Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Email Spammer


  • This topic is locked This topic is locked
19 replies to this topic

#1 aninkling

aninkling

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 29 March 2010 - 09:36 AM

Emails are being sent to many on the email list. This is a VISTA AMD 64 system. Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:45 PM, on 3/28/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
c:\PROGRA~2\mcafee.com\agent\mcagent.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\STService.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
C:\Windows\System32\spool\drivers\x64\3\E_S10IC2.EXE
C:\Program Files (x86)\Polar\WebSync\WebSync.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWow64\Macromed\Flash\FlashUtil10e.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://m.www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~2\mcafee\msk\mskapbho.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\vdeck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files (x86)\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe
O4 - HKLM\..\RunOnce: [STToasterLauncher] C:\program files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe
O4 - HKCU\..\Run: [EPSON Stylus CX7800 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIAFA.EXE /FU "C:\Windows\TEMP\E_S945.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
O4 - Global Startup: Polar WebSync.lnk = ?
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\WildTangent\Dell Games\Dell Game Console\GameConsoleService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~2\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files (x86)\Common Files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\PROGRA~2\COMMON~1\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~2\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files (x86)\McAfee\MPF\MPFSrv.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files (x86)\McAfee\MSK\MskSrver.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Polar Daemon - Unknown owner - C:\Program Files (x86)\Polar\Daemon\polard.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SoftThinks Agent Service (SftService) - SoftThinks - C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 12277 bytes




BC AdBot (Login to Remove)

 


#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:34 AM

Posted 02 April 2010 - 02:44 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#3 aninkling

aninkling
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 03 April 2010 - 12:21 PM

First the description and then some things I did before the most recent post above was added.

Description of problem: Several people, related by being in the same community, are receiving at least SPAM emails and maybe more dangerous emails mailed from each other's email accounts. We have a mass email trojan somewhere in the community. This owner of this particular computer reported the problem. Since then, there has been another community member reporting the problem. I ran the above Hijackthis on the first person's computer- above.

There were 3 main issues I have with the HiJackThis output.
1. The alg.exe file, and the rest of the line in O23.
2. All the @*.dll files in O23.
3. All the (file missing) entries.

I ran Malwarebytes full scan and Windows Essentials full scan. There was one entry in Malwarebytes that related to a key turned off... I didn't consider that important but deleted it anyway. The Windows Essentials run revealed nothing.

I looked at the running programs using the Glary Utilities process viewer app and saw nothing unusual. I used the startup app and saw nothing unusual.

I thought the files missing entries were a problem and found the following on the COMODO web site:

Repairing Corrupt Vista Files

Hi,

All who are using Vista OS very well know that most of the Vista errors occurs due to system corrupt files. Repairing or troubleshooting these files manually is almost near to impossible.

Thanks to Vista's inbuild "System File checker" application or we can say a inbuild tool. A "System File checker" verifys the integrity of all core system files very effitiently.So lets see how this happens.

Basically there are two types of scan system in "Syatem File checker" i.e
1) Verification mode
2) Scan/Repair mode

The Verification mode will only check the files without reparing them and makes you know which files are corrupt.And the second one Scan/Repair Mode will automatically fix errors it finds.

To start open the command prompt by typing cmd in Run box.

Then, type one of the following commands in command prompt depending on the type of scan you wish to perform:

1. sfc /verifyonly ->To verify any corrupt files only.
2. sfc /scannow ->To verify and fix any corrupt files.


Now the scan will start and this will inform you of any files that are corrupt or require fixing.


This is a 64 bit Windows 7 system, but I found a web entry that said the procedure was the same as for Vista. So I did a verifyonly and there were many errors. I did a scannow. I then reran Hijackthis.

Here are the results:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:45 PM, on 3/28/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
c:\PROGRA~2\mcafee.com\agent\mcagent.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\STService.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
C:\Windows\System32\spool\drivers\x64\3\E_S10IC2.EXE
C:\Program Files (x86)\Polar\WebSync\WebSync.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWow64\Macromed\Flash\FlashUtil10e.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://m.www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~2\mcafee\msk\mskapbho.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\vdeck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files (x86)\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe
O4 - HKLM\..\RunOnce: [STToasterLauncher] C:\program files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe
O4 - HKCU\..\Run: [EPSON Stylus CX7800 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIAFA.EXE /FU "C:\Windows\TEMP\E_S945.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
O4 - Global Startup: Polar WebSync.lnk = ?
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\WildTangent\Dell Games\Dell Game Console\GameConsoleService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~2\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files (x86)\Common Files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\PROGRA~2\COMMON~1\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~2\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files (x86)\McAfee\MPF\MPFSrv.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files (x86)\McAfee\MSK\MskSrver.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Polar Daemon - Unknown owner - C:\Program Files (x86)\Polar\Daemon\polard.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SoftThinks Agent Service (SftService) - SoftThinks - C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 12277 bytes


Didn't help much, did it? So... Shall I continue as you instructed? Above all, please tell me what all the (file missing)'s mean. And tell me what the @*.dll entries mean. The sfc removed some, but not all, of the @*.dll entries.

Thanks

#4 aninkling

aninkling
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 03 April 2010 - 12:28 PM

I was reading over my most recent post and saw some words I should clarify. I haven't been able to "see" the source code of the email messages in order to understand who is actually sending the emails. I understand that only one person in the community needs to be infected. That person's infected computer can then communicate with it's master and send out whatever the master wants mailed. As part of the mailing, the rogue program can insert any email address it finds on the computer as the "sender" of the email. In other words, it is not that all the computers are infected. The trick is finding the one or more that is.

#5 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:34 AM

Posted 03 April 2010 - 01:13 PM

Yes, please follow my above instructions, then I can have a deeper look and answer your questions.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#6 aninkling

aninkling
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 05 April 2010 - 12:31 PM

This is the first time I have had this problem: Neither dds.scr or GMER will run. I've turned off all known antivirus, after disconnecting from the internet. I've tried both standard and safe mode. I don't get any message from dds.scr other than the standard wait 3 minutes and a log will display. From GMER I get the message that c:windows\system32\config\system doesn't exist.

I thought maybe, because this was a 64 bit system, I'd have to run in compatibility mode, but, alas, I can't control that attribute.

Directions please. Thank you.

#7 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:34 AM

Posted 06 April 2010 - 01:44 PM

Hello, aninkling
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fixing your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.





  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#8 aninkling

aninkling
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 07 April 2010 - 12:00 PM

I will do as you describe. For reference, I am adding here an email that was sent by the spammer. Note that it even responded to itself (near the end). I have xxed out the original email user id to protect identities. (This was created by 1 receiving the email from the victim, 2 copying it to Word, 3 exporting that as an html file, 4 opening in Firefox 5 viewing source 6 copying source here and removing some of the extra Word code and xxxxing out the userids and yyyying out domains.

I would particularly like to know what the http://mc/compose? means?

[codebox]
--- On <b>Sat, 3/27/10, <a href="mailto:MAILER-DAEMON@yahoo.com" target="_blank">MAILER-DAEMON@yahoo.com</a>
<i><<a href="mailto:MAILER-DAEMON@yahoo.com" target="_blank">MAILER-DAEMON@yahoo.com</a>></i></b>
wrote:<o:p></o:p></span></p>

<p><br>
From: <a href="mailto:MAILER-DAEMON@yahoo.com" target="_blank">MAILER-DAEMON@yahoo.com</a>

<<a href="mailto:MAILER-DAEMON@yahoo.com" target="_blank">MAILER-DAEMON@yahoo.com</a>><br>
Subject: failure notice<br>
<span class=GramE>To</span>: <a href="mailto:xxxx@yahoo.com" target="_blank">xxxx@yahoo.com</a><br>
Date: Saturday, March 27, 2010, 11:29 PM<o:p></o:p></span></p>

Hi. This is the <span class=SpellE>qmail</span>-send
program at <a href="http://yahoo.com" target="_blank">yahoo.com</a>.<br>

I'm afraid I wasn't able to deliver your message to the following addresses.<br>
This is a permanent error; I've given up. Sorry it didn't work out.<br>
<br>
<<a href="http://mc/compose?to=yyyyy1@zzzz"
target="_blank">yyyyy1@zzzz</a>><span class=GramE>:</span><br>
Sorry, I couldn't find any host named <a href="http://zzzz"
target="_blank">zzzz</a>. (#5.1.2)<br>
<br>
<<a href="http://mc/compose?to=yyyyy2@zzzz2" target="_blank">yyyyy1@zzzz2</a>><span
class=GramE>:</span><br>
Sorry, I couldn't find any host named <a href="http://zzzz2"
target="_blank">zzzz2</a>. (#5.1.2)<br>

<br>
<<a href="http://mc/compose?to=yyyy3@zzzz3"
target="_blank">yyyy3@zzzz3</a>>:<br>
66.159.90.115 does not like recipient.<br>
Remote host said: 550 No such user (<a
href="http://mc/compose?to=yyyy3@zzzz3" target="_blank">yyyy3@zzzz3</a><span
class=GramE>)</span><br>
Giving up on 66.159.90.115.<br>
<br>
<<a href="http://mc/compose?to=yyyy4@zzzz4" target="_blank">yyyy4@zzzz4</a>>:<br>
207.115.11.16 does not like recipient.<br>

Remote host said: 551 not our customer<br>
Giving up on 207.115.11.16.<br>
<br>
<<a href="http://mc/compose?to=yyyy5@zzzz5" target="_blank">yyyy5@zzzz5</a>><span
class=GramE>:</span><br>
CNAME lookup failed temporarily. (#4.4.3)<br>
I'm not going to try again; this message has been in the queue too long.<br>
<br>
--- Below this line is a copy of the message.<br>
<br>
Return-Path: <<a href="http://mc/compose?to=xxxx@yahoo.com"
target="_blank">xxxx@yahoo.com</a>><br>

Received: (<span class=SpellE>qmail</span> 72405 invoked by <span class=SpellE>uid</span>
60001); 27 Mar 2010 02:29:05 -0000<br>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=<a
href="http://yahoo.com" target="_blank">yahoo.com</a>; s=s1024; t=1269656945; <span
class=SpellE>bh</span>=lmCwPQ2OMfL8V6NuMxcV/cDgzubwSUULbfJ02KDrSCY=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
b=jG3sPCWlThfWcUDDjE/if6HuBz0hBfowbeIeGa+rWhpWr2HE5+urYJlIOf5go1jXKQJVcPKsXTDkXL+ry1ab1MP0RPTrDCZMv3GdhQNsv7kpkyxTYpPCTG3ms79rbinuDiSJAgadKG4n2dSybdOdn8+fOYqgEIc2HppgKHXmqD4=<br>
<span class=SpellE>DomainKey-Signature:a</span>=rsa-sha1; q=<span class=SpellE>dns</span>;
c=<span class=SpellE>nofws</span>;<br>

á s=s1024; d=<a href="http://yahoo.com" target="_blank">yahoo.com</a>;<br>
á
h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;<br>
á b=XSUCx0MYUAtrGfOnAxfCj4bko6O0FEkphoHPwGtsf7JGg+yK/yFw7I3T683zSM/+nVX6/VOc2URezWMHOEwLMwJ+R3Peyz2PYl8mL8fG5sjF/O+c0O1ZvsyIkBfwftqdYVCFJ3Q7vEKMWbEHs+cYk2VB7x8bn+Ire+fymkY0sho=;<br>
Message-ID: <<a
href="http://mc/compose?to=103867.71482.qm@web33007.mail.mud.yahoo.com"
target="_blank">103867.71482.qm@web33007.mail.mud.yahoo.com</a>><br>
X-<span class=SpellE>YMail</span>-OSG:
5TL0W.MVM1mdqivVij8hVak20T6QPx0_OMuli19.DzDl2K9<br>

_fRdvcuey7dyQFnEPKIYCpmANYxG4hCK6y7b1TnS_XpijCbV7pfnlG8q86iV<br>
VreIoxx4IQKsi5EYHHiBVoZk2Z0Rc03w9v06uYYfvHWrFFND7Roo5NmXqxvO<br>
pit5UOF35x5YxRrQkLDV5mvvpSWXp96C2DLvSFte6n3t7gkKYMusEpVffrR7<br>
eP3Gj6BEpA8.y9r.pa.tSJ4So7_5Gxb9iwQZYZttzzRnf8F9XnxSivhYRy.N<br>
Y8ulpgmVWJlaTuCP.6YdAp.PjEklgTti5t1wyO5OeYXgnNh4H4mo1JIc3Zp7<br>
7NVeuOzs-<br>
Received: from [41.234.68.107] by <a href="http://web33007.mail.mud.yahoo.com"
target="_blank">web33007.mail.mud.yahoo.com</a> via HTTP; Fri, 26 Mar 2010
19:29:04 PDT<br>

X-Mailer: <span class=SpellE>YahooMailClassic</span>/10.0.8 <span class=SpellE>YahooMailWebService</span>/0.8.100.260964<br>
Date: Fri, 26 Mar 2010 19:29:04 -0700 (PDT)<br>
From: aPerson <span class=SpellE>Person</span> <<a
href="http://mc/compose?to=xxxx@yahoo.com" target="_blank">xxxx@yahoo.com</a>><br>
Subject: NO MAIL YET???<br>
To: aPerson<span class=SpellE>Person</span> <<a
href="http://mc/compose?to=xxxx@yahoo.com" target="_blank">xxxx@yahoo.com</a>><br>

MIME-Version: 1.0<br>
Content-Type: multipart/alternative; boundary="0-1474920036-1269656944=:71482"<br>
<br>
--0-1474920036-1269656944=:71482<br>
Content-Type: text/plain; charset=iso-8859-1<br>
Content-Transfer-Encoding: quoted-printable<br>
<br>
I have sent you several emails <span class=SpellE>andi</span> am yet to receive
your <span class=SpellE>reply,because</span> i =<br>

told you about my present condition here in Scotland and i write to let you=<br>
know that i am still in <span class=SpellE>Scotland,by</span> which i misplace
my wallet on my way h=<br>
<span class=SpellE>eading</span> back to my hotel room from the coffee shop and
i lost my phone <span class=SpellE>inclu</span>=<br>
ding my money with the wallet.<br>
=A0<br>

I have spoken to the Embassy here but i was issued a temporary ID to travel=<br>
back and they are not responding to my issue effectively and i already <span
class=SpellE>sen</span>=<br>
t several mails and no reply and i will like you to assist me with a loan o=<br>
f $2,000 in sorting myself out and i promise to refund the money back to <span
class=SpellE>yo</span>=<br>
u as soon as i <span class=SpellE>return,let</span> me know if you can help me
today but i don't have=<br>

a phone where i can be reached and i have limited access to internet.<br>
=A0<br>
I know this email sounds strange but i did send it.<br>
<br>
<br>
<br>
<br>
<br>
<br>
aPerson<span class=SpellE>Person</span>=20<br>
<a href="http://mc/compose?to=xxxx@yahoo.com" target="_blank">xxxx@yahoo.com</a>=0A=0A=0Aá

á á <br>
--0-1474920036-1269656944=:71482<br>
Content-Type: text/html; charset=iso-8859-1<br>
Content-Transfer-Encoding: quoted-printable<br>
<br>
<table <span class=SpellE>cellspacing</span>=3D"0" <span
class=SpellE>cellpadding</span>=3D"0" border=3D"0" ><<span
class=SpellE>tr</span>><td <span class=SpellE>valign</span>=3D"=<br>

top" style=3D"font: inherit;"><DIV>I have sent you
several emails <span class=SpellE>andi</span> am y=<br>
et to receive your <span class=SpellE>reply,because</span> i told you about my
present condition here=<br>
in Scotland and i write to let you know that i am still in <span class=SpellE>Scotland,by</span>

<span class=SpellE>whi</span>=<br>
<span class=SpellE>ch</span> i misplace my wallet on my way heading back to my
hotel room from the co=<br>
<span class=SpellE>ffee</span> shop and i lost my phone including my money with
the wallet.</DIV><br>
<DIV>&<span class=SpellE>nbsp</span>;</DIV><br>

