -> [2007/08/30 20:19:01 | 000,000,000 | ---D | M]
Disk Cleanup.job -> C:\WINDOWS\Tasks\Disk Cleanup.job -> [2010/03/29 13:58:55 | 000,000,304 | ---- | M] ()
McDefragTask.job -> C:\WINDOWS\Tasks\McDefragTask.job -> [2010/03/31 19:51:58 | 000,000,340 | ---- | M] ()
McQcTask.job -> C:\WINDOWS\Tasks\McQcTask.job -> [2010/03/29 14:21:59 | 000,000,332 | ---- | M] ()

[File - Purity Scan]

< End of report >
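The OTS listing above is what the helper reads by eye: one line per file with path, timestamp, size, attribute flags, a C/M (created/modified) marker and the company name from the file's version info, grouped under bracketed section headers. As an added example, not part of this thread or of the OTS tool, the Python below parses that line format and applies the triage rule the "[Files - No Company Name]" section implies: executables under the Windows directory whose company field is empty and which were created inside the report's 14-day window. The sample lines are copied from the log above; the run time is an assumed value, as is the 14-day window.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample: a handful of lines copied from the OTS log above.
# Directory entries carry no trailing "(company)" field, and the "*.tmp"
# summary line has no timestamp block at all, so the parser must skip it.
SAMPLE_LOG = r"""
[Files/Folders - Created Within 14 Days]
SWXCACLS.exe -> C:\WINDOWS\SWXCACLS.exe -> [2010/04/01 15:23:48 | 000,212,480 | ---- | C] (SteelWerX)
ERDNT -> C:\WINDOWS\ERDNT -> [2010/04/01 15:23:07 | 000,000,000 | ---D | C]
AV7 -> C:\Program Files\AV7 -> [2010/03/25 14:22:59 | 000,000,000 | ---D | C]
2600 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->

[Files - No Company Name]
PEV.exe -> C:\WINDOWS\PEV.exe -> [2010/04/01 15:23:48 | 000,261,632 | ---- | C] ()
pmsbfn32.dll -> C:\WINDOWS\System32\pmsbfn32.dll -> [2008/05/18 08:02:04 | 000,011,776 | ---- | C] ()
lockout.dll -> C:\WINDOWS\System32\lockout.dll -> [2002/05/24 11:00:00 | 000,208,896 | ---- | C] ()
"""

# Assumed time the report was taken (the log above is dated 2010/04/01).
SAMPLE_RUN_TIME = datetime(2010, 4, 1, 16, 0, 0)

SECTION_RE = re.compile(r"^\[(?P<section>[^\]]+)\]$")
ENTRY_RE = re.compile(
    r"^(?P<name>.+?) -> (?P<path>.+?) -> "
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))?$"
)


@dataclass
class Entry:
    section: str
    name: str
    path: str
    timestamp: datetime
    size: int
    attrs: str              # the four attribute flags, e.g. "-HS-", "---D"
    kind: str               # OTS flag: C = created, M = modified
    company: Optional[str]  # None when the line has no "(...)" field (directories)


def parse_ots(text: str) -> List[Entry]:
    """Parse OTS file/folder listing lines into Entry records."""
    entries: List[Entry] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("section")
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # summary lines ("2600 ... *.tmp files") have no timestamp block
        entries.append(Entry(
            section=section,
            name=m.group("name"),
            path=m.group("path"),
            timestamp=datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
            size=int(m.group("size").replace(",", "")),
            attrs=m.group("attrs"),
            kind=m.group("kind"),
            company=m.group("company"),
        ))
    return entries


EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


def suspicious_binaries(entries: List[Entry], run_time: datetime,
                        window_days: int = 14) -> List[str]:
    """Paths of executables under the Windows directory that carry no company
    name and were created inside the window. This is a heuristic: every hit
    still needs a human verdict, because helper tools that a cleanup utility
    unpacks into the Windows directory match it just as well."""
    cutoff = run_time - timedelta(days=window_days)
    hits: List[str] = []
    for e in entries:
        if e.kind != "C" or e.timestamp < cutoff:
            continue
        lowered = e.path.lower()
        if not lowered.endswith(EXECUTABLE_EXT):
            continue
        if not lowered.startswith(r"c:\windows"):
            continue
        if e.company == "":  # "()" in the log: empty version-info company field
            hits.append(e.path)
    return hits


if __name__ == "__main__":
    for path in suspicious_binaries(parse_ots(SAMPLE_LOG), SAMPLE_RUN_TIME):
        print("review:", path)
```

On the sample, only PEV.exe is flagged. The log itself shows why that hit is still a manual decision: it was written in the same second as the SteelWerX tools listed under "Created Within 14 Days", which is the ComboFix toolkit dever had just run, so the rule surfaces candidates for review rather than verdicts.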

#8 Ltangelic

Ltangelic

    Angel Annihilator of Malware


  • Members
  • 348 posts
  • Gender:Female
  • Location:Somewhere
  • Local time:10:10 AM

Posted 02 April 2010 - 09:12 AM

Hey dever,

Thank you for the logs, looks like ComboFix did a pretty good job.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (McAfee) as it/they may hinder the tools from running. Instructions are in the link below:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

1) Run CFScript

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
:DDS::
TB: {FE6BC4EF-5676-484B-88AE-883323913256} - No File
EB: {90C61707-C8F8-43DB-A25C-C1F4B18EE41E} - No File
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll

Folder::
c:\program files\AV7

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000

RegLockDel::
[HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\Software\Microsoft\SystemCertificates\AddressBook*]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt .

2) Run MBAM scan
  • Open Malwarebytes by clicking on its shortcut on desktop. Please click on the "Update" tab and click "Check for Updates".
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next reply (please include in your post):

Tell me how your computer is doing
ComboFix.txt
MBAM scan log

Bleepingcomputer Malware Response Team

Please do NOT PM anyone with HJT logs, read this and post your logs here.


#9 dever

dever
  • Topic Starter

  • Members
  • 33 posts
  • Gender:Male
  • Location:NH
  • Local time:10:10 PM

Posted 04 April 2010 - 06:26 PM

Hey Ltangelic,

So here are the results of the two scans. No problems running either... MBAM didn't find anything, and combofix, well you tell me - that's a bit over my head...

The computer seems to be running OK. Like I said before, it's my mother-in-law's machine, so I don't have a great feel for its history, but I've always complained about it seeming sluggish, and if anything, it definitely is running better than usual. There have definitely been no further signs of actual malware.

Thank you again for all of your great help!

dev

ComboFix 10-04-03.02 - Owner 04/04/2010 18:06:06.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.504.286 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AV7
c:\windows\AppPatch\AcAdProc.dll
c:\windows\Temp\0134421270354176mcinst.exe

.
((((((((((((((((((((((((( Files Created from 2010-03-04 to 2010-04-04 )))))))))))))))))))))))))))))))
.

2010-03-31 20:47 . 2010-03-31 20:47 34816 ----a-w- c:\windows\system32\drivers\rootrepeal3.sys
2010-03-31 20:46 . 2010-03-31 20:46 34816 ----a-w- c:\windows\system32\drivers\rootrepeal2.sys
2010-03-31 01:27 . 2010-03-31 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-03-31 01:27 . 2010-03-31 01:29 -------- d-----w- c:\program files\iTunes
2010-03-31 01:19 . 2010-03-31 01:21 -------- d-----w- c:\program files\QuickTime
2010-03-31 01:11 . 2010-03-31 01:11 -------- d-----w- c:\program files\Bonjour
2010-03-25 22:18 . 2010-03-25 22:18 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-03-25 22:18 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-25 22:18 . 2010-03-25 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-25 22:18 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-25 22:18 . 2010-03-25 22:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-10 09:41 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX4200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-08 98304]
"NVIEW"="nview.dll" [2003-05-03 835654]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"nwiz"="nwiz.exe" [2003-05-03 323584]
"PS2"="c:\windows\system32\ps2.exe" [2002-08-01 81920]
"EPSON Stylus CX4200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-08 98304]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-07-20 180269]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Audible Download Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Audible Download Manager.lnk
backup=c:\windows\pss\Audible Download Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 18:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2004-08-20 20:51 118784 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-08-20 20:55 155648 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 05:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
2008-07-21 21:16 169312 ----a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2003-05-03 06:19 4640768 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
2003-05-03 06:19 835654 ----a-w- c:\windows\system32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2007-02-04 16:02 79400 ----a-w- c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 13:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-07-20 15:43 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 05:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
2006-09-20 12:35 20480 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S2 0134421270354176mcinstcleanup;McAfee Application Installer Cleanup (0134421270354176);c:\windows\TEMP\013442~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\013442~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 rootrepeal2;rootrepeal2;c:\windows\system32\drivers\rootrepeal2.sys [3/31/2010 4:46 PM 34816]
S3 rootrepeal3;rootrepeal3;c:\windows\system32\drivers\rootrepeal3.sys [3/31/2010 4:47 PM 34816]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 0134421270354176MCINSTCLEANUP
.
Contents of the 'Scheduled Tasks' folder

2010-03-29 c:\windows\Tasks\Disk Cleanup.job
- c:\documents and settings\Owner\My Documents\clean.bat [2003-12-22 21:35]

2010-03-31 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-09-14 16:22]

2010-03-29 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-09-14 16:22]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = localhost;*.local
IE: c:\progra~1\COMMON~1\BTLINK\btlink.dll//iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\p25ltiag.default\
FF - prefs.js: browser.startup.homepage - www.msn.com
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPJPI141_02.dll
FF - plugin: c:\program files\Java\j2re1.4.1_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-04 18:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3622777010-2906908073-3483555715-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3740)
c:\windows\system32\WININET.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-04-04 18:47:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-04 22:47
ComboFix2.txt 2010-04-01 20:15

Pre-Run: 72,081,326,080 bytes free
Post-Run: 72,079,663,104 bytes free

- - End Of File - - 588AAFA0614BE131F501E6F4146FB497


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/4/2010 7:03:49 PM
mbam-log-2010-04-04 (19-03-49).txt

Scan type: Quick scan
Objects scanned: 108520
Time elapsed: 13 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


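The ComboFix sections pasted above (Run keys, Startup folder entries, Security Center Monitoring keys, services) are what a responder reads first. As an added example, and not code from the thread, from ComboFix or from OTL, here is a small Python triage script over lines in exactly that format. The sample input is constructed: most lines are copied from the log above, and the `updater` Run value is a hypothetical entry added so that the location rule has something to fire on. The names `triage` and `classify` belong to this example only.

```python
"""Triage of ComboFix-style autostart output (added example; not ComboFix/OTL code).

Parses lines in the format of the log above and flags what a responder checks
first: autostarts or services whose image lives in a temporary or per-user
directory, Run values that give only a bare file name, and Security Center
"DisableMonitoring" entries.  The sample below is constructed: most lines are
copied from the posted log, the "updater" Run value is a hypothetical entry
added so the location rule has something to fire on.
"""
import re
from typing import Dict, List

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"NVIEW"="nview.dll" [2003-05-03 835654]
"updater"="c:\documents and settings\Owner\Application Data\svchost.exe" [2010-03-25 61440]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
mod_sm.lnk - c:\hp\bin\cloaker.exe [1999-11-7 27136]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

S2 0134421270354176mcinstcleanup;McAfee Application Installer Cleanup (0134421270354176);c:\windows\TEMP\013442~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 rootrepeal2;rootrepeal2;c:\windows\system32\drivers\rootrepeal2.sys [3/31/2010 4:46 PM 34816]
"""

SECTION = re.compile(r'^\[(?P<key>[^\]]+)\]$')
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<image>[^"]*)"\s+\[(?P<stamp>[^\]]*)\]$')
STARTUP_LNK = re.compile(r'^(?P<name>\S+\.lnk) - (?P<image>.+?) \[(?P<stamp>[^\]]*)\]$')
# Service lines: "<start> <name>;<display>;<image path and args> [...]".  The image
# is taken up to the first space, which is fine for the 8.3 short names ComboFix
# prints here but would truncate a long path containing spaces.
SERVICE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>\S+)')
DISABLE_MON = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.IGNORECASE)

# Directories a normal autostart should not run from on XP (user- or world-writable).
SUSPICIOUS_DIRS = ("\\temp\\", "\\documents and settings\\", "\\application data\\",
                   "\\local settings\\", "\\recycler\\")


def classify(image: str):
    """Return (severity, reason) for an image path, or None if nothing stands out."""
    low = image.lower()
    if not re.match(r'^[a-z]:\\', low):
        return ("info", "bare file name, resolved through the search path; confirm which file loads")
    for d in SUSPICIOUS_DIRS:
        if d in low:
            return ("high", "image runs from user-writable location " + d.strip("\\"))
    return None


def triage(log_text: str) -> List[Dict[str, str]]:
    """Walk the log once, tracking the current registry section, and collect findings."""
    findings: List[Dict[str, str]] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group("key")
            continue
        if "security center\\monitoring" in section.lower() and DISABLE_MON.match(line):
            product = section.rsplit("\\", 1)[-1]
            findings.append({"severity": "review", "source": "Security Center", "name": product,
                             "image": "",
                             "reason": "Security Center monitoring disabled for this product; "
                                       "expected when the product itself set it, otherwise suspicious"})
            continue
        for pattern, source in ((RUN_ENTRY, "Run key"), (STARTUP_LNK, "Startup folder"), (SERVICE, "service")):
            m = pattern.match(line)
            if not m:
                continue
            verdict = classify(m.group("image"))
            if verdict:
                findings.append({"severity": verdict[0], "source": source, "name": m.group("name"),
                                 "image": m.group("image"), "reason": verdict[1]})
            break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['source']:15} {f['name']}: {f['image']} ({f['reason']})")
```

On the sample this reports the bare `nview.dll` name as informational, the constructed `updater` value and the McAfee installer-cleanup service (image under `c:\windows\TEMP`) as high, and the McAfee `DisableMonitoring` value for review. The real log's McAfee entries are legitimate; the point of the rules is to surface the small set of lines worth a closer look, not to decide on their own.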
#10 Ltangelic (Angel Annihilator of Malware)

  • Members
  • 348 posts
  • Gender:Female
  • Location:Somewhere

Posted 06 April 2010 - 09:18 AM

Hi,

Sincere apologies for the late reply. I will be unavailable from today and a fellow colleague will take over and help you instead. Please be patient in waiting for a reply, thank you.

Bleepingcomputer Malware Response Team

Please do NOT PM anyone with HJT logs, read this and post your logs here.


#11 dever (Topic Starter)

  • Members
  • 33 posts
  • Gender:Male
  • Location:NH

Posted 06 April 2010 - 09:30 AM

No problem LtA,

Thanks for your help until now!

dev

#12 schrauber (Mr.Mechanic)

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich, Germany

Posted 06 April 2010 - 11:09 AM

Hello, dever
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

I will review the topic now. In the meantime, please tell me how the system is running and run this tool:

  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware
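The `/md5start ... /md5stop` list in the OTL custom scan above makes OTL print the MD5 of each named system file, so that the responder can compare it with the hash of a clean copy of the same version; drivers such as atapi.sys are patched in place by some rootkits, so name, size and date can all look right while the content differs. As an added example, not OTL's code and not from the thread, here is that comparison step in Python. The files and their hashes are constructed in a temporary directory (they are not real Windows hashes), and `check_files`, `md5_of` and `demo` are names of this example only.

```python
"""Known-good hash comparison, the check behind OTL's /md5start ... /md5stop list
(added example; not OTL's code and not part of the thread).

check_files() compares the MD5 of each file under a directory with a baseline
of known-good digests and reports ok / MISMATCH / MISSING.  demo() builds the
whole scenario in a temporary directory with constructed file contents: two
clean files, one of them then patched in place, and one baseline entry for a
file that is not present at all.
"""
import hashlib
import os
import tempfile
from typing import Dict


def md5_of(path: str, chunk: int = 1 << 16) -> str:
    """Stream the file so large drivers do not have to be read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_files(root: str, baseline: Dict[str, str]) -> Dict[str, str]:
    """Map each baseline file name to 'ok', 'MISMATCH' or 'MISSING'.

    root is the directory the files live in (e.g. %systemroot%\\system32\\drivers);
    baseline maps file name -> expected MD5 hex digest of the clean version.
    """
    report: Dict[str, str] = {}
    for name, expected in baseline.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            report[name] = "MISSING"
        elif md5_of(path).lower() == expected.lower():
            report[name] = "ok"
        else:
            report[name] = "MISMATCH"
    return report


def demo() -> Dict[str, str]:
    """Constructed scenario: two clean files, one patched in place, one absent."""
    root = tempfile.mkdtemp(prefix="md5demo_")
    clean = {
        "atapi.sys": b"constructed clean atapi.sys contents",
        "scecli.dll": b"constructed clean scecli.dll contents",
    }
    for name, data in clean.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    baseline = {name: hashlib.md5(data).hexdigest() for name, data in clean.items()}
    baseline["iaStor.sys"] = "0" * 32  # in the baseline but not present on this box

    # Simulate an in-place patch: same file name and size, a few bytes overwritten.
    with open(os.path.join(root, "atapi.sys"), "r+b") as fh:
        fh.seek(8)
        fh.write(b"PATCH")

    return check_files(root, baseline)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12} {status}")
```

Two caveats when using this for real: a mismatch only means the file differs from the baseline version you chose, so after a Windows Update you must compare against the hash of that exact build rather than an older one, and a match is only as trustworthy as the source of the baseline. MD5 is adequate for spotting an in-place patch against a trusted baseline but is not collision resistant; a current tool would use SHA-256 for the same job.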

#13 dever (Topic Starter)

  • Members
  • 33 posts
  • Gender:Male
  • Location:NH

Posted 08 April 2010 - 02:15 PM

Hi Tom,

Thanks for taking over this project. I had to take a trip out of town through next week, so it will be just a little while before I can get back to the desktop machine that we were working on. Is it every five days that this topic needs to show activity in order to stay active? I will be able to load and run the program you requested next weekend. If needed I can post a comment mid week to keep the topic active.

Thanks again for your help, in advance.

dev

#14 schrauber (Mr.Mechanic)

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich, Germany

Posted 08 April 2010 - 03:32 PM

Hi,

You can post a short comment or just send me a PM after the topic is closed; I will reopen it asap.
regards,
schrauber


#15 schrauber (Mr.Mechanic)

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich, Germany

Posted 12 April 2010 - 11:20 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber
