

Was Running the GMER rootkit and my computer went black



#1 timSIM

  • Members

Posted 22 June 2010 - 03:22 PM

I apologize for not being able to post my ddr or the other log files that are needed, but when I was 3 hours into the GMER rootkit my computer screen went black. I turned it off, let it sit, and tried restarting - I saw the first Dell start-up screen and then it went black again - I could tell the computer was still running because the monitor light was green.

When I first noticed that I was getting redirected / new browser windows would open with ads, I tried running Spybot S&D - it seemed OK for a day or two, then was acting up again. I ran Spybot again and it caught Virtumundo - I didn't feel confident in my ability to remove it on my own, so I began going through the Preparation Guide so I could post here and get some expert help.

I have no log files and a dead computer - any help would be greatly appreciated.



#2 extremeboy

  • Malware Response Team

Posted 22 June 2010 - 05:25 PM

Let's try this.

You will need a spare CD + USB/Removable drive for the procedures below...

First... we will require a blank writable CD and a USB to help recover your files and deal with the unbootable situation.

Please read here and download ImgBurn and install it as we will use that to burn a file onto your CD.
  • Download OTLPE Network from either location and save it to your desktop:

    http://oldtimer.geekstogo.com/OTLPENet.exe
    http://ottools.noahdfear.net/OTLPENet.exe

  • Double click the OTLPENet icon on your desktop
  • "Do you want to burn the CD?" choose Yes
  • ImgBurn will automatically extract and load the OTLPENet Iso to be burned to CD
  • Place a blank CD in your CD-Rom
  • Click to start the burn process
  • You will see a dialog "Operation successfully completed"
  • Boot the non-working computer using the boot CD you just created
  • In order to do so, the computer must be set to boot from the CD first. Unable to do this? Please read here.


  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start
  • Copy and Paste the following code into the textbox. Do not include the word "Code"

    Please note: Double click the Firefox Icon on the desktop to connect to this thread if you have a Wired connection otherwise you can use a flash drive and copy this script into a txt file from a clean computer to transfer to this computer.

    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  • Push
  • When finished, the file will be saved in drive C:\OTL.txt
  • Please post the contents of the C:\OTL.txt file in your next reply.
  • Copy this file to your USB drive if you do not have an internet connection.
You can also use your USB drive to copy the files you need from your computer onto the USB and then copy them to the working computer.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
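As an added example (not OTL's own code and not from anyone in this thread), the Python script below reads the O4 (Run key) and O17 (TCP/IP) lines of the OTL.txt that the script above produces, remaps the drive letter because under the boot CD the offline Windows volume often shows up as D: while the registry still says C: (so every entry reports "File not found" even when the file is on disk), and flags the two things an analyst looks at first. The sample lines, value names, paths and addresses are constructed to match OTL's layout, and the C: to D: mapping is an assumption you adjust to your own boot.

```python
"""Triage helper for OTL / OTLPE log lines (added example, not OTL's own code).
Parses the O4 (Run key) and O17 (TCP/IP) lines OTL writes, remaps the drive letter
the boot CD assigned to the offline Windows volume, and applies two analyst checks.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in OTL's layout; names, paths and addresses are made up.
SAMPLE_LOG = """\
O4 - HKLM..\\Run: [Adobe Reader Speed Launcher] C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe File not found
O4 - HKLM..\\Run: [Exampleloader] C:\\WINDOWS\\abcdefghij.DLL File not found
O4 - HKLM..\\Run: [nwiz] File not found
O4 - HKU\\user1_ON_D..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe File not found
O4 - HKU\\user1_ON_D..\\Run: [Sampleloader] C:\\WINDOWS\\xy12ab.DLL File not found
O4 - HKLM..\\RunOnceEx: [Register Tool.exe] D:\\Program Files\\Tool\\Tool.exe (Example Vendor)
O4 - Startup: Error locating startup folders.
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: DhcpNameServer = 10.1.1.10
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 192.0.2.10,192.0.2.11
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<rest>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): (?P<value>\w+) = (?P<data>.+)$")
MISSING = "File not found"

@dataclass
class AutorunEntry:
    hive: str             # HKLM or HKU\<user> exactly as OTL prints it
    key: str              # Run, RunOnce or RunOnceEx
    name: str             # registry value name
    path: Optional[str]   # target as stored in the registry; None for an empty value
    present: bool         # False when OTL reported "File not found"

def parse_o4(line: str) -> Optional[AutorunEntry]:
    """Parse one O4 line; None for O4 lines that are not Run-key entries."""
    m = O4_RE.match(line.rstrip())
    if not m:
        return None
    rest, present = m["rest"], True
    if rest.endswith(MISSING):
        present, rest = False, rest[: -len(MISSING)]
    else:
        rest = re.sub(r" \([^()]*\)$", "", rest)  # drop OTL's trailing "(Vendor)"
    return AutorunEntry(m["hive"], m["key"], m["name"], rest.strip() or None, present)

def remap_drive(path: Optional[str], drive_map: Dict[str, str]) -> Optional[str]:
    """Translate the drive letter the registry uses into the one the boot CD assigned."""
    if not path or len(path) < 2:
        return path
    return drive_map.get(path[:2].upper(), path[:2]) + path[2:]

def review_flags(entry: AutorunEntry, system_root: str = "C:\\WINDOWS") -> List[str]:
    """Analyst heuristics: a flag means 'look at this', not 'this is malware'."""
    if entry.path is None:
        return []
    parent, _, fname = entry.path.lower().rpartition("\\")
    flags = []
    if parent == system_root.lower() and fname.endswith(".dll"):
        flags.append("DLL loaded straight from the Windows directory")
    return flags

def unexpected_nameservers(lines: List[str]) -> List[str]:
    """Static NameServer entries that DHCP did not hand out (worth a second look)."""
    dhcp: List[str] = []
    static: List[str] = []
    for line in lines:
        m = O17_RE.match(line.rstrip())
        if m and m["value"] == "DhcpNameServer":
            dhcp = m["data"].split(",")
        elif m and m["value"] == "NameServer":
            static = m["data"].split(",")
    return [s for s in static if s not in dhcp]

def triage(text: str, drive_map: Dict[str, str]) -> dict:
    """Run every check over a log and summarise what to look at first."""
    lines = text.splitlines()
    entries = [e for e in map(parse_o4, lines) if e]
    flagged = {}
    for e in entries:
        flags = review_flags(e)
        if flags:
            flagged[e.name] = flags
    return {
        "entries": len(entries),
        "missing": sum(1 for e in entries if not e.present),
        "remapped": {e.name: remap_drive(e.path, drive_map) for e in entries if e.path},
        "flagged": flagged,
        "unexpected_dns": unexpected_nameservers(lines),
    }

if __name__ == "__main__":
    report = triage(SAMPLE_LOG, {"C:": "D:"})  # assumed: registry C: is D: under the boot CD
    print(f"{report['missing']}/{report['entries']} Run entries reported missing; "
          "check the drive mapping before reading that as deleted files")
    for name, flags in report["flagged"].items():
        print(f"  review [{name}]: {', '.join(flags)}")
    if report["unexpected_dns"]:
        print("  review DNS: static servers not from DHCP:", report["unexpected_dns"])
```

Run it over a real OTL.txt by passing its contents to `triage` and, once the remapped paths are known, verify on the mounted volume which "File not found" entries are really gone.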

#3 timSIM

  • Topic Starter
  • Members

Posted 23 June 2010 - 11:53 AM

extremeboy thank you for the quick response.

I was able to get as far as getting the reatogo-x-pe desktop to display. When I double clicked on the OTLPE icon I never received the prompts for "Do you wish to load remote user profile(s) for scanning" or "Automatically Load All Remaining Users". I had a window open up with the title "Browse for Folder". My options in this window were: My Computer, RAMDisk (B:), RECOVERY (C:), Local Disk (D:), ReatogoPE (X:), and Shared Documents. When I hit Cancel, a window opened titled "Run Scanner..." and said "No Windows Installations Found" - I clicked OK and nothing seemed to run.

I tried rebooting the computer from the disk in case something hadn't loaded properly but had the same result as the first time.

Thank you again.

#4 extremeboy

  • Malware Response Team

Posted 24 June 2010 - 12:44 PM

Select your D:\ drive, which is your Local Disk and which I believe is where your Windows was installed. Correct?

Try it again and see if it works.

Let me know.

#5 timSIM

  • Topic Starter
  • Members

Posted 24 June 2010 - 02:17 PM

I didn't realize this until I posted the contents of the OTL file - the computer is on a network - and I am not sure if it should be disconnected from the network when running the scan?

Since I don't know if it made a difference, I pasted into the post the OTL file from when I was still hooked up to the network; attached (OTL_offNetwork.txt) is the OTL file from when it was disconnected from the network.

Here is the OTL file hooked up to the network:

OTL logfile created on: 6/24/2010 4:09:59 PM - Run
OTLPE by OldTimer - Version 3.1.39.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 76.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 10.00 Gb Total Space | 6.93 Gb Free Space | 69.32% Space Free | Partition Type: NTFS
Drive D: | 64.45 Gb Total Space | 25.52 Gb Free Space | 39.60% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 433.24 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand] -- -- (WMPNetworkSvc)
SRV - File not found [Auto] -- -- (W3SVC)
SRV - File not found [On_Demand] -- -- (UPS)
SRV - File not found [Disabled] -- -- (TlntSvr)
SRV - File not found [On_Demand] -- -- (SysmonLog)
SRV - File not found [Auto] -- -- (Spooler)
SRV - File not found [Auto] -- -- (SMTPSVC) Simple Mail Transfer Protocol (SMTP)
SRV - File not found [On_Demand] -- -- (SCardSvr)
SRV - File not found [On_Demand] -- -- (RSVP)
SRV - File not found [On_Demand] -- -- (RpcLocator) Remote Procedure Call (RPC)
SRV - File not found [On_Demand] -- -- (RDSessMgr)
SRV - File not found [On_Demand] -- -- (ose)
SRV - File not found [Auto] -- -- (NVSvc)
SRV - File not found [Disabled] -- -- (NetTcpPortSharing)
SRV - File not found [Disabled] -- -- (NetDDEdsdm)
SRV - File not found [Disabled] -- -- (NetDDE)
SRV - File not found [Disabled] -- -- (msvsmon80)
SRV - File not found [On_Demand] -- -- (MSIServer)
SRV - File not found [On_Demand] -- -- (MSDTC)
SRV - File not found [On_Demand] -- -- (mnmsrvc)
SRV - File not found [Auto] -- -- (MDM)
SRV - File not found [Auto] -- -- (LogMeIn)
SRV - File not found [Auto] -- -- (LMIMaint)
SRV - File not found [Auto] -- -- (JavaQuickStarterService)
SRV - File not found [On_Demand] -- -- (iPod Service)
SRV - File not found [On_Demand] -- -- (ImapiService)
SRV - File not found [Auto] -- -- (IISADMIN)
SRV - File not found [On_Demand] -- -- (idsvc)
SRV - File not found [On_Demand] -- -- (gusvc)
SRV - File not found [Auto] -- -- (gupdate) Google Update Service (gupdate)
SRV - File not found [On_Demand] -- -- (FontCache3.0.0.0)
SRV - File not found [On_Demand] -- -- (FLEXnet Licensing Service)
SRV - File not found [On_Demand] -- -- (dmadmin)
SRV - File not found [Auto] -- -- (ColdFusion 8 Search Server)
SRV - File not found [On_Demand] -- -- (ColdFusion 8 ODBC Server)
SRV - File not found [On_Demand] -- -- (ColdFusion 8 ODBC Agent)
SRV - File not found [On_Demand] -- -- (ColdFusion 8 Application Server)
SRV - File not found [On_Demand] -- -- (clr_optimization_v2.0.50727_32)
SRV - File not found [Disabled] -- -- (ClipSrv)
SRV - File not found [On_Demand] -- -- (CiSvc)
SRV - File not found [Auto] -- -- (Bonjour Service)
SRV - File not found [On_Demand] -- -- (aspnet_state)
SRV - File not found [On_Demand] -- -- (ALG)
SRV - [2008/04/13 20:12:02 | 000,038,400 | ---- | M] (Microsoft Corporation) [Auto] -- D:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WudfRd)
DRV - File not found [Kernel | On_Demand] -- -- (WudfPf)
DRV - File not found [Kernel | On_Demand] -- -- (WSTCODEC)
DRV - File not found [Adapter | On_Demand] -- -- (Winsock)
DRV - File not found [Kernel | On_Demand] -- -- (wdmaud)
DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (usbvideo) USB Video Device (WDM)
DRV - File not found [Kernel | On_Demand] -- -- (USBSTOR)
DRV - File not found [Kernel | On_Demand] -- -- (usbaudio) USB Audio Driver (WDM)
DRV - File not found [Kernel | On_Demand] -- -- (Update)
DRV - File not found [Kernel | On_Demand] -- -- (TDTCP)
DRV - File not found [Kernel | On_Demand] -- -- (TDPIPE)
DRV - File not found [Kernel | On_Demand] -- -- (sysaudio)
DRV - File not found [Kernel | On_Demand] -- -- (swmidi)
DRV - File not found [Kernel | On_Demand] -- -- (streamip)
DRV - File not found [Kernel | On_Demand] -- -- (STHDA)
DRV - File not found [File_System | On_Demand] -- -- (Srv)
DRV - File not found [File_System | Boot] -- -- (sr)
DRV - File not found [Kernel | On_Demand] -- -- (splitter)
DRV - File not found [Kernel | On_Demand] -- -- (SONYPVU1) Sony USB Filter Driver (SONYPVU1)
DRV - File not found [Kernel | On_Demand] -- -- (SLIP)
DRV - File not found [Kernel | On_Demand] -- -- (Secdrv)
DRV - File not found [Kernel | System] -- -- (redbook)
DRV - File not found [Kernel | On_Demand] -- -- (RDPWD)
DRV - File not found [Kernel | System] -- -- (RDPCDD)
DRV - File not found [Kernel | On_Demand] -- -- (Raspti)
DRV - File not found [Kernel | On_Demand] -- -- (radpms)
DRV - File not found [Kernel | On_Demand] -- -- (QCPro) Logitech QuickCam Pro USB(PID_D001)
DRV - File not found [Kernel | Boot] -- -- (PxHelp20)
DRV - File not found [Kernel | On_Demand] -- -- (Ptilink)
DRV - File not found [Kernel | On_Demand] -- -- (PSched)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | Boot] -- -- (omeuqgr)
DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand] -- -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand] -- -- (nv)
DRV - File not found [Kernel | On_Demand] -- -- (NuidFltr)
DRV - File not found [Kernel | On_Demand] -- -- (Ndisuio)
DRV - File not found [Kernel | On_Demand] -- -- (NdisIP)
DRV - File not found [Kernel | On_Demand] -- -- (NABTSFEC)
DRV - File not found [File_System | On_Demand] -- -- (MRxDAV)
DRV - File not found [Kernel | On_Demand] -- -- (Modem)
DRV - File not found [Kernel | System] -- -- (mnmdd)
DRV - File not found [Kernel | On_Demand] -- -- (LVUVC) QuickCam Orbit/Sphere AF(UVC)
DRV - File not found [Kernel | On_Demand] -- -- (LVUSBSta)
DRV - File not found [Kernel | On_Demand] -- -- (lvselsus)
DRV - File not found [Kernel | On_Demand] -- -- (LVRS)
DRV - File not found [Kernel | On_Demand] -- -- (lvpopflt)
DRV - File not found [File_System | Auto] -- -- (LMIRfsDriver)
DRV - File not found [Kernel | On_Demand] -- -- (lmimirr)
DRV - File not found [Kernel | Auto] -- -- (LMIInfo)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | On_Demand] -- -- (kmixer)
DRV - File not found [Kernel | On_Demand] -- -- (KeyScrambler)
DRV - File not found [Kernel | On_Demand] -- -- (IRENUM)
DRV - File not found [Kernel | System] -- -- (IPSec)
DRV - File not found [Kernel | On_Demand] -- -- (IpNat)
DRV - File not found [Kernel | On_Demand] -- -- (IpInIp)
DRV - File not found [Kernel | On_Demand] -- -- (IpFilterDriver)
DRV - File not found [Kernel | On_Demand] -- -- (ip6fw)
DRV - File not found [Kernel | On_Demand] -- -- (HTTP)
DRV - File not found [Kernel | On_Demand] -- -- (HidBatt)
DRV - File not found [Kernel | On_Demand] -- -- (Gpc)
DRV - File not found [Kernel | On_Demand] -- -- (GEARAspiWDM)
DRV - File not found [Kernel | Boot] -- -- (Ftdisk)
DRV - File not found [Kernel | System] -- -- (Fips)
DRV - File not found [Kernel | On_Demand] -- -- (FilterService)
DRV - File not found [Kernel | On_Demand] -- -- (drmkaud)
DRV - File not found [Kernel | On_Demand] -- -- (DMusic)
DRV - File not found [Kernel | Boot] -- -- (dmload)
DRV - File not found [Kernel | Boot] -- -- (dmio)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - File not found [Kernel | System] -- -- (Cdaudio)
DRV - File not found [Kernel | On_Demand] -- -- (CCDECODE)
DRV - File not found [Kernel | System] -- -- (Beep)
DRV - File not found [Kernel | On_Demand] -- -- (b57w2k)
DRV - File not found [Kernel | On_Demand] -- -- (audstub)
DRV - File not found [Kernel | On_Demand] -- -- (Atmarpc)
DRV - File not found [Kernel | On_Demand] -- -- (aec)
DRV - [2006/11/02 05:50:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled] -- C:\Windows\System32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 05:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\Windows\System32\drivers\symc8xx.sys -- (symc8xx)
DRV - [2006/11/02 05:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\Windows\System32\drivers\sym_u3.sys -- (sym_u3)
DRV - [2006/11/02 05:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled] -- C:\Windows\System32\drivers\Mraid35x.sys -- (mraid35x)
DRV - [2006/11/02 05:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\Windows\System32\drivers\sym_hi.sys -- (sym_hi)
DRV - [2006/11/02 05:49:30 | 000,017,512 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled] -- C:\Windows\System32\drivers\viaide.sys -- (ViaIde)
DRV - [2006/11/02 05:49:28 | 000,016,488 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled] -- C:\Windows\System32\drivers\cmdide.sys -- (CmdIde)
DRV - [2006/11/02 05:49:20 | 000,014,952 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled] -- C:\Windows\System32\drivers\aliide.sys -- (AliIde)
DRV - [2006/11/02 05:46:05 | 000,105,984 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\Windows\System32\imapi.dll -- (Imapi)
DRV - [2006/11/02 03:30:53 | 000,045,056 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\Windows\System32\drivers\bcm4sbxp.sys -- (bcm4sbxp)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator.TRAINING-D521_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Administrator.TRAINING-D521_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\administrator_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\administrator_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\administrator_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 84 02 C0 D7 E2 C9 CA 01 [binary data]
IE - HKU\administrator_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\alan_ON_D\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
IE - HKU\alan_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sitepreview.us/
IE - HKU\alan_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\alan_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\forestt_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\forestt_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\forestt_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 19 66 20 91 81 7A CA 01 [binary data]
IE - HKU\forestt_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\kirk_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\kirk_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\kirk_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D2 DA 95 6B 7F 8D CA 01 [binary data]
IE - HKU\kirk_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\LocalService_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\luke_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.getsim.com/
IE - HKU\luke_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\NetworkService_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\tim_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\tim_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\tim_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\tim_ON_D\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 60 04 CA C0 AB D1 CA 01 [binary data]
IE - HKU\tim_ON_D\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF - HKLM\software\mozilla\Firefox\Extensions\\{B53E85E9-319C-4F66-919E-9196CEB0349C}: C:\Documents and Settings\tim\Local Settings\Application Data\{B53E85E9-319C-4F66-919E-9196CEB0349C}
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins


O1 HOSTS File: ([2006/09/18 17:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll File not found
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\Adobe Contribute CS3\contributeieplugin.dll File not found
O2 - BHO: (CKeyScramblerBHO Object) - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll File not found
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll File not found
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll File not found
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll File not found
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll File not found
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll File not found
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll File not found
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll File not found
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll File not found
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\Adobe Contribute CS3\contributeieplugin.dll File not found
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\Administrator.TRAINING-D521_ON_D\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll File not found
O3 - HKU\Administrator.TRAINING-D521_ON_D\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll File not found
O3 - HKU\administrator_ON_D\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll File not found
O3 - HKU\alan_ON_D\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll File not found
O3 - HKU\forestt_ON_D\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll File not found
O3 - HKU\kirk_ON_D\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll File not found
O3 - HKU\luke_ON_D\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll File not found
O3 - HKU\luke_ON_D\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll File not found
O3 - HKU\tim_ON_D\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll File not found
O3 - HKU\tim_ON_D\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll File not found
O4 - HKLM..\Run: [\\gateway-gt5056\EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe File not found
O4 - HKLM..\Run: [Exeburifumakul] C:\WINDOWS\okofogutudi.DLL File not found
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe File not found
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe File not found
O4 - HKLM..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL File not found
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL File not found
O4 - HKLM..\Run: [nwiz] File not found
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe File not found
O4 - HKLM..\Run: [SigmatelSysTrayApp] File not found
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe File not found
O4 - HKU\Administrator.TRAINING-D521_ON_D..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe File not found
O4 - HKU\Administrator.TRAINING-D521_ON_D..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe File not found
O4 - HKU\administrator_ON_D..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe File not found
O4 - HKU\alan_ON_D..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe File not found
O4 - HKU\alan_ON_D..\Run: [Google Update] C:\Documents and Settings\alan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe File not found
O4 - HKU\alan_ON_D..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe File not found
O4 - HKU\forestt_ON_D..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe File not found
O4 - HKU\kirk_ON_D..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe File not found
O4 - HKU\luke_ON_D..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe File not found
O4 - HKU\luke_ON_D..\Run: [MsnMsgr] C:\Program Files\MSN Messenger\MsnMsgr.Exe File not found
O4 - HKU\luke_ON_D..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe File not found
O4 - HKU\tim_ON_D..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe File not found
O4 - HKU\tim_ON_D..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe File not found
O4 - HKU\tim_ON_D..\Run: [Google Update] C:\Documents and Settings\tim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe File not found
O4 - HKU\tim_ON_D..\Run: [Pnujupoh] C:\WINDOWS\cr2fi32.DLL File not found
O4 - HKU\tim_ON_D..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe File not found
O4 - HKU\tim_ON_D..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe File not found
O4 - HKLM..\RunOnceEx: [Register Homesite+.exe] C:\Program Files\Macromedia\HomeSite+\Homesite+.exe File not found
O4 - Startup: Error locating startup folders.
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\Administrator.TRAINING-D521_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\administrator_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\alan_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\forestt_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\kirk_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\luke_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\tim_ON_D\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll File not found
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL File not found
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll File not found
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\System32\winrnr.dll File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\rsvpsp.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\rsvpsp.dll File not found
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1177799632126 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1177802694375 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.1.1.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = local.sim.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.54,93.188.161.184
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\System32\msvidctl.dll File not found
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll File not found
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll File not found
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll File not found
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll File not found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll File not found
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll File not found
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL File not found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll File not found
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll File not found
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll File not found
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll File not found
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL File not found
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL File not found
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL File not found
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL File not found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL File not found
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\System32\msvidctl.dll File not found
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\System32\wiascr.dll File not found
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - File not found
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - File not found
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - File not found
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - File not found
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - File not found
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\System32\dimsntfy.dll File not found
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - File not found
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - File not found
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - File not found
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - File not found
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - File not found
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - File not found
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - File not found
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - File not found
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\System32\stobject.dll File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\System32\webcheck.dll File not found
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\System32\WPDShServiceObj.dll File not found
O24 - Desktop WallPaper: C:\WINDOWS\web\wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\web\wallpaper\Bliss.bmp
O29 - HKLM SecurityProviders - (msapsspc.dll) - File not found
O29 - HKLM SecurityProviders - (digest.dll) - File not found
O29 - HKLM SecurityProviders - (msnsspc.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/04/28 18:09:33 | 000,000,000 | ---- | M] () - D:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: mshtosk - (C:\WINDOWS\system32\cmsthare.dll) - C:\WINDOWS\System32\cmsthare.dll File not found
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: helpsvc - D:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)


SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: dmadmin - File not found
SafeBootMin: dmboot.sys - File not found
SafeBootMin: dmio.sys - File not found
SafeBootMin: dmload.sys - File not found
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - D:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: sr.sys - File not found
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: dmadmin - File not found
SafeBootNet: dmboot.sys - File not found
SafeBootNet: dmio.sys - File not found
SafeBootNet: dmload.sys - File not found
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: HelpSvc - D:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SafeBootNet: ip6fw.sys - File not found
SafeBootNet: ipnat.sys - File not found
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: Ndisuio - File not found
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: nm - File not found
SafeBootNet: nm.sys - File not found
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: rdpcdd.sys - File not found
SafeBootNet: rdpdd.sys - File not found
SafeBootNet: rdpwd.sys - File not found
SafeBootNet: rdsessmgr - File not found
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: sr.sys - File not found
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: tdpipe.sys - File not found
SafeBootNet: tdtcp.sys - File not found
SafeBootNet: UploadMgr - Service
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Microsoft VM
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608555} - Internet Explorer Classes for Java
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Adobe Shockwave Director 10.2
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 10.2
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4d64f3ba-f112-4efe-a02e-96680859937c} - KB918899
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5b7bf89d-d196-4c32-a303-a57b8ab7f18d} - KB918439
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6969E3DC-E1C8-0A53-F175-5DEF0757AF6A} - Internet Explorer Version Update
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {D93F9C7C-AB57-44C8-BAD6-1494674BCAF7} - Microsoft Visual Studio 2005 Premier Partner Edition - ENU Service Pack 1 (KB926601)
ActiveX: {dd772a76-bef3-44d7-8b39-502c8504c1f1} - KB925486
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: {f15ee071-deb7-4cbb-951f-431c98338d8e} - KB911567
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: Microsoft Base Smart Card Crypto Provider Package -

Drivers32: aux - wdmaud.drv File not found
Drivers32: midi - wdmaud.drv File not found
Drivers32: midi1 - wdmaud.drv File not found
Drivers32: midimapper - midimap.dll File not found
Drivers32: mixer - wdmaud.drv File not found
Drivers32: mixer1 - wdmaud.drv File not found
Drivers32: msacm.imaadpcm - imaadp32.acm File not found
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm File not found
Drivers32: msacm.msadpcm - msadp32.acm File not found
Drivers32: msacm.msaudio1 - msaud32.acm File not found
Drivers32: msacm.msg711 - msg711.acm File not found
Drivers32: msacm.msg723 - msg723.acm File not found
Drivers32: msacm.msgsm610 - msgsm32.acm File not found
Drivers32: msacm.siren - sirenacm.dll File not found
Drivers32: msacm.sl_anet - sl_anet.acm File not found
Drivers32: msacm.trspch - tssoft32.acm File not found
Drivers32: msacm.voxacm160 - vct3216.acm File not found
Drivers32: MSVideo - vfwwdm32.dll File not found
Drivers32: MSVideo8 - VfWWDM32.dll File not found
Drivers32: vidc.cvid - iccvid.dll File not found
Drivers32: VIDC.I420 - msh263.drv File not found
Drivers32: vidc.iv31 - ir32_32.dll File not found
Drivers32: vidc.iv32 - ir32_32.dll File not found
Drivers32: VIDC.IYUV - iyuv_32.dll File not found
Drivers32: VIDC.JPGL - jpgl.dll File not found
Drivers32: vidc.M261 - msh261.drv File not found
Drivers32: vidc.M263 - msh263.drv File not found
Drivers32: vidc.mrle - msrle32.dll File not found
Drivers32: vidc.msvc - msvidc32.dll File not found
Drivers32: VIDC.UYVY - msyuv.dll File not found
Drivers32: VIDC.XFR1 - xfcodec.dll File not found
Drivers32: VIDC.YUY2 - msyuv.dll File not found
Drivers32: VIDC.YVU9 - tsbyuv.dll File not found
Drivers32: VIDC.YVYU - msyuv.dll File not found
Drivers32: wave - wdmaud.drv File not found
Drivers32: wave1 - wdmaud.drv File not found
Drivers32: wavemapper - msacm32.drv File not found

========== Files/Folders - Created Within 30 Days ==========


========== Files - Modified Within 30 Days ==========


========== Files Created - No Company Name ==========

[2006/11/17 14:22:49 | 000,000,053 | ---- | C] () -- C:\WINDOWS\System32\winpeshl.ini
[2006/11/02 07:31:53 | 000,262,144 | ---- | C] () -- C:\Windows\System32\config\systemprofile\ntuser.dat
[2006/11/02 07:31:53 | 000,001,024 | -H-- | C] () -- C:\Windows\System32\config\systemprofile\ntuser.dat.LOG
[2006/11/02 02:55:16 | 000,080,010 | ---- | C] () -- C:\WINDOWS\System32\manage-bde.ini.en

========== LOP Check ==========


========== Purity Check ==========



========== Custom Scans ==========


Invalid Environment Variable: %ALLUSERSPROFILE%\Application Data\*.

Invalid Environment Variable: %ALLUSERSPROFILE%\Application Data\*.exe

Invalid Environment Variable: %APPDATA%\*.

Invalid Environment Variable: %APPDATA%\*.exe

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2006/11/02 05:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\drivers\AGP440.sys
[2006/11/02 05:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2006/11/02 05:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\drivers\atapi.sys
[2006/11/02 05:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 05:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 05:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2006/11/02 05:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\drivers\iaStorV.sys
[2006/11/02 05:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2006/11/02 05:46:11 | 000,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\System32\netlogon.dll
[2006/11/02 05:46:11 | 000,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2006/11/02 05:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\drivers\nvstor.sys
[2006/11/02 05:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys

< MD5 for: SCECLI.DLL >
[2006/11/02 05:46:12 | 000,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\System32\scecli.dll
[2006/11/02 05:46:12 | 000,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll

< MD5 for: USERINIT.EXE >
[2006/11/02 05:45:50 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=22027835939F86C3E47AD8E3FBDE3D11 -- C:\Windows\System32\userinit.exe
[2006/11/02 05:45:50 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=22027835939F86C3E47AD8E3FBDE3D11 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6000.16386_none_d9f1f819d4c4e737\userinit.exe

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< CREATERESTOREPOINT >
< End of report >


Not sure if this is a concern or not: I initially tried to use a thumb drive to transfer the info into the OTL for running the scan, but I couldn't find the drive (tried both front and rear USB ports). I believe the drive was recognized in some way because I used the "Safely remove hardware" icon in the tray before removing the device. I don't think it is of the greatest concern, but I am trying to be as thorough as possible.

Thanks - I envy the knowledge of yourself and your co-workers.

Attached Files


Edited by timSIM, 24 June 2010 - 02:39 PM.
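A note on reading the log above before acting on it, together with an added check; neither the note nor the script is part of the thread or of OTL. The scan ran from the OTLPE boot CD, and in this log the XP files OTL did locate are on D:\WINDOWS (D:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll, D:\WINDOWS\network diagnostic\xpnetdiag.exe), while every "File not found" entry points at C:\WINDOWS, and C:\Windows carries WinPE markers (winpeshl.ini, winsxs component names at 6.0.6000). Most of the "File not found" flood is therefore a drive-letter shift in the offline scan, not deleted system files. The entries that cannot be explained that way are the ones to weigh: the O17 block, where a static NameServer of 93.188.162.54,93.188.161.184 overrides the DHCP-supplied 10.1.1.10 on a host in local.sim.com, and the O36 AppCertDlls entry that loads cmsthare.dll, a DLL name that is not a standard Windows component. The script below, written by the editor for this page, parses those line types from a constructed sample copied from the log and flags the conditions a helper would check first. The rogue-resolver list is an editor-supplied assumption (the netblocks published when the DNSChanger resolvers were taken down); a hit there is a lead to confirm with the tool's own follow-up scans, not a verdict the thread reaches.

```python
import ipaddress
import re

# Constructed sample: O17 and O36 lines in the shape OTL prints them, with the
# values copied from the log above. Editor addition, not code from OTL.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.1.1.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = local.sim.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.54,93.188.161.184
O36 - AppCertDlls: mshtosk - (C:\WINDOWS\system32\cmsthare.dll) - C:\WINDOWS\System32\cmsthare.dll File not found
"""

# Editor-supplied list (assumption, not from the thread): the resolver netblocks
# published at the DNSChanger/Rove Digital takedown. A hit is a lead, not a verdict.
ROGUE_NETS = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20",
)]

O17_RE = re.compile(r"^O17 - .*?: (?P<name>\w+) = (?P<value>.+)$")
O36_RE = re.compile(r"^O36 - AppCertDlls: (?P<name>\S+) - \((?P<path>[^)]+)\)")


def parse_o17(log):
    """Collect the Tcpip\\Parameters values OTL reports as O17 lines."""
    params = {}
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            params[m.group("name")] = m.group("value").strip()
    return params


def check_resolvers(params, rogue_nets=ROGUE_NETS):
    """Return (code, detail) findings about the configured DNS servers."""
    findings = []
    dhcp = params.get("DhcpNameServer", "").replace(",", " ").split()
    static = params.get("NameServer", "").replace(",", " ").split()
    # A static NameServer wins over DhcpNameServer; on a DHCP client that is
    # the hijack pattern unless an admin set it deliberately.
    if static and sorted(static) != sorted(dhcp):
        findings.append(("static-override", f"NameServer {static} overrides DHCP {dhcp}"))
    static_ips = []
    for s in static:
        try:
            static_ips.append(ipaddress.ip_address(s))
        except ValueError:
            findings.append(("unparseable", s))
    # A domain member normally resolves through its domain's DNS (here the
    # DHCP-supplied 10.1.1.10), not through public addresses.
    if params.get("Domain") and static_ips and all(ip.is_global for ip in static_ips):
        findings.append(("public-on-domain-host",
                         f"{params['Domain']} member resolving via public servers {static}"))
    for ip in static_ips:
        for net in rogue_nets:
            if ip in net:
                findings.append(("rogue-block", f"{ip} lies in {net}"))
    return findings


def check_appcertdlls(log):
    """Every AppCertDlls entry as (value name, DLL path, reported as missing?).

    AppCertDlls are loaded into any process that calls CreateProcess, so the key
    is normally empty on a stock install; anything listed needs a named owner."""
    hits = []
    for line in log.splitlines():
        m = O36_RE.match(line.strip())
        if m:
            hits.append((m.group("name"), m.group("path"), "File not found" in line))
    return hits


def triage(log):
    return {"dns": check_resolvers(parse_o17(log)), "appcertdlls": check_appcertdlls(log)}


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("  ", item)
```

Run it against a full OTL log by reading the file into `triage()`; the O17 and O36 regexes ignore every other line type, so the rest of the log does not need cleaning first. A "File not found" flag on an AppCertDlls entry is still worth acting on: the registry value survives even when the DLL has been removed, and it loads again the moment a file with that name reappears.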


#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:37 PM

Posted 26 June 2010 - 11:53 AM

Hello.

Does your computer just show a black screen once you turn it on? Does Safe Mode work at all? Do you have your Windows Disk with you still (Windows XP)?

How to Boot into Safe Mode

I suggest you read over the instructions on how to boot into Safe Mode and then print these instructions out or save them in Notepad because you won't have access to this page while in Safe Mode.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until the boot menu appears.
  • Use your arrow keys to navigate and highlight Safe Mode.
  • Hit Enter.
  • You will now be asked to choose your operating system. Again, use the arrow keys to select Microsoft Windows XP.
  • Hit Enter.
Your computer will proceed to booting into Safe Mode. During the boot process, you may see random code go past your screen. Simply wait for it to pass. Your computer should boot like usual, except with Safe Mode written in the corners of your screen. Your screen may also appear to be a different size because the video drivers are not loaded properly in Safe Mode.

After the boot, you will be asked whether you wish to use system restore, or to continue to Safe Mode. Select OK to choose Safe mode.


---

Then could you run OTL PE again and copy this into the Custom scan area and do another scan.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi /s

I see a lot of services/files missing, which doesn't seem good at all.

Let me know.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
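The custom scan requested above targets the atapi service key, and the log earlier in the thread already carries OTL's "< MD5 for: NAME >" sections, which hash every copy of a named driver so that a modified copy in system32\drivers stands out against the backup copies. In that log the section hashes files under C:\Windows, which is the boot CD's WinPE image (winpeshl.ini is present and the winsxs component names carry 6.0.6000), so it says nothing about the XP install on D:\. The script below is an editor addition, not OTL's code or anything posted in the thread: it parses MD5 sections, reports any section with no copy under the Windows directory you actually care about, and flags sections whose copies disagree, naming the minority copy. The ATAPI.SYS lines are copied from the log; the EXAMPLE.SYS section and its hash values are constructed placeholders that exist only to exercise the mismatch path.

```python
import re

# Constructed sample in the shape of OTL's "< MD5 for: NAME >" custom-scan
# output. The ATAPI.SYS lines are copied from the log in this thread; EXAMPLE.SYS
# and its hash values are placeholders made up to exercise the mismatch path.
# Editor addition, not code from OTL or from the thread.
SAMPLE_MD5_SECTIONS = r"""
< MD5 for: ATAPI.SYS >
[2006/11/02 05:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\drivers\atapi.sys
[2006/11/02 05:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys

< MD5 for: EXAMPLE.SYS >
[2008/04/13 13:40:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000001 -- D:\WINDOWS\system32\drivers\example.sys
[2008/04/13 13:40:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000002 -- D:\WINDOWS\ServicePackFiles\i386\example.sys
[2008/04/13 13:40:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000002 -- D:\WINDOWS\system32\dllcache\example.sys
"""

HEADER_RE = re.compile(r"^< MD5 for: (?P<name>.+?) >$")
ENTRY_RE = re.compile(
    r"^\[(?P<mtime>[^|]+)\| (?P<size>[\d,]+) \|[^\]]*\] \((?P<company>[^)]*)\) "
    r"MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)


def parse_md5_sections(text):
    """Map each section name (upper-cased) to its list of file entries."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            current = h.group("name").upper()
            sections.setdefault(current, [])
            continue
        e = ENTRY_RE.match(line)
        if e and current is not None:
            sections[current].append({
                "md5": e.group("md5").upper(),
                "path": e.group("path").strip(),
                "company": e.group("company").strip(),
                "size": e.group("size"),
            })
    return sections


def check_md5_sections(sections, system_root):
    """Return (name, code, detail) findings for the Windows install at system_root."""
    root = system_root.lower().rstrip("\\") + "\\"
    findings = []
    for name, entries in sections.items():
        on_target = [e for e in entries if e["path"].lower().startswith(root)]
        if not on_target:
            # Hashes of files on some other volume (e.g. the boot CD's own
            # Windows) tell you nothing about the install being cleaned.
            findings.append((name, "not-from-target",
                             f"no copy under {system_root}; these hashes describe another Windows"))
            continue
        by_hash = {}
        for e in entries:
            by_hash.setdefault(e["md5"], []).append(e["path"])
        if len(by_hash) > 1:
            # The copy that disagrees with the others is the one to pull and inspect.
            minority = min(by_hash.values(), key=len)
            findings.append((name, "hash-mismatch",
                             f"{len(by_hash)} distinct hashes; minority copy: {', '.join(minority)}"))
    return findings


if __name__ == "__main__":
    for finding in check_md5_sections(parse_md5_sections(SAMPLE_MD5_SECTIONS), r"D:\WINDOWS"):
        print(finding)
```

Pass the Windows directory of the offline install as `system_root` (D:\WINDOWS for the first log in this thread, C:\WINDOWS for the second), since OTLPE's drive letters move between boots. Agreement among all copies is not proof of a clean file, because an infector that also patches the dllcache and ServicePackFiles copies would pass this check; disagreement, though, is a concrete reason to pull the minority copy for inspection.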

#7 timSIM

timSIM
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:37 PM

Posted 28 June 2010 - 10:36 AM

Note: I ran the scan before letting the computer boot as normal.

• XP loaded with no issues - last week all I got was a black screen, not even an XP intro screen
• my username and password were both valid (see below)
• tried running several programs and opening files and everything seemed to run as expected.
• I am very confused about this


Not sure if this is an important piece of information or not, but when I was logging on to the computer in safe mode my personal UN and PW were invalid, the current administrator UN and PW were invalid, but I was able to log in using the previous (original) user name and password for the administrator account.



Here is the OTL log file:


OTL logfile created on: 6/28/2010 12:15:56 PM - Run
OTLPE by OldTimer - Version 3.1.39.0 Folder = E:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 78.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 64.45 Gb Total Space | 25.52 Gb Free Space | 39.60% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.93 Gb Free Space | 69.32% Space Free | Partition Type: NTFS
Drive E: | 433.24 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ALAN
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - [2010/06/28 12:15:57 | 000,772,096 | ---- | M] () [Unknown (-1)] -- C:\WINDOWS\system32\drivers\omeuqgr.sys -- (omeuqgr)
SRV - [2010/06/09 11:01:11 | 000,116,104 | ---- | M] (LogMeIn, Inc.) [Auto] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
SRV - [2008/08/11 12:41:00 | 000,063,040 | ---- | M] (LogMeIn, Inc.) [Auto] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2008/05/06 16:42:45 | 000,696,320 | ---- | M] () [On_Demand] -- C:\ColdFusion8\db\slserver54\bin\swagent.exe -- (ColdFusion 8 ODBC Agent)
SRV - [2008/05/06 16:42:45 | 000,114,688 | ---- | M] () [On_Demand] -- C:\ColdFusion8\db\slserver54\bin\swstrtr.exe -- (ColdFusion 8 ODBC Server)
SRV - [2008/04/13 19:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (W3SVC)
SRV - [2008/04/13 19:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transfer Protocol (SMTP)
SRV - [2008/04/13 19:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2008/03/18 04:11:40 | 000,065,536 | ---- | M] (Macromedia Inc.) [On_Demand] -- C:\ColdFusion8\runtime\bin\jrunsvc.exe -- (ColdFusion 8 Application Server)
SRV - [2008/03/12 04:19:55 | 002,743,056 | ---- | M] (Verity, Inc.) [Auto] -- C:\ColdFusion8\verity\k2\_nti40\bin\k2admin.exe -- (ColdFusion 8 Search Server)
SRV - [2007/05/15 18:09:30 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2006/12/02 06:17:54 | 002,805,000 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe -- (msvsmon80)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand] -- -- (LVUSBSta)
DRV - File not found [Kernel | On_Demand] -- -- (lvselsus)
DRV - File not found [Kernel | On_Demand] -- -- (LVRS)
DRV - File not found [Kernel | On_Demand] -- -- (lvpopflt)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand] -- -- (FilterService)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - File not found [Kernel | System] -- -- (AmdK8)
DRV - [2010/06/28 12:16:02 | 000,772,096 | ---- | M] () [Unknown (-1) | Unknown (-1)] -- C:\WINDOWS\system32\drivers\omeuqgr.sys -- (omeuqgr)
DRV - [2010/06/09 11:00:56 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled] -- C:\WINDOWS\system32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2009/05/09 02:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2008/08/11 12:41:00 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2008/08/11 12:41:00 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2008/04/13 13:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 13:36:38 | 000,020,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hidbatt.sys -- (HidBatt)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/03/22 16:37:20 | 000,113,896 | ---- | M] (QFX Software Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\keyscrambler.sys -- (KeyScrambler)
DRV - [2007/12/07 16:59:01 | 000,000,000 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\lvuvc.hs -- (LVUVC) QuickCam Orbit/Sphere AF(UVC)
DRV - [2007/08/03 16:04:42 | 000,012,192 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\radpms.sys -- (radpms)
DRV - [2006/08/23 14:12:38 | 003,959,712 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/07/27 14:24:28 | 001,171,464 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/05/17 11:03:24 | 000,044,544 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2002/06/10 15:24:12 | 000,116,480 | ---- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\p35u.sys -- (QCPro) Logitech QuickCam Pro USB(PID_D001)
DRV - [2001/08/17 12:11:30 | 000,096,640 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-854245398-1614895754-725345543-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-854245398-1614895754-725345543-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{B53E85E9-319C-4F66-919E-9196CEB0349C}: C:\Documents and Settings\tim\Local Settings\Application Data\{B53E85E9-319C-4F66-919E-9196CEB0349C} [2010/06/22 14:43:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/22 09:55:08 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/05 11:10:09 | 000,000,000 | ---D | M]

[2010/06/21 12:34:06 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/11/01 15:10:19 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBA}
[2007/12/19 07:57:38 | 000,310,272 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

O1 HOSTS File: ([2010/06/18 16:02:38 | 000,408,449 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 14126 more lines...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O2 - BHO: (CKeyScramblerBHO Object) - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll (QFX Software Corporation)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-854245398-1614895754-725345543-500\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-854245398-1614895754-725345543-500\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [\\gateway-gt5056\EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Exeburifumakul] C:\WINDOWS\okofogutudi.DLL (Sonic Solutions)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKU\S-1-5-21-854245398-1614895754-725345543-500..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKLM..\RunOnceEx: [Register Homesite+.exe] C:\Program Files\Macromedia\HomeSite+\Homesite+.exe (Macromedia, Inc.)
O4 - Startup: Error locating startup folders.
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-854245398-1614895754-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra 'Tools' menuitem : &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll (QFX Software Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1177799632126 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1177802694375 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.1.1.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = local.sim.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.54,93.188.161.184
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/04/28 17:09:33 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\reatogoMenu.exe -- [2005/07/16 16:36:50 | 000,240,128 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: mshtosk - (C:\WINDOWS\system32\cmsthare.dll) - C:\WINDOWS\system32\cmsthare.dll ()
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/28 12:07:11 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator.TRAINING-D521\IETldCache
[2010/06/23 12:51:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/06/18 14:42:43 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/06/18 10:28:14 | 000,113,896 | ---- | C] (QFX Software Corporation) -- C:\WINDOWS\System32\drivers\keyscrambler.sys
[2010/06/18 10:28:14 | 000,000,000 | ---D | C] -- C:\Program Files\KeyScrambler
[2010/06/11 03:11:52 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/06/10 13:57:25 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/28 12:18:19 | 000,772,096 | ---- | M] () -- C:\WINDOWS\System32\drivers\omeuqgr.sys
[2010/06/28 12:14:07 | 005,505,024 | ---- | M] () -- C:\Documents and Settings\Administrator.TRAINING-D521\NTUSER.DAT
[2010/06/28 12:06:47 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/28 11:19:23 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/23 12:52:49 | 000,081,191 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/06/23 11:55:33 | 000,229,376 | -H-- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2010/06/23 11:55:12 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/23 11:55:08 | 000,000,876 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/06/23 11:55:08 | 000,000,310 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize.job
[2010/06/23 11:55:08 | 000,000,276 | -H-- | M] () -- C:\WINDOWS\tasks\1ab71244.job
[2010/06/23 11:54:49 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Wqoviyukeb.bin
[2010/06/22 14:29:05 | 000,000,970 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3912539972-3878348150-522810629-1161UA.job
[2010/06/22 14:26:00 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/06/22 14:03:21 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3912539972-3878348150-522810629-1181UA.job
[2010/06/22 13:29:00 | 000,000,918 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3912539972-3878348150-522810629-1161Core.job
[2010/06/22 12:02:26 | 000,050,176 | ---- | M] () -- C:\WINDOWS\System32\ernel32.dll
[2010/06/21 16:02:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3912539972-3878348150-522810629-1181Core.job
[2010/06/21 13:54:44 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Mhihex.dat
[2010/06/18 16:02:38 | 000,408,449 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/06/18 15:47:15 | 000,000,088 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/06/17 07:21:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/06/16 10:31:43 | 000,046,592 | -H-- | M] () -- C:\WINDOWS\System32\cmsthare.dll
[2010/06/11 11:34:27 | 000,599,202 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/11 11:34:27 | 000,499,738 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/11 11:34:27 | 000,090,358 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/11 03:32:46 | 001,739,112 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/11 03:15:14 | 000,000,644 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/11 03:14:10 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/11 03:12:27 | 000,000,063 | ---- | M] () -- C:\WINDOWS\vbaddin.ini
[2010/06/09 11:42:29 | 000,063,864 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/06/09 11:00:56 | 000,083,360 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIRfsClientNP.dll
[2010/06/09 11:00:55 | 000,029,568 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIport.dll
[2010/06/09 11:00:54 | 000,087,424 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIinit.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/22 09:42:05 | 000,050,176 | ---- | C] () -- C:\WINDOWS\System32\ernel32.dll
[2010/06/22 09:42:03 | 000,000,276 | -H-- | C] () -- C:\WINDOWS\tasks\1ab71244.job
[2010/06/18 15:47:15 | 000,000,088 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/06/16 10:33:46 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Mhihex.dat
[2010/06/16 10:33:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Wqoviyukeb.bin
[2010/06/16 10:31:56 | 000,772,096 | ---- | C] () -- C:\WINDOWS\System32\drivers\omeuqgr.sys
[2010/06/16 10:31:43 | 000,046,592 | -H-- | C] () -- C:\WINDOWS\System32\cmsthare.dll
[2010/04/01 10:19:58 | 000,777,728 | ---- | C] () -- C:\WINDOWS\System32\SSLSVC.DLL
[2010/04/01 10:19:58 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\xmltok.dll
[2010/04/01 10:19:58 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\cfmsg.dll
[2010/04/01 10:19:58 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\xmlparse.dll
[2010/04/01 10:19:56 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\lang_cfml.dll
[2010/04/01 10:19:56 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\xml_datagrove.dll
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/02/26 13:46:50 | 000,042,320 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll
[2007/11/12 17:57:22 | 000,000,768 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2007/05/15 18:18:39 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2007/04/30 14:11:56 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Administrator.TRAINING-D521\ntuser.ini
[2007/04/30 14:11:55 | 005,505,024 | ---- | C] () -- C:\Documents and Settings\Administrator.TRAINING-D521\NTUSER.DAT
[2007/04/30 14:11:55 | 000,110,592 | -H-- | C] () -- C:\Documents and Settings\Administrator.TRAINING-D521\ntuser.dat.LOG
[2007/04/28 20:58:39 | 000,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2007/04/28 20:58:39 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2007/04/28 20:58:25 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2007/04/28 20:58:24 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2007/04/28 20:58:21 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2007/04/28 20:18:12 | 000,000,463 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/04/28 18:23:02 | 000,262,144 | ---- | C] () -- C:\WINDOWS\system32\config\systemprofile\ntuser.dat
[2007/04/28 18:23:02 | 000,001,024 | -H-- | C] () -- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
[2007/04/28 17:26:20 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/04/28 17:26:20 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/04/28 17:26:19 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/04/28 17:26:19 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2007/04/28 17:26:19 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/04/28 17:26:19 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/04/28 17:26:18 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2007/04/28 17:12:12 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\NetworkService\ntuser.ini
[2007/04/28 17:12:11 | 000,229,376 | -H-- | C] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2007/04/28 17:12:11 | 000,016,384 | -H-- | C] () -- C:\Documents and Settings\NetworkService\ntuser.dat.LOG
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2010/06/23 11:55:08 | 000,000,276 | -H-- | M] () -- C:\WINDOWS\Tasks\1ab71244.job
[2010/06/23 11:55:08 | 000,000,310 | ---- | M] () -- C:\WINDOWS\Tasks\GlaryInitialize.job

========== Purity Check ==========



========== Custom Scans ==========


< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi /s >
"ErrorControl" = 1
"Group" = SCSI miniport
"Start" = 0
"Tag" = 25
"Type" = 1
"DisplayName" = Standard IDE/ESDI Hard Disk Controller
"ImagePath" = System32\DRIVERS\atapi.sys -- [2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi\Parameters]
"LegacyDetection" = 1
"GhostSlave" = SunDisk [binary data]
"UseCheckPowerForFlush" = [Binary data over 100 bytes]
"NoFlushDevice" = [Binary data over 100 bytes]
"PioOnlyDevice" = [Binary data over 100 bytes]
"NonRemovableMedia" = [Binary data over 100 bytes]
"NoPowerDownDevice" = [Binary data over 100 bytes]
"AutoEjectZipDevice" = [Binary data over 100 bytes]
"NeedIdentDevice" = QUANTUM FIREBALL [binary data]
"DefaultPioAtapiDevice" = TORiSAN DVD-ROM DRD-N216IDE-CD R/RW 2x2x24 [binary data]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi\Enum]
"0" = PCIIDE\IDEChannel\4&21479b0c&0&0
"Count" = 4
"NextInstance" = 4
"1" = PCIIDE\IDEChannel\4&21479b0c&0&1
"2" = PCIIDE\IDEChannel\4&2ad8a30a&0&0
"3" = PCIIDE\IDEChannel\4&2ad8a30a&0&1
< End of report >




#8 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 28 June 2010 - 10:46 AM

So to get this clear, you are now ABLE to boot into Windows properly?
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 timSIM
  • Topic Starter
  • Members
  • 13 posts

Posted 28 June 2010 - 10:52 AM

Yes, it booted properly - it makes no sense to me.

#10 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 28 June 2010 - 11:00 AM

Hello.

Okay, as long as it's booted up properly that's good news, and now we will run a different tool to take a look at your system.

Please first run DDS for me...

Download and run OTL
  1. Download OTL by OldTimer and save it to your desktop.
  2. Double click on the icon on your desktop. If you are using Vista, please right-click and select run as administrator
  3. Click the "Scan All Users" checkbox.
  4. Push the button.
  5. It will now begin to scan, please be patient while it scans.
  6. Two reports will open once it's done.
  7. Please copy and paste them in your next reply:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized



#11 timSIM
  • Topic Starter
  • Members
  • 13 posts

Posted 28 June 2010 - 11:26 AM

Rebooted the computer (I've been keeping it off and disconnected from the outside world) - no issues
opened firefox - no issues
went to bleepingcomputer and pop-ups were appearing.

Window 1:
A username and password is needed for ad2.netshelter.net happened 8 times as your site was loading (I clicked cancel)

Window 2:
same as above with the address track.netshelter.net (clicked cancel again)

Window 3:
(XP pop-up window) Data Execution Prevention

To Protect your computer windows has closed this program.

Name: Windows Explorer
Publisher: Microsoft

Window 4:
Explorer.exe application error
The instruction at "0x71ab2a6f" referenced memory at "0x71ab2a6f" the memory could not be written
Click OK to Terminate
Click Cancel to Debug

As I was typing the stuff above these two came up

• I also received a pop-up from Log Me In Guardian that there is an error with the application on that computer should I send an error report?

• Authentication pop up like the ones above address: ftp.halifax.rwth-aachen.de (have not hit cancel yet because of concerns about the Data Execution Prevention Window)


I have left the computer on with all of the pop-ups up waiting to see how I should proceed. - I am currently on a different machine.

Thx

#12 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 28 June 2010 - 07:33 PM

Hello.

Okay, let's deal with some of this stuff outside the Operating System.

Please boot back to the OTLPE environment and in the custom scan/fixes box, please copy and paste the following into it. I suggest you save it into a text document and then transfer it onto your USB and then copy and paste it there so you have access in the OTLPE environment.

CODE
:services
omeuqgr
:files
C:\WINDOWS\system32\drivers\omeuqgr.sys
C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GlaryInitialize.job
C:\WINDOWS\tasks\1ab71244.job
C:\WINDOWS\Wqoviyukeb.bin
C:\WINDOWS\Mhihex.dat
C:\WINDOWS\System32\ernel32.dll
:OTL
SRV - [2010/06/28 12:15:57 | 000,772,096 | ---- | M] () [Unknown (-1)] -- C:\WINDOWS\system32\drivers\omeuqgr.sys -- (omeuqgr)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.54,93.188.161.184
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKLM..\Run: [Exeburifumakul] C:\WINDOWS\okofogutudi.DLL (Sonic Solutions)
O36 - AppCertDlls: mshtosk - (C:\WINDOWS\system32\cmsthare.dll) - C:\WINDOWS\system32\cmsthare.dll ()


Then click the Run Fix button and let it fix.

Once done, save the log onto your USB and then transfer it to your other working machine and post the log for me to see.

Boot back to Normal mode and let me know if you can download that OTL program now.

Edited by extremeboy, 28 June 2010 - 07:34 PM.

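The fix list above is built from a handful of OTL-log tells: a service and driver with no company name and an "Unknown" start type, a Run entry loading a DLL straight out of C:\WINDOWS, an AppCertDlls entry, a static NameServer that differs from the DHCP-assigned one, and new hidden or look-alike files ("ernel32.dll") in System32. As an added example (not OTL's code and not anything the analyst posted), the following script encodes those heuristics and runs them over lines copied from the report; the regexes, the "one character dropped" rule and the list of mimicked system files are assumptions of the example, and a hit only means "look closer".

```python
"""Triage helper for OTL / OTLPE report lines (added example, not part of OTL).

Heuristics mirror the analyst's fix list: services or drivers with no company
name or an unknown start type, any AppCertDlls entry, Run entries loading a
DLL from the Windows root, a static NameServer that overrides DHCP DNS, and
new files that are hidden and unsigned or one character away from a system DLL.
"""
import ipaddress
import re
from collections import namedtuple
from pathlib import PureWindowsPath

Finding = namedtuple("Finding", "rule subject detail")

# Constructed sample: lines copied from the report in this thread (the ones the
# analyst targeted) mixed with benign lines from the same report for contrast.
SAMPLE_LOG = r"""
SRV - [2010/06/28 12:15:57 | 000,772,096 | ---- | M] () [Unknown (-1)] -- C:\WINDOWS\system32\drivers\omeuqgr.sys -- (omeuqgr)
SRV - [2008/08/11 12:41:00 | 000,063,040 | ---- | M] (LogMeIn, Inc.) [Auto] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
DRV - [2010/06/28 12:16:02 | 000,772,096 | ---- | M] () [Unknown (-1) | Unknown (-1)] -- C:\WINDOWS\system32\drivers\omeuqgr.sys -- (omeuqgr)
DRV - [2008/04/13 13:36:38 | 000,020,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hidbatt.sys -- (HidBatt)
O4 - HKLM..\Run: [Exeburifumakul] C:\WINDOWS\okofogutudi.DLL (Sonic Solutions)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.1.1.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.54,93.188.161.184
O36 - AppCertDlls: mshtosk - (C:\WINDOWS\system32\cmsthare.dll) - C:\WINDOWS\system32\cmsthare.dll ()
[2010/06/22 09:42:05 | 000,050,176 | ---- | C] () -- C:\WINDOWS\System32\ernel32.dll
[2010/06/16 10:31:43 | 000,046,592 | -H-- | C] () -- C:\WINDOWS\System32\cmsthare.dll
[2007/04/28 17:26:18 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
"""

# Regexes are assumptions about the OTL line layout seen in this report.
SVC_RE = re.compile(r"^(SRV|DRV) - \[[^\]]*\] \((?P<company>[^)]*)\) \[(?P<start>[^\]]*)\]"
                    r" -- (?P<path>.*?) -- \((?P<name>[^)]*)\)")
RUN_RE = re.compile(r"^O4 - .*?\.\.\\Run: \[(?P<entry>[^\]]*)\] (?P<path>.*?) \((?P<company>[^)]*)\)$")
DNS_RE = re.compile(r"^O17 - .*Tcpip\\Parameters: (?P<key>\w+) = (?P<val>.+)$")
APPCERT_RE = re.compile(r"^O36 - AppCertDlls: (?P<name>\S+) - \([^)]*\) - (?P<path>.*?) \((?P<company>[^)]*)\)$")
FILE_RE = re.compile(r"^\[[^|]* \| [^|]* \| (?P<attr>[^|]*) \| [CM]\] \((?P<company>[^)]*)\) -- (?P<path>.+)$")

# Names malware likes to mimic (assumed list); "ernel32.dll" is kernel32.dll minus one char.
KNOWN_SYSTEM_FILES = ("kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "ntoskrnl.exe")


def lookalike(name):
    """Return the system file `name` mimics by dropping exactly one character, else None."""
    for known in KNOWN_SYSTEM_FILES:
        if len(name) == len(known) - 1 and any(known[:i] + known[i + 1:] == name for i in range(len(known))):
            return known
    return None


def scan(text):
    """Return a Finding for every OTL line in `text` that trips one of the heuristics."""
    findings, dhcp_dns, static_dns = [], set(), []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SVC_RE.match(line):
            reasons = [why for why, bad in (("no company name", not m["company"]),
                                            ("unknown start type", "Unknown" in m["start"])) if bad]
            if reasons:
                findings.append(Finding("service", m["name"], "; ".join(reasons) + ": " + m["path"]))
        elif m := RUN_RE.match(line):
            p = PureWindowsPath(m["path"])
            # Normal Run targets live in Program Files or System32; a DLL sitting
            # directly under C:\WINDOWS (parts == drive, WINDOWS, file) is the pattern here.
            if len(p.parts) == 3 and p.parts[1].lower() == "windows" and p.suffix.lower() == ".dll":
                findings.append(Finding("autorun", m["entry"], "DLL run from the Windows root: " + m["path"]))
        elif m := DNS_RE.match(line):
            addrs = [a.strip() for a in m["val"].split(",")]
            if m["key"] == "DhcpNameServer":
                dhcp_dns.update(addrs)
            elif m["key"] == "NameServer":
                static_dns.extend(addrs)
        elif m := APPCERT_RE.match(line):
            detail = "AppCertDlls entries load into every newly created process"
            if not m["company"]:
                detail += "; no company name"
            findings.append(Finding("appcertdll", m["name"], detail + ": " + m["path"]))
        elif m := FILE_RE.match(line):
            name = PureWindowsPath(m["path"]).name.lower()
            if mimicked := lookalike(name):
                findings.append(Finding("file", name, "one character away from " + mimicked))
            elif not m["company"] and "H" in m["attr"]:
                findings.append(Finding("file", name, "hidden and no company name: " + m["path"]))
    # A static NameServer the DHCP server never handed out is the classic DNS-hijack sign.
    for addr in static_dns:
        if addr not in dhcp_dns:
            scope = "public" if ipaddress.ip_address(addr).is_global else "private"
            findings.append(Finding("dns", addr, f"static {scope} NameServer overrides DHCP {sorted(dhcp_dns)}"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.rule:10} {f.subject:16} {f.detail}")
```

Running it prints eight findings for the sample (both omeuqgr entries, Exeburifumakul, mshtosk, ernel32.dll, cmsthare.dll and the two static DNS servers) and stays silent on the LogMeIn, HidBatt, NvCplDaemon and nvapi.dll lines.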

#13 timSIM
  • Topic Starter
  • Members
  • 13 posts

Posted 29 June 2010 - 11:21 AM

I was able to run the fix from the OTLPE environment successfully and was able to download the OTL and also run that successfully in the XP environment. All log files will be labeled accordingly.

Nothing too bad for pop-ups, just the ad1.netshelter and track.netshelter like I had mentioned before; I did have a new window open without my knowledge (ironically it was for a horoscope).

OTL Log file from the OTLPE environment:
OTL logfile created on: 6/28/2010 12:15:56 PM - Run
OTLPE by OldTimer - Version 3.1.39.0 Folder = E:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 78.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 64.45 Gb Total Space | 25.52 Gb Free Space | 39.60% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.93 Gb Free Space | 69.32% Space Free | Partition Type: NTFS
Drive E: | 433.24 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ALAN
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - [2010/06/28 12:15:57 | 000,772,096 | ---- | M] () [Unknown (-1)] -- C:\WINDOWS\system32\drivers\omeuqgr.sys -- (omeuqgr)
SRV - [2010/06/09 11:01:11 | 000,116,104 | ---- | M] (LogMeIn, Inc.) [Auto] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
SRV - [2008/08/11 12:41:00 | 000,063,040 | ---- | M] (LogMeIn, Inc.) [Auto] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2008/05/06 16:42:45 | 000,696,320 | ---- | M] () [On_Demand] -- C:\ColdFusion8\db\slserver54\bin\swagent.exe -- (ColdFusion 8 ODBC Agent)
SRV - [2008/05/06 16:42:45 | 000,114,688 | ---- | M] () [On_Demand] -- C:\ColdFusion8\db\slserver54\bin\swstrtr.exe -- (ColdFusion 8 ODBC Server)
SRV - [2008/04/13 19:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (W3SVC)
SRV - [2008/04/13 19:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transfer Protocol (SMTP)
SRV - [2008/04/13 19:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2008/03/18 04:11:40 | 000,065,536 | ---- | M] (Macromedia Inc.) [On_Demand] -- C:\ColdFusion8\runtime\bin\jrunsvc.exe -- (ColdFusion 8 Application Server)
SRV - [2008/03/12 04:19:55 | 002,743,056 | ---- | M] (Verity, Inc.) [Auto] -- C:\ColdFusion8\verity\k2\_nti40\bin\k2admin.exe -- (ColdFusion 8 Search Server)
SRV - [2007/05/15 18:09:30 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2006/12/02 06:17:54 | 002,805,000 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe -- (msvsmon80)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand] -- -- (LVUSBSta)
DRV - File not found [Kernel | On_Demand] -- -- (lvselsus)
DRV - File not found [Kernel | On_Demand] -- -- (LVRS)
DRV - File not found [Kernel | On_Demand] -- -- (lvpopflt)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand] -- -- (FilterService)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - File not found [Kernel | System] -- -- (AmdK8)
DRV - [2010/06/28 12:16:02 | 000,772,096 | ---- | M] () [Unknown (-1) | Unknown (-1)] -- C:\WINDOWS\system32\drivers\omeuqgr.sys -- (omeuqgr)
DRV - [2010/06/09 11:00:56 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled] -- C:\WINDOWS\system32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2009/05/09 02:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2008/08/11 12:41:00 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2008/08/11 12:41:00 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2008/04/13 13:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 13:36:38 | 000,020,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hidbatt.sys -- (HidBatt)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/03/22 16:37:20 | 000,113,896 | ---- | M] (QFX Software Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\keyscrambler.sys -- (KeyScrambler)
DRV - [2007/12/07 16:59:01 | 000,000,000 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\lvuvc.hs -- (LVUVC) QuickCam Orbit/Sphere AF(UVC)
DRV - [2007/08/03 16:04:42 | 000,012,192 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\radpms.sys -- (radpms)
DRV - [2006/08/23 14:12:38 | 003,959,712 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/07/27 14:24:28 | 001,171,464 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/05/17 11:03:24 | 000,044,544 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2002/06/10 15:24:12 | 000,116,480 | ---- | M] (Logitech Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\p35u.sys -- (QCPro) Logitech QuickCam Pro USB(PID_D001)
DRV - [2001/08/17 12:11:30 | 000,096,640 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-854245398-1614895754-725345543-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-854245398-1614895754-725345543-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{B53E85E9-319C-4F66-919E-9196CEB0349C}: C:\Documents and Settings\tim\Local Settings\Application Data\{B53E85E9-319C-4F66-919E-9196CEB0349C} [2010/06/22 14:43:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/22 09:55:08 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/05 11:10:09 | 000,000,000 | ---D | M]

[2010/06/21 12:34:06 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/11/01 15:10:19 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBA}
[2007/12/19 07:57:38 | 000,310,272 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

O1 HOSTS File: ([2010/06/18 16:02:38 | 000,408,449 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 expo
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 14126 more lines...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O2 - BHO: (CKeyScramblerBHO Object) - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll (QFX Software Corporation)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-854245398-1614895754-725345543-500\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-854245398-1614895754-725345543-500\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [\\gateway-gt5056\EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Exeburifumakul] C:\WINDOWS\okofogutudi.DLL (Sonic Solutions)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKU\S-1-5-21-854245398-1614895754-725345543-500..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKLM..\RunOnceEx: [Register Homesite+.exe] C:\Program Files\Macromedia\HomeSite+\Homesite+.exe (Macromedia, Inc.)
O4 - Startup: Error locating startup folders.
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-854245398-1614895754-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra 'Tools' menuitem : &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll (QFX Software Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1177799632126 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1177802694375 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.1.1.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = local.sim.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.54,93.188.161.184
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/04/28 17:09:33 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\reatogoMenu.exe -- [2005/07/16 16:36:50 | 000,240,128 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: mshtosk - (C:\WINDOWS\system32\cmsthare.dll) - C:\WINDOWS\system32\cmsthare.dll ()
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/28 12:07:11 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator.TRAINING-D521\IETldCache
[2010/06/23 12:51:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/06/18 14:42:43 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/06/18 10:28:14 | 000,113,896 | ---- | C] (QFX Software Corporation) -- C:\WINDOWS\System32\drivers\keyscrambler.sys
[2010/06/18 10:28:14 | 000,000,000 | ---D | C] -- C:\Program Files\KeyScrambler
[2010/06/11 03:11:52 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/06/10 13:57:25 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/28 12:18:19 | 000,772,096 | ---- | M] () -- C:\WINDOWS\System32\drivers\omeuqgr.sys
[2010/06/28 12:14:07 | 005,505,024 | ---- | M] () -- C:\Documents and Settings\Administrator.TRAINING-D521\NTUSER.DAT
[2010/06/28 12:06:47 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/28 11:19:23 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/23 12:52:49 | 000,081,191 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/06/23 11:55:33 | 000,229,376 | -H-- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2010/06/23 11:55:12 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/23 11:55:08 | 000,000,876 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/06/23 11:55:08 | 000,000,310 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize.job
[2010/06/23 11:55:08 | 000,000,276 | -H-- | M] () -- C:\WINDOWS\tasks\1ab71244.job
[2010/06/23 11:54:49 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Wqoviyukeb.bin
[2010/06/22 14:29:05 | 000,000,970 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3912539972-3878348150-522810629-1161UA.job
[2010/06/22 14:26:00 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/06/22 14:03:21 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3912539972-3878348150-522810629-1181UA.job
[2010/06/22 13:29:00 | 000,000,918 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3912539972-3878348150-522810629-1161Core.job
[2010/06/22 12:02:26 | 000,050,176 | ---- | M] () -- C:\WINDOWS\System32\ernel32.dll
[2010/06/21 16:02:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3912539972-3878348150-522810629-1181Core.job
[2010/06/21 13:54:44 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Mhihex.dat
[2010/06/18 16:02:38 | 000,408,449 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/06/18 15:47:15 | 000,000,088 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/06/17 07:21:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/06/16 10:31:43 | 000,046,592 | -H-- | M] () -- C:\WINDOWS\System32\cmsthare.dll
[2010/06/11 11:34:27 | 000,599,202 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/11 11:34:27 | 000,499,738 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/11 11:34:27 | 000,090,358 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/11 03:32:46 | 001,739,112 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/11 03:15:14 | 000,000,644 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/11 03:14:10 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/11 03:12:27 | 000,000,063 | ---- | M] () -- C:\WINDOWS\vbaddin.ini
[2010/06/09 11:42:29 | 000,063,864 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/06/09 11:00:56 | 000,083,360 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIRfsClientNP.dll
[2010/06/09 11:00:55 | 000,029,568 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIport.dll
[2010/06/09 11:00:54 | 000,087,424 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIinit.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/22 09:42:05 | 000,050,176 | ---- | C] () -- C:\WINDOWS\System32\ernel32.dll
[2010/06/22 09:42:03 | 000,000,276 | -H-- | C] () -- C:\WINDOWS\tasks\1ab71244.job
[2010/06/18 15:47:15 | 000,000,088 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/06/16 10:33:46 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Mhihex.dat
[2010/06/16 10:33:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Wqoviyukeb.bin
[2010/06/16 10:31:56 | 000,772,096 | ---- | C] () -- C:\WINDOWS\System32\drivers\omeuqgr.sys
[2010/06/16 10:31:43 | 000,046,592 | -H-- | C] () -- C:\WINDOWS\System32\cmsthare.dll
[2010/04/01 10:19:58 | 000,777,728 | ---- | C] () -- C:\WINDOWS\System32\SSLSVC.DLL
[2010/04/01 10:19:58 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\xmltok.dll
[2010/04/01 10:19:58 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\cfmsg.dll
[2010/04/01 10:19:58 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\xmlparse.dll
[2010/04/01 10:19:56 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\lang_cfml.dll
[2010/04/01 10:19:56 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\xml_datagrove.dll
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/02/26 13:46:50 | 000,042,320 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll
[2007/11/12 17:57:22 | 000,000,768 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2007/05/15 18:18:39 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2007/04/30 14:11:56 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Administrator.TRAINING-D521\ntuser.ini
[2007/04/30 14:11:55 | 005,505,024 | ---- | C] () -- C:\Documents and Settings\Administrator.TRAINING-D521\NTUSER.DAT
[2007/04/30 14:11:55 | 000,110,592 | -H-- | C] () -- C:\Documents and Settings\Administrator.TRAINING-D521\ntuser.dat.LOG
[2007/04/28 20:58:39 | 000,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2007/04/28 20:58:39 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2007/04/28 20:58:25 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2007/04/28 20:58:24 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2007/04/28 20:58:21 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2007/04/28 20:18:12 | 000,000,463 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/04/28 18:23:02 | 000,262,144 | ---- | C] () -- C:\WINDOWS\system32\config\systemprofile\ntuser.dat
[2007/04/28 18:23:02 | 000,001,024 | -H-- | C] () -- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
[2007/04/28 17:26:20 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/04/28 17:26:20 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/04/28 17:26:19 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/04/28 17:26:19 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2007/04/28 17:26:19 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/04/28 17:26:19 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/04/28 17:26:18 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2007/04/28 17:12:12 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\NetworkService\ntuser.ini
[2007/04/28 17:12:11 | 000,229,376 | -H-- | C] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2007/04/28 17:12:11 | 000,016,384 | -H-- | C] () -- C:\Documents and Settings\NetworkService\ntuser.dat.LOG
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2010/06/23 11:55:08 | 000,000,276 | -H-- | M] () -- C:\WINDOWS\Tasks\1ab71244.job
[2010/06/23 11:55:08 | 000,000,310 | ---- | M] () -- C:\WINDOWS\Tasks\GlaryInitialize.job

========== Purity Check ==========



========== Custom Scans ==========


< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi /s >
"ErrorControl" = 1
"Group" = SCSI miniport
"Start" = 0
"Tag" = 25
"Type" = 1
"DisplayName" = Standard IDE/ESDI Hard Disk Controller
"ImagePath" = System32\DRIVERS\atapi.sys -- [2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi\Parameters]
"LegacyDetection" = 1
"GhostSlave" = SunDisk [binary data]
"UseCheckPowerForFlush" = [Binary data over 100 bytes]
"NoFlushDevice" = [Binary data over 100 bytes]
"PioOnlyDevice" = [Binary data over 100 bytes]
"NonRemovableMedia" = [Binary data over 100 bytes]
"NoPowerDownDevice" = [Binary data over 100 bytes]
"AutoEjectZipDevice" = [Binary data over 100 bytes]
"NeedIdentDevice" = QUANTUM FIREBALL [binary data]
"DefaultPioAtapiDevice" = TORiSAN DVD-ROM DRD-N216IDE-CD R/RW 2x2x24 [binary data]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi\Enum]
"0" = PCIIDE\IDEChannel\4&21479b0c&0&0
"Count" = 4
"NextInstance" = 4
"1" = PCIIDE\IDEChannel\4&21479b0c&0&1
"2" = PCIIDE\IDEChannel\4&2ad8a30a&0&0
"3" = PCIIDE\IDEChannel\4&2ad8a30a&0&1
< End of report >




OTL Log file from the XP environment:


OTL logfile created on: 6/29/2010 12:19:09 PM - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 64.45 Gb Total Space | 25.41 Gb Free Space | 39.42% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.93 Gb Free Space | 69.32% Space Free | Partition Type: NTFS
Drive E: | 433.24 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 93.90 Mb Total Space | 26.41 Mb Free Space | 28.13% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 50.00 Gb Total Space | 34.67 Gb Free Space | 69.34% Space Free | Partition Type: NTFS
Drive P: | 100.00 Gb Total Space | 4.80 Gb Free Space | 4.80% Space Free | Partition Type: NTFS
Drive S: | 114.32 Gb Total Space | 64.93 Gb Free Space | 56.80% Space Free | Partition Type: NTFS

Computer Name: ALAN
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/29 12:13:56 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\administrator\Desktop\OTL.exe
PRC - [2010/06/22 09:42:03 | 000,050,176 | ---- | M] () -- C:\Documents and Settings\tim\Application Data\1ab71244.exe
PRC - [2010/06/09 11:01:11 | 000,116,104 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2010/06/09 11:00:53 | 000,378,248 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardian.exe
PRC - [2010/04/05 11:09:56 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2008/10/15 02:04:34 | 000,039,792 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
PRC - [2008/08/11 12:41:00 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2008/08/11 12:41:00 | 000,063,040 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2008/04/13 19:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/12 04:20:11 | 003,040,496 | ---- | M] (Verity, Inc.) -- C:\ColdFusion8\verity\k2\_nti40\bin\k2server.exe
PRC - [2008/03/12 04:20:03 | 001,332,344 | ---- | M] (Verity, Inc.) -- C:\ColdFusion8\verity\k2\_nti40\bin\k2index.exe
PRC - [2008/03/12 04:19:55 | 002,743,056 | ---- | M] (Verity, Inc.) -- C:\ColdFusion8\verity\k2\_nti40\bin\k2admin.exe
PRC - [2006/07/27 14:19:00 | 000,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe


========== Modules (SafeList) ==========

MOD - [2010/06/29 12:13:56 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\administrator\Desktop\OTL.exe
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/06/09 11:01:11 | 000,116,104 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
SRV - [2008/08/11 12:41:00 | 000,063,040 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2008/05/06 16:42:45 | 000,696,320 | ---- | M] () [On_Demand | Stopped] -- C:\ColdFusion8\db\slserver54\bin\swagent.exe -- (ColdFusion 8 ODBC Agent)
SRV - [2008/05/06 16:42:45 | 000,114,688 | ---- | M] () [On_Demand | Stopped] -- C:\ColdFusion8\db\slserver54\bin\swstrtr.exe -- (ColdFusion 8 ODBC Server)
SRV - [2008/04/13 19:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (W3SVC)
SRV - [2008/04/13 19:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transfer Protocol (SMTP)
SRV - [2008/04/13 19:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2008/03/18 04:11:40 | 000,065,536 | ---- | M] (Macromedia Inc.) [On_Demand | Stopped] -- C:\ColdFusion8\runtime\bin\jrunsvc.exe -- (ColdFusion 8 Application Server)
SRV - [2008/03/12 04:19:55 | 002,743,056 | ---- | M] (Verity, Inc.) [Auto | Running] -- C:\ColdFusion8\verity\k2\_nti40\bin\k2admin.exe -- (ColdFusion 8 Search Server)
SRV - [2007/05/15 18:09:30 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2006/12/02 06:17:54 | 002,805,000 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe -- (msvsmon80)


========== Driver Services (SafeList) ==========

DRV - [2010/06/09 11:00:56 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2009/05/09 02:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2008/08/11 12:41:00 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2008/08/11 12:41:00 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2008/04/13 13:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 13:36:38 | 000,020,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hidbatt.sys -- (HidBatt)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/03/22 16:37:20 | 000,113,896 | ---- | M] (QFX Software Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\keyscrambler.sys -- (KeyScrambler)
DRV - [2007/12/07 16:59:01 | 000,000,000 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvc.hs -- (LVUVC) QuickCam Orbit/Sphere AF(UVC)
DRV - [2007/08/03 16:04:42 | 000,012,192 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\radpms.sys -- (radpms)
DRV - [2006/08/23 14:12:38 | 003,959,712 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/07/27 14:24:28 | 001,171,464 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/05/17 11:03:24 | 000,044,544 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2002/06/10 15:24:12 | 000,116,480 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\p35u.sys -- (QCPro) Logitech QuickCam Pro USB(PID_D001)
DRV - [2001/08/17 12:11:30 | 000,096,640 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3912539972-3878348150-522810629-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-3912539972-3878348150-522810629-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-3912539972-3878348150-522810629-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 84 02 C0 D7 E2 C9 CA 01 [binary data]
IE - HKU\S-1-5-21-3912539972-3878348150-522810629-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0015-0000-0013-ABCDEFFEDCBA}:5.0.13
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B53E85E9-319C-4F66-919E-9196CEB0349C}:1.9.1

FF - HKLM\software\mozilla\Firefox\Extensions\\{B53E85E9-319C-4F66-919E-9196CEB0349C}: C:\Documents and Settings\tim\Local Settings\Application Data\{B53E85E9-319C-4F66-919E-9196CEB0349C} [2010/06/22 14:43:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/22 09:55:08 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/05 11:10:09 | 000,000,000 | ---D | M]

[2010/06/22 09:55:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator\Application Data\Mozilla\Extensions
[2010/06/29 12:17:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\wftw3ebj.default\extensions
[2010/06/29 12:17:45 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\administrator\Application Data\Mozilla\Firefox\Profiles\wftw3ebj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/06/28 11:29:37 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/11/01 15:10:19 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBA}
[2007/12/19 07:57:38 | 000,310,272 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

O1 HOSTS File: ([2010/06/18 16:02:38 | 000,408,449 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 expo
O1 - Hosts: 14126 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O2 - BHO: (CKeyScramblerBHO Object) - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll (QFX Software Corporation)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O3 - HKU\S-1-5-21-3912539972-3878348150-522810629-500\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [\\gateway-gt5056\EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\RunOnceEx: [Register Homesite+.exe] C:\Program Files\Macromedia\HomeSite+\Homesite+.exe (Macromedia, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3912539972-3878348150-522810629-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra 'Tools' menuitem : &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll (QFX Software Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1177799632126 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1177802694375 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.1.1.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = local.sim.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.54,93.188.161.184
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/04/28 17:09:33 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/29 12:15:00 | 000,574,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\administrator\Desktop\OTL.exe
[2010/06/23 12:51:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/06/22 09:55:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\administrator\Local Settings\Application Data\Mozilla
[2010/06/22 09:55:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\administrator\Application Data\Mozilla
[2010/06/22 09:54:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\administrator\Local Settings\Application Data\Apple Computer
[2010/06/22 09:54:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\administrator\Local Settings\Application Data\LogMeIn
[2010/06/18 14:42:43 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/06/18 14:42:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/06/18 10:28:14 | 000,113,896 | ---- | C] (QFX Software Corporation) -- C:\WINDOWS\System32\drivers\keyscrambler.sys
[2010/06/18 10:28:14 | 000,000,000 | ---D | C] -- C:\Program Files\KeyScrambler
[2010/06/11 03:11:52 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/06/10 13:57:25 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/29 12:18:22 | 000,000,876 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/06/29 12:18:22 | 000,000,310 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize.job
[2010/06/29 12:18:22 | 000,000,276 | -H-- | M] () -- C:\WINDOWS\tasks\1ab71244.job
[2010/06/29 12:17:01 | 000,081,191 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/06/29 12:16:59 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/29 12:13:56 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\administrator\Desktop\OTL.exe
[2010/06/29 12:12:29 | 000,000,000 | ---- | M] () -- C:\WINDOWS\egayikovuviyaki.dll
[2010/06/29 12:09:09 | 000,050,176 | ---- | M] () -- C:\WINDOWS\System32\ernel32.dll
[2010/06/29 12:08:55 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/29 12:08:53 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/29 10:01:36 | 005,242,880 | -H-- | M] () -- C:\Documents and Settings\administrator\NTUSER.DAT
[2010/06/29 09:39:05 | 000,772,096 | ---- | M] () -- C:\WINDOWS\System32\drivers\omeuqgr.sys
[2010/06/29 09:29:00 | 000,000,970 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3912539972-3878348150-522810629-1161UA.job
[2010/06/29 09:26:00 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/06/29 09:03:03 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3912539972-3878348150-522810629-1181UA.job
[2010/06/28 16:03:03 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3912539972-3878348150-522810629-1181Core.job
[2010/06/28 13:29:00 | 000,000,918 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3912539972-3878348150-522810629-1161Core.job
[2010/06/28 12:37:55 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Wqoviyukeb.bin
[2010/06/22 10:20:49 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\administrator\ntuser.ini
[2010/06/22 10:20:44 | 004,836,550 | -H-- | M] () -- C:\Documents and Settings\administrator\Local Settings\Application Data\IconCache.db
[2010/06/22 09:42:03 | 000,050,176 | ---- | M] () -- C:\Documents and Settings\administrator\Application Data\4ea16b92.exe
[2010/06/21 13:54:44 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Mhihex.dat
[2010/06/18 16:02:38 | 000,408,449 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/06/18 15:47:15 | 000,000,088 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/06/17 07:21:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/06/16 10:31:43 | 000,046,592 | -H-- | M] () -- C:\WINDOWS\System32\cmsthare.dll
[2010/06/11 11:34:27 | 000,599,202 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/11 11:34:27 | 000,499,738 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/11 11:34:27 | 000,090,358 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/11 03:32:46 | 001,739,112 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/11 03:15:14 | 000,000,644 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/11 03:14:10 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/11 03:12:27 | 000,000,063 | ---- | M] () -- C:\WINDOWS\vbaddin.ini
[2010/06/09 11:42:29 | 000,063,864 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/06/09 11:00:56 | 000,083,360 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIRfsClientNP.dll
[2010/06/09 11:00:55 | 000,029,568 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIport.dll
[2010/06/09 11:00:54 | 000,087,424 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\System32\LMIinit.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/29 12:12:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\egayikovuviyaki.dll
[2010/06/22 09:55:22 | 000,050,176 | ---- | C] () -- C:\Documents and Settings\administrator\Application Data\4ea16b92.exe
[2010/06/22 09:42:05 | 000,050,176 | ---- | C] () -- C:\WINDOWS\System32\ernel32.dll
[2010/06/22 09:42:03 | 000,000,276 | -H-- | C] () -- C:\WINDOWS\tasks\1ab71244.job
[2010/06/18 15:47:15 | 000,000,088 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/06/16 10:33:46 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Mhihex.dat
[2010/06/16 10:33:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Wqoviyukeb.bin
[2010/06/16 10:31:56 | 000,772,096 | ---- | C] () -- C:\WINDOWS\System32\drivers\omeuqgr.sys
[2010/06/16 10:31:43 | 000,046,592 | -H-- | C] () -- C:\WINDOWS\System32\cmsthare.dll
[2010/04/01 10:19:58 | 000,777,728 | ---- | C] () -- C:\WINDOWS\System32\SSLSVC.DLL
[2010/04/01 10:19:58 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\xmltok.dll
[2010/04/01 10:19:58 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\cfmsg.dll
[2010/04/01 10:19:58 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\xmlparse.dll
[2010/04/01 10:19:56 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\lang_cfml.dll
[2010/04/01 10:19:56 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\xml_datagrove.dll
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/02/26 13:46:50 | 000,042,320 | ---- | C] () -- C:\WINDOWS\System32\xfcodec.dll
[2007/11/12 17:57:22 | 000,000,768 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2007/05/15 18:18:39 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2007/04/28 20:58:39 | 000,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2007/04/28 20:58:39 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2007/04/28 20:58:25 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2007/04/28 20:58:24 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2007/04/28 20:58:21 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2007/04/28 20:18:12 | 000,000,463 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/04/28 17:26:20 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/04/28 17:26:20 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/04/28 17:26:19 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/04/28 17:26:19 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2007/04/28 17:26:19 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/04/28 17:26:19 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/04/28 17:26:18 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
< End of report >


Extras Log file from the XP environment:

OTL Extras logfile created on: 6/29/2010 12:19:09 PM - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 64.45 Gb Total Space | 25.41 Gb Free Space | 39.42% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.93 Gb Free Space | 69.32% Space Free | Partition Type: NTFS
Drive E: | 433.24 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 93.90 Mb Total Space | 26.41 Mb Free Space | 28.13% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 50.00 Gb Total Space | 34.67 Gb Free Space | 69.34% Space Free | Partition Type: NTFS
Drive P: | 100.00 Gb Total Space | 4.80 Gb Free Space | 4.80% Space Free | Partition Type: NTFS
Drive S: | 114.32 Gb Total Space | 64.93 Gb Free Space | 56.80% Space Free | Partition Type: NTFS

Computer Name: ALAN
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UacDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"5370:TCP" = 5370:TCP:LocalSubNet:Disabled:Jaxer
"5371:TCP" = 5371:TCP:LocalSubNet:Disabled:Jaxer
"5374:TCP" = 5374:TCP:LocalSubNet:Disabled:Jaxer
"5375:TCP" = 5375:TCP:LocalSubNet:Disabled:Jaxer
"5376:TCP" = 5376:TCP:LocalSubNet:Disabled:Jaxer
"5377:TCP" = 5377:TCP:LocalSubNet:Disabled:Jaxer
"5378:TCP" = 5378:TCP:LocalSubNet:Disabled:Jaxer
"5379:TCP" = 5379:TCP:LocalSubNet:Disabled:Jaxer
"5380:TCP" = 5380:TCP:LocalSubNet:Disabled:Jaxer
"5381:TCP" = 5381:TCP:LocalSubNet:Disabled:Jaxer
"5382:TCP" = 5382:TCP:LocalSubNet:Disabled:Jaxer
"5383:TCP" = 5383:TCP:LocalSubNet:Disabled:Jaxer
"8081:TCP" = 8081:TCP:LocalSubNet:Disabled:Apache

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\WinHTTrack\WinHTTrack.exe" = C:\Program Files\WinHTTrack\WinHTTrack.exe:*:Disabled:WinHTTrack Website Copier, Web Site mirroring for professional and private purposes -- (HTTrack)
"C:\Program Files\Adobe\Adobe Flash CS3\Flash.exe" = C:\Program Files\Adobe\Adobe Flash CS3\Flash.exe:*:Disabled:Adobe Flash CS3 -- (Adobe Systems Incorporated.)
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe" = C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Disabled:avgamsvr.exe -- File not found
"C:\Program Files\Grisoft\AVG7\avgcc.exe" = C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Disabled:avgcc.exe -- File not found
"C:\Program Files\Grisoft\AVG7\avginet.exe" = C:\Program Files\Grisoft\AVG7\avginet.exe:*:Disabled:avginet.exe -- File not found
"C:\Program Files\eclipse\eclipse.exe" = C:\Program Files\eclipse\eclipse.exe:*:Disabled:eclipse -- ()
"C:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\ftpte.exe" = C:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\ftpte.exe:*:Disabled:FTP Transfer Engine -- (GlobalSCAPE Texas, LP.)
"C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Disabled:Google Talk -- File not found
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Disabled:iTunes -- (Apple Inc.)
"C:\Program Files\Adobe\Flex Builder 3\jre\bin\javaw.exe" = C:\Program Files\Adobe\Flex Builder 3\jre\bin\javaw.exe:*:Disabled:Java™ 2 Platform Standard Edition binary -- File not found
"C:\WINDOWS\system32\java.exe" = C:\WINDOWS\system32\java.exe:*:Disabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Java\jre1.6.0_03\bin\javaw.exe" = C:\Program Files\Java\jre1.6.0_03\bin\javaw.exe:*:Disabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Java\jre1.6.0_03\bin\java.exe" = C:\Program Files\Java\jre1.6.0_03\bin\java.exe:*:Disabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\WINDOWS\system32\spool\drivers\w32x86\3\SAGENT4.EXE" = C:\WINDOWS\system32\spool\drivers\w32x86\3\SAGENT4.EXE:*:Disabled:SAgent4 -- (SEIKO EPSON CORPORATION)
"C:\Program Files\Microsoft SQL Server\90\Tools\Binn\VSShell\Common7\IDE\ssmsee.exe" = C:\Program Files\Microsoft SQL Server\90\Tools\Binn\VSShell\Common7\IDE\ssmsee.exe:*:Disabled:SQL Server Management Studio Express -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Disabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Xfire\xfire.exe" = C:\Program Files\Xfire\xfire.exe:*:Disabled:Xfire -- File not found
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Disabled:Yahoo! Messenger -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- File not found
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\WINDOWS\system32\spool\drivers\w32x86\3\SAGENT4.EXE" = C:\WINDOWS\system32\spool\drivers\w32x86\3\SAGENT4.EXE:*:Enabled:SAgent4 -- (SEIKO EPSON CORPORATION)
"C:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\ftpte.exe" = C:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\ftpte.exe:*:Enabled:FTP Transfer Engine -- (GlobalSCAPE Texas, LP.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Adobe\Flex Builder 3\jre\bin\javaw.exe" = C:\Program Files\Adobe\Flex Builder 3\jre\bin\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{09E2111C-16B1-4DDF-BF0D-F994C9A12350}" = Adobe Setup
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{11C10759-3BCC-4BF4-8EE6-9B545CB00E32}" = Adobe Setup
"{172423F9-522A-483A-AD65-03600CE4CA4F}" = Microsoft Works 6-9 Converter
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{1DD463C0-A50A-4394-B7E4-5895C02F9E0D}" = Microsoft SQL Server 2005 Tools
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{20608BFA-6068-48FE-A410-400F2A124C27}" = Microsoft SQL Server Management Studio Express
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}" = Adobe ExtendScript Toolkit 2
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{26A24AE4-039D-4CA4-87B4-2F83216019FF}" = Java™ 6 Update 19
"{2764CA82-DFB9-4498-AF85-719340BF5305}" = Dell Resource CD
"{281ECE39-F043-492B-8337-F2E546B5604A}" = PowerDVD
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}" = Adobe Flash Video Encoder
"{3248F0A8-6813-11D6-A77B-00B0D0150130}" = J2SE Runtime Environment 5.0 Update 13
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{32A3A4F4-B792-11D6-A78A-00B0D0150130}" = J2SE Development Kit 5.0 Update 13
"{34F93E31-E1A0-421C-8E86-BCF7C4193A91}" = LogMeIn
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36DD7006-7BFE-4E3D-AF6E-FA734BC879B7}" = SQLXML4
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}" = Google Earth
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}" = Adobe Setup
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69880C00-08DD-4385-B752-9C62656F6D1E}" = Microsoft SQL Server 2005 Backward compatibility
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6B52140A-F189-4945-BFFC-DB3F00B8C589}" = Adobe Flash CS3
"{6B708481-748A-4EB4-97C1-CD386244FF77}" = Adobe MotionPicture Color Files
"{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}" = AHV content for Acrobat and Flash
"{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}" = Adobe Color Common Settings
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}" = Adobe Dreamweaver CS3
"{7EDEDC17-A174-2A41-71B2-1A76BB51FCE0}" = SWFObject 2 generator v1.2 AIR
"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8D3562E7-C795-4B5D-A091-6DAA3FF0DF3B}" = Macromedia HomeSite+
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{91510409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Professional 2003
"{91F34319-08DE-457a-99C0-0BCDFAC145B9}" = CuteFTP 8 Professional
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{9C9D0F85-5658-4A5E-95A9-65F7DB2916EE}" = Broadcom 440x 10/100 Integrated Controller
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A67BB21E-D419-45BB-AB86-7D87D14BBCE2}" = Safari
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-1033-0000-7760-000000000003}" = Adobe Acrobat 8 Professional
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.6
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}" = Adobe Setup
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B671CBFD-4109-4D35-9252-3062D3CCB7B2}" = Adobe SING CS3
"{B7F560B3-6EFF-4026-A982-843895A41149}" = Adobe BridgeTalk Plugin CS3
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BE5F3842-8309-4754-92D5-83E02E6077A3}" = Adobe Extension Manager CS3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C25EF637-BE7A-4761-9B45-9069989C319F}" = Microsoft Visual Studio 2005 Premier Partner Edition - ENU
"{C5BD220A-EFE8-48A5-B70E-9503D535FACE}" = Adobe WAS CS3
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CB3F8375-B600-4B9F-83C9-238ED1E583FD}" = Adobe InDesign CS3
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D1C18EDD-571A-4BDD-BE7B-1DD86027D7FF}" = Adobe Creative Suite 3 Design Premium
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{E1B2DF7C-A176-4A1D-9D32-3CEC5037A524}" = Apple Application Support
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}" = Adobe InDesign CS3 Icon Handler
"{F08E8D2E-F132-4742-9C87-D5FF223A016A}" = Adobe Illustrator CS3
"{F5C63795-2708-4D15-BF18-5ABBFF7DFFC8}" = iTunes
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}" = Microsoft SQL Server Native Client
"{FC9E08AA-CD59-4C59-BEF9-87E05B9E37D7}" = Adobe Contribute CS3
"Adobe Acrobat 8 Professional" = Adobe Acrobat 8.1.6 Professional
"Adobe Acrobat 8 Professional_816" = Adobe Acrobat 8.1.6 - CPSID_49167
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"Adobe_3e054d2218e7aa282c2369d939e58ff" = Adobe ExtendScript Toolkit 2
"Adobe_6c8e2cb4fd241c55406016127a6ab2e" = Adobe Color Common Settings
"Adobe_c14ac4070fd9614ffe63f4bb533db2c" = Add or Remove Adobe Creative Suite 3 Design Premium
"Adobe_c4c00451d35772e88ad87152169b2f3" = Adobe Contribute CS3
"Free M4a to MP3 Converter_is1" = Free M4a to MP3 Converter 6.1
"Glary Utilities_is1" = Glary Utilities 2.10.0.622
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"KeyScrambler" = KeyScrambler
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft SQL Server 2000" = Microsoft SQL Server 2000
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Mozilla Firefox (3.5.9)" = Mozilla Firefox (3.5.9)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"TopStyle Lite (Version 3.0)" = TopStyle Lite (Version 3.0)
"Uninstall Adobe ColdFusion 8" = Adobe ColdFusion 8
"Unyte" = WebDialogs Unyte
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WIC" = Windows Imaging Component
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinHTTrack Website Copier_is1" = WinHTTrack Website Copier 3.43-7
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/29/2010 4:19:07 AM | Computer Name = ALAN | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007003a). The specified server cannot perform the requested
operation. Enrollment will not be performed.

Error - 6/29/2010 4:57:45 AM | Computer Name = ALAN | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (The RPC server
is unavailable. ). Group Policy processing aborted.

Error - 6/29/2010 5:22:57 AM | Computer Name = ALAN | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (The RPC server
is unavailable. ). Group Policy processing aborted.

Error - 6/29/2010 6:57:59 AM | Computer Name = ALAN | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (The RPC server
is unavailable. ). Group Policy processing aborted.

Error - 6/29/2010 7:14:12 AM | Computer Name = ALAN | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (The RPC server
is unavailable. ). Group Policy processing aborted.

Error - 6/29/2010 8:58:14 AM | Computer Name = ALAN | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (The RPC server
is unavailable. ). Group Policy processing aborted.

Error - 6/29/2010 9:15:55 AM | Computer Name = ALAN | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (The RPC server
is unavailable. ). Group Policy processing aborted.

Error - 6/29/2010 1:08:55 PM | Computer Name = ALAN | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 6/29/2010 1:08:57 PM | Computer Name = ALAN | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 6/29/2010 1:09:07 PM | Computer Name = ALAN | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

[ System Events ]
Error - 6/28/2010 1:25:10 PM | Computer Name = ALAN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 6/28/2010 1:26:16 PM | Computer Name = ALAN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 6/28/2010 1:26:50 PM | Computer Name = ALAN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 6/28/2010 1:37:11 PM | Computer Name = ALAN | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain SIM due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 6/28/2010 1:38:05 PM | Computer Name = ALAN | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 6/28/2010 12:20:28 PM | Computer Name = ALAN | Source = Service Control Manager | ID = 7022
Description = The Simple Mail Transfer Protocol (SMTP) service hung on starting.

Error - 6/28/2010 2:23:43 PM | Computer Name = ALAN | Source = Schannel | ID = 36871
Description = A fatal error occurred while creating an SSL server credential.

Error - 6/28/2010 10:03:07 PM | Computer Name = ALAN | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain SIM due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 6/29/2010 1:08:55 PM | Computer Name = ALAN | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain SIM due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 6/29/2010 1:11:41 PM | Computer Name = ALAN | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.


< End of report >


Thank you for all of your assistance.

#14 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 29 June 2010 - 09:40 PM

In the XP environment you only posted the extras.txt, not the OTL.txt.

Anyhow, could you run malwarebytes scan...

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Thanks.

~Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#15 timSIM
  • Topic Starter

  • Members
  • 13 posts

Posted 30 June 2010 - 09:52 AM

The first time I tried navigating to the bleeping computer website (typed in the URL and selected the exact link from my history) from the infected computer to get the directions and links for downloading, I received a 404 not found. When I just typed in the top level domain (no directories) I still got a 404 error. I went to Google with no issue, tried typing in the URL to get here and got a 404, did a search for bleeping computer, clicked the result and I got here.

I tried using both links that you had provided and was not able to download MBAM. The link to malwarebytes.org caused a pop-up that was asking for user identification (username and password); when I clicked cancel I got a blank screen with odd characters in the upper left. The link to majorgeeks just resulted in a 404 error. In both cases I also tried just going to the top level domain with the same results; even using Google to search and using the link in the search result page yielded the same result. I found that cnet had a download available and I trust them, so that is where I got it from.

I was not able to get an update. The auto update failed with this error: MBAM_ERROR_Updateing(12007,0,WinHttpSendRequest). I tried manually updating in the MBAM interface with the update tab and got the same error. When I tried using the link provided in your post I got the same pop-up as above requesting a username and password and then ended up with the odd characters.

I ran the scan without the update. The version I downloaded from cnet said it was a version from April of 2010.

Here are the contents of the MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/30/2010 9:45:12 AM
mbam-log-2010-06-30 (09-45-12).txt

Scan type: Quick scan
Objects scanned: 194099
Time elapsed: 11 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.54,93.188.161.184 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e337e0b0-9138-42be-9dab-59f190f1a1c2}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.54,93.188.161.184 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks again!
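The two "Registry Data Items Infected" lines in the log above are the security-relevant finding: Trojan.DNSChanger had pointed the machine's resolver (the Tcpip NameServer values) at 93.188.162.54 and 93.188.161.184, which is consistent with the 404s and credential prompts timSIM hit when trying to reach bleepingcomputer.com and malwarebytes.org. As an added example (not from this thread and not Malwarebytes' own code), the Python script below parses that section of an MBAM log and reports any NameServer address that is not on a trusted resolver list; the log excerpt and the trusted address 192.168.1.1 are constructed here for the demonstration.

```python
import re
from ipaddress import ip_address

# Constructed sample: the "Registry Data Items Infected" section in the
# shape MBAM 1.46 writes it (key, detection name, data, action).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Registry Data Items Infected: 2

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.54,93.188.161.184 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e337e0b0-9138-42be-9dab-59f190f1a1c2}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.54,93.188.161.184 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
"""

# One item line:  <registry key> (<detection>) -> Data: <value> -> <action>.
ITEM_RE = re.compile(
    r"^(?P<key>HKEY_[^\s(]+) \((?P<detection>[^)]+)\) -> Data: "
    r"(?P<data>.+?) -> (?P<action>.+?)\.?$"
)


def parse_registry_data_items(log_text):
    """Return one dict per line in the 'Registry Data Items Infected:' section.

    The section starts at the exact header line (the summary line with a
    count is distinct) and ends at the next blank line.
    """
    items = []
    in_section = False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped == "Registry Data Items Infected:":
            in_section = True
            continue
        if not in_section:
            continue
        if not stripped:          # blank line closes the section
            in_section = False
            continue
        m = ITEM_RE.match(stripped)
        if m:                     # "(No malicious items detected)" is skipped
            items.append(m.groupdict())
    return items


def rogue_dns_servers(items, trusted):
    """IPs written into a NameServer value that are not in the trusted set.

    Any such address is the DNSChanger indicator: a resolver the owner
    never configured, able to redirect or block arbitrary hostnames.
    """
    rogue = set()
    for item in items:
        if not item["key"].upper().endswith("\\NAMESERVER"):
            continue
        for token in re.split(r"[,\s]+", item["data"]):
            try:
                ip = ip_address(token)
            except ValueError:    # empty token or non-IP text
                continue
            if str(ip) not in trusted:
                rogue.add(str(ip))
    return sorted(rogue)


if __name__ == "__main__":
    found = parse_registry_data_items(SAMPLE_LOG)
    # 192.168.1.1 stands in for the LAN resolver the owner actually uses.
    for ip in rogue_dns_servers(found, {"192.168.1.1"}):
        print("untrusted resolver set by malware:", ip)
```

The same check can be pointed at a live machine's Tcpip\Parameters and per-interface NameServer values after cleanup, to confirm the rogue resolvers did not come back.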