<DIV>I have spoken to the Embassy here but i was issued a temporary ID to
t=<br>
ravel back and they are not responding to my issue effectively and i <span
class=SpellE>alread</span>=<br>
y sent several mails and no reply and i will like you to assist me with a l=<br>
<span class=SpellE>oan</span> of $2,000 in sorting myself out and i promise to
refund the money back =<br>
to you as soon as i <span class=SpellE>return,let</span> me know if you can
help me today but i don't=<br>

have a phone where i can be reached and i have limited access to internet.=<br>
</DIV><br>
<DIV>&<span class=SpellE>nbsp</span>;</DIV><br>
<DIV>I know this email sounds strange but i did send
it.<BR><BR></DIV><br>
<DIV><br>

<DIV><br>
<DIV><br>
<DIV><br>
<DIV><FONT color=3D#bf00bf size=3D4><STRONG>aPerson
<span class=SpellE>Person</span></STRON=<br>
G> <BR><A href=3D"mailto:<a
href="http://mc/compose?to=xxxx@yahoo.com" target="_blank">xxxx@yahoo.com</a>"><a
href="http://mc/compose?to=xxxx@yahoo.com" target="_blank">xxxx@yahoo.com</a></A></FONT></D=<br>

IV></DIV></DIV></DIV></DIV></td></<span
class=SpellE>tr</span>></table><<span class=SpellE>br</span>>=0A=0A=0A=0Aá
á á <br>
--0-1474920036-1269656944=:71482--<o:p></o:p></span></p>[/codebox]

#9 aninkling

aninkling
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 07 April 2010 - 03:00 PM

OTL.txt File:
OTL logfile created on: 4/7/2010 3:46:33 PM - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = G:\Applications\Security\OTL
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 67.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 581.48 Gb Total Space | 546.25 Gb Free Space | 93.94% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
Drive G: | 3.74 Gb Total Space | 1.06 Gb Free Space | 28.34% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELL
Current User Name: Barb
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - File not found -- C:\Windows\SysWow64\spool\drivers\x64\3\E_S10IC2.EXE
PRC - [2010/04/07 12:35:16 | 000,561,664 | ---- | M] (OldTimer Tools) -- G:\Applications\Security\OTL\OTL.exe
PRC - [2010/03/31 12:34:45 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2009/10/30 11:40:26 | 000,341,504 | ---- | M] (SoftThinks - Dell) -- C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
PRC - [2009/10/02 15:46:00 | 000,656,624 | ---- | M] (SoftThinks) -- C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe
PRC - [2009/08/25 11:03:32 | 000,163,840 | ---- | M] () -- C:\Program Files (x86)\Polar\Daemon\polard.exe
PRC - [2009/06/18 23:46:24 | 000,494,064 | ---- | M] () -- C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
PRC - [2009/05/21 10:59:08 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
PRC - [2009/05/19 12:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2008/12/18 16:05:28 | 000,155,648 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DockLogin.exe


========== Modules (SafeList) ==========

MOD - [2010/04/07 12:35:16 | 000,561,664 | ---- | M] (OldTimer Tools) -- G:\Applications\Security\OTL\OTL.exe
MOD - [2009/12/08 13:12:24 | 000,014,544 | ---- | M] (McAfee, Inc.) -- c:\Program Files (x86)\McAfee\SiteAdvisor\sahook.dll
MOD - [2009/07/13 21:15:07 | 000,486,912 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\comdlg32.dll
MOD - [2009/07/13 21:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2009/12/09 20:30:34 | 000,017,416 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2009/07/13 21:41:59 | 000,229,888 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\wwansvc.dll -- (WwanSvc)
SRV:64bit: - [2009/07/13 21:41:56 | 000,202,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\wbiosrvc.dll -- (WbioSrvc)
SRV:64bit: - [2009/07/13 21:41:56 | 000,163,840 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\umpo.dll -- (Power)
SRV:64bit: - [2009/07/13 21:41:55 | 000,044,544 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\themeservice.dll -- (Themes)
SRV:64bit: - [2009/07/13 21:41:54 | 000,065,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\sppuinotify.dll -- (sppuinotify)
SRV:64bit: - [2009/07/13 21:41:54 | 000,029,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\sensrsvc.dll -- (SensrSvc)
SRV:64bit: - [2009/07/13 21:41:53 | 000,327,168 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\pnrpsvc.dll -- (PNRPsvc)
SRV:64bit: - [2009/07/13 21:41:53 | 000,327,168 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\pnrpsvc.dll -- (p2pimsvc)
SRV:64bit: - [2009/07/13 21:41:53 | 000,187,904 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\provsvc.dll -- (HomeGroupProvider)
SRV:64bit: - [2009/07/13 21:41:53 | 000,067,072 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\SysNative\RpcEpMap.dll -- (RpcEptMapper)
SRV:64bit: - [2009/07/13 21:41:53 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\pnrpauto.dll -- (PNRPAutoReg)
SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/13 21:41:18 | 000,231,936 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\ListSvc.dll -- (HomeGroupListener)
SRV:64bit: - [2009/07/13 21:40:54 | 001,127,936 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\FntCache.dll -- (FontCache)
SRV:64bit: - [2009/07/13 21:40:28 | 000,314,368 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\dhcpcore.dll -- (Dhcp)
SRV:64bit: - [2009/07/13 21:40:28 | 000,291,328 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\defragsvc.dll -- (defragsvc)
SRV:64bit: - [2009/07/13 21:40:13 | 000,083,968 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\bthserv.dll -- (bthserv)
SRV:64bit: - [2009/07/13 21:40:10 | 000,100,864 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\SysNative\bdesvc.dll -- (BDESVC)
SRV:64bit: - [2009/07/13 21:40:05 | 000,114,688 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\AxInstSv.dll -- (AxInstSV)
SRV:64bit: - [2009/07/13 21:40:01 | 000,032,256 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appidsvc.dll -- (AppIDSvc)
SRV:64bit: - [2009/07/13 21:39:51 | 001,503,744 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\wbengine.exe -- (wbengine)
SRV:64bit: - [2009/07/13 21:39:28 | 003,524,608 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\sppsvc.exe -- (sppsvc)
SRV:64bit: - [2009/07/13 21:39:11 | 000,689,152 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\FXSSVC.exe -- (Fax)
SRV:64bit: - [2009/06/14 20:12:12 | 000,203,264 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2008/12/18 16:05:28 | 000,155,648 | ---- | M] (Stardock Corporation) [Auto | Running] -- C:\Program Files\Dell\DellDock\DockLogin.exe -- (DockLoginService)
SRV - [2009/12/08 14:25:28 | 000,110,312 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/11/04 06:11:24 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/11/04 06:01:14 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2009/10/02 15:46:00 | 000,656,624 | ---- | M] (SoftThinks) [Auto | Running] -- C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE -- (SftService)
SRV - [2009/08/25 11:03:32 | 000,163,840 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Polar\Daemon\polard.exe -- (Polar Daemon)
SRV - [2009/07/13 23:20:14 | 000,000,000 | ---D | M] [On_Demand | Stopped] -- C:\Windows\Vss -- (VSS)
SRV - [2009/07/13 23:20:14 | 000,000,000 | ---D | M] [Unknown | Stopped] -- C:\Windows\SysWOW64\Msdtc -- (MSDTC)
SRV - [2009/07/13 21:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysWOW64\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/13 21:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/13 16:30:11 | 000,061,056 | ---- | M] () [On_Demand | Stopped] -- C:\Windows\SysWOW64\wbem\vds.mof -- (vds)
SRV - [2009/06/10 16:39:58 | 000,089,920 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_64)
SRV - [2009/06/05 20:07:28 | 000,250,616 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\WildTangent\Dell Games\Dell Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2009/05/21 10:59:08 | 000,206,064 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter) SupportSoft Sprocket Service (DellSupportCenter)
SRV - [2009/05/19 12:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2007/01/11 05:02:00 | 000,126,464 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE -- (EPSON_PM_RPCV4_01) EPSON V3 Service4(01)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USCON/1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0
FF - prefs.js..extensions.enabledItems: support@lastpass.com:1.66.0
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=mcafee&p="

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files (x86)\McAfee\SiteAdvisor [2010/03/31 14:26:30 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/03/31 12:34:55 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/03/31 13:06:55 | 000,000,000 | ---D | M]

[2010/03/31 15:16:38 | 000,000,000 | ---D | M] -- C:\Users\Barb\AppData\Roaming\Mozilla\Extensions
[2010/04/05 12:47:37 | 000,000,000 | ---D | M] -- C:\Users\Barb\AppData\Roaming\Mozilla\Firefox\Profiles\og4h15pq.default\extensions
[2010/03/31 15:18:03 | 000,000,000 | ---D | M] -- C:\Users\Barb\AppData\Roaming\Mozilla\Firefox\Profiles\og4h15pq.default\extensions\support@lastpass.com
[2010/03/31 12:19:33 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2010/03/31 13:06:11 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
[2010/03/31 15:17:04 | 000,002,024 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\searchplugins\McSiteAdvisor.xml

O1 HOSTS File: ([2009/06/10 17:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~2\mcafee\msk\MSKAPB~1.DLL File not found
O2:64bit: - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (no name) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3:64bit: - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: [\\OFFICE-IMAC\Epson Stylus Photo 2200] C:\Windows\SysNative\spool\DRIVERS\x64\3\E_S10IC2.EXE (SEIKO EPSON CORPORATION)
O4:64bit: - HKLM..\Run: [\\OFFICE-IMAC-2\Epson Stylus Photo 2200] C:\Windows\SysNative\spool\DRIVERS\x64\3\E_S10IC2.EXE (SEIKO EPSON CORPORATION)
O4:64bit: - HKLM..\Run: [EPSON Stylus Photo 2200] C:\Windows\SysNative\spool\DRIVERS\x64\3\E_S10IC2.EXE (SEIKO EPSON CORPORATION)
O4:64bit: - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Desktop Disc Tool] C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe ()
O4 - HKLM..\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe (VIA)
O4 - HKLM..\Run: [StartCCC] c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4:64bit: - HKLM..\RunOnce: [DSUpdateLauncher] c:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe (Dell)
O4 - HKLM..\RunOnce: [STToasterLauncher] C:\Program Files (x86)\Dell DataSafe Local Backup\ToasterLauncher.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll (PCPitstop Exam)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254 192.168.1.254
O18:64bit: - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files (x86)\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20:64bit: - Winlogon\Notify\GoToAssist: DllName - Reg Error: Key error. - C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O30:64bit: - LSA: Security Packages - (pku2u) - C:\Windows\SysNative\pku2u.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\SysWow64\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/05/06 08:26:23 | 000,000,309 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{791fc2aa-3cc0-11df-bc53-002564d34d6e}\Shell - "" = AutoRun
O33 - MountPoints2\{791fc2aa-3cc0-11df-bc53-002564d34d6e}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{791fc361-3cc0-11df-bc53-002564d34d6e}\Shell - "" = AutoRun
O33 - MountPoints2\{791fc361-3cc0-11df-bc53-002564d34d6e}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{e446638b-c937-11de-b391-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{e446638b-c937-11de-b391-806e6f6e6963}\Shell\AutoRun\command - "" = D:\autorun\autorun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs:64bit: Ias - C:\Windows\SysNative\ias [2009/07/13 23:20:14 | 000,000,000 | ---D | M]
NetSvcs:64bit: Irmon - C:\Windows\SysNative\irmon.dll (Microsoft Corporation)
NetSvcs:64bit: Wmi - C:\Windows\SysNative\wmi.dll (Microsoft Corporation)
NetSvcs:64bit: Themes - C:\Windows\SysNative\themeservice.dll (Microsoft Corporation)
NetSvcs:64bit: BDESVC - C:\Windows\SysNative\bdesvc.dll (Microsoft Corporation)
NetSvcs: Ias - C:\Windows\SysWOW64\ias.dll (Microsoft Corporation)
NetSvcs: Wmi - C:\Windows\SysWOW64\wmi.dll (Microsoft Corporation)
OTL cannot create restorepoints on Vista OSs!

========== Files/Folders - Created Within 14 Days ==========

[2010/04/05 13:15:42 | 000,000,000 | ---D | C] -- C:\Users\Barb\AppData\Roaming\Malwarebytes
[2010/03/31 20:36:53 | 000,000,000 | ---D | C] -- C:\Users\Barb\AppData\Roaming\GlarySoft
[2010/03/31 15:38:18 | 000,000,000 | R--D | C] -- C:\Users\Barb\Documents\Scanned Documents
[2010/03/31 15:38:18 | 000,000,000 | ---D | C] -- C:\Users\Barb\Documents\Fax
[2010/03/31 15:38:03 | 000,000,000 | ---D | C] -- C:\Users\Barb\Documents\Quicken 2010
[2010/03/31 15:38:00 | 000,000,000 | ---D | C] -- C:\Users\Barb\Documents\TurboTax
[2010/03/31 15:37:59 | 000,000,000 | ---D | C] -- C:\Users\Barb\Documents\Word
[2010/03/31 15:37:59 | 000,000,000 | ---D | C] -- C:\Users\Barb\Documents\Excel
[2010/03/31 15:37:49 | 000,000,000 | ---D | C] -- C:\Users\Barb\Documents\Videos
[2010/03/31 15:37:49 | 000,000,000 | ---D | C] -- C:\Users\Barb\Documents\Quicken
[2010/03/31 15:37:49 | 000,000,000 | ---D | C] -- C:\Users\Barb\Documents\Pictures
[2010/03/31 15:37:49 | 000,000,000 | ---D | C] -- C:\Users\Barb\Documents\Music
[2010/03/31 15:37:49 | 000,000,000 | ---D | C] -- C:\Users\Barb\Documents\Downloads
[2010/03/31 15:30:57 | 004,199,784 | ---- | C] (Amyuni Technologies
http://www.amyuni.com) -- C:\Windows\SysWow64\cdintf400.dll
[2010/03/31 15:30:03 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Quicken
[2010/03/31 15:30:03 | 000,000,000 | ---D | C] -- C:\Users\Barb\AppData\Roaming\Intuit
[2010/03/31 15:16:30 | 000,000,000 | ---D | C] -- C:\Users\Barb\AppData\Roaming\Mozilla
[2010/03/31 15:16:30 | 000,000,000 | ---D | C] -- C:\Users\Barb\AppData\Local\Mozilla
[2010/03/31 15:15:05 | 000,000,000 | R--D | C] -- C:\Users\Barb\Desktop\Favorites
[2010/03/31 15:14:26 | 000,000,000 | ---D | C] -- C:\Users\Barb\Desktop\Duane
[2010/03/31 15:12:33 | 000,000,000 | ---D | C] -- C:\Users\Barb\AppData\Roaming\Dell
[2010/03/31 15:12:31 | 000,000,000 | ---D | C] -- C:\Users\Barb\AppData\Local\Stardock_Corporation
[2010/03/31 15:12:28 | 000,000,000 | ---D | C] -- C:\Users\Barb\AppData\Roaming\Roxio
[2010/03/31 15:12:28 | 000,000,000 | ---D | C] -- C:\Users\Barb\AppData\Local\Polar_Electro_Oy
[2010/03/31 15:12:26 | 000,000,000 | ---D | C] -- C:\Users\Barb\AppData\Roaming\ATI
[2010/03/31 15:12:26 | 000,000,000 | ---D | C] -- C:\Users\Barb\AppData\Local\ATI
[2010/03/31 15:12:16 | 000,000,000 | R--D | C] -- C:\Users\Barb\Searches
[2010/03/31 15:12:06 | 000,000,000 | ---D | C] -- C:\Users\Barb\AppData\Roaming\Identities
[2010/03/31 15:12:05 | 000,000,000 | R--D | C] -- C:\Users\Barb\Contacts
[2010/03/31 15:12:03 | 000,000,000 | ---D | C] -- C:\Users\Barb\AppData\Local\VirtualStore
[2010/03/31 15:11:47 | 000,000,000 | -HSD | C] -- C:\Users\Barb\AppData\Local\Temporary Internet Files
[2010/03/31 15:11:47 | 000,000,000 | -HSD | C] -- C:\Users\Barb\Templates
[2010/03/31 15:11:47 | 000,000,000 | -HSD | C] -- C:\Users\Barb\Start Menu
[2010/03/31 15:11:47 | 000,000,000 | -HSD | C] -- C:\Users\Barb\SendTo
[2010/03/31 15:11:47 | 000,000,000 | -HSD | C] -- C:\Users\Barb\Recent
[2010/03/31 15:11:47 | 000,000,000 | -HSD | C] -- C:\Users\Barb\PrintHood
[2010/03/31 15:11:47 | 000,000,000 | -HSD | C] -- C:\Users\Barb\NetHood
[2010/03/31 15:11:47 | 000,000,000 | -HSD | C] -- C:\Users\Barb\Documents\My Videos
[2010/03/31 15:11:47 | 000,000,000 | -HSD | C] -- C:\Users\Barb\Documents\My Pictures
[2010/03/31 15:11:47 | 000,000,000 | -HSD | C] -- C:\Users\Barb\Documents\My Music
[2010/03/31 15:11:47 | 000,000,000 | -HSD | C] -- C:\Users\Barb\My Documents
[2010/03/31 15:11:47 | 000,000,000 | -HSD | C] -- C:\Users\Barb\Local Settings
[2010/03/31 15:11:47 | 000,000,000 | -HSD | C] -- C:\Users\Barb\AppData\Local\History
[2010/03/31 15:11:47 | 000,000,000 | -HSD | C] -- C:\Users\Barb\Cookies
[2010/03/31 15:11:47 | 000,000,000 | -HSD | C] -- C:\Users\Barb\Application Data
[2010/03/31 15:11:47 | 000,000,000 | -HSD | C] -- C:\Users\Barb\AppData\Local\Application Data
[2010/03/31 15:11:46 | 000,000,000 | --SD | C] -- C:\Users\Barb\AppData\Roaming\Microsoft
[2010/03/31 15:11:46 | 000,000,000 | R--D | C] -- C:\Users\Barb\Videos
[2010/03/31 15:11:46 | 000,000,000 | R--D | C] -- C:\Users\Barb\Saved Games
[2010/03/31 15:11:46 | 000,000,000 | R--D | C] -- C:\Users\Barb\Pictures
[2010/03/31 15:11:46 | 000,000,000 | R--D | C] -- C:\Users\Barb\Music
[2010/03/31 15:11:46 | 000,000,000 | R--D | C] -- C:\Users\Barb\Links
[2010/03/31 15:11:46 | 000,000,000 | R--D | C] -- C:\Users\Barb\Favorites
[2010/03/31 15:11:46 | 000,000,000 | R--D | C] -- C:\Users\Barb\Downloads
[2010/03/31 15:11:46 | 000,000,000 | R--D | C] -- C:\Users\Barb\My Documents
[2010/03/31 15:11:46 | 000,000,000 | R--D | C] -- C:\Users\Barb\Desktop
[2010/03/31 15:11:46 | 000,000,000 | -H-D | C] -- C:\Users\Barb\AppData
[2010/03/31 15:11:46 | 000,000,000 | ---D | C] -- C:\Users\Barb\AppData\Local\Temp
[2010/03/31 15:11:46 | 000,000,000 | ---D | C] -- C:\Users\Barb\AppData\Local\SoftThinks
[2010/03/31 15:11:46 | 000,000,000 | ---D | C] -- C:\Users\Barb\AppData\Local\Microsoft Help
[2010/03/31 15:11:46 | 000,000,000 | ---D | C] -- C:\Users\Barb\AppData\Local\Microsoft
[2010/03/31 15:11:46 | 000,000,000 | ---D | C] -- C:\Users\Barb\AppData\Roaming\Media Center Programs
[2010/03/31 15:07:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Antimalware
[2010/03/31 14:21:26 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\McAfee
[2010/03/31 14:21:20 | 000,000,000 | ---D | C] -- C:\ProgramData\McAfee
[2010/03/31 14:21:20 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\McAfee
[2010/03/31 14:04:14 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/03/31 13:06:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Foxit Software
[2010/03/31 12:22:24 | 000,000,000 | ---D | C] -- C:\ProgramData\PCPitstop
[2010/03/31 12:19:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2010/03/31 11:29:10 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010/03/31 11:29:09 | 000,024,664 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2010/03/31 11:29:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2010/03/31 11:29:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/03/31 11:19:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Glary Utilities
[2010/03/28 21:48:20 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro

========== Files - Modified Within 14 Days ==========

[2010/04/07 15:50:33 | 000,014,016 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/04/07 15:50:33 | 000,014,016 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/04/07 15:50:21 | 001,048,576 | -HS- | M] () -- C:\Users\Barb\NTUSER.DAT
[2010/04/07 15:48:17 | 000,713,888 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/04/07 15:48:17 | 000,615,122 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/04/07 15:48:17 | 000,103,496 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/04/07 15:43:49 | 000,000,328 | ---- | M] () -- C:\Windows\tasks\GlaryInitialize.job
[2010/04/07 15:43:26 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/04/07 15:43:22 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/04/07 15:43:18 | 3019,202,560 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/05 20:09:16 | 001,978,033 | -H-- | M] () -- C:\Users\Barb\AppData\Local\IconCache.db
[2010/03/31 15:44:24 | 000,524,288 | -HS- | M] () -- C:\Users\Barb\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
[2010/03/31 15:44:24 | 000,524,288 | -HS- | M] () -- C:\Users\Barb\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
[2010/03/31 15:44:24 | 000,065,536 | -HS- | M] () -- C:\Users\Barb\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
[2010/03/31 15:30:57 | 000,001,804 | ---- | M] () -- C:\Users\Public\Desktop\Quicken Home & Business 2010.lnk
[2010/03/31 15:30:39 | 000,000,126 | ---- | M] () -- C:\Windows\QUICKEN.INI
[2010/03/31 15:12:25 | 000,073,040 | ---- | M] () -- C:\Users\Barb\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/03/31 15:11:47 | 000,000,020 | -HS- | M] () -- C:\Users\Barb\ntuser.ini
[2010/03/31 15:04:36 | 000,000,000 | ---- | M] () -- C:\Windows\nsreg.dat
[2010/03/31 15:04:13 | 000,013,733 | ---- | M] () -- C:\Users\Public\Documents\bookmarks-2010-03-31.json
[2010/03/31 14:29:46 | 000,000,990 | ---- | M] () -- C:\Users\Barb\Desktop\Glary Utilities.lnk
[2010/03/31 12:19:35 | 000,001,959 | ---- | M] () -- C:\Users\Barb\Desktop\Mozilla Firefox.lnk
[2010/03/29 15:24:58 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2010/03/29 15:24:46 | 000,024,664 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys

========== Files Created - No Company Name ==========

[2010/03/31 15:30:57 | 000,001,804 | ---- | C] () -- C:\Users\Public\Desktop\Quicken Home & Business 2010.lnk
[2010/03/31 15:16:17 | 000,001,959 | ---- | C] () -- C:\Users\Barb\Desktop\Mozilla Firefox.lnk
[2010/03/31 15:14:46 | 000,002,693 | ---- | C] () -- C:\Users\Barb\Desktop\Microsoft Office Word 2007.lnk
[2010/03/31 15:14:43 | 000,002,645 | ---- | C] () -- C:\Users\Barb\Desktop\Microsoft Office PowerPoint 2007.lnk
[2010/03/31 15:14:41 | 000,002,655 | ---- | C] () -- C:\Users\Barb\Desktop\Microsoft Office Excel 2007.lnk
[2010/03/31 15:14:33 | 000,000,990 | ---- | C] () -- C:\Users\Barb\Desktop\Glary Utilities.lnk
[2010/03/31 15:11:47 | 000,524,288 | -HS- | C] () -- C:\Users\Barb\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
[2010/03/31 15:11:47 | 000,524,288 | -HS- | C] () -- C:\Users\Barb\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
[2010/03/31 15:11:47 | 000,065,536 | -HS- | C] () -- C:\Users\Barb\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
[2010/03/31 15:11:47 | 000,000,020 | -HS- | C] () -- C:\Users\Barb\ntuser.ini
[2010/03/31 15:11:46 | 001,048,576 | -HS- | C] () -- C:\Users\Barb\NTUSER.DAT
[2010/03/31 15:11:46 | 000,262,144 | -HS- | C] () -- C:\Users\Barb\ntuser.dat.LOG1
[2010/03/31 15:11:46 | 000,000,000 | -HS- | C] () -- C:\Users\Barb\ntuser.dat.LOG2
[2010/03/31 15:04:36 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2010/03/31 15:04:13 | 000,013,733 | ---- | C] () -- C:\Users\Public\Documents\bookmarks-2010-03-31.json
[2010/03/31 11:19:17 | 000,000,328 | ---- | C] () -- C:\Windows\tasks\GlaryInitialize.job
[2009/11/12 15:35:46 | 000,000,097 | ---- | C] () -- C:\Windows\SysWow64\PICSDK.ini
[2009/11/12 14:22:38 | 000,000,126 | ---- | C] () -- C:\Windows\QUICKEN.INI
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 17:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll

========== LOP Check ==========

[2010/03/31 20:36:53 | 000,000,000 | ---D | M] -- C:\Users\Barb\AppData\Roaming\GlarySoft
[2009/11/12 18:06:26 | 000,000,468 | ---- | M] () -- C:\Windows\Tasks\Driver Robot.job
[2010/04/07 15:43:49 | 000,000,328 | ---- | M] () -- C:\Windows\Tasks\GlaryInitialize.job
[2010/03/09 22:13:23 | 000,032,538 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2009/07/13 23:01:04 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\$Recycle.Bin\S-1-5-21-212741669-1789864945-1912202479-1001\$R1FEEDN\Windows\System32\drivers\AGP440.sys
[2009/07/13 23:01:04 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\$Recycle.Bin\S-1-5-21-212741669-1789864945-1912202479-1001\$R1FEEDN\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_neutral_9e6bb86c3b39a3e9\AGP440.sys
[2009/07/13 23:01:04 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\$Recycle.Bin\S-1-5-21-212741669-1789864945-1912202479-1001\$R1FEEDN\Windows\winsxs\amd64_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_1607dee2d861e021\AGP440.sys
[2009/07/13 21:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\Windows\SysWow64\DriverStore\FileRepository\machine.inf_amd64_neutral_9e6bb86c3b39a3e9\AGP440.sys
[2009/07/13 21:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\Windows\winsxs\amd64_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_1607dee2d861e021\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/07/13 23:01:04 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\$Recycle.Bin\S-1-5-21-212741669-1789864945-1912202479-1001\$R1FEEDN\Windows\System32\drivers\atapi.sys
[2009/07/13 23:01:04 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\$Recycle.Bin\S-1-5-21-212741669-1789864945-1912202479-1001\$R1FEEDN\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_neutral_a69a58a4286f0b22\atapi.sys
[2009/07/13 23:01:04 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\$Recycle.Bin\S-1-5-21-212741669-1789864945-1912202479-1001\$R1FEEDN\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_392d19c13b3ad543\atapi.sys
[2009/07/13 21:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysWow64\DriverStore\FileRepository\mshdc.inf_amd64_neutral_a69a58a4286f0b22\atapi.sys
[2009/07/13 21:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_392d19c13b3ad543\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2009/07/13 21:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\SysWOW64\cngaudit.dll
[2009/07/13 21:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\SysWOW64\cngaudit.dll
[2009/07/13 21:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll
[2009/07/13 21:40:20 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=86FE1B1F8FD42CD0DB641AB1CDB13093 -- C:\$Recycle.Bin\S-1-5-21-212741669-1789864945-1912202479-1001\$R1FEEDN\Windows\System32\cngaudit.dll
[2009/07/13 21:40:20 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=86FE1B1F8FD42CD0DB641AB1CDB13093 -- C:\$Recycle.Bin\S-1-5-21-212741669-1789864945-1912202479-1001\$R1FEEDN\Windows\winsxs\amd64_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_4458dccc49458461\cngaudit.dll
[2009/07/13 21:40:20 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=86FE1B1F8FD42CD0DB641AB1CDB13093 -- C:\Windows\winsxs\amd64_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_4458dccc49458461\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2009/07/13 23:01:04 | 000,410,688 | ---- | M] (Intel Corporation) MD5=D83EFB6FD45DF9D55E9A1AFC63640D50 -- C:\$Recycle.Bin\S-1-5-21-212741669-1789864945-1912202479-1001\$R1FEEDN\Windows\System32\drivers\iaStorV.sys
[2009/07/13 23:01:04 | 000,410,688 | ---- | M] (Intel Corporation) MD5=D83EFB6FD45DF9D55E9A1AFC63640D50 -- C:\$Recycle.Bin\S-1-5-21-212741669-1789864945-1912202479-1001\$R1FEEDN\Windows\System32\DriverStore\FileRepository\iastorv.inf_amd64_neutral_18cccb83b34e1453\iaStorV.sys
[2009/07/13 23:01:04 | 000,410,688 | ---- | M] (Intel Corporation) MD5=D83EFB6FD45DF9D55E9A1AFC63640D50 -- C:\$Recycle.Bin\S-1-5-21-212741669-1789864945-1912202479-1001\$R1FEEDN\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_0b06441fa1790136\iaStorV.sys
[2009/07/13 21:48:04 | 000,410,688 | ---- | M] (Intel Corporation) MD5=D83EFB6FD45DF9D55E9A1AFC63640D50 -- C:\Windows\SysWow64\DriverStore\FileRepository\iastorv.inf_amd64_neutral_18cccb83b34e1453\iaStorV.sys
[2009/07/13 21:48:04 | 000,410,688 | ---- | M] (Intel Corporation) MD5=D83EFB6FD45DF9D55E9A1AFC63640D50 -- C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_0b06441fa1790136\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/07/13 21:41:52 | 000,692,736 | ---- | M] (Microsoft Corporation) MD5=956D030D375F207B22FB111E06EF9C35 -- C:\$Recycle.Bin\S-1-5-21-212741669-1789864945-1912202479-1001\$R1FEEDN\Windows\System32\netlogon.dll
[2009/07/13 21:41:52 | 000,692,736 | ---- | M] (Microsoft Corporation) MD5=956D030D375F207B22FB111E06EF9C35 -- C:\$Recycle.Bin\S-1-5-21-212741669-1789864945-1912202479-1001\$R1FEEDN\Windows\winsxs\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_59aca8ea51aaeefe\netlogon.dll
[2009/07/13 21:41:52 | 000,692,736 | ---- | M] (Microsoft Corporation) MD5=956D030D375F207B22FB111E06EF9C35 -- C:\Windows\winsxs\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_59aca8ea51aaeefe\netlogon.dll
[2009/07/13 21:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\SysWOW64\netlogon.dll
[2009/07/13 21:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\SysWOW64\netlogon.dll
[2009/07/13 21:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\wow64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_6401533c860bb0f9\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2009/07/13 23:01:04 | 000,167,488 | ---- | M] (NVIDIA Corporation) MD5=477DC4D6DEB99BE37084C9AC6D013DA1 -- C:\$Recycle.Bin\S-1-5-21-212741669-1789864945-1912202479-1001\$R1FEEDN\Windows\System32\drivers\nvstor.sys
[2009/07/13 23:01:04 | 000,167,488 | ---- | M] (NVIDIA Corporation) MD5=477DC4D6DEB99BE37084C9AC6D013DA1 -- C:\$Recycle.Bin\S-1-5-21-212741669-1789864945-1912202479-1001\$R1FEEDN\Windows\System32\DriverStore\FileRepository\nvraid.inf_amd64_neutral_5bde3fe2945bce9e\nvstor.sys
[2009/07/13 23:01:04 | 000,167,488 | ---- | M] (NVIDIA Corporation) MD5=477DC4D6DEB99BE37084C9AC6D013DA1 -- C:\$Recycle.Bin\S-1-5-21-212741669-1789864945-1912202479-1001\$R1FEEDN\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_95cfb4ced8afab0e\nvstor.sys
[2009/07/13 21:45:45 | 000,167,488 | ---- | M] (NVIDIA Corporation) MD5=477DC4D6DEB99BE37084C9AC6D013DA1 -- C:\Windows\SysWow64\DriverStore\FileRepository\nvraid.inf_amd64_neutral_5bde3fe2945bce9e\nvstor.sys
[2009/07/13 21:45:45 | 000,167,488 | ---- | M] (NVIDIA Corporation) MD5=477DC4D6DEB99BE37084C9AC6D013DA1 -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_95cfb4ced8afab0e\nvstor.sys

< MD5 for: SCECLI.DLL >
[2009/07/13 21:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\SysWOW64\scecli.dll
[2009/07/13 21:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\SysWOW64\scecli.dll
[2009/07/13 21:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\wow64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_9e577e55272d37b4\scecli.dll
[2009/07/13 21:41:53 | 000,232,448 | ---- | M] (Microsoft Corporation) MD5=398712DDDAEFB85EDF61DF6A07B65C79 -- C:\$Recycle.Bin\S-1-5-21-212741669-1789864945-1912202479-1001\$R1FEEDN\Windows\System32\scecli.dll
[2009/07/13 21:41:53 | 000,232,448 | ---- | M] (Microsoft Corporation) MD5=398712DDDAEFB85EDF61DF6A07B65C79 -- C:\$Recycle.Bin\S-1-5-21-212741669-1789864945-1912202479-1001\$R1FEEDN\Windows\winsxs\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_9402d402f2cc75b9\scecli.dll
[2009/07/13 21:41:53 | 000,232,448 | ---- | M] (Microsoft Corporation) MD5=398712DDDAEFB85EDF61DF6A07B65C79 -- C:\Windows\winsxs\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_9402d402f2cc75b9\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
< End of report >


#10 aninkling

aninkling
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 07 April 2010 - 03:12 PM

Extra.txt:
OTL Extras logfile created on: 4/7/2010 3:46:33 PM - Run 1
OTL by OldTimer - Version 3.2.1.0 Folder = G:\Applications\Security\OTL
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 67.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 581.48 Gb Total Space | 546.25 Gb Free Space | 93.94% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
Drive G: | 3.74 Gb Total Space | 1.06 Gb Free Space | 28.34% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELL
Current User Name: Barb
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{26A24AE4-039D-4CA4-87B4-2F86416014FF}" = Java™ 6 Update 14 (64-bit)
"{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}" = Dell Edoc Viewer
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007
"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95C9C76F-ECF3-40FA-94F8-5DDFB6BAF40D}" = Microsoft Security Essentials
"{E590FD1C-E8C6-4D2E-8CA9-77B403F7EE01}" = Microsoft Antimalware
"{E60B7350-EA5F-41E0-9D6F-E508781E36D2}" = Dell Dock
"{F6E2FA73-B2A7-8223-98EC-685E2E8F6CE0}" = ccc-utility64
"EPSON Printer and Utilities" = EPSON Printer Software
"Microsoft Security Essentials" = Microsoft Security Essentials

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{04F3038E-4120-44CC-B330-E05F737246A5}" = Roxio Update Manager
"{052bac4a-6f79-46d4-a024-1ce1b4f73cd4}" = Microsoft Visual C++ 2005 Redistributable
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{0A169B94-4AF2-AD4B-1265-E1074A347418}" = Catalyst Control Center Core Implementation
"{0ED7EE95-6A97-47AA-AD73-152C08A15B04}" = Dell DataSafe Local Backup
"{0F15BB9F-7E5E-A355-FA8E-C2164726E577}" = CCC Help Portuguese
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java™ 6 Update 14
"{277832E3-0A34-C91C-D344-2FED4C847397}" = CCC Help German
"{279355E6-EE94-A7A5-F6B5-2903748443AE}" = Catalyst Control Center Graphics Full New
"{290AC453-D1F4-F73B-F01C-0018BC10B62B}" = ccc-core-static
"{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}" = McAfee SiteAdvisor
"{39A3C9DD-457C-5BF1-4B2D-A76927264B26}" = CCC Help Dutch
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3D5044A5-97B8-45C0-B956-BB2376569188}" = Windows Live Movie Maker
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{5AC4AE26-732F-40DE-CC6C-A4BFC2142BF8}" = CCC Help English
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{665B3CA4-DAB1-D27E-6727-0BEF6593E882}" = CCC Help Greek
"{674AD787-B463-ED3E-CCA8-4F49A9C1785D}" = Catalyst Control Center Localization All
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD DX
"{7009600B-85C8-5D83-1101-6446540F1897}" = Catalyst Control Center Graphics Previews Common
"{7305AE01-CD11-18B5-DC5F-B1A2960935C3}" = CCC Help Polish
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}" = Dell Getting Started Guide
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{83BBF5E6-004F-1DBA-EC29-1033B675831B}" = CCC Help Thai
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{8508FB72-89A3-41FD-DE33-9EEBFB298947}" = CCC Help Italian
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8B76B8E9-F773-4B75-A08C-120079EB765E}" = RAIDXpert
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002A-0000-1000-0000000FF1CE}_HOMESTUDENTR_{E64BA721-2310-4B55-BE5A-2925F9706192}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-002A-0409-1000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0116-0409-1000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{903679E8-44C8-4C07-9600-05C92654FC50}" = QualXServ Service Agreement
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{97835E04-BA21-6878-768F-1B84EA2ADAC1}" = CCC Help Norwegian
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{9EDA3DD1-130D-4EE1-A3D2-5A3D795CC8C9}" = MFCLOC
"{A192CA8A-5259-ECD5-1564-AB715B722432}" = CCC Help Japanese
"{A33E7B0C-B99C-4EC9-B702-8A328B161AF9}" = Roxio Burn
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A9668246-FB70-4103-A1E3-66C9BC2EFB49}" = Dell DataSafe Local Backup - Support Software
"{AA8C0785-3F20-43E0-BFA3-223FFB5D25AA}" = Polar Daemon
"{AC76BA86-1033-F400-BA7E-000000000004}" = Adobe Acrobat 9 Standard - English, Franšais, Deutsch
"{AC76BA86-1033-F400-BA7E-000000000004}_930" = Adobe Acrobat 9.3.0 - CPSID_52073
"{AC76BA86-1033-F400-BA7E-000000000004}{AC76BA86-1033-F400-BA7E-000000000004}" = Adobe Acrobat 9 Standard - English, Franšais, Deutsch
"{B2E47DE7-800B-40BB-BD1F-9F221C3AEE87}" = Roxio Burn
"{B31327DF-2B59-F072-8B44-79CDE915D75E}" = CCC Help Danish
"{B41423C9-C260-F8C8-39DD-541400ECF367}" = CCC Help French
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C6CBE669-DDCA-DB7F-236D-18B20BEFF1B5}" = CCC Help Chinese Traditional
"{CA7D81F8-5661-3D97-F6B0-5E0993511A5D}" = CCC Help Finnish
"{CCF6F57B-F6B4-4508-BF45-63AAC9DE416A}" = Quicken 2010
"{D069C7EF-001B-5378-9F71-F005DE42E255}" = Catalyst Control Center Graphics Light
"{D2A7D7D8-1E27-8464-6666-44B6FB83B3FC}" = CCC Help Czech
"{D4B75A5A-2BA2-4761-BC27-9EA30FA5B483}" = Polar WebSync
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{D86DE1ED-9BF1-6101-6D08-2D762B28D8C8}" = CCC Help Korean
"{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime
"{E1A8F958-D748-63DD-F2D2-82BE71B0F905}" = CCC Help Hungarian
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
"{E40A74A2-D821-2442-CCA3-75C54964D525}" = Catalyst Control Center Graphics Full Existing
"{E43ACD6B-0E7E-4F4C-0BA8-999FCB5FC5B9}" = CCC Help Chinese Standard
"{E481DB0E-52F2-4EE0-9BDA-9EE173FA6EA2}" = Catalyst Control Center - Branding
"{E9684BDD-32A6-550C-6456-0A4209EB4F3A}" = CCC Help Russian
"{F05F2DB5-4300-C318-4560-08CD9E35F512}" = CCC Help Spanish
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F1D038D6-6229-AA2E-A8D1-43EED2CBF0BD}" = CCC Help Swedish
"{F322850C-6CCB-FC54-D36D-0F4E1CC90CBF}" = Skins
"{F527F14E-B80A-5BE7-DC85-8BF2D172067F}" = CCC Help Turkish
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FF4F3E30-6638-6A16-2A68-139F6C613233}" = Catalyst Control Center Graphics Previews Vista
"{FFB07785-9FC3-334F-A54F-AC8D5B471EAE}" = Catalyst Control Center InstallProxy
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"EPSON Scanner" = EPSON Scan
"Foxit Reader" = Foxit Reader
"Glary Utilities_is1" = Glary Utilities 2.21.0.863
"GoToAssist" = GoToAssist 8.0.0.514
"HijackThis" = HijackThis 2.0.2
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{8B76B8E9-F773-4B75-A08C-120079EB765E}" = RAIDXpert
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.6.2)" = Mozilla Firefox (3.6.2)
"WildTangent dell Master Uninstall" = WildTangent Games
"WinLiveSuite_Wave3" = Windows Live Essentials

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/8/2010 5:02:07 PM | Computer Name = Dell | Source = SideBySide | ID = 16842787
Description = Activation context generation failed for "c:\program files (x86)\windows
live\photo gallery\MovieMaker.Exe".Error in manifest or policy file "c:\program
files (x86)\windows live\photo gallery\WLMFDS.DLL" on line 8. Component identity
found in manifest does not match the identity of the component requested. Reference
is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1". Definition
is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1". Please use
sxstrace.exe for detailed diagnosis.

Error - 3/8/2010 5:02:51 PM | Computer Name = Dell | Source = SideBySide | ID = 16842811
Description = Activation context generation failed for "c:\program files (x86)\microsoft\search
enhancement pack\search helper\sepsearchhelperie.dll".Error in manifest or policy
file "c:\program files (x86)\microsoft\search enhancement pack\search helper\sepsearchhelperie.dll"
on line 2. Invalid Xml syntax.

Error - 3/12/2010 1:39:27 PM | Computer Name = Dell | Source = SideBySide | ID = 16842787
Description = Activation context generation failed for "c:\program files (x86)\windows
live\photo gallery\MovieMaker.Exe".Error in manifest or policy file "c:\program
files (x86)\windows live\photo gallery\WLMFDS.DLL" on line 8. Component identity
found in manifest does not match the identity of the component requested. Reference
is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1". Definition
is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1". Please use
sxstrace.exe for detailed diagnosis.

Error - 3/12/2010 1:40:14 PM | Computer Name = Dell | Source = SideBySide | ID = 16842811
Description = Activation context generation failed for "c:\program files (x86)\microsoft\search
enhancement pack\search helper\sepsearchhelperie.dll".Error in manifest or policy
file "c:\program files (x86)\microsoft\search enhancement pack\search helper\sepsearchhelperie.dll"
on line 2. Invalid Xml syntax.

Error - 3/21/2010 5:58:27 PM | Computer Name = Dell | Source = SideBySide | ID = 16842787
Description = Activation context generation failed for "c:\program files (x86)\windows
live\photo gallery\MovieMaker.Exe".Error in manifest or policy file "c:\program
files (x86)\windows live\photo gallery\WLMFDS.DLL" on line 8. Component identity
found in manifest does not match the identity of the component requested. Reference
is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1". Definition
is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1". Please use
sxstrace.exe for detailed diagnosis.

Error - 3/21/2010 6:25:18 PM | Computer Name = Dell | Source = SideBySide | ID = 16842787
Description = Activation context generation failed for "c:\program files (x86)\windows
live\photo gallery\MovieMaker.Exe".Error in manifest or policy file "c:\program
files (x86)\windows live\photo gallery\WLMFDS.DLL" on line 8. Component identity
found in manifest does not match the identity of the component requested. Reference
is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1". Definition
is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1". Please use
sxstrace.exe for detailed diagnosis.

Error - 3/22/2010 12:01:11 PM | Computer Name = Dell | Source = RpcNs | ID = 2
Description =

Error - 3/22/2010 12:21:46 PM | Computer Name = Dell | Source = SideBySide | ID = 16842787
Description = Activation context generation failed for "c:\program files (x86)\windows
live\photo gallery\MovieMaker.Exe".Error in manifest or policy file "c:\program
files (x86)\windows live\photo gallery\WLMFDS.DLL" on line 8. Component identity
found in manifest does not match the identity of the component requested. Reference
is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1". Definition
is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1". Please use
sxstrace.exe for detailed diagnosis.

Error - 3/23/2010 9:18:41 PM | Computer Name = Dell | Source = SideBySide | ID = 16842787
Description = Activation context generation failed for "c:\program files (x86)\windows
live\photo gallery\MovieMaker.Exe".Error in manifest or policy file "c:\program
files (x86)\windows live\photo gallery\WLMFDS.DLL" on line 8. Component identity
found in manifest does not match the identity of the component requested. Reference
is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1". Definition
is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1". Please use
sxstrace.exe for detailed diagnosis.

Error - 3/23/2010 9:19:31 PM | Computer Name = Dell | Source = SideBySide | ID = 16842811
Description = Activation context generation failed for "c:\program files (x86)\microsoft\search
enhancement pack\search helper\sepsearchhelperie.dll".Error in manifest or policy
file "c:\program files (x86)\microsoft\search enhancement pack\search helper\sepsearchhelperie.dll"
on line 2. Invalid Xml syntax.

[ System Events ]
Error - 3/31/2010 1:58:16 PM | Computer Name = Dell | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk2\DR3.

Error - 3/31/2010 1:58:17 PM | Computer Name = Dell | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk2\DR3.

Error - 3/31/2010 1:58:17 PM | Computer Name = Dell | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk2\DR3.

Error - 3/31/2010 1:59:42 PM | Computer Name = Dell | Source = Service Control Manager | ID = 7000
Description = The McAfee SystemGuards service failed to start due to the following
error: %%3

Error - 3/31/2010 3:30:40 PM | Computer Name = Dell | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR3.

Error - 3/31/2010 3:30:41 PM | Computer Name = Dell | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR3.

Error - 3/31/2010 3:42:50 PM | Computer Name = Dell | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR4.

Error - 3/31/2010 3:42:53 PM | Computer Name = Dell | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR4.

Error - 3/31/2010 3:42:54 PM | Computer Name = Dell | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR4.

Error - 3/31/2010 3:42:54 PM | Computer Name = Dell | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR4.


< End of report >

From submitter: There were 7 errors during the entire run. All are "hardisk not found errors

#11 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:34 AM

Posted 08 April 2010 - 03:04 PM

Hi,

Please change the password from your email account.


Also please update your version of Malwarebytes and run a quick scan, post back with the content of the logfile.



I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt



Also please post back with a fresh OTL logfile.

regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#12 aninkling

aninkling
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 09 April 2010 - 10:06 AM

Updated Malwarebytes and ran quick scan: No infections found:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3972

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

4/9/2010 11:05:51 AM
mbam-log-2010-04-09 (11-05-51).txt

Scan type: Quick scan
Objects scanned: 110871
Time elapsed: 4 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#13 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:34 AM

Posted 10 April 2010 - 03:59 AM

Ok, now the rest please smile.gif
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#14 aninkling

aninkling
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 10 April 2010 - 10:25 AM

ESET Scanner Results: There were no found threats, so no export to do.

The log.txt file follows. For the future, note that ESET installs in the Program Files (x86) folder for 64 bit operating systems and Windows 7.

It might be important to point out the the user does not do email on the computer. It is done through yahoo. So it is possible that an external source is responsible for the emails. It is just extremely curious that the spammer is actually answering other people's complaints sent to this user. Yahoo support is a black hole, with no "face" to work with.


ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=cd9919cf09be924983771bc210d321f7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-09 04:47:41
# local_time=2010-04-09 12:47:41 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=512 16777215 100 0 77048 77048 0 0
# compatibility_mode=5891 16776573 100 100 0 10338252 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=124405
# found=0
# cleaned=0
# scan_time=5712



I'll rerun the OTL now.

#15 aninkling

aninkling
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 10 April 2010 - 10:31 AM

Note: I checked the "remove ESET" checkbox at the end of the run. The system said that the uninstaller was not installed correctly. It gave me the options to say it was installed correctly or to install using recommended installation. I chose the latter. The result was that ESET started going through the reinstall procedure. I suspect some work needs to be done with ESET to make it fully compatible with Windows 7 systems and/or 64 bit systems. If you want I'll take a few minutes to examine how it installs and what has to be done. I may or may not come up with something.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users