
Vundo Trojan Infection and possible other malware


  • This topic is locked
28 replies to this topic

#1 JB_nw

JB_nw

  • Members
  • 15 posts
  • OFFLINE
  • Local time:05:18 PM

Posted 07 August 2010 - 07:14 AM

Victim of the Trojan wars
_________________
1. PC information

OS: Windows XP Home Edition SP3
Dell Dimension 8250 with 512 MB of RAM
My PC is 7 years old and is a desktop model that I run standalone.

_______________________
2. Probable infection event

Using IE 8 Browser and was redirected to a Rogue Anti-malware webpage with pop-ups.
I suspect the most likely infection path was through old Java JRE version(s).

____________
3. Symptoms

a. PC running slower
b. Possible increase in HDD accesses while running. ( unsure )
c. PC seemingly freezing up on occasion ( Requires pushing the power button to turn off PC ).
d. Unable to run System Restore wizard in ‘Normal’ boot mode. Try to open SR wizard and ‘System Restore’ error message appears “System Restore Is not able to protect your computer. Please restart your computer, and then run System Restore again”.
In the ‘System Properties’ window, ‘System Restore’ tab, cannot use ‘Turn off System Restore’ option. Try to turn off SR and ‘System Restore’ error message appears “System Restore encountered an error trying to enable/disable one or more drives. Please restart your machine and try again”.
e. Eventually seeing error messages ‘iexplore.exe – Application Error’ with IE 8 Browser.
--------
iexplore.exe - Application error
The instruction at "0x02f373f3" referenced memory at "0x02f373f3", The memory could not be "read".
----------------------------------------------------------
AppName: iexplore.exe AppVer: 8.0.6001.18702
ModName: ntdll.dll ModVer: 5.1.2600.5755 Offset: 000101b3
-------------------------------------------------------------
Also see other error signatures for ‘iexplore.exe application errors’, for example:
---------------------------------------------------------------------
AppName: iexplore.exe AppVer: 8.0.6001.18702
ModName: unknown ModVer: 0.0.0.0 Offset: 02d473f3
----------- or --------------------------------------------------
AppName: iexplore.exe AppVer: 8.0.6001.18702
ModName: mshtml.dll ModVer: 8.0.6001.18928 Offset: 001b95d9
---------------------------------------------------------------------
Started IE 8 in ‘No Add-ons’ mode and still get ‘iexplore.exe application errors’.

f. Eventually seeing error message with 'Windows Explorer' process.
---------------------------------
Windows Explorer error
AppName: explorer.exe AppVer: 6.0.2900.5512
ModName: iifedc.dll ModVer: 1.0.2.4 Offset: 000013e0
---------------------------------
g. In the Control Panel "Add or Remove Programs" window there is an "Adware & Spyware" item which points to an URL address : http: //www.Adwareremovergold .com/?revid=31418&s=1
Remove button does not remove and tries to open browser to the above address.

h. Unable to boot into "Safe mode" or "Safe mode with networking"
( note: After 1st Sysclean scan, was able to reboot into "Safe mode". )
Attempting to boot into "Safe mode" causes a blue screen to appear with the following text:
'A problem has been detected and Windows has been shut down to prevent damage to your computer. If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:' (Additional text was also displayed.)

________________________
4. Steps I have taken so far

a. Trend Micro Sysclean
Ran first Sysclean scan in 'Normal' boot mode. Items found: 16

Was able to reboot into "Safe mode" after 1st sysclean scan.
Ran second Sysclean scan in 'Safe' boot mode. Items found: 0

b. Malwarebytes Anti Malware - MBAM
Download and install MBAM.
While in 'Normal' boot mode, had to rename 'MBAM.exe' to 'MBAM.com' to allow it to run.
( Trojan was blocking ‘MBAM.exe’ from running. )
Clicked on the MBAM Update tab and got an error message when I tried to update.
'An error has occured. Please report this error code to our support team.'
'MBAM_ERROR_UPDATING (12029, 0, WinHttpSendRequest)'

Was able to update MBAM successfully after momentarily turning off Windows firewall.

1st scan:
While still in 'Normal' boot mode, clicked on MBAM Scanner tab and selected ‘full scan’ option.
Items found: 19

Clicked on the Remove button to quarantine the items and MBAM said "computer needs to be restarted to complete the removal process”. Restarted the computer and got an "Error message window RUNDLL" that said 'Error loading byvtrr.dll the specified module could not be found’. That was not surprising since MBAM had deleted that file on reboot.

After a couple minutes a "Windows Explorer" error message window appeared.
-------- error signature: --------
Windows Explorer error
AppName: explorer.exe AppVer: 6.0.2900.5512
ModName: iifedc.dll ModVer: 1.0.2.4 Offset: 000013e0
----------------------------------------
( This is the same error message that had appeared for several days prior. )

2nd scan:
Rebooted into "Safe" mode and ran second MBAM full scan.
Items found: 7 [ Registry Values Infected: 7 ]
Clicked on the Remove button to quarantine the items.

3rd scan:
While still in "Safe" mode, ran third MBAM full scan. Items found: 0
Rebooted into 'Normal' mode and the "Windows Explorer error" message no longer appears.

4th scan:
While in "Normal" boot mode, ran fourth MBAM full scan. Items found: 0

Log files for Scans 1 and 2 are listed below.

c. Update Java JRE to latest version
Had some initial problems trying to uninstall older versions of Java JRE using the Control Panel "Add or Remove Programs" window.
Was finally able to uninstall several older Java JRE versions and then downloaded/installed Java JRE 6.0_21 ( latest version ?)

d. dds.scr
Ran ‘dds.scr’ file. The ‘DDS.txt’ file is posted below. ‘Attach.txt’ file is attached to this post.

e. GMER
Ran GMER.exe 3 times and each time after approx. 3 hrs and 20 minutes, a blue screen appears.
Text displayed on the blue screen: “A problem has been detected and windows has been shut down to prevent damage to your computer. If this is the first time….
Check to be sure you have adequate disk space. If a driver is identified in the stop message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.
Check with your hardware Vendor for any BIOS updates.
Disable BIOS memory options such as caching or shadowing. <more text>”

After the first GMER scan there was a “CTFMON” error message displayed ( I believe ) right before the blue screen appeared.
Unable to complete a GMER scan (3 tries). No “ark.txt” file available.
___________________
5. Current PC Status

There are NOT any error messages appearing when booting up in "Normal" mode.
WinXP Operating System 'appears' to be booting up and running normally.
Internet Explorer 8 browser 'appears' to run normally without any error messages.
Have not noticed any other issues with other applications/programs so far.

Still unable to run System Restore wizard in ‘Normal’ boot mode. Still unable to ‘Turn off System Restore’ in the ‘System Properties’ window, ‘System Restore’ tab.

In the "Add or Remove Programs" window there is still an "Adware & Spyware" item.

Still unable to boot into "Safe mode with networking"

______________________
6. Reason for forum post

Seeking expert assistance with review of current PC status.
Determine what steps are needed to complete the removal of detected Malware.
Determine if there is any other undetected malware.
Get expert info about 'creating new restore point(s)' and deleting old potentially infected restore points.
Obtain expert help with any other PC issues?

Thank you.

===========
Attachments:

Attach.txt
Ark.txt - unavailable

_______________________________
DDS.txt :


DDS (Ver_10-03-17.01) - NTFSx86
Run by Joe Collier at 3:56:32.96 on Sat 08/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.153 [GMT -7:00]

AV: Windows Live OneCare *On-access scanning enabled* (Outdated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\Program Files\Qwest\Quickcare\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Qwest\Quickcare\bin\tgsrvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
C:\OPLIMIT\ocrawr32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\APC\APC PowerChute Personal Edition\systray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Joe Collier\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://qwest.live.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uDefault_Page_URL = hxxp://qwest.live.com
mStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = 67.159.178.199:8080
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: H - No File
uURLSearchHooks: ICQ Toolbar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icqtoolbar\toolbaru.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uWindows: load=c:\oplimit\ocraware.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ICQ Toolbar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icqtoolbar\toolbaru.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickCare] c:\program files\qwest\quickcare\bin\sprtcmd.exe /P QuickCare
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [notepad]
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [jqvruirj] c:\documents and settings\networkservice\local settings\application data\dpfwyfuhu\foxppvrtssd.exe
dRun: [qpahkhnt] c:\documents and settings\networkservice\local settings\application data\psuspfblb\qnqgaoetssd.exe
dRun: [Wgezofulohoqusi] rundll32.exe "c:\windows\ctcpcpu.dll",Startup
dRun: [notepad] rundll32.exe c:\docume~1\networ~1\ntload.dll,_IWMPEvents@0
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\linksys\wusb600n\WUSB600N.exe
uPolicies-explorer: SpecifyDefaultButtons = 0 (0x0)
mPolicies-explorer: <NO NAME> =
mPolicies-system: EnableLUA = 0 (0x0)
IE: &ICQ Toolbar Search - c:\program files\icqtoolbar\toolbaru.dll/SEARCH.HTML
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\program files\icqlite\ICQLite.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6\ICQ.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YPager.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {10000000-1000-0000-1000-000000000000} - file://c:\program files\internet explorer\update.exe
DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
LSA: Authentication Packages = msv1_0 byvtrr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joecol~1\applic~1\mozilla\firefox\profiles\xyy99245.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\microsoft windows onecare live\OcHealthMon.exe [2009-7-9 26104]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-1-8 1213728]
R2 sprtsvc_quickcare;SupportSoft Sprocket Service (quickcare);c:\program files\qwest\quickcare\bin\sprtsvc.exe [2010-3-10 206120]
R2 tgsrvc_quickcare;SupportSoft Repair Service (quickcare);c:\program files\qwest\quickcare\bin\tgsrvc.exe [2010-3-10 185640]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2007-10-2 6016]
R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-7-8 53168]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664]
S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\joecol~1\locals~1\temp\cdrmkaun.sys --> c:\docume~1\joecol~1\locals~1\temp\cdrmkaun.sys [?]
S3 LwAdiHid;Logitech WingMan Digital Devices(Auto-Detect);c:\windows\system32\drivers\LwAdiHid.sys [2003-1-20 20864]
S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-12-14 551680]
S4 svchost32;Windows Service Manager; [x]

=============== Created Last 30 ================

2010-08-05 07:26:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-03 10:59:17 0 d-----w- c:\docume~1\joecol~1\applic~1\Malwarebytes
2010-08-02 16:11:07 10752 ----a-w- c:\windows\DCEBoot.exe
2010-08-01 09:52:55 73216 ---ha-w- c:\windows\system32\iifedc.dll
2010-08-01 09:26:27 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-08-01 09:26:27 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2010-08-01 09:21:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-01 09:21:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-01 09:21:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-01 09:21:47 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-21 16:47:35 0 d-----w- c:\program files\Western Digital Corporation

==================== Find3M ====================

2010-07-12 13:22:36 157936 ----a-w- c:\docume~1\joecol~1\applic~1\GDIPFONTCACHEV1.DAT
2003-02-25 10:11:51 0 ----a-w- c:\program files\readme.txt
2003-01-08 03:45:28 207759 ----a-w- c:\program files\INSTALL.LOG
2009-07-15 11:18:31 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009071520090716\index.dat

============= FINISH: 3:58:31.84 ===============

_______________________________
Sysclean log - (Normal boot mode):

/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2009-2010, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2010-08-02, 05:56:02, Auto-clean mode specified.
2010-08-02, 05:56:03, Initialized Rootkit Driver version 2.2.0.1004.
2010-08-02, 05:56:03, Running scanner "C:\Documents and Settings\Joe Collier\Desktop\SClean\TSC.BIN"...
2010-08-02, 05:56:42, Scanner "C:\Documents and Settings\Joe Collier\Desktop\SClean\TSC.BIN" has finished running.
2010-08-02, 05:56:42, TSC Log:

Damage Cleanup Engine (DCE) 6.2 (Build 1016) (RCM: 2.2.0-1004)
Windows XP (Build 2600: Service Pack 3)
Start time: Mon Aug 02 2010 05:56:08
Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Joe Collier\Desktop\SClean\TMRDCT.ptn" (version ) [fail]
Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Joe Collier\Desktop\SClean\tsc.ptn" (version 1092) [success]
Complete time: Mon Aug 02 2010 05:56:42
Execute pattern count (3051), Virus found count (0), Virus clean count (0), Clean failed count (0)
2010-08-02, 05:56:42, Running scanner "C:\Documents and Settings\Joe Collier\Desktop\SClean\VSCANTM.BIN"...
2010-08-02, 09:17:23, Scanner "C:\Documents and Settings\Joe Collier\Desktop\SClean\VSCANTM.BIN" has finished running.
2010-08-02, 09:17:23, VSCANTM Log:

2010-08-02, 09:17:23, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 8/2/2010 05:56:42
VSAPI Engine Version : 9.120-1004
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 353 (533742/533742 Patterns) (2010/07/31) (735300)

Command Line: C:\Documents and Settings\Joe Collier\Desktop\SClean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\Documents and Settings\Joe Collier\Desktop\SClean\lpt$vpn.353

C:\Documents and Settings\Joe Collier\Application Data\Sun\Java\Deployment\cache\6.0\57\4839f1b9-3090bc05 (1/5 Viruses Found)
C:\Documents and Settings\Joe Collier\Local Settings\Temp\0.5959651969799002.exe [TROJ_FAKEAV.SMES]
C:\Documents and Settings\Joe Collier\Local Settings\Temp\135.tmp [TROJ_BREDO.SMXA]
C:\Documents and Settings\Joe Collier\Local Settings\Temp\13D.tmp [TROJ_FAKELRT.SME]
C:\Documents and Settings\Joe Collier\Local Settings\Temp\2.4988143135510758E7.exe [TROJ_FAKEAV.SMMZ]
C:\Documents and Settings\Joe Collier\Local Settings\Temp\af5140d6.exe [TROJ_FAKELRT.SME]
C:\Documents and Settings\Joe Collier\Local Settings\Temp\e5107af7.exe [TROJ_FAKEAV.SMES]
C:\Documents and Settings\Joe Collier\Local Settings\Temp\eiif.exe [TROJ_FAKEAV.SMES]
C:\WINDOWS\ctcpcpu.dll [Cryp_Hiloti]
C:\WINDOWS\SYSTEM32\CHKNntry.dll [TROJ_SPYURS.A]
C:\WINDOWS\SYSTEM32\CONFIG\svchost.exe [TROJ_FAKEAV.SMBQ]
C:\WINDOWS\Temp\ setup.exe [Cryp_Hiloti]
C:\WINDOWS\Temp\0.2508839671189971.exe [TROJ_FAKEAV.SMES]
C:\WINDOWS\Temp\112.tmp [TROJ_FAKELRT.SME]
C:\WINDOWS\Temp\6fed15e0.exe [TROJ_RANSOM.FA]
C:\WINDOWS\Temp\8bd64b89.exe [TROJ_FAKELRT.SME]
310901 files have been read.
310901 files have been checked.
310258 files have been scanned.
725956 files have been scanned. (including files in archived)
16 files containing viruses.
Found 16 viruses totally.
Maybe 0 viruses totally.
Stop At: 8/2/2010 09:17:21 3 hours 20 minutes 35 seconds (12035.83 seconds) has elapsed.(38.713 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2010-08-02, 09:17:23, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 8/2/2010 05:56:42
VSAPI Engine Version : 9.120-1004
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 353 (533742/533742 Patterns) (2010/07/31) (735300)

Command Line: C:\Documents and Settings\Joe Collier\Desktop\SClean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\Documents and Settings\Joe Collier\Desktop\SClean\lpt$vpn.353

310901 files have been read.
310901 files have been checked.
310258 files have been scanned.
725956 files have been scanned. (including files in archived)
16 files containing viruses.
Found 16 viruses totally.
Maybe 0 viruses totally.
Stop At: 8/2/2010 09:17:21 3 hours 20 minutes 35 seconds (12035.83 seconds) has elapsed.(38.713 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2010-08-02, 09:17:23, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 8/2/2010 05:56:42
VSAPI Engine Version : 9.120-1004
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 353 (533742/533742 Patterns) (2010/07/31) (735300)

Command Line: C:\Documents and Settings\Joe Collier\Desktop\SClean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\Documents and Settings\Joe Collier\Desktop\SClean\lpt$vpn.353

310901 files have been read.
310901 files have been checked.
310258 files have been scanned.
725956 files have been scanned. (including files in archived)
16 files containing viruses.
Found 16 viruses totally.
Maybe 0 viruses totally.
Stop At: 8/2/2010 09:17:21 3 hours 20 minutes 35 seconds (12035.83 seconds) has elapsed.(38.713 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2010-08-02, 09:17:24, Running SSAPI scanner ""...
2010-08-02, 10:03:23, SSAPI Log:

SSAPI Scanner Version: 1.0.1003
SSAPI Engine Version: 5.2.1032
SSAPI Pattern Version: 7.01
SSAPI Anti-Rootkit Version: 2.2.0.1004

Spyware Scan Started: 08/02/2010 09:17:30

Detected: 0 items.

Spyware Scan Ended: 08/02/2010 10:03:23
Scan Complete. Time=2754.472412.

________________________________________
MBAM logs
1st MBAM Scan (Normal boot mode)

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4384

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/3/2010 1:11:46 PM
mbam-log-2010-08-03 (13-11-46).txt

Scan type: Full scan (C:\|)
Objects scanned: 458280
Time elapsed: 2 hour(s), 26 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\byvtrr.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AtapiDrv.sys (Rootkit.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\Software\AVSolution (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AVSolution (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapidrv (Rootkit.Agent) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gedbbxdrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yaxyywsys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sstrqrdrv (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rqpopqsys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yaabawdrv (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rqpopqsys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yaabawdrv (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\byvtrr.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\0.6764002216315209_exe.txt (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\ntload.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\AtapiDrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

_____________________________
2nd MBAM Scan (Safe boot mode)

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4384

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

8/3/2010 6:13:42 PM
mbam-log-2010-08-03 (18-13-42).txt

Scan type: Full scan (C:\|)
Objects scanned: 458415
Time elapsed: 2 hour(s), 17 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nnkkkhdrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rqooonsys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tutuuvdrv (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xxyaabsys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hgddbcdrv (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xxyaabsys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hgddbcdrv (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#2 etavares

etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 07 August 2010 - 08:15 AM

Hello, JB_nw.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.
  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.

Trusted Zone Warning

Having trusted sites may not be a good idea. The reason why I say it's not a good idea is because the security settings for the Internet are not extremely high, and once you put a site in your trusted zone, basically almost anyone or anything, including hackers or other malicious software, has full access to that site, which can lead to hijacking that site and may even have access to your computer. Are you sure you trust a site to that degree?

It is recommended NOT to have ANY sites in your Trusted Zone unless the site requires it to function properly and you trust it very well. Other than that, it is not necessary for you to add any sites into the trusted zone. If you're not sure, and/or you do not need these in your trusted zone to facilitate access or you did not knowingly permit this access yourself, then please remove those sites from your trusted zone.

They can be accessed in Internet Explorer via Tools>>Internet Options>>Security>>Trusted Zone>>Sites. Remove if there are any there.

Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 etavares

etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 07 August 2010 - 10:19 AM

Hi, in your PM you asked what the backdoor was. It's this:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AtapiDrv.sys (Rootkit.Agent) -> Delete on reboot.

Rootkit agent. It's probably the TDSS/TDL3 rootkit.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 

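The MBAM logs in the first post, and the SafeBoot line etavares points to above, share one line format: `path (family) -> action`. As an added example for this thread (not MBAM's own code and not something any helper here posted), the Python below parses that format, cross-checks the detail sections against the summary counts MBAM prints, and pulls out what needs follow-up: entries marked "Delete on reboot" (not yet removed when the log was written, so a rescan after the restart has to confirm they are gone), keys under the SafeBoot control set (a driver listed there is loaded even in Safe Mode, which is why this one is the serious finding), and Run values grouped by hive. The sample log inside the block is constructed in the same format as the logs above; the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the MBAM 1.x log format quoted in this thread
# (trimmed; the item names mirror the first scan in the thread).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
Windows 5.1.2600 Service Pack 3
8/3/2010 1:11:46 PM

Scan type: Full scan (C:\|)
Objects scanned: 458280

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\byvtrr.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AtapiDrv.sys (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapidrv (Rootkit.Agent) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yaxyywsys (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rqpopqsys (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\byvtrr.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\AtapiDrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

HEADER_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<n>\d+)$")   # summary block
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")             # detail section title
ITEM_RE = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return {section: [(path, family, action), ...]} for every non-empty detail section."""
    items = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section is None or not line or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if m:
            items[section].append((m.group("path"), m.group("family"), m.group("action")))
    return dict(items)


def declared_counts(text):
    """Per-section totals from the summary block MBAM prints before the detail sections."""
    return {m.group("name"): int(m.group("n"))
            for m in (HEADER_RE.match(ln.strip()) for ln in text.splitlines()) if m}


def check_counts(text):
    """Sections whose summary total disagrees with the detail lines: {section: (declared, found)}."""
    items = parse_mbam_log(text)
    return {name: (n, len(items.get(name, [])))
            for name, n in declared_counts(text).items() if n != len(items.get(name, []))}


def pending_after_reboot(items):
    """Detections MBAM could only schedule; a rescan after the restart must confirm they are gone."""
    return [(section, path) for section, found in items.items()
            for path, _, action in found if action.startswith("Delete on reboot")]


def safeboot_persistence(items):
    """Keys under the SafeBoot control set: a driver listed there is loaded even in Safe Mode."""
    return [path for path, _, _ in items.get("Registry Keys Infected", []) if "\\SafeBoot\\" in path]


def run_key_entries(items):
    """Autostart values under CurrentVersion/Run, as {hive: [(value name, family), ...]}."""
    by_hive = defaultdict(list)
    for path, family, _ in items.get("Registry Values Infected", []):
        if "\\CurrentVersion\\Run\\" in path:
            by_hive[path.split("\\")[0]].append((path.rsplit("\\", 1)[1], family))
    return dict(by_hive)


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", check_counts(SAMPLE_LOG))
    print("pending after reboot:", pending_after_reboot(found))
    print("SafeBoot persistence:", safeboot_persistence(found))
    print("Run values by hive:", run_key_entries(found))
```

Two things the grouped output makes visible in the thread's own logs: the HKEY_USERS\.DEFAULT and HKEY_USERS\S-1-5-18 lines are the same LocalSystem profile (S-1-5-18 is the Local System SID), so each pair is one persistence point reported twice; and the second scan finds Run values with different random names than the first, which is why a scan that reports "Quarantined and deleted successfully" is not on its own evidence that the infection is gone.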

#4 JB_nw

JB_nw
  • Topic Starter
  • Members
  • 15 posts

Posted 07 August 2010 - 03:52 PM

Hello Etavares

Thank you for your help and thank you for the warnings.
This PC will be very limited with online connection times.
I plan to reformat and reinstall windows at some point in the not too distant future.


1. Found and removed one web site URL from the Trusted Zone sites.

2. ComboFix

Disabled virus scanner and then ran 'etavaresCF.exe'.
CF tried to install Recovery Console but opened an error window saying 'Unable to connect to IP address' (approximate message), which closed quickly and opened a new window saying "Failed to create Recovery Console" (approximate message).
The main CF window said the scan was starting anyhow, so I closed the error message window and CF continued with the scan.
Should the Windows Firewall have been turned off also?

Should I try to install the Recovery Console using a Win XP Pro with SP2 CD-ROM?
[ Start --> Run --> e:\i386\winnt32.exe /cmdcons ] ?

ComboFix displayed a message about a rootkit detected and said to reboot.
PC rebooted and ComboFix continued until scan completed.

'ComboFix.txt' log file is shown below.

3. Symptoms/Status:
Can now open the System Restore window through "Start / Accessories / System Tools / System Restore".

In the "Add or Remove Programs" window there is still an "Adware & Spyware" item. (Removal is unnecessary?)

Still unable to boot into "Safe mode with networking"
[ Note: I can not recall ever booting up into "Safe Mode with Networking" before. I can not confirm that it ever was possible on this PC. ]

I have not detected any other problems with Win XP OS or any applications.

___________________________

"ComboFix.txt" file:
-----------------------

ComboFix 10-08-06.01 - Joe Collier 08/07/2010 10:21:11.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.172 [GMT -7:00]
Running from: c:\documents and settings\Joe Collier\Desktop\etavaresCF.exe
AV: Windows Live OneCare *On-access scanning disabled* (Outdated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\system\Color
c:\windows\system\Color\AS1220PR.ICM
c:\windows\system\Color\AS1220PT.ICM
c:\windows\system\Color\AS1220SR.ICM
c:\windows\system\Color\AS1220ST.ICM
c:\windows\system\Color\AS1220UR.ICM
c:\windows\system\Color\AS1220UT.ICM
c:\windows\system\Color\AS2400SR.ICM
c:\windows\system\Color\AS2400ST.ICM
c:\windows\system\Color\ASTA12SR.ICM
c:\windows\system\Color\ASTA12ST.ICM
c:\windows\system\Color\ASTA61PR.ICM
c:\windows\system\Color\ASTA61SR.ICM
c:\windows\system\Color\ASTRA6PR.ICM
c:\windows\system\Color\ASTRA6PT.ICM
c:\windows\system\Color\ASTRA6SR.ICM
c:\windows\system\Color\ASTRA6ST.ICM
c:\windows\system\Color\BJC240M7.ICM
c:\windows\system\Color\BJC420LC.ICM
c:\windows\system\Color\BJC42HRP.ICM
c:\windows\system\Color\BJC42HRS.ICM
c:\windows\system\Color\BJC43HRS.ICM
c:\windows\system\Color\BJC43LCS.ICM
c:\windows\system\Color\BJC4550M.ICM
c:\windows\system\Color\BJC600EM.ICM
c:\windows\system\Color\BJC600M7.ICM
c:\windows\system\Color\BJC620CP.ICM
c:\windows\system\Color\BJC800M7.ICM
c:\windows\system\Color\CLC500M7.ICM
c:\windows\system\Color\CLC550SI.ICM
c:\windows\system\Color\EPSPRO36.ICM
c:\windows\system\Color\EPSPRO72.ICM
c:\windows\system\Color\ESC360M.ICM
c:\windows\system\Color\ESC800GL.ICM
c:\windows\system\Color\ESC800IJ.ICM
c:\windows\system\Color\ESCII360.ICM
c:\windows\system\Color\ESCII720.ICM
c:\windows\system\Color\HP12CPS7.ICM
c:\windows\system\Color\HP660CIP.ICM
c:\windows\system\Color\HP870CSE.ICM
c:\windows\system\Color\HP870PIP.ICM
c:\windows\system\Color\HPCLJTPS.ICM
c:\windows\system\Color\HPCLLSJT.ICM
c:\windows\system\Color\HPCLSMM7.ICM
c:\windows\system\Color\HPCPJTM7.ICM
c:\windows\system\Color\HPDJ850W.ICM
c:\windows\system\Color\HPPS_PIP.ICM
c:\windows\system\Color\HPXL3PS7.ICM
c:\windows\system\Color\KCOLEAS1.ICM
c:\windows\system\Color\LEX1020J.ICM
c:\windows\system\Color\LEX2030J.ICM
c:\windows\system\Color\LEX2050C.ICM
c:\windows\system\Color\LEX2070J.ICM
c:\windows\system\Color\P22G18M7.ICM
c:\windows\system\Color\S12R.ICM
c:\windows\system\Color\S12SYR.ICM
c:\windows\system\Color\S12SYT.ICM
c:\windows\system\Color\S12T.ICM
c:\windows\system\Color\S6ER.ICM
c:\windows\system\Color\S6ET.ICM
c:\windows\system\Color\S6R.ICM
c:\windows\system\Color\S6T.ICM
c:\windows\system\Color\S8R.ICM
c:\windows\system\Color\S8T.ICM
c:\windows\system\Color\T630R.ICM
c:\windows\system\Color\X863PM07.ICM
c:\windows\system\Color\XL7700M7.ICM
c:\windows\system32\Data

Infected copy of c:\windows\system32\drivers\mouclass.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ATAPIDRV
-------\Legacy_SVCHOST32
-------\Service_svchost32


((((((((((((((((((((((((( Files Created from 2010-07-07 to 2010-08-07 )))))))))))))))))))))))))))))))
.

2010-08-05 07:26 . 2010-07-17 12:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-03 10:59 . 2010-08-03 10:59 -------- d-----w- c:\documents and settings\Joe Collier\Application Data\Malwarebytes
2010-08-02 20:40 . 2010-08-02 20:40 -------- d-----w- c:\documents and settings\other\Local Settings\Application Data\SupportSoft
2010-08-02 20:35 . 2010-08-02 20:35 -------- d-sh--w- c:\documents and settings\other\IETldCache
2010-08-02 16:11 . 2010-08-02 20:12 10752 ----a-w- c:\windows\DCEBoot.exe
2010-08-01 09:52 . 2010-08-01 09:52 73216 ---ha-w- c:\windows\system32\iifedc.dll
2010-08-01 09:26 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-08-01 09:26 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2010-08-01 09:21 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-01 09:21 . 2010-08-01 09:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-01 09:21 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-01 09:21 . 2010-08-04 07:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-21 16:47 . 2010-07-21 16:47 -------- d-----w- c:\program files\Western Digital Corporation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-07 17:03 . 2007-09-07 04:31 -------- d-----w- c:\documents and settings\Joe Collier\Application Data\U3
2010-08-07 16:17 . 2009-07-08 11:48 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2010-08-07 08:38 . 2006-03-31 09:05 -------- d-----w- c:\program files\Yahoo!
2010-08-07 08:29 . 2010-07-02 14:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-05 07:26 . 2007-08-21 09:19 -------- d-----w- c:\program files\Common Files\Java
2010-08-05 07:25 . 2007-08-21 09:51 -------- d-----w- c:\program files\Java
2010-08-02 20:38 . 2005-01-27 12:55 157936 ----a-w- c:\documents and settings\other\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-02 03:34 . 2004-08-17 16:49 -------- d-----w- c:\documents and settings\Joe Collier\Application Data\COREL
2010-07-02 14:05 . 2010-07-02 14:05 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-12 01:20 . 2007-07-11 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-11 07:04 . 2010-04-20 22:10 -------- d-----w- c:\program files\TeamSpeak 3 Client
2003-02-25 10:11 . 2003-02-25 10:11 0 ----a-w- c:\program files\readme.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"QuickCare"="c:\program files\Qwest\Quickcare\bin\sprtcmd.exe" [2010-01-16 206120]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2003-1-20 200833]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-1-7 45056]
Wireless Network Monitor.lnk - c:\program files\Linksys\WUSB600N\WUSB600N.exe [2008-1-9 6922240]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Games\\GameSpy Arcade\\Aphex.exe"=
"c:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"=
"c:\\Games\\Firaxis Games\\Sid Meier's Gettysburg!\\Lee.exe"=
"c:\\Games\\Total War\\Medieval - Total War\\Medieval_TW.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Games\\Microsoft Games\\Age of Mythology\\aomx.exe"=
"c:\\Games\\Roger Wilco\\mark 1 d3\\Roger Wilco\\roger.exe"=

[HKLM\~\Services\\_common\\RWVoice.exe"=]
"c:\\Games\\NeverwinterNights\\NWN\\nwupdate.exe"=
"c:\\Games\\Taldren Software Inc\\Starfleet Command Orion Pirates\\StarFleetOP.exe"=
"c:\\Games\\NeverwinterNights\\NWN\\nwmain.exe"=
"c:\\Games\\Roger Wilco\\roger.exe"=
"c:\\Games\\Roger Wilco\\mark 1 C\\Roger Wilco\\roger.exe"=
"c:\\Games\\Magic\\Program\\Manalink.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\Program Files\\MSN Gaming Zone\\zclient.exe"=
"c:\\Games\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"c:\\Games\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Games\\Microsoft Games\\Close Combat III\\CC3.exe"=
"c:\\Games\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Games\\Infogrames Interactive\\Civilization III\\CIV3PTW\\Civilization3X.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpnsvr.exe"=
"c:\\Games\\Microsoft Games\\Combat Flight Simulator 3\\cfs3.exe"=
"c:\\Games\\Hasbro Interactive\\Axis and Allies\\AxisAllies.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Games\\Microsoft Games\\Rise Of Legends\\legends.exe"=
"c:\\Games\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\SYSTEM32\\java.exe"=
"c:\\Games\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Teamspeak2_RC2\\server_windows.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\jdk1.6.0_02\\bin\\javaw.exe"=
"c:\\Games\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Civilization4.exe"=
"c:\\Games\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Warlords\\Civ4Warlords.exe"=
"c:\\Games\\Atari\\Axis & Allies\\Aa.exe"=
"c:\\Games\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Games\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=

R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [7/9/2009 12:15 PM 26104]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]
R2 sprtsvc_quickcare;SupportSoft Sprocket Service (quickcare);c:\program files\Qwest\Quickcare\bin\sprtsvc.exe [3/10/2010 5:46 PM 206120]
R2 tgsrvc_quickcare;SupportSoft Repair Service (quickcare);c:\program files\Qwest\Quickcare\bin\tgsrvc.exe [3/10/2010 5:46 PM 185640]
R2 vnccom;vnccom;c:\windows\SYSTEM32\DRIVERS\vnccom.SYS [10/2/2007 3:02 AM 6016]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 9:50 PM 135664]
S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\JOECOL~1\LOCALS~1\Temp\cdrmkaun.sys --> c:\docume~1\JOECOL~1\LOCALS~1\Temp\cdrmkaun.sys [?]
S3 LwAdiHid;Logitech WingMan Digital Devices(Auto-Detect);c:\windows\SYSTEM32\DRIVERS\LwAdiHid.sys [1/20/2003 7:48 PM 20864]
.
Contents of the 'Scheduled Tasks' folder

2010-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 04:50]

2010-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 04:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://qwest.live.com/
mStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = 67.159.178.199:8080
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &ICQ Toolbar Search - c:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Joe Collier\Application Data\Mozilla\Firefox\Profiles\xyy99245.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Wgezofulohoqusi - c:\windows\ctcpcpu.dll
HKU-Default-Run-notepad - c:\docume~1\NETWOR~1\ntload.dll
AddRemove-CEP patch v1.52_is1 - c:\neverwinternights\NWN\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-07 10:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-124684247-3023699142-651906896-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3496)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\wanmpsvc.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
c:\program files\Microsoft Windows OneCare Live\winss.exe
c:\windows\system32\wscntfy.exe
c:\program files\Microsoft Windows OneCare Live\winssnotify.exe
c:\program files\APC\APC PowerChute Personal Edition\systray.exe
.
**************************************************************************
.
Completion time: 2010-08-07 10:54:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-07 17:54

Pre-Run: 7,001,706,496 bytes free
Post-Run: 7,117,574,144 bytes free

- - End Of File - - 4CF6AED494A12F8F111188ACB062B584



#5 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:18 PM

Posted 08 August 2010 - 06:12 AM

Hello, JB_nw.
OK, before we continue, let's do a few quick things. We'll also install the Recovery Console so we can repair your computer if something goes wrong.



Step 1

Please download MBRCheck by ad_13 and save it to your desktop.

Double-click to run. A window will pop up. If it says 'non-standard' or 'infected' MBR code detected, please type 3 for Exit for now and press Enter.

It will save a logfile on your desktop that starts with MBR, then has the date, etc. Please copy and paste the contents of that log in your reply.



Step 2

Download and run HAMeb_check.exe
Post the contents of the resulting log.



Step 3

Please click on the following link to go to Microsoft's website.
http://support.microsoft.com/kb/310994

At that page, scroll down and click on the appropriate download for your version of Windows XP (Home or Professional) and the service pack level that you have installed. When you click on the link to download the file, make sure you save it directly to your desktop. If you are using Windows XP Service Pack 3 (SP3), then select the Service Pack 2 download. If you are using Windows XP Media Center, then you should select the Windows XP Pro Service Pack 2 download. If you are unsure what version of Windows you have and what Service Pack is installed, you can follow these instructions to gain that information.
  1. Click on the Start button.
  2. Click on the Run option.
  3. type sysdm.cpl and then hit OK
  4. A screen will appear showing information about your Windows installation. Under the System category you should see your Windows version and the installed service pack. Write this down and proceed to download the correct version as above.

Once the Microsoft file has finished downloading, you should drag it on top of the ComboFix icon and let your mouse button go. This is shown in the following image.
Posted Image

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Windows Recovery Console has finished installing, ComboFix will open a prompt stating that it was installed and asking if you would like to proceed with scanning your computer; please select no to cancel the scan.





Step 4

Please uninstall any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove.

Adware & Spyware


Be sure to reboot when done.



Step 5


Please let me know how the above steps went, post the resulting logs and also post a fresh DDS log.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
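The logs requested in this post (and the ComboFix output above) are read by hand, looking for a few recurring tells. As an added example that is not part of the original thread and not code from DDS, ComboFix or any other tool used here, the script below applies that reading to constructed sample lines in DDS and ComboFix format; the values are copied from the ComboFix "ORPHANS REMOVED" block above and the DDS "Pseudo HJT Report" posted in reply #6. It flags an Internet Explorer proxy that points at a public address, Run values whose command is a bare DLL or lives under a service-account profile, Run values written to HKU\.DEFAULT, and "No File" orphans. The severity labels and the heuristics themselves are this example's own assumptions, not anything the tools report.

```python
import ipaddress
import re

# Constructed sample, not a captured log: the lines are copied from the ComboFix
# "ORPHANS REMOVED" block and the DDS "Pseudo HJT Report" posted in this thread,
# in the formats those tools print.
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = 67.159.178.199:8080
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
HKU-Default-Run-Wgezofulohoqusi - c:\windows\ctcpcpu.dll
HKU-Default-Run-notepad - c:\docume~1\NETWOR~1\ntload.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
"""

RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}  # severity ordering (this example's own scale)

# DDS autostart lines: uRun/mRun: [value name] command line
DDS_RUN = re.compile(r"^(?P<hive>[um])Run:\s+\[(?P<name>[^\]]*)\]\s*(?P<target>.*)$", re.I)
# ComboFix orphan lines: HKU-Default-Run-<value name> - <command>
CF_RUN = re.compile(r"^(?P<hive>HK[A-Z]+-[^-]+)-Run-(?P<name>\S+)\s+-\s+(?P<target>.*)$", re.I)
PROXY = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$", re.I)
# Service-account profile directories, long and 8.3 short forms as DDS prints them
SERVICE_PROFILE = re.compile(r"\\(networkservice|localservice|networ~1|locals~1)\\", re.I)


def classify_proxy(value):
    """Rate an IE ProxyServer value ("host:port" or "scheme=host:port;...").
    A public proxy address means browser traffic leaves the machine via a
    third party; a standalone home PC normally has no proxy at all."""
    worst = ("LOW", "proxy value is empty")
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        hostport = entry.split("=", 1)[-1]            # drop "http=" style prefix
        host = hostport.rsplit(":", 1)[0].strip("[]")  # drop port, IPv6 brackets
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            candidate = ("MEDIUM", f"proxy hostname {host!r} configured; confirm it is expected")
        else:
            if ip.is_loopback or ip.is_private or ip.is_link_local:
                candidate = ("LOW", f"proxy {ip} is a local/private address")
            else:
                candidate = ("HIGH", f"proxy {ip} is a public address; browser traffic is routed off-box")
        if RANK[candidate[0]] > RANK[worst[0]]:
            worst = candidate
    return worst


def executable_and_module(target):
    """Split an autostart command into the program it starts and, for rundll32,
    the DLL that program is told to load (None otherwise)."""
    t = target.strip()
    if t.startswith('"'):
        end = t.find('"', 1)
        host, rest = (t[1:end], t[end + 1:]) if end > 0 else (t[1:], "")
    else:
        parts = t.split(None, 1)
        host, rest = (parts[0], parts[1]) if len(parts) > 1 else (t, "")
    module = None
    if host.lower().rsplit("\\", 1)[-1] in ("rundll32.exe", "rundll32"):
        module = rest.strip().split(",", 1)[0].strip().strip('"') or None
    return host, module


def check_autorun(hive, target):
    """Heuristics (assumptions of this example) for one Run value."""
    reasons = []
    host, module = executable_and_module(target)
    if host.lower().endswith(".dll"):
        reasons.append(("MEDIUM", "command is a bare DLL, not a program; legitimate entries "
                                  "start an .exe directly or via rundll32 with an entry point"))
    for path in (host, module):
        if path and SERVICE_PROFILE.search(path):
            reasons.append(("HIGH", f"{path} lives under a service-account profile "
                                    "(NetworkService/LocalService); user software does not install there"))
    if hive.lower() == "hku-default":
        reasons.append(("MEDIUM", "Run value in HKU\\.DEFAULT (logon-screen context), "
                                  "which legitimate software rarely uses"))
    return reasons


def triage(log_text):
    """Return one finding per suspicious line: {"line", "severity", "reasons"}."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        m = PROXY.match(line)
        if m:
            reasons.append(classify_proxy(m.group("value")))
        m = DDS_RUN.match(line) or CF_RUN.match(line)
        if m:
            reasons.extend(check_autorun(m.group("hive"), m.group("target")))
        if line.endswith("- No File"):
            reasons.append(("LOW", "orphaned reference: registered component whose file is gone"))
        if reasons:
            severity = max((s for s, _ in reasons), key=RANK.__getitem__)
            findings.append({"line": line, "severity": severity, "reasons": [w for _, w in reasons]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['line']}")
        for why in f["reasons"]:
            print(f"    - {why}")
```

Run on the sample, the proxy line and the ntload.dll entry come out HIGH, the ctcpcpu.dll entry MEDIUM, the "No File" toolbar band LOW, and the ctfmon and NvCplDaemon lines are not reported. A finding is a prompt to look, not a verdict: the next step for each is to check the file on disk and the key in the registry, as the helper does in this thread.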
 


#6 JB_nw

JB_nw
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:05:18 PM

Posted 08 August 2010 - 12:58 PM

Hello Etavares,

Thank you for your help.
Results of the 5 steps specified in your previous post are described below.
Note: Disconnected from Internet and then disabled virus scanner before performing steps 1 - 5.

_______
Step 1
Ran "MBRCheck.exe"
Window popped up. At the bottom of the window it said 'done' and press Enter to exit.
I pressed the 'Enter' key and window closed.

The 'MBRCheck_08.08.10_07.24.22.txt' log file is shown below.

_______
Step 2

Ran "HAMeb_check.exe"
Window popped up and then closed by itself. HAlog.log file was displayed inside a notepad window.

The 'HAlog.log' log file is shown below.

_______
Step 3

Opened browser window to Microsoft's website: http://support.microsoft.com/kb/310994

Downloaded "WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe" file directly to the desktop.
Dragged "WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe" icon on top of the ComboFix icon (etavaresCF.exe).

ComboFix window opened.
Text appeared inside the CF window: 'Creating a system restore point'.
[ note: System Restore window does not show a restore point for this day.]

A firewall window opened stating a file from etavaresCF was trying to connect to internet.
Clicked on 'Allowed file to connect' option [ Although there was no actual connection to the internet at the time, since I had disconnected from the internet prior to performing steps 1 thru 5. ]

ComboFix apparently installed the Windows Recovery Console because ComboFix opened a prompt stating that 'Recovery Console' was installed and asked if I would like to proceed with scanning the computer.
Selected "no" to cancel the scan and the ComboFix window closed.

The "CF-RC.txt" file appeared inside a notepad window.
The 'CF-RC.txt' log file is shown below.

As a test, should the Windows Recovery Console option be selected once during a boot up to verify it is installed/working properly?

_______
Step 4

Attempt to uninstall the following program ( ? ) using 'Add or Remove Programs'.

'AdWare & SpyWare'

Opened the "Add or Remove Programs" window:
Start button > Control Panel and double-click on "Add or Remove Programs" icon.
Within the 'Add or Remove Programs' window, clicked on the 'AdWare & SpyWare' item to highlight it.
Clicked on the 'Change/Remove' button for 'AdWare & SpyWare' and the following occurred:

An Internet Explorer 8 browser window opened and had the URL address:
http: //www.adwareremovergold .com/ ?revid=31418&s=1 inside the address bar.
[ There was no actual connection to the internet at the time, since I had disconnected from the internet prior to performing steps 1 thru 5. ]

The "AdWare & SpyWare" item is still on the list of 'Currently installed programs' and has not been removed.
This is the same symptom that was reported in my original post ( item g ).

Closed the "Add or Remove Programs" window.
Rebooted the PC.
Observed that the "Recovery Console" option was available during the reboot.
( Booted into normal mode without selecting 'Recovery Console' option. )

_______
Step 5

Ran "dds.scr"
The ‘DDS.txt’ log file is shown below. The ‘Attach.txt’ file is attached to this post.

--------------------------------------------
Current PC Symptoms / Status:
In the "Add or Remove Programs" window there is still an "Adware & Spyware" item.
( Is removal possible or even necessary ? )

Still unable to boot into "Safe mode with networking"
[ Note: I cannot recall ever booting up into "Safe Mode with Networking" before. I cannot confirm that it ever was possible on this PC. ]

Have not detected any other problems with Win XP OS or any applications.

++++++++++
Attachments: Attach.txt

_________________________________

'MBRCheck_08.08.10_07.24.22.txt' log file:
------------------------


MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001d

Kernel Drivers (total 138):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF8B36000 \WINDOWS\system32\KDCOM.DLL
0xF8A46000 \WINDOWS\system32\BOOTVID.dll
0xF85E7000 ACPI.sys
0xF8B38000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xF85D6000 pci.sys
0xF8636000 isapnp.sys
0xF8A4A000 compbatt.sys
0xF8A4E000 \WINDOWS\System32\DRIVERS\BATTC.SYS
0xF8B3A000 intelide.sys
0xF88B6000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xF8646000 MountMgr.sys
0xF85B7000 ftdisk.sys
0xF88BE000 PartMgr.sys
0xF8656000 VolSnap.sys
0xF859F000 atapi.sys
0xF8666000 disk.sys
0xF8676000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xF857F000 fltmgr.sys
0xF856D000 sr.sys
0xF8686000 PxHelp20.sys
0xF8556000 KSecDD.sys
0xF84C9000 Ntfs.sys
0xF849C000 NDIS.sys
0xF8482000 Mup.sys
0xF8696000 agp440.sys
0xF8706000 \SystemRoot\System32\DRIVERS\intelppm.sys
0xF7F52000 \SystemRoot\System32\DRIVERS\nv4_mini.sys
0xF7F3E000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
0xF89BE000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xF7F1A000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xF89C6000 \SystemRoot\System32\DRIVERS\usbehci.sys
0xF7E0D000 \SystemRoot\System32\DRIVERS\BCMSM.sys
0xF7DEA000 \SystemRoot\System32\DRIVERS\ks.sys
0xF89CE000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7CAE000 \SystemRoot\system32\drivers\P16X.sys
0xF7C11000 \SystemRoot\system32\drivers\portcls.sys
0xF8716000 \SystemRoot\system32\drivers\drmk.sys
0xF8435000 \SystemRoot\System32\DRIVERS\gameenum.sys
0xF7BEE000 \SystemRoot\System32\DRIVERS\e100b325.sys
0xF89D6000 \SystemRoot\System32\DRIVERS\fdc.sys
0xF8726000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xF89DE000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF8736000 \SystemRoot\System32\DRIVERS\serial.sys
0xF8431000 \SystemRoot\System32\DRIVERS\serenum.sys
0xF7BDA000 \SystemRoot\System32\DRIVERS\parport.sys
0xF89E6000 \SystemRoot\System32\Drivers\MxlW2k.SYS
0xF8746000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xF8756000 \SystemRoot\System32\DRIVERS\redbook.sys
0xF7BC9000 \SystemRoot\System32\DRIVERS\Pcatip.sys
0xF7BB0000 \SystemRoot\System32\Drivers\pwd_2k.SYS
0xF8766000 \SystemRoot\System32\DRIVERS\imapi.sys
0xF8B84000 \SystemRoot\system32\DRIVERS\vncdrv.sys
0xF8D51000 \SystemRoot\System32\DRIVERS\audstub.sys
0xF8776000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xF8AC6000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xF7B99000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xF8786000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xF8796000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xF89EE000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xF7B88000 \SystemRoot\System32\DRIVERS\psched.sys
0xF87A6000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xF89F6000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF89FE000 \SystemRoot\System32\DRIVERS\raspti.sys
0xF8A06000 \SystemRoot\system32\DRIVERS\wanatw4.sys
0xF87C6000 \SystemRoot\System32\Drivers\Pcouffin.sys
0xF87D6000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF8A0E000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF8B86000 \SystemRoot\System32\DRIVERS\swenum.sys
0xF7A8A000 \SystemRoot\System32\DRIVERS\update.sys
0xF8A16000 \SystemRoot\System32\DRIVERS\omci.sys
0xF8AD6000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xF8A1E000 \SystemRoot\System32\Drivers\mmc_2K.SYS
0xF87E6000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF87F6000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xF8B8C000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xF8AFA000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xF8A26000 \SystemRoot\System32\DRIVERS\flpydisk.sys
0xF8B0A000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF8C03000 \SystemRoot\System32\Drivers\Cdr4_xp.SYS
0xF8C08000 \SystemRoot\System32\Drivers\Cdralw2k.SYS
0xF8B8E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF8C0A000 \SystemRoot\System32\Drivers\Null.SYS
0xF8B90000 \SystemRoot\System32\Drivers\Beep.SYS
0xF8A36000 \SystemRoot\System32\drivers\vga.sys
0xF8B92000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF8B94000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF68E8000 \SystemRoot\System32\Drivers\cdudf_xp.SYS
0xF8A3E000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF88D6000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF68A3000 \SystemRoot\System32\Drivers\UdfReadr_xp.SYS
0xF80C8000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xF6876000 \SystemRoot\system32\DRIVERS\msfwhlpr.sys
0xF683B000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xF67E2000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xF67BA000 \SystemRoot\System32\DRIVERS\netbt.sys
0xF6798000 \SystemRoot\System32\drivers\afd.sys
0xF8826000 \SystemRoot\System32\DRIVERS\netbios.sys
0xF676D000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xF66FD000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xF8856000 \SystemRoot\System32\Drivers\Fips.SYS
0xF66D7000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xF8876000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xF88A6000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF8B32000 \SystemRoot\System32\DRIVERS\hidusb.sys
0xF86D6000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
0xF88EE000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
0xF697E000 \SystemRoot\System32\DRIVERS\mouhid.sys
0xF88FE000 \SystemRoot\System32\DRIVERS\HidBatt.sys
0xF6697000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF8BB0000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF686A000 \SystemRoot\System32\drivers\Dxapi.sys
0xF8916000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF8D65000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xF895E000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xF8966000 \SystemRoot\System32\Drivers\PCASp50.sys
0xF54B6000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xF4A59000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xF8B88000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xF8B8A000 \SystemRoot\System32\Drivers\ASCTRM.SYS
0xF8B96000 \SystemRoot\system32\DRIVERS\dsunidrv.sys
0xF545E000 \SystemRoot\System32\DRIVERS\ipfltdrv.sys
0xF48EA000 \SystemRoot\System32\DRIVERS\srv.sys
0xF48D5000 \SystemRoot\system32\DRIVERS\msfwdrv.sys
0xF489D000 \SystemRoot\system32\DRIVERS\tcpip6.sys
0xF8B9E000 \??\C:\WINDOWS\System32\PfModNT.sys
0xF49F1000 \SystemRoot\System32\DRIVERS\secdrv.sys
0xF8BD4000 \SystemRoot\System32\Drivers\vnccom.SYS
0xF421C000 \SystemRoot\System32\Drivers\HTTP.sys
0xF409F000 \SystemRoot\system32\drivers\wdmaud.sys
0xF413C000 \SystemRoot\system32\drivers\sysaudio.sys
0xF3E9D000 \SystemRoot\System32\Drivers\Fastfat.SYS
0x7C900000 \WINDOWS\SYSTEM32\ntdll.dll

Processes (total 46):
0 System Idle Process
4 System
576 C:\WINDOWS\SYSTEM32\smss.exe
648 csrss.exe
672 C:\WINDOWS\SYSTEM32\winlogon.exe
716 C:\WINDOWS\SYSTEM32\services.exe
728 C:\WINDOWS\SYSTEM32\lsass.exe
876 C:\WINDOWS\SYSTEM32\svchost.exe
932 svchost.exe
968 C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
1012 C:\WINDOWS\SYSTEM32\svchost.exe
1116 svchost.exe
1140 svchost.exe
1308 C:\WINDOWS\SYSTEM32\spoolsv.exe
1384 svchost.exe
1416 C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
1436 C:\WINDOWS\SYSTEM32\CTsvcCDA.EXE
1496 C:\Program Files\Java\jre6\bin\jqs.exe
1548 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
1600 C:\WINDOWS\SYSTEM32\nvsvc32.exe
1628 C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
1640 C:\Program Files\Google\Update\GoogleUpdate.exe
1708 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
1776 C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
1848 C:\Program Files\Qwest\Quickcare\bin\sprtsvc.exe
1872 C:\WINDOWS\SYSTEM32\svchost.exe
1912 C:\Program Files\Qwest\Quickcare\bin\tgsrvc.exe
2040 C:\WINDOWS\wanmpsvc.exe
172 C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
212 C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
320 C:\Program Files\Microsoft Windows OneCare Live\winss.exe
1052 alg.exe
2260 C:\WINDOWS\SYSTEM32\svchost.exe
2448 wmiprvse.exe
2744 C:\WINDOWS\SYSTEM32\wscntfy.exe
2764 C:\WINDOWS\explorer.exe
2776 C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
3060 C:\Program Files\Qwest\Quickcare\bin\sprtcmd.exe
3168 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3256 C:\WINDOWS\SYSTEM32\ctfmon.exe
3284 C:\Program Files\Digital Line Detect\DLG.exe
3292 C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
3352 C:\WINDOWS\SYSTEM32\wuauclt.exe
3400 C:\Program Files\APC\APC PowerChute Personal Edition\systray.exe
2860 C:\Program Files\Messenger\msmsgs.exe
4076 C:\Documents and Settings\Joe Collier\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02738a00 (NTFS)

PhysicalDrive0 Model Number: WDCWD1200JB-75CRA0, Rev: 16.06V16

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

___________________

'HAlog.log' log file:
------------------------


C:\Documents and Settings\Joe Collier\Desktop\HAMeb_check.exe
Sun 08/08/2010 at 7:34:33.31

Account active No
Local Group Memberships

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~


___________________

'CF-RC.txt' log file
------------------------


WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn


___________________

'DDS.txt' log file:
------------------------



DDS (Ver_10-03-17.01) - NTFSx86
Run by Joe Collier at 9:13:42.07 on Sun 08/08/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.153 [GMT -7:00]

AV: Windows Live OneCare *On-access scanning disabled* (Outdated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\Program Files\Qwest\Quickcare\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Qwest\Quickcare\bin\tgsrvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\APC\APC PowerChute Personal Edition\systray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Joe Collier\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://qwest.live.com/
mStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = 67.159.178.199:8080
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: ICQ Toolbar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icqtoolbar\toolbaru.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ICQ Toolbar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icqtoolbar\toolbaru.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickCare] c:\program files\qwest\quickcare\bin\sprtcmd.exe /P QuickCare
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\linksys\wusb600n\WUSB600N.exe
uPolicies-explorer: SpecifyDefaultButtons = 0 (0x0)
mPolicies-explorer: <NO NAME> =
IE: &ICQ Toolbar Search - c:\program files\icqtoolbar\toolbaru.dll/SEARCH.HTML
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\program files\icqlite\ICQLite.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6\ICQ.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YPager.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joecol~1\applic~1\mozilla\firefox\profiles\xyy99245.default\
FF - prefs.js: network.proxy.type - 0
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\microsoft windows onecare live\OcHealthMon.exe [2009-7-9 26104]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-1-8 1213728]
R2 sprtsvc_quickcare;SupportSoft Sprocket Service (quickcare);c:\program files\qwest\quickcare\bin\sprtsvc.exe [2010-3-10 206120]
R2 tgsrvc_quickcare;SupportSoft Repair Service (quickcare);c:\program files\qwest\quickcare\bin\tgsrvc.exe [2010-3-10 185640]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2007-10-2 6016]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-28 135664]
S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\joecol~1\locals~1\temp\cdrmkaun.sys --> c:\docume~1\joecol~1\locals~1\temp\cdrmkaun.sys [?]
S3 LwAdiHid;Logitech WingMan Digital Devices(Auto-Detect);c:\windows\system32\drivers\LwAdiHid.sys [2003-1-20 20864]
S3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-7-8 53168]
S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-12-14 551680]

=============== Created Last 30 ================

2010-08-08 14:50:49 0 d-sha-r- C:\cmdcons
2010-08-07 17:09:12 98816 ----a-w- c:\windows\sed.exe
2010-08-07 17:09:12 77312 ----a-w- c:\windows\MBR.exe
2010-08-07 17:09:12 256512 ----a-w- c:\windows\PEV.exe
2010-08-07 17:09:12 161792 ----a-w- c:\windows\SWREG.exe
2010-08-05 07:26:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-03 10:59:17 0 d-----w- c:\docume~1\joecol~1\applic~1\Malwarebytes
2010-08-02 16:11:07 10752 ----a-w- c:\windows\DCEBoot.exe
2010-08-01 09:52:55 73216 ---ha-w- c:\windows\system32\iifedc.dll
2010-08-01 09:26:27 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-08-01 09:26:27 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2010-08-01 09:21:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-01 09:21:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-01 09:21:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-01 09:21:47 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-21 16:47:35 0 d-----w- c:\program files\Western Digital Corporation

==================== Find3M ====================

2010-07-12 13:22:36 157936 ----a-w- c:\docume~1\joecol~1\applic~1\GDIPFONTCACHEV1.DAT
2003-02-25 10:11:51 0 ----a-w- c:\program files\readme.txt
2009-07-15 11:18:31 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009071520090716\index.dat

============= FINISH: 9:14:30.89 ===============


#7 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:18 PM

Posted 08 August 2010 - 08:19 PM

Hello, JB_nw.

OK, I found more info about it and the uninstall literally just launches that page. So, we need to remove it. Unfortunately, I need more info. Please run OTL and post both logs.

We need to create an OTL report,
  • Please download OTL from this link.
  • (If that link doesn't work, try this alternate link.)
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Select "Use Safelist" under "Extra Registry".
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    user32.dll
    ws2_32.dll
    /md5stop
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT


  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply. If they are too big to paste in one reply, please split them into separate posts.
etavares

Edited by etavares, 08 August 2010 - 08:20 PM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators

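The OTL log the post above asks for is plain text with one record per line. As an added triage helper, written for this page and not part of the thread, of OTL, or of any poster's instructions, the Python below pulls two kinds of leads out of such a log: IE Internet Settings entries whose "ProxyServer" points anywhere other than the local machine or a private range (the setting that silently routes a browser through a host the user never chose), and SRV/DRV entries whose image file is missing, carries no company name, or lives under a Temp directory. The sample lines are constructed in OTL's format with an invented SID, a TEST-NET proxy address and placeholder service names; none of them is a real indicator.

```python
"""Added triage helper for OTL-format log lines (not part of this thread or of OTL).

Two checks a helper performs by eye on an OTL log, written out as code:
  * IE "ProxyServer" values pointing anywhere but the local machine / a private range
  * SRV/DRV entries that are orphaned, vendorless, or loaded from a Temp directory
"""
import re
from dataclasses import dataclass

# IE Internet Settings line, e.g.
#   IE - HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = host:port
IE_SETTING = re.compile(
    r'^IE - (?P<hive>HK\S+?)\\Software\\Microsoft\\Windows\\CurrentVersion'
    r'\\Internet Settings: "(?P<key>\w+)" = (?P<value>.*)$',
    re.IGNORECASE,
)

# SRV/DRV line: "<kind> - <header> -- <image path> -- (<service name>) [description]"
# where <header> is either "File not found [...]" or "[date | size | attrs | M] (Company) [...]".
SERVICE_LINE = re.compile(
    r'^(?P<kind>SRV|DRV) - (?P<head>.*?) -- (?P<path>.+?) -- \((?P<name>[^)]+)\)'
)

# Loopback and RFC 1918 ranges: a proxy here is the user's own LAN, not a lead.
PRIVATE_OR_LOCAL = re.compile(
    r'^(localhost|127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)', re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    kind: str     # "proxy" or "service"
    subject: str  # registry hive for proxy findings, service name otherwise
    detail: str   # why the line is worth a second look


def group_ie_settings(lines):
    """Collect Internet Settings per registry hive -> {hive: {key: value}}."""
    per_hive = {}
    for line in lines:
        m = IE_SETTING.match(line.strip())
        if m:
            per_hive.setdefault(m["hive"], {})[m["key"]] = m["value"].strip()
    return per_hive


def proxy_findings(lines):
    """Flag hives whose ProxyServer is not local/private.

    ProxyEnable is reported but does not clear the finding: a proxy left
    configured after being switched off still shows where traffic was going.
    """
    out = []
    for hive, settings in group_ie_settings(lines).items():
        server = settings.get("ProxyServer")
        if not server:
            continue
        # Accept both "host:port" and per-protocol "http=host:port;https=..." forms.
        host = server.split(";")[0].split("=")[-1].split(":")[0]
        if PRIVATE_OR_LOCAL.match(host):
            continue
        enabled = settings.get("ProxyEnable", "0")
        out.append(Finding("proxy", hive, f"ProxyServer={server} (ProxyEnable={enabled})"))
    return out


def service_findings(lines):
    """Flag SRV/DRV entries that deserve a closer look; each reason is a lead, not a verdict."""
    out = []
    for line in lines:
        m = SERVICE_LINE.match(line.strip())
        if not m:
            continue
        head, path, name = m["head"], m["path"], m["name"]
        reasons = []
        if head.startswith("File not found"):
            reasons.append("registered but image file missing")
        if re.search(r"\\temp\\", path, re.IGNORECASE):
            reasons.append("image path under a Temp directory")
        if "| M] ()" in head:
            reasons.append("no company name in version info")
        if reasons:
            out.append(Finding("service", name, f"{path}: " + "; ".join(reasons)))
    return out


def triage(lines):
    """Run both checks over the log lines; proxy findings first, then services."""
    return proxy_findings(lines) + service_findings(lines)


# Constructed sample in OTL format: invented SID, TEST-NET proxy address, placeholder names.
SAMPLE_LOG = r"""
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1111111111-2222222222-3333333333-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1111111111-2222222222-3333333333-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-1111111111-2222222222-3333333333-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 203.0.113.5:8080
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\USER~1\LOCALS~1\Temp\abcdefgh.sys -- (abcdefgh)
DRV - [2008/05/15 16:15:16 | 000,053,168 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\MpFilter.sys -- (MpFilter)
SRV - [2007/03/07 16:47:46 | 000,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Example\brkrsvc.exe -- (ExampleBroker)
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}: {f.detail}")
```

Run it against a real OTL.Txt by reading the file into a list of lines and passing it to triage(); a "File not found" hit such as AppMgmt on Windows XP is routine, which is why each reason is reported as a lead rather than a verdict.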

#8 JB_nw

JB_nw
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:05:18 PM

Posted 09 August 2010 - 05:16 AM

Hello Etavares,

Results of the OTL scan and report creation as specified in your previous post are described below.
Note: Disconnected from Internet and then disabled virus scanner before performing OTL scan.

________________
Create OTL reports

'OTL.exe' downloaded and saved to Desktop.

Ran "OTL.exe"
OTL Window appeared.
  • Clicked the "Scan All Users" checkbox. ( check mark added )
  • Selected "Use Safelist" under "Extra Registry"

Attached File: OTL_3291.jpg (68.19 KB)
  • Under the Custom Scan box pasted in the requested text.
  • Clicked the Quick Scan button.
OTL scan took approx. 15 minutes to complete.
After scan completed, closed the OTL window.

The 'OTL.Txt' log file is shown below.
The 'Extras.Txt' log file is shown below.

--------------------------------------------
Current PC Symptoms / Status:


Unchanged from last post.
In the "Add or Remove Programs" window there is still an "AdWare & SpyWare" item.

Still unable to boot into "Safe mode with networking"
[ Note: I cannot recall ever booting up into "Safe Mode with Networking" before. I cannot confirm that it ever was possible on this PC. ]

Have not detected any other problems with Win XP OS or any applications.

++++++++++
Attachments: OTL jpeg image

_________________________________

'OTL.Txt' log file:
------------------------


OTL logfile created on: 8/9/2010 12:03:14 AM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Joe Collier\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 170.00 Mb Available Physical Memory | 33.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 71.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.72 Gb Total Space | 6.59 Gb Free Space | 5.90% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JBDELL
Current User Name: Joe Collier
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/08/08 23:11:37 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe Collier\Desktop\OTL.exe
PRC - [2010/05/14 11:00:26 | 000,249,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2010/01/16 14:30:16 | 000,185,640 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Qwest\Quickcare\bin\tgsrvc.exe
PRC - [2010/01/16 14:30:10 | 000,206,120 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Qwest\Quickcare\bin\sprtsvc.exe
PRC - [2010/01/16 14:30:02 | 000,206,120 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Qwest\Quickcare\bin\sprtcmd.exe
PRC - [2009/07/09 12:15:38 | 001,139,536 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows OneCare Live\winss.exe
PRC - [2009/07/09 12:15:38 | 000,065,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
PRC - [2009/07/09 12:15:32 | 000,026,104 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
PRC - [2008/07/09 17:05:22 | 000,018,704 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/08 12:02:16 | 001,213,728 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
PRC - [2007/11/27 22:56:32 | 000,755,264 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
PRC - [2002/02/15 09:31:42 | 000,045,056 | ---- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe
PRC - [2001/11/26 18:54:02 | 000,065,536 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\wanmpsvc.exe
PRC - [2001/09/28 04:51:28 | 000,409,729 | ---- | M] (American Power Conversion Corporation) -- C:\Program Files\APC\APC PowerChute Personal Edition\systray.exe
PRC - [2001/09/28 04:50:50 | 000,143,491 | ---- | M] (American Power Conversion Corporation) -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe


========== Modules (SafeList) ==========

MOD - [2010/08/08 23:11:37 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe Collier\Desktop\OTL.exe
MOD - [2010/01/16 14:30:06 | 000,116,008 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Qwest\Quickcare\bin\sprthook.dll
MOD - [2008/04/13 17:12:01 | 000,413,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\msvcp60.dll
MOD - [2008/04/13 17:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/05/14 11:00:26 | 000,249,136 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2010/01/16 14:31:40 | 000,382,320 | ---- | M] (SupportSoft, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\supportsoft\bin\ssrc.exe -- (SupportSoft RemoteAssist)
SRV - [2010/01/16 14:30:16 | 000,185,640 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Qwest\Quickcare\bin\tgsrvc.exe -- (tgsrvc_quickcare) SupportSoft Repair Service (quickcare)
SRV - [2010/01/16 14:30:10 | 000,206,120 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Qwest\Quickcare\bin\sprtsvc.exe -- (sprtsvc_quickcare) SupportSoft Sprocket Service (quickcare)
SRV - [2009/07/09 12:15:38 | 001,139,536 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Windows OneCare Live\winss.exe -- (winss)
SRV - [2009/07/09 12:15:32 | 000,026,104 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe -- (OcHealthMon)
SRV - [2008/07/09 17:05:22 | 000,018,704 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe -- (OneCareMP)
SRV - [2008/02/16 00:32:59 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/01/08 12:02:16 | 001,213,728 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe -- (sprtlisten)
SRV - [2007/11/27 22:56:32 | 000,755,264 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe -- (msfwsvc)
SRV - [2007/03/07 16:47:46 | 000,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2004/02/20 12:10:08 | 000,421,888 | ---- | M] (Lexmark International, Inc.) [On_Demand | Stopped] -- C:\WINDOWS\System32\lxbtcoms.exe -- (lxbt_device)
SRV - [2002/08/01 11:22:40 | 000,065,536 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\hpzipm12.exe -- (Pml Driver HPZ12)
SRV - [2002/05/03 10:29:42 | 001,118,208 | ---- | M] (Intel Corporation) [On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\NMSSvc.Exe -- (NMSSvc) Intel®
SRV - [2001/11/26 18:54:02 | 000,065,536 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\WINDOWS\wanmpsvc.exe -- (WANMiniportService) WAN Miniport (ATW)
SRV - [2001/09/28 04:50:50 | 000,143,491 | ---- | M] (American Power Conversion Corporation) [Auto | Running] -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe -- (APC UPS Service)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\drivers\tmcomm.sys -- (tmcomm)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DDMI2.sys -- (SDDMI2)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\wATV03nt.sys -- (iAimTV2)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\JOECOL~1\LOCALS~1\Temp\cdrmkaun.sys -- (cdrmkaun)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\etavaresCF\catchme.sys -- (catchme)
DRV - [2008/05/15 16:15:16 | 000,053,168 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\MpFilter.sys -- (MpFilter)
DRV - [2008/04/13 11:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\gameenum.sys -- (gameenum)
DRV - [2008/04/13 11:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 11:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 11:36:38 | 000,020,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\hidbatt.sys -- (HidBatt)
DRV - [2007/12/14 19:04:24 | 000,551,680 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\rt2870.sys -- (rt2870)
DRV - [2007/11/27 22:56:30 | 000,116,416 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\msfwhlpr.sys -- (MSFWHLPR)
DRV - [2007/11/27 22:56:28 | 000,091,328 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\msfwdrv.sys -- (MSFWDrv)
DRV - [2007/02/25 13:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\dsunidrv.sys -- (dsunidrv)
DRV - [2007/02/02 03:00:00 | 000,009,464 | ---- | M] (Sonic Solutions) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2007/02/02 03:00:00 | 000,009,336 | ---- | M] (Sonic Solutions) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2007/01/13 23:12:28 | 000,028,256 | ---- | M] (MusicMatch, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\MxlW2k.sys -- (MxlW2k)
DRV - [2006/11/28 22:46:20 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\PCASp50.sys -- (PCASp50)
DRV - [2006/10/05 17:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2005/08/12 01:41:46 | 000,068,960 | ---- | M] (VSO Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\Pcatip.sys -- (Pcatip)
DRV - [2004/08/03 23:29:50 | 000,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys -- (iAimFP4)
DRV - [2004/08/03 23:29:48 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys -- (iAimFP3)
DRV - [2004/08/03 23:29:46 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys -- (iAimTV4)
DRV - [2004/08/03 23:29:44 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys -- (iAimTV3)
DRV - [2004/08/03 23:29:44 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys -- (iAimTV1)
DRV - [2004/08/03 23:29:42 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys -- (iAimTV0)
DRV - [2004/08/03 23:29:38 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys -- (i81x)
DRV - [2004/08/03 23:29:38 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys -- (iAimFP0)
DRV - [2004/08/03 23:29:38 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys -- (iAimFP1)
DRV - [2004/08/03 23:29:38 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys -- (iAimFP2)
DRV - [2004/06/26 13:22:00 | 000,006,016 | ---- | M] (RDV Soft) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\vnccom.SYS -- (vnccom)
DRV - [2004/06/26 13:22:00 | 000,004,736 | ---- | M] (RDV Soft) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\vncdrv.sys -- (vncdrv)
DRV - [2003/10/06 15:16:00 | 001,550,043 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\nv4_mini.sys -- (nv)
DRV - [2003/08/29 04:59:24 | 001,101,696 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\BCMSM.sys -- (BCMModem)
DRV - [2003/01/07 20:41:14 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2002/08/30 15:29:02 | 001,293,440 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\P16X.sys -- (P16X) Creative SB Live! Series (WDM)
DRV - [2002/08/29 00:16:22 | 000,020,864 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\LwAdiHid.sys -- (LwAdiHid) Logitech WingMan Digital Devices(Auto-Detect)
DRV - [2002/07/19 09:22:08 | 000,017,153 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)
DRV - [2002/05/03 10:30:08 | 000,009,868 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\NMSCFG.SYS -- (NMSCFG)
DRV - [2002/04/10 16:01:12 | 000,024,554 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2002/04/10 16:01:00 | 000,029,638 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2002/04/10 16:00:44 | 000,117,898 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2k)
DRV - [2002/04/10 15:48:04 | 000,236,032 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\cdudf_xp.sys -- (cdudf_xp)
DRV - [2002/04/10 15:45:16 | 000,206,336 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys -- (UdfReadr_xp)
DRV - [2001/09/27 09:58:20 | 000,028,396 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2001/08/17 15:02:32 | 000,008,576 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\hidgame.sys -- (hidgame)
DRV - [2001/08/17 13:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 13:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 13:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 13:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 13:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 12:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 12:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 12:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 12:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 12:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 12:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 12:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 12:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 12:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 12:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 12:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 11:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)
DRV - [1999/12/17 00:00:00 | 000,006,752 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\PFMODNT.SYS -- (PfModNT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = [String data over 1000 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = [String data over 1000 bytes]


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-124684247-3023699142-651906896-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://qwest.live.com/
IE - HKU\S-1-5-21-124684247-3023699142-651906896-1006\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = [String data over 1000 bytes]
IE - HKU\S-1-5-21-124684247-3023699142-651906896-1006\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = [String data over 1000 bytes]
IE - HKU\S-1-5-21-124684247-3023699142-651906896-1006\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll (ICQ Inc.)
IE - HKU\S-1-5-21-124684247-3023699142-651906896-1006\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-124684247-3023699142-651906896-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-124684247-3023699142-651906896-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-124684247-3023699142-651906896-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 67.159.178.199:8080

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/31 22:45:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/05 00:26:05 | 000,000,000 | ---D | M]

[2009/01/04 23:33:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe Collier\Application Data\Mozilla\Extensions
[2010/07/29 03:16:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe Collier\Application Data\Mozilla\Firefox\Profiles\xyy99245.default\extensions
[2010/07/29 03:16:06 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Joe Collier\Application Data\Mozilla\Firefox\Profiles\xyy99245.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/08/05 00:26:07 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/08/05 00:26:07 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/08/07 10:41:35 | 000,000,027 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (ICQ Toolbar) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll (ICQ Inc.)
O3 - HKU\S-1-5-21-124684247-3023699142-651906896-1006\..\Toolbar\ShellBrowser: (ICQ Toolbar) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll (ICQ Inc.)
O3 - HKU\S-1-5-21-124684247-3023699142-651906896-1006\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-124684247-3023699142-651906896-1006\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-124684247-3023699142-651906896-1006\..\Toolbar\WebBrowser: (ICQ Toolbar) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll (ICQ Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickCare] C:\Program Files\Qwest\Quickcare\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKU\S-1-5-21-124684247-3023699142-651906896-1006..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless Network Monitor.lnk = C:\Program Files\Linksys\WUSB600N\WUSB600N.exe (Linksys)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-124684247-3023699142-651906896-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-124684247-3023699142-651906896-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-124684247-3023699142-651906896-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: SpecifyDefaultButtons = 0
O7 - HKU\S-1-5-21-124684247-3023699142-651906896-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Search = 0
O7 - HKU\S-1-5-21-124684247-3023699142-651906896-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-124684247-3023699142-651906896-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &ICQ Toolbar Search - C:\Program Files\ICQToolbar\toolbaru.dll (ICQ Inc.)
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe File not found
O9 - Extra 'Tools' menuitem : ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe File not found
O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe (ICQ, Inc.)
O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe (ICQ, Inc.)
O9 - Extra Button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe File not found
O9 - Extra 'Tools' menuitem : Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe File not found
O12 - Plugin for: .mid - C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll (Apple Computer, Inc.)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (Intertrust Technologies, Inc.)
O12 - Plugin for: .tga - C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll (Apple Computer, Inc.)
O15 - HKU\S-1-5-21-124684247-3023699142-651906896-1006\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/0/A...01F/wmvadvd.cab (Reg Error: Key error.)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O29 - HKLM SecurityProviders - (zwebauth.dll) - C:\WINDOWS\System32\ZWebAuth.dll ()
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/03 07:59:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0

Drivers32: midi - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\WINDOWS\System32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.ctmp3 - C:\WINDOWS\SYSTEM32\ctmp3.acm (Creative Technology Ltd.)
Drivers32: msacm.iac2 - C:\WINDOWS\SYSTEM32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.imaadpcm - C:\WINDOWS\System32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\SYSTEM32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lhacm - C:\WINDOWS\System32\lhacm.acm (Microsoft Corporation)
Drivers32: msacm.msadpcm - C:\WINDOWS\System32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msaudio1 - C:\WINDOWS\System32\msaud32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\WINDOWS\System32\MSG711.ACM (Microsoft Corporation)
Drivers32: msacm.msg723 - C:\WINDOWS\System32\MSG723.ACM (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\WINDOWS\System32\MSGSM32.ACM (Microsoft Corporation)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\TSSOFT32.ACM (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.I420 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\IR32_32.DLL ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\IR32_32.DLL ()
Drivers32: VIDC.IV41 - C:\WINDOWS\System32\IR41_32.DLL (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.iyuv - C:\WINDOWS\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.M261 - C:\WINDOWS\System32\msh261.drv (Microsoft Corporation)
Drivers32: vidc.M263 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: VIDC.MP42 - C:\WINDOWS\System32\MPG4C32.DLL (Microsoft Corporation)
Drivers32: VIDC.MPG4 - C:\WINDOWS\System32\MPG4C32.DLL (Microsoft Corporation)
Drivers32: vidc.mrle - C:\WINDOWS\System32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\WINDOWS\System32\msvidc32.dll (Microsoft Corporation)
Drivers32: vidc.uyvy - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yuy2 - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.yvu9 - C:\WINDOWS\System32\IYVU9_32.DLL ()
Drivers32: vidc.yvyu - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\WINDOWS\System32\SERWVDRV.DLL (Microsoft Corporation)
Drivers32: wave1 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\WINDOWS\System32\MSACM32.DRV (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902053519425536)

========== Files/Folders - Created Within 90 Days ==========

[2010/08/08 23:11:29 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Joe Collier\Desktop\OTL.exe
[2010/08/08 07:50:49 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/08/07 12:54:39 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/08/07 10:09:12 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/08/07 10:09:12 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/08/07 10:09:12 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/08/07 10:08:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/08/07 10:07:35 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/08/05 21:48:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\Bleeping computer forum docs
[2010/08/05 17:02:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\bc Logs
[2010/08/05 00:26:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/08/04 06:58:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\gmer
[2010/08/04 05:23:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\Vundo trojan help info
[2010/08/03 14:15:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\New PC info
[2010/08/03 03:59:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Application Data\Malwarebytes
[2010/08/01 20:35:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\My Documents\Corel User Files
[2010/08/01 02:21:53 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/08/01 02:21:48 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/08/01 02:21:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/08/01 02:21:47 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/08/01 02:16:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\hijackThis
[2010/08/01 01:32:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\avast_free
[2010/08/01 01:15:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\MBAM
[2010/08/01 00:25:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\SClean
[2010/07/21 16:08:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\2010 PSVC hunt test
[2010/07/21 09:47:35 | 000,000,000 | ---D | C] -- C:\Program Files\Western Digital Corporation
[2010/07/21 09:24:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\Western Digital diagnostic
[2010/07/21 09:22:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\My Documents\Downloads
[2010/07/19 18:48:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\IE 8 app error
[2010/07/16 01:41:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\Dennis Vector Calc
[2010/07/10 22:38:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\Civ 4 BTS shortcuts to save files
[2010/07/09 06:52:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\_email photos
[2010/07/02 07:04:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/07/02 07:03:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/07/01 22:26:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\email Graduation
[2010/07/01 21:35:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\Email Ivy puppy photos May 2010
[2010/06/28 18:03:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/06/28 18:01:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/06/27 18:28:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\global warming stuff
[2010/06/26 21:11:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\2010 August PSVC Specialty info
[2010/06/24 20:58:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\2010 PSVC dues invoices
[2010/06/16 17:18:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\Psvc 2010 Membership app form docs
[2010/05/17 01:07:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Temp
[2003/01/07 20:39:19 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\A3d.dll
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/08/08 23:13:00 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/08/08 23:11:37 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe Collier\Desktop\OTL.exe
[2010/08/08 23:08:28 | 000,000,429 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.ics
[2010/08/08 22:37:57 | 016,777,216 | -H-- | M] () -- C:\Documents and Settings\Joe Collier\NTUSER.DAT
[2010/08/08 21:51:42 | 000,000,892 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/08/08 21:51:38 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/08 21:51:31 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2010/08/08 21:51:30 | 535,871,488 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/08 12:15:06 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Joe Collier\NTUSER.INI
[2010/08/08 07:50:58 | 000,000,281 | RHS- | M] () -- C:\BOOT.INI
[2010/08/08 04:27:08 | 000,485,896 | ---- | M] () -- C:\Documents and Settings\Joe Collier\Desktop\HAMeb_check.exe
[2010/08/08 04:26:16 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Joe Collier\Desktop\MBRCheck.exe
[2010/08/08 01:00:59 | 000,083,968 | ---- | M] () -- C:\Documents and Settings\Joe Collier\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/07 10:41:51 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/07 10:41:35 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts
[2010/08/07 09:14:27 | 000,000,716 | ---- | M] () -- C:\WINDOWS\OPLIMIT.INI
[2010/08/07 01:29:42 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/08/06 18:37:13 | 003,816,456 | R--- | M] () -- C:\Documents and Settings\Joe Collier\Desktop\etavaresCF.exe
[2010/08/04 06:49:59 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Joe Collier\Desktop\dds.scr
[2010/08/02 13:12:46 | 000,010,752 | ---- | M] () -- C:\WINDOWS\DCEBoot.exe
[2010/08/01 20:34:51 | 000,061,678 | ---- | M] () -- C:\Documents and Settings\Joe Collier\Application Data\PFP100JPR.{PB
[2010/08/01 20:34:51 | 000,012,358 | ---- | M] () -- C:\Documents and Settings\Joe Collier\Application Data\PFP100JCM.{PB
[2010/08/01 07:47:51 | 000,063,759 | ---- | M] () -- C:\Documents and Settings\Joe Collier\Desktop\report.pdf
[2010/08/01 07:25:45 | 003,717,202 | -H-- | M] () -- C:\Documents and Settings\Joe Collier\Local Settings\Application Data\IconCache.db
[2010/08/01 02:52:57 | 000,073,216 | -H-- | M] ($t@t!c_V()1D) -- C:\WINDOWS\System32\iifedc.dll
[2010/07/29 02:03:58 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2010/07/16 17:19:06 | 000,268,455 | ---- | M] () -- C:\Documents and Settings\Joe Collier\Desktop\Newsletter Summer 10.pdf
[2010/07/12 06:22:36 | 000,157,936 | ---- | M] () -- C:\Documents and Settings\Joe Collier\Application Data\GDIPFONTCACHEV1.DAT
[2010/07/07 20:35:21 | 000,167,985 | ---- | M] () -- C:\Documents and Settings\Joe Collier\Desktop\OKC 8_20_2010 Agility Premium.pdf
[2010/07/02 07:05:29 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/07/01 05:05:23 | 000,063,392 | ---- | M] () -- C:\Documents and Settings\Joe Collier\Desktop\PSVC June_2010 report.pdf
[2010/06/24 18:07:23 | 000,432,796 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2010/06/24 18:07:23 | 000,067,370 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2010/06/24 18:07:22 | 000,488,566 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/22 23:57:37 | 000,205,017 | ---- | M] () -- C:\Documents and Settings\Joe Collier\My Documents\ts3_clientui-win32-11315-2010-06-22 23_57_24.484375.dmp
[2010/06/11 15:51:58 | 000,494,664 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/11 04:33:26 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/08 01:05:17 | 000,084,374 | ---- | M] () -- C:\Documents and Settings\Joe Collier\Desktop\Kieron art work.bmp
[2010/06/01 09:26:16 | 000,064,025 | ---- | M] () -- C:\Documents and Settings\Joe Collier\Desktop\PSVC_May_2010 website report.pdf
[2010/05/17 01:17:55 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[9 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/08 09:49:43 | 535,871,488 | -HS- | C] () -- C:\hiberfil.sys
[2010/08/08 07:50:58 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/08/08 07:50:53 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/08/08 04:27:03 | 000,485,896 | ---- | C] () -- C:\Documents and Settings\Joe Collier\Desktop\HAMeb_check.exe
[2010/08/08 04:26:15 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Joe Collier\Desktop\MBRCheck.exe
[2010/08/07 10:09:12 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/08/07 10:09:12 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/08/07 10:09:12 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/08/07 10:09:12 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/08/07 10:09:12 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/08/06 18:37:13 | 003,816,456 | R--- | C] () -- C:\Documents and Settings\Joe Collier\Desktop\etavaresCF.exe
[2010/08/04 06:49:45 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Joe Collier\Desktop\dds.scr
[2010/08/02 09:11:07 | 000,010,752 | ---- | C] () -- C:\WINDOWS\DCEBoot.exe
[2010/08/01 20:34:51 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Joe Collier\Application Data\PFP100JPR.{PB
[2010/08/01 20:34:51 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Joe Collier\Application Data\PFP100JCM.{PB
[2010/08/01 07:47:51 | 000,063,759 | ---- | C] () -- C:\Documents and Settings\Joe Collier\Desktop\report.pdf
[2010/08/01 02:52:55 | 000,073,216 | -H-- | C] ($t@t!c_V()1D) -- C:\WINDOWS\System32\iifedc.dll
[2010/07/16 17:19:06 | 000,268,455 | ---- | C] () -- C:\Documents and Settings\Joe Collier\Desktop\Newsletter Summer 10.pdf
[2010/07/07 20:35:21 | 000,167,985 | ---- | C] () -- C:\Documents and Settings\Joe Collier\Desktop\OKC 8_20_2010 Agility Premium.pdf
[2010/07/02 07:05:29 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/02 07:05:29 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/07/01 05:05:23 | 000,063,392 | ---- | C] () -- C:\Documents and Settings\Joe Collier\Desktop\PSVC June_2010 report.pdf
[2010/06/22 23:57:24 | 000,205,017 | ---- | C] () -- C:\Documents and Settings\Joe Collier\My Documents\ts3_clientui-win32-11315-2010-06-22 23_57_24.484375.dmp
[2010/06/08 01:05:17 | 000,084,374 | ---- | C] () -- C:\Documents and Settings\Joe Collier\Desktop\Kieron art work.bmp
[2010/06/01 09:26:16 | 000,064,025 | ---- | C] () -- C:\Documents and Settings\Joe Collier\Desktop\PSVC_May_2010 website report.pdf
[2010/05/17 01:17:55 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2008/11/22 15:28:50 | 000,018,626 | ---- | C] () -- C:\WINDOWS\hplj1300.ini
[2008/11/10 02:49:31 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXPRMON.DLL
[2008/11/10 02:49:31 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\LXPMONUI.DLL
[2008/11/10 02:46:23 | 000,126,976 | R--- | C] () -- C:\WINDOWS\System32\lxbtsnls.dll
[2008/11/10 02:46:22 | 000,139,264 | R--- | C] () -- C:\WINDOWS\System32\lxbtcoin.dll
[2008/11/10 02:33:53 | 000,001,832 | R--- | C] () -- C:\WINDOWS\System32\lxbtprod.ini
[2008/11/10 02:33:17 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxbtvs.dll
[2008/11/10 02:33:14 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\lxbthwdf.dll
[2008/08/05 15:02:12 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/08/05 14:59:04 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/08/05 14:59:04 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/08/05 14:58:14 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/02/06 19:13:36 | 000,000,235 | ---- | C] () -- C:\WINDOWS\photopnt.INI
[2006/07/13 07:36:36 | 001,167,360 | ---- | C] () -- C:\WINDOWS\System32\acAuth.dll
[2005/05/11 02:05:11 | 000,003,296 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2004/02/11 03:10:47 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\IYVU9_32.DLL
[2004/02/07 22:09:58 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2004/01/09 04:58:22 | 000,000,115 | ---- | C] () -- C:\WINDOWS\ppdrv.ini
[2004/01/09 04:11:27 | 000,000,716 | ---- | C] () -- C:\WINDOWS\OPLIMIT.INI
[2004/01/09 04:10:51 | 000,000,602 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2004/01/09 04:03:22 | 000,000,189 | ---- | C] () -- C:\WINDOWS\KPCMS.INI
[2004/01/09 04:03:22 | 000,000,095 | ---- | C] () -- C:\WINDOWS\vista32.ini
[2004/01/09 04:03:22 | 000,000,036 | ---- | C] () -- C:\WINDOWS\umaxdrv.ini
[2004/01/09 04:03:17 | 000,047,616 | ---- | C] () -- C:\WINDOWS\ucmsp_32.dll
[2004/01/09 04:03:09 | 000,030,208 | ---- | C] () -- C:\WINDOWS\uxmail32.dll
[2004/01/09 04:03:08 | 000,150,560 | ---- | C] () -- C:\WINDOWS\vud32.dll
[2004/01/09 04:03:08 | 000,068,608 | ---- | C] () -- C:\WINDOWS\vufile32.dll
[2004/01/09 04:01:49 | 000,000,512 | ---- | C] () -- C:\WINDOWS\ALBUM.INI
[2004/01/09 04:01:49 | 000,000,103 | ---- | C] () -- C:\WINDOWS\PAEDIT.INI
[2004/01/09 04:01:10 | 000,001,764 | ---- | C] () -- C:\WINDOWS\IF40LE.INI
[2004/01/09 04:01:10 | 000,000,289 | ---- | C] () -- C:\WINDOWS\PEXPLORE.INI
[2004/01/09 04:00:37 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\pmsbfn32.dll
[2004/01/09 04:00:37 | 000,000,410 | ---- | C] () -- C:\WINDOWS\umxaddin.ini
[2003/10/06 15:16:00 | 000,027,136 | ---- | C] () -- C:\WINDOWS\System32\nvcod.dll
[2003/10/01 20:23:00 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/06/20 01:07:10 | 000,000,021 | ---- | C] () -- C:\WINDOWS\DVDSentry.ini
[2003/06/17 21:08:56 | 000,000,286 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2003/04/20 02:40:22 | 000,016,973 | ---- | C] () -- C:\WINDOWS\System32\ZWebAuth.dll
[2003/02/12 22:08:22 | 000,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2003/01/31 11:02:21 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2003/01/24 21:43:15 | 000,002,580 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2003/01/22 05:16:51 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2003/01/20 19:41:49 | 000,000,679 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2003/01/20 19:35:28 | 000,108,992 | ---- | C] () -- C:\WINDOWS\System32\SH34W32.DLL
[2003/01/20 19:35:28 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\IFORCE2.dll
[2003/01/17 09:47:12 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/01/07 20:50:38 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/01/07 20:42:07 | 000,000,052 | ---- | C] () -- C:\WINDOWS\intuprof.ini
[2003/01/07 20:42:06 | 000,000,626 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2003/01/07 20:39:41 | 000,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2003/01/07 20:39:20 | 000,039,936 | ---- | C] () -- C:\WINDOWS\System32\P16X.dll
[2003/01/07 20:39:20 | 000,002,092 | ---- | C] () -- C:\WINDOWS\System32\P16X.ini
[2003/01/07 20:39:20 | 000,000,026 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2003/01/07 20:39:19 | 000,006,175 | ---- | C] () -- C:\WINDOWS\MIXDEF.INI
[2003/01/07 20:39:19 | 000,005,917 | ---- | C] () -- C:\WINDOWS\SBMIXDEF.INI
[2003/01/07 20:39:19 | 000,000,064 | ---- | C] () -- C:\WINDOWS\P16x.ini
[2003/01/07 20:38:56 | 000,000,245 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2003/01/07 20:35:34 | 000,000,882 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/01/07 20:15:06 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2002/02/06 08:04:14 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\NMSInst.dll
[2002/01/21 14:17:18 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PROInst.dll
[2001/07/31 02:17:12 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
[1999/01/22 11:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2007/01/12 04:35:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Age of Empires 3
[2003/01/07 20:38:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2010/03/15 02:45:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Qwest
[2003/02/12 22:56:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBT
[2010/03/10 17:45:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2005/06/30 00:15:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/07/29 16:51:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe Collier\Application Data\ICQ
[2005/03/15 15:05:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe Collier\Application Data\ICQLite
[2003/03/10 16:56:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe Collier\Application Data\InterTrust
[2004/07/12 06:03:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe Collier\Application Data\Kana Solution
[2004/02/05 23:25:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe Collier\Application Data\Leadertech
[2010/05/19 23:28:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe Collier\Application Data\TS3Client
[2003/10/11 00:57:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe Collier\Application Data\winshow
[2005/01/27 05:56:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\other\Application Data\ICQ
[2005/01/27 05:56:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\other\Application Data\winshow

========== Purity Check ==========

========== Custom Scans ==========

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.sys /90 >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2002/09/03 07:47:18 | 000,094,208 | ---- | M] () -- C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.SAV
[2002/09/03 07:47:18 | 000,602,112 | ---- | M] () -- C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.SAV
[2002/09/03 07:47:18 | 000,380,928 | ---- | M] () -- C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.SAV

< %SYSTEMDRIVE%\*.* >
[2002/09/03 07:59:58 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/04/25 12:47:30 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/08/08 07:50:58 | 000,000,281 | RHS- | M] () -- C:\BOOT.INI
[2002/09/03 07:38:46 | 000,000,512 | -HS- | M] () -- C:\BOOTSECT.DOS
[2010/08/08 07:50:58 | 000,000,327 | ---- | M] () -- C:\CF-RC.txt
[2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2002/09/03 07:59:58 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/07/07 23:32:07 | 000,000,130 | ---- | M] () -- C:\debug.txt
[2006/05/27 21:29:04 | 000,000,216 | ---- | M] () -- C:\DebugTrace-RockallDLL.log
[2003/01/07 20:18:46 | 000,004,663 | RH-- | M] () -- C:\DELL.SDR
[2008/12/15 03:42:41 | 000,000,051 | ---- | M] () -- C:\DVDPATH.TXT
[2010/08/08 21:51:30 | 535,871,488 | -HS- | M] () -- C:\hiberfil.sys
[2004/06/06 22:42:20 | 000,009,582 | ---- | M] () -- C:\install.cab
[2002/09/03 07:59:58 | 000,000,000 | -H-- | M] () -- C:\IO.SYS
[2003/01/07 20:41:27 | 000,000,335 | -H-- | M] () -- C:\IPH.PH
[2008/11/10 02:34:12 | 000,000,200 | ---- | M] () -- C:\lxbt.log
[2002/09/03 07:59:58 | 000,000,000 | -H-- | M] () -- C:\MSDOS.SYS
[2004/11/11 20:04:51 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2009/07/15 03:26:53 | 000,250,048 | RHS- | M] () -- C:\NTLDR
[2010/08/08 21:51:25 | 805,306,368 | -HS- | M] () -- C:\pagefile.sys
[2003/01/30 00:06:37 | 000,002,776 | ---- | M] () -- C:\s2ic.29e
[2003/05/20 06:34:04 | 000,488,699 | ---- | M] () -- C:\s2ok.27n
[2002/09/16 00:00:04 | 000,016,617 | ---- | M] () -- C:\UpdateDynDNS.vbs
[2008/08/10 16:15:49 | 000,066,198 | ---- | M] () -- C:\YServer.txt

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2008/07/06 05:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\filterpipelineprintproc.dll
[2003/01/07 10:04:10 | 000,062,976 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\HPPRN05.DLL
[2004/02/12 08:09:02 | 000,075,264 | ---- | M] () -- C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\LXBTPP5C.DLL

< %systemroot%\*. /mp /s >


< MD5 for: AGP440.SYS >
[2004/08/04 02:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp2.cab:AGP440.sys
[2009/07/15 03:19:02 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp3.cab:AGP440.sys
[2004/08/04 02:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2009/07/15 03:19:02 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SYSTEM32\DRIVERS\agp440.sys
[2004/08/04 00:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2004/08/04 00:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\i386\AGP440.SYS
[2001/08/17 12:58:00 | 000,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\I386\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2002/08/29 04:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\I386\sp1.cab:atapi.sys
[2002/08/29 04:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp1.cab:atapi.sys
[2004/08/04 02:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp2.cab:atapi.sys
[2009/07/15 03:19:02 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp3.cab:atapi.sys
[2004/08/04 02:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2009/07/15 03:19:02 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2002/10/16 16:31:10 | 000,087,040 | ---- | M] (Microsoft Corporation) MD5=3DF589B9A15FF9EF4AA499F98C1C16D5 -- C:\I386\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SYSTEM32\eventlog.dll
[2004/08/04 01:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2002/08/29 04:00:00 | 000,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\I386\EVENTLOG.DLL

< MD5 for: NETLOGON.DLL >
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SYSTEM32\netlogon.dll
[2002/08/29 04:00:00 | 000,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\I386\NETLOGON.DLL
[2004/08/04 01:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 01:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2002/08/29 04:00:00 | 000,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\I386\SCECLI.DLL
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SYSTEM32\scecli.dll

< MD5 for: USER32.DLL >
[2005/03/02 11:19:56 | 000,577,024 | ---- | M] (Microsoft Corporation) MD5=1800F293BCCC8EDE8A70E12B88D80036 -- C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
[2002/11/01 16:26:46 | 000,528,896 | ---- | M] (Microsoft Corporation) MD5=68E1F4EF02DF52CA9C5E157045D23582 -- C:\WINDOWS\$NtUninstallKB824141$\user32.dll
[2007/03/08 08:48:36 | 000,578,048 | ---- | M] (Microsoft Corporation) MD5=7AA4F6C00405DFC4B70ED4214E7D687B -- C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
[2008/04/13 17:12:08 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=B26B135FF1B9F60C9388B4A7D16F600B -- C:\WINDOWS\ERDNT\cache\user32.dll
[2008/04/13 17:12:08 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=B26B135FF1B9F60C9388B4A7D16F600B -- C:\WINDOWS\ServicePackFiles\i386\user32.dll
[2008/04/13 17:12:08 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=B26B135FF1B9F60C9388B4A7D16F600B -- C:\WINDOWS\SYSTEM32\user32.dll
[2007/03/08 08:36:28 | 000,577,536 | ---- | M] (Microsoft Corporation) MD5=B409909F6E2E8A7067076ED748ABF1E7 -- C:\WINDOWS\$NtServicePackUninstall$\user32.dll
[2004/08/04 01:56:48 | 000,577,024 | ---- | M] (Microsoft Corporation) MD5=C72661F8552ACE7C5C85E16A3CF505C4 -- C:\WINDOWS\$NtUninstallKB890859$\user32.dll
[2002/08/29 04:00:00 | 000,560,128 | ---- | M] (Microsoft Corporation) MD5=DD9269230C21EE8FB7FD3FCCC3B1CFCB -- C:\I386\USER32.DLL
[2002/08/29 04:00:00 | 000,560,128 | ---- | M] (Microsoft Corporation) MD5=DD9269230C21EE8FB7FD3FCCC3B1CFCB -- C:\WINDOWS\$NtUninstallQ328310$\user32.dll
[2005/03/02 11:09:30 | 000,577,024 | ---- | M] (Microsoft Corporation) MD5=DE2DB164BBB35DB061AF0997E4499054 -- C:\WINDOWS\$NtUninstallKB925902$\user32.dll

< MD5 for: WS2_32.DLL >
[2008/04/13 17:12:10 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\ERDNT\cache\ws2_32.dll
[2008/04/13 17:12:10 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll
[2008/04/13 17:12:10 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\SYSTEM32\ws2_32.dll
[2004/08/04 01:56:48 | 000,082,944 | ---- | M] (Microsoft Corporation) MD5=2ED0B7F12A60F90092081C50FA0EC2B2 -- C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll
[2002/08/29 04:00:00 | 000,075,264 | ---- | M] (Microsoft Corporation) MD5=8529C295DF59B564D37A73B5629162B1 -- C:\I386\WS2_32.DLL

< %systemroot%\*. /mp /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
< End of report >

___________________

'Extras.Txt' log file:
------------------------


OTL Extras logfile created on: 8/9/2010 12:03:14 AM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Joe Collier\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 170.00 Mb Available Physical Memory | 33.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 71.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.72 Gb Total Space | 6.59 Gb Free Space | 5.90% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JBDELL
Current User Name: Joe Collier
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\Qwest\QuickConnect\QuickConnect.exe" = C:\Program Files\Qwest\QuickConnect\QuickConnect.exe:*:Enabled:QuickConnect -- (Qwest Communications International Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Games\GameSpy Arcade\Aphex.exe" = C:\Games\GameSpy Arcade\Aphex.exe:*:Enabled:GameSpy Arcade -- (IGN Entertainment, Inc.)
"C:\WINDOWS\SYSTEM32\dplaysvr.exe" = C:\WINDOWS\SYSTEM32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper -- (Microsoft Corporation)
"C:\Games\Firaxis Games\Sid Meier's Gettysburg!\Lee.exe" = C:\Games\Firaxis Games\Sid Meier's Gettysburg!\Lee.exe:*:Enabled:Lee -- ()
"C:\Games\Total War\Medieval - Total War\Medieval_TW.exe" = C:\Games\Total War\Medieval - Total War\Medieval_TW.exe:*:Enabled:Medieval_TW -- (Creative Assembly)
"C:\Games\Microsoft Games\Age of Mythology\aomx.exe" = C:\Games\Microsoft Games\Age of Mythology\aomx.exe:*:Enabled:Age of Mythology - The Titans Expansion -- (Ensemble Studios)
"C:\Games\Roger Wilco\mark 1 d3\Roger Wilco\roger.exe" = C:\Games\Roger Wilco\mark 1 d3\Roger Wilco\roger.exe:*:Enabled:Roger Wilco -- (GameSpy Industries)
"C:\Games\GameSpy Arcade\Services\_common\RWVoice.exe" = C:\Games\GameSpy Arcade\Services\_common\RWVoice.exe:*:Enabled:RogerWilco Lite for GameSpy Arcade -- (GameSpy Industries)
"C:\Games\NeverwinterNights\NWN\nwupdate.exe" = C:\Games\NeverwinterNights\NWN\nwupdate.exe:*:Enabled:NWN Update Program -- (BioWare Corp.)
"C:\Games\Taldren Software Inc\Starfleet Command Orion Pirates\StarFleetOP.exe" = C:\Games\Taldren Software Inc\Starfleet Command Orion Pirates\StarFleetOP.exe:*:Enabled:Starfleet Command - Orion Pirates -- (Interplay Productions)
"C:\Games\NeverwinterNights\NWN\nwmain.exe" = C:\Games\NeverwinterNights\NWN\nwmain.exe:*:Enabled:Neverwinter Nights -- (BioWare)
"C:\Games\Roger Wilco\roger.exe" = C:\Games\Roger Wilco\roger.exe:*:Enabled:roger -- ()
"C:\Games\Roger Wilco\mark 1 C\Roger Wilco\roger.exe" = C:\Games\Roger Wilco\mark 1 C\Roger Wilco\roger.exe:*:Enabled:roger -- ()
"C:\Games\Magic\Program\Manalink.exe" = C:\Games\Magic\Program\Manalink.exe:*:Enabled:manalink -- (MicroProse Software, Inc.)
"C:\WINDOWS\SYSTEM32\dpvsetup.exe" = C:\WINDOWS\SYSTEM32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\MSN Gaming Zone\zclient.exe" = C:\Program Files\MSN Gaming Zone\zclient.exe:*:Enabled:Zone Datafile -- ()
"C:\Games\Microsoft Games\Age of Empires II\age2_x1\age2_x1.icd" = C:\Games\Microsoft Games\Age of Empires II\age2_x1\age2_x1.icd:*:Enabled:Age of Empires II Expansion -- (Microsoft Corporation)
"C:\Games\Microsoft Games\Age of Empires II\EMPIRES2.ICD" = C:\Games\Microsoft Games\Age of Empires II\EMPIRES2.ICD:*:Enabled:Age of Empires II -- (Microsoft Corporation)
"C:\Games\Microsoft Games\Close Combat III\CC3.exe" = C:\Games\Microsoft Games\Close Combat III\CC3.exe:*:Enabled:Microsoft® Close Combat™III: The Russian Front -- (Microsoft Corporation and Atomic Games, Inc.)
"C:\Games\Microsoft Games\Age of Empires III\age3.exe" = C:\Games\Microsoft Games\Age of Empires III\age3.exe:*:Enabled:Age of Empires 3 -- (Ensemble Studios)
"C:\Games\Infogrames Interactive\Civilization III\CIV3PTW\Civilization3X.exe" = C:\Games\Infogrames Interactive\Civilization III\CIV3PTW\Civilization3X.exe:*:Enabled:Civilization3Xd -- (Firaxis)
"C:\WINDOWS\SYSTEM32\dpnsvr.exe" = C:\WINDOWS\SYSTEM32\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server -- (Microsoft Corporation)
"C:\Games\Microsoft Games\Combat Flight Simulator 3\cfs3.exe" = C:\Games\Microsoft Games\Combat Flight Simulator 3\cfs3.exe:*:Enabled:Microsoft® Combat Flight Simulator 3 -- (Microsoft Corp.)
"C:\Games\Hasbro Interactive\Axis and Allies\AxisAllies.exe" = C:\Games\Hasbro Interactive\Axis and Allies\AxisAllies.exe:*:Enabled:AxisAllies -- ()
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.)
"C:\Games\Microsoft Games\Rise Of Legends\legends.exe" = C:\Games\Microsoft Games\Rise Of Legends\legends.exe:*:Enabled:Rise Of Legends -- (Big Huge Games, Inc.)
"C:\Games\Microsoft Games\Age of Empires III\age3x.exe" = C:\Games\Microsoft Games\Age of Empires III\age3x.exe:*:Enabled:Age of Empires III - The WarChiefs -- (Ensemble Studios)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\WINDOWS\SYSTEM32\java.exe" = C:\WINDOWS\SYSTEM32\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Games\Microsoft Games\Age of Empires III\age3y.exe" = C:\Games\Microsoft Games\Age of Empires III\age3y.exe:*:Enabled:Age of Empires III - The Asian Dynasties -- (Microsoft Corporation)
"C:\Program Files\Teamspeak2_RC2\server_windows.exe" = C:\Program Files\Teamspeak2_RC2\server_windows.exe:*:Enabled:Server -- ()
"C:\Program Files\Microsoft Office\OFFICE11\FRONTPG.EXE" = C:\Program Files\Microsoft Office\OFFICE11\FRONTPG.EXE:*:Enabled:Microsoft Office FrontPage -- (Microsoft Corporation)
"C:\Program Files\ICQ6\ICQ.exe" = C:\Program Files\ICQ6\ICQ.exe:*:Enabled:ICQ6 -- (ICQ, Inc.)
"C:\jdk1.6.0_02\bin\javaw.exe" = C:\jdk1.6.0_02\bin\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Games\2K Games\Firaxis Games\Sid Meier's Civilization 4 Gold\Civilization4.exe" = C:\Games\2K Games\Firaxis Games\Sid Meier's Civilization 4 Gold\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4 Gold -- (Firaxis Games)
"C:\Games\2K Games\Firaxis Games\Sid Meier's Civilization 4 Gold\Warlords\Civ4Warlords.exe" = C:\Games\2K Games\Firaxis Games\Sid Meier's Civilization 4 Gold\Warlords\Civ4Warlords.exe:*:Enabled:Sid Meier's Civilization 4: Warlords -- (Firaxis Games)
"C:\Games\Atari\Axis & Allies\Aa.exe" = C:\Games\Atari\Axis & Allies\Aa.exe:*:Enabled:Aa -- ()
"C:\Games\2K Games\Firaxis Games\Sid Meier's Civilization 4 Gold\Beyond the Sword\Civ4BeyondSword.exe" = C:\Games\2K Games\Firaxis Games\Sid Meier's Civilization 4 Gold\Beyond the Sword\Civ4BeyondSword.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword -- (Firaxis Games)
"C:\Games\2K Games\Firaxis Games\Sid Meier's Civilization 4 Gold\Beyond the Sword\Civ4BeyondSword_PitBoss.exe" = C:\Games\2K Games\Firaxis Games\Sid Meier's Civilization 4 Gold\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword Pitboss -- (Firaxis Games)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\Qwest\QuickConnect\QuickConnect.exe" = C:\Program Files\Qwest\QuickConnect\QuickConnect.exe:*:Enabled:QuickConnect -- (Qwest Communications International Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Professional
"{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Disc 2
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{01A4AEDE-F219-49A2-B855-16A016EAF9A4}" = Intel® PROSet II
"{06E6E30D-B498-442F-A943-07DE41D7F785}" = Microsoft Search Enhancement Pack
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{0AD84416-63A4-4CF3-BDDF-8FA866711FB0}" = Civilization III
"{0ECB59D5-A3FC-4D61-AD3B-6CE679B3F852}" = Java DB 10.2.2.0
"{102E4D60-5A93-4A3C-8105-FE390427C60D}" = Sid Meier's Alpha Centauri 2000/XP Compatibility Update
"{11F1920A-56A2-4642-B6E0-3B31A12C9288}" = Dell Solution Center
"{1485B7CD-4CBD-4039-8EAE-5A22993D7F54}" = hp LaserJet 1150 / 1300
"{151C555A-A9E7-4A2E-B6D7-165D04A3C956}" = Dell Picture Studio - Dell Image Expert
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1C08A24C-B168-407E-A826-68FAF5F20710}" = Age of Empires III - The WarChiefs
"{1E26327C-5168-43B3-BEC1-4E3AA945C711}" = QuickConnect
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 21
"{29D88826-2AB9-11D5-8854-00902761A46D}" = WordPerfect Office 2002
"{2A9A40C7-6670-4D5F-8F41-D12E2E08B48B}" = Star Wars®: Knights of the Old Republic ™
"{32A3A4F4-B792-11D6-A78A-00B0D0160020}" = Java™ SE Development Kit 6 Update 2
"{32E4F0D2-C135-475E-A841-1D59A0D22989}" = Sid Meier's Civilization 4 - Beyond the Sword
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3851147E-5A91-4469-BA4D-13FFFCC8A920}" = Microsoft Windows OneCare Live v2.5.2900.24 Idcrl Install
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3C52E7DA-C431-4239-B66B-1BF703D5B194}" = Windows Live Photo Gallery
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = Dell Modem-On-Hold
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{45893FEB-30FD-4034-8661-3BA4238FE67A}" = Britannica Ready Reference
"{45EBDA59-D33B-433A-956E-B2F236468B56}" = MUSICMATCH® Jukebox
"{472ABCE2-5B2E-4D29-ABF4-94E1097558A6}" = Diplomacy
"{47836B39-2465-4F39-9D7E-52F70A1C3D72}" = Axis & Allies
"{4998FF95-709A-430A-B104-92A009ABB848}" = QuickConnect
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{519C4DB6-B53B-4F5C-8297-89B2BE949FA5}_is1" = Data Lifeguard Diagnostic for Windows 1.21
"{55502C49-F061-428C-BF26-06ECDFB3AC29}" = Sid Meier's Civilization 4 Gold
"{5660022E-F3F2-4126-8CC5-9726C47150EB}" = Microsoft Windows Live OneCare Resources v2.5.2900.28
"{58628459-F393-4EBA-AA8B-990E92DA8AC4}" = AdWare & SpyWare
"{5A0C892E-FD1C-4203-941E-0956AED20A6A}" = APC PowerChute Personal Edition
"{5E749AEB-5A19-43BA-BB20-3CBB37539FE4}" = Paint.NET v3.10
"{5EC86106-2B0A-4595-B03C-15E2241C1AC5}_is1" = Community Expansion Pack version 1.00
"{609F7AC8-C510-11D4-A788-009027ABA5D0}" = Easy CD Creator 5 Basic
"{60DE4033-9503-48D1-A483-7846BD217CA9}" = ICQ6
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6513E869-647F-40FD-A55D-CFC92579B9BA}" = PX Engine
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{764C0C8F-B1B1-49BF-AEDC-4E48E857A667}" = Lexmark Fax Solutions
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}" = Age of Empires III
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{85CFDC2D-710E-49D5-B799-F3743CA506BA}" = Microsoft Protection Service
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8B21B9EF-6DBF-4F63-8CC7-9F6A56D1EE8E}" = GTOneCare
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_WordR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_WordR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_WordR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_WordR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_WordR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_WordR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90300409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Media Content
"{90D55A3F-1D99-4C94-A77E-46DC14F0BF08}" = Help and Support Customization
"{90EC11E4-854E-4C0F-9B4C-76D6C7CF7C68}" = Linksys WUSB600N Dual-Band Wireless-N USB Network Adapter
"{91120000-001B-0000-0000-0000000FF1CE}" = Microsoft Office Word 2007
"{91120000-001B-0000-0000-0000000FF1CE}_WordR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-001B-0000-0000-0000000FF1CE}_WordR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91120409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Standard
"{91170409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office FrontPage 2003
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9692FD03-6662-4E62-B08C-30DFF51651E1}" = Actiontec Gateway
"{96E16100-A77F-4B31-B9AD-FFBA040EE1BD}" = Sound Blaster Live!
"{98613C99-1399-416C-A07C-1EE1C585D872}" = SeaTools for Windows
"{98DF85D9-96C0-4F57-A92E-C3539477EF5E}" = DVDSentry
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9E816F70-50E9-4BF0-B3CD-BB140EAC3171}" = Microsoft Combat Flight Simulator 3 Mission Pack
"{A1BF9950-8CDB-468E-83FA-EACFB00EA7D5}" = Windows Live Sync
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A4C10EEF-D26C-410D-82E7-73370C6FD812}" = Neverwinter Nights Gold Edition
"{A63E18AC-B504-4045-AFE6-A279BBABB988}" = Qwest QuickAssist Desktop Tools
"{A8AD990E-355A-4413-8647-A9B168978423}_is1" = UltraVNC v1.0.2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-1033-0000-BA7E-000000000003}" = Adobe Acrobat 8 Standard
"{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.3
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{B43357AA-3A6D-4D94-B56E-43C44D09E548}" = Microsoft .NET Framework (English)
"{B5E66589-11D4-4DE5-90F3-1AD5E98ABD3E}" = Civilization III - Play the World v1.27F
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C43C1415-3DFC-4089-9A32-0BECF28A6046}" = Age of Empires III - The Asian Dynasties
"{C6522325-92ED-4312-A45A-04E45896C130}" = WLTB Custom Buttons
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{CADDE354-C78C-46CB-A006-E2B178EFC271}" = Rise Of Legends
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D07A8E7E-D324-4945-BA8C-E532AD008FF3}" = Microsoft Windows OneCare Live v2.5.2900.28
"{D1696920-9794-4BBC-8A30-7A88763DE5A2}" = ABBYY FineReader 5.0 Sprint Plus
"{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7
"{D94A8E22-DF2B-4107-9E51-608A60A7671D}" = Personal Ancestral File 5
"{E26B83D1-C0BB-41BC-8F44-31D5354DD6AF}" = Microsoft Windows OneCare Live AntiSpyware and AntiVirus
"{E3436EE2-D5CB-4249-840B-3A0140CC34C3}" = Classic PhoneTools
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E8650C8D-CCB2-496E-816C-ECC54A7EE411}" = Civilization III Play the World
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"Ad-aware 6 Personal" = Ad-aware 6 Personal
"Adobe Acrobat 8 Standard" = Adobe Acrobat 8.2.3 Standard
"Adobe Acrobat 8 Standard_823" = Adobe Acrobat 8.2.3 - CPSID_83708
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Age of Empires 2.0" = Microsoft Age of Empires II
"Age of Empires II: The Conquerors Expansion 1.0" = Microsoft Age of Empires II: The Conquerors Expansion
"Age of Mythology 1.0" = Age of Mythology
"Age of Mythology Expansion Pack 1.0" = Age of Mythology - The Titans Expansion
"America Online us" = America Online
"AolCoach" = AOL Coach Version 1.0(Build:20011028.1)
"Audacity_is1" = Audacity 1.2.4
"Axis and Allies" = Axis and Allies
"BCM V.92 56K Modem" = BCM V.92 56K Modem
"BlindWrite 5_is1" = BlindWrite5
"Civil War Bull Run" = Civil War Bull Run
"Close Combat 3.00" = Microsoft Close Combat III
"Combat Flight Simulator 3.0" = Microsoft Combat Flight Simulator 3.0
"DVD Decrypter" = DVD Decrypter (Remove Only)
"Europa Universalis" = Europa Universalis
"Fighting Steel" = Fighting Steel
"GameSpy Arcade" = GameSpy Arcade
"GME v1.0 Release" = GME v1.0 Release
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"if40leUninstall" = Presto! ImageFolio LE
"InstallShield_{102E4D60-5A93-4A3C-8105-FE390427C60D}" = Sid Meier's Alpha Centauri 2000/XP Compatibility Update
"InstallShield_{1C08A24C-B168-407E-A826-68FAF5F20710}" = Age of Empires III - The WarChiefs
"InstallShield_{764C0C8F-B1B1-49BF-AEDC-4E48E857A667}" = Lexmark Fax Solutions
"InstallShield_{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}" = Age of Empires III
"InstallShield_{90EC11E4-854E-4C0F-9B4C-76D6C7CF7C68}" = Linksys Dual-Band Wireless-N USB Network Adapter
"InstallShield_{C43C1415-3DFC-4089-9A32-0BECF28A6046}" = Age of Empires III - The Asian Dynasties
"InstallShield_{CADDE354-C78C-46CB-A006-E2B178EFC271}" = Rise Of Legends
"InterActual Player" = InterActual Player
"IrfanView" = IrfanView (remove only)
"Lexmark 5200 Series" = Lexmark 5200 Series
"Logitech WingMan Software" = Logitech WingMan Software
"LucasArts' Balance of Power" = LucasArts' Balance of Power
"LucasArts' X-Wing vs. TIE Fighter" = LucasArts' X-Wing vs. TIE Fighter
"Magic The Gathering®" = Magic : The Gathering®
"Magic: The Gathering" = Magic: The Gathering
"Magic: The Gathering "Manalink"" = Magic: The Gathering "Manalink"
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Medieval Total War" = Medieval Total War
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework Full v1.0.3705 (1033)" = Microsoft .NET Framework (English) v1.0.3705
"Microsoft Internet Gaming Zone" = MSN Gaming Zone
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"NetPerSec" = NetPerSec
"Neverwinter Nights - Infinite Dungeons" = BioWare Premium Module: Neverwinter Nights - Infinite Dungeons
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"NVIDIA Display Driver" = NVIDIA Display Driver
"PageManager" = Presto! PageManager
"PageType" = Presto! PageType
"PAUninstall" = Presto! PhotoAlbum
"PROSet" = Intel® PRO Ethernet Adapter and Software
"Quicken 2002 New User Edition" = Quicken 2002 New User Edition
"QuickTime" = QuickTime
"QwestQuickCare_is1" = Qwest Quickcare 2.7
"RealPlayer 6.0" = RealPlayer Basic
"Roger Wilco" = Roger Wilco
"Shockwave" = Shockwave
"Shogun Total War" = Shogun Total War
"Sid Meier's Alpha Centauri" = Sid Meier's Alpha Centauri
"Sid Meier's Gettysburg!" = Sid Meier's Gettysburg!
"Starfleet Command II" = Starfleet Command II
"Starfleet Command II Patcher" = Starfleet Command II Patcher
"Starfleet Command III Patcher" = Starfleet Command III Patcher
"Starfleet Command Orion Pirates" = Starfleet Command Orion Pirates
"TeamSpeak 2 RC2_is1" = TeamSpeak 2 RC2
"TeamSpeak 2 Server_is1" = TeamSpeak 2 Server RC2
"TeamSpeak 3 Client" = TeamSpeak 3 Client
"ToolbarICQToolbar.ICQToolbarObjectIEToolbar" = ICQ Toolbar
"TripleAVersion0_9_1_0" = TripleA Version 0_9_1_0
"TripleAVersion1_0_1_4" = TripleA Version 1_0_1_4
"TripleAVersion1_0_3_0" = TripleA Version 1_0_3_0
"TripleAVersion1_1_2_0" = TripleA Version 1_1_2_0
"TripleAVersion1_2_0_0" = TripleA Version 1_2_0_0
"ViewpointMediaPlayer" = Viewpoint Media Player (Remove Only)
"WIC" = Windows Imaging Component
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WinSS" = Windows Live OneCare
"WinZip" = WinZip
"WordPerfect Office 2002" = WordPerfect Office 2002
"WordR" = Microsoft Office Word 2007
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Messenger" = Yahoo! Messenger
"YInstHelper" = Yahoo! Install Manager

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/7/2010 3:18:51 PM | Computer Name = JBDELL | Source = Google Update | ID = 20
Description =

Error - 8/7/2010 9:18:57 PM | Computer Name = JBDELL | Source = Google Update | ID = 20
Description =

Error - 8/8/2010 1:45:00 AM | Computer Name = JBDELL | Source = Google Update | ID = 20
Description =

Error - 8/8/2010 6:54:18 AM | Computer Name = JBDELL | Source = Google Update | ID = 20
Description =

Error - 8/8/2010 12:50:08 PM | Computer Name = JBDELL | Source = Google Update | ID = 20
Description =

Error - 8/8/2010 12:55:44 PM | Computer Name = JBDELL | Source = Google Update | ID = 20
Description =

Error - 8/9/2010 12:52:03 AM | Computer Name = JBDELL | Source = Google Update | ID = 20
Description =

Error - 8/9/2010 1:02:21 AM | Computer Name = JBDELL | Source = Google Update | ID = 20
Description =

Error - 8/9/2010 2:02:21 AM | Computer Name = JBDELL | Source = Google Update | ID = 20
Description =

Error - 8/9/2010 3:02:21 AM | Computer Name = JBDELL | Source = Google Update | ID = 20
Description =

[ MSFWSVC Events ]
Error - 5/26/2010 4:52:39 PM | Computer Name = JBDELL | Source = MSFWSVC | ID = 1080
Description = OneCare Firewall failed while executing the following method: BuildAdaptersMap.
Error Code: 0x80070002, Error Message: The system cannot find the file specified.
.

Error - 5/29/2010 4:57:05 AM | Computer Name = JBDELL | Source = MSFWSVC | ID = 1080
Description = OneCare Firewall failed while executing the following method: BuildAdaptersMap.
Error Code: 0x80070002, Error Message: The system cannot find the file specified.
.

Error - 6/1/2010 10:47:41 PM | Computer Name = JBDELL | Source = MSFWSVC | ID = 1080
Description = OneCare Firewall failed while executing the following method: BuildAdaptersMap.
Error Code: 0x80070002, Error Message: The system cannot find the file specified.
.

Error - 7/20/2010 9:14:29 AM | Computer Name = JBDELL | Source = MSFWSVC | ID = 1080
Description = OneCare Firewall failed while executing the following method: BuildAdaptersMap.
Error Code: 0x80070002, Error Message: The system cannot find the file specified.
.

Error - 7/29/2010 5:08:42 AM | Computer Name = JBDELL | Source = MSFWSVC | ID = 1080
Description = OneCare Firewall failed while executing the following method: BuildAdaptersMap.
Error Code: 0x80070002, Error Message: The system cannot find the file specified.
.

Error - 8/1/2010 12:51:59 AM | Computer Name = JBDELL | Source = MSFWSVC | ID = 1080
Description = OneCare Firewall failed while executing the following method: BuildAdaptersMap.
Error Code: 0x80070002, Error Message: The system cannot find the file specified.
.

Error - 8/2/2010 11:52:21 PM | Computer Name = JBDELL | Source = MSFWSVC | ID = 1080
Description = OneCare Firewall failed while executing the following method: BuildAdaptersMap.
Error Code: 0x80070002, Error Message: The system cannot find the file specified.
.

Error - 8/4/2010 1:17:37 AM | Computer Name = JBDELL | Source = MSFWSVC | ID = 1080
Description = OneCare Firewall failed while executing the following method: BuildAdaptersMap.
Error Code: 0x80070002, Error Message: The system cannot find the file specified.
.

Error - 8/7/2010 1:04:28 PM | Computer Name = JBDELL | Source = MSFWSVC | ID = 1080
Description = OneCare Firewall failed while executing the following method: BuildAdaptersMap.
Error Code: 0x80070002, Error Message: The system cannot find the file specified.
.

Error - 8/7/2010 4:12:11 PM | Computer Name = JBDELL | Source = MSFWSVC | ID = 1080
Description = OneCare Firewall failed while executing the following method: BuildAdaptersMap.
Error Code: 0x80070002, Error Message: The system cannot find the file specified.
.

[ System Events ]
Error - 8/8/2010 1:44:56 AM | Computer Name = JBDELL | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 8/8/2010 1:44:56 AM | Computer Name = JBDELL | Source = Service Control Manager | ID = 7000
Description = The tmcomm service failed to start due to the following error: %%2

Error - 8/8/2010 1:52:15 AM | Computer Name = JBDELL | Source = ipnathlp | ID = 30005
Description = The DHCP allocator has detected a DHCP server with IP address 192.168.0.1
on
the same network as the interface with IP address 192.168.0.2. The allocator has
disabled itself on the interface in order to avoid confusing DHCP clients.

Error - 8/8/2010 11:53:06 AM | Computer Name = JBDELL | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 8/8/2010 11:53:06 AM | Computer Name = JBDELL | Source = Service Control Manager | ID = 7000
Description = The tmcomm service failed to start due to the following error: %%2

Error - 8/8/2010 11:53:50 AM | Computer Name = JBDELL | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the NVSvc service.

Error - 8/8/2010 12:50:00 PM | Computer Name = JBDELL | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 8/8/2010 12:50:00 PM | Computer Name = JBDELL | Source = Service Control Manager | ID = 7000
Description = The tmcomm service failed to start due to the following error: %%2

Error - 8/9/2010 12:52:08 AM | Computer Name = JBDELL | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 8/9/2010 12:52:08 AM | Computer Name = JBDELL | Source = Service Control Manager | ID = 7000
Description = The tmcomm service failed to start due to the following error: %%2

[ Windows OneCare Events ]
Error - 1/26/2010 7:38:27 PM | Computer Name = JBDELL | Source = WinSS | ID = 7001
Description = Failed executing wireless security check process. Error Code = 0x80020005.

Error - 1/26/2010 10:21:16 PM | Computer Name = JBDELL | Source = WinSS | ID = 7001
Description = Failed executing wireless security check process. Error Code = 0x80020005.

Error - 1/27/2010 2:19:49 AM | Computer Name = JBDELL | Source = WinSS | ID = 7001
Description = Failed executing wireless security check process. Error Code = 0x80020005.

Error - 1/30/2010 8:29:27 PM | Computer Name = JBDELL | Source = WinSS | ID = 7001
Description = Failed executing wireless security check process. Error Code = 0x80020005.

Error - 2/3/2010 5:42:01 AM | Computer Name = JBDELL | Source = WinSS | ID = 7001
Description = Failed executing wireless security check process. Error Code = 0x80020005.

Error - 2/3/2010 10:56:40 AM | Computer Name = JBDELL | Source = WinSS | ID = 7001
Description = Failed executing wireless security check process. Error Code = 0x80020005.

Error - 2/5/2010 8:45:14 PM | Computer Name = JBDELL | Source = WinSS | ID = 7001
Description = Failed executing wireless security check process. Error Code = 0x80020005.

Error - 2/5/2010 11:02:59 PM | Computer Name = JBDELL | Source = WinSS | ID = 7001
Description = Failed executing wireless security check process. Error Code = 0x80020005.

Error - 2/8/2010 6:51:56 PM | Computer Name = JBDELL | Source = WinSS | ID = 7001
Description = Failed executing wireless security check process. Error Code = 0x80020005.

Error - 2/9/2010 11:13:45 AM | Computer Name = JBDELL | Source = WinSS | ID = 7001
Description = Failed executing wireless security check process. Error Code = 0x80020005.


< End of report >




#9 etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:08:18 PM

Posted 09 August 2010 - 06:13 PM

Hello, JB_nw.
1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{58628459-F393-4EBA-AA8B-990E92DA8AC4}]
Driver::
cdrmkaun
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#10 JB_nw
  • Topic Starter

  • Members
  • 15 posts
  • Local time:05:18 PM

Posted 09 August 2010 - 10:50 PM

Hello Etavares,

Results of the ComboFix execution and report creation as specified in your previous post are described below.
Note: Disconnected from Internet and then disabled virus scanner before starting ComboFix.

________________________________
ComboFix execution and report creation



1. Opened notepad and copied the specified text ( from the quotebox ) into notepad and then saved as "CFScript.txt" ( in the same location as 'ComboFix.exe' ).

2. Closed all browsers.

3. Closed or disabled all anti virus and anti malware programs (so they do not interfere with the running of ComboFix).

4. Dragged the 'CFScript.txt' icon on to the "ComboFix.exe" icon.

ComboFix window appeared.
ComboFix ran for approx. 15 minutes before it did an automatic reboot.
After the reboot ( Selected the same user account as before ), had to close two application windows (that open automatically at start up), to allow ComboFix to continue.
After a few minutes, the ComboFix window closed and then the log file was displayed inside a notepad window.

Log file was found at: C:\ComboFix.txt
The CFScript.txt file disappeared from the desktop.

The 'ComboFix.txt' log file is shown below.


--------------------------------------------
Current PC Symptoms / Status:


Changed from last post.
In the "Add or Remove Programs" window, the "AdWare & SpyWare" item has been removed.

Unchanged from last post.
Still unable to boot into "Safe mode with networking"
[ Note: Can not recall ever booting up into "Safe Mode with Networking" before. Can not confirm that it ever was possible on this PC. ]

Have not detected any other problems with Win XP OS or any applications.

++++++++++
Attachments: - none

_________________________________

'ComboFix.txt' log file:
------------------------



ComboFix 10-08-06.01 - Joe Collier 08/09/2010 18:28:30.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.165 [GMT -7:00]
Running from: c:\documents and settings\Joe Collier\Desktop\etavaresCF.exe
Command switches used :: c:\documents and settings\Joe Collier\Desktop\CFScript.txt
AV: Windows Live OneCare *On-access scanning disabled* (Outdated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CDRMKAUN
-------\Service_cdrmkaun


((((((((((((((((((((((((( Files Created from 2010-07-10 to 2010-08-10 )))))))))))))))))))))))))))))))
.

2010-08-05 07:26 . 2010-07-17 12:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-03 10:59 . 2010-08-03 10:59 -------- d-----w- c:\documents and settings\Joe Collier\Application Data\Malwarebytes
2010-08-02 20:40 . 2010-08-02 20:40 -------- d-----w- c:\documents and settings\other\Local Settings\Application Data\SupportSoft
2010-08-02 20:35 . 2010-08-02 20:35 -------- d-sh--w- c:\documents and settings\other\IETldCache
2010-08-02 16:11 . 2010-08-02 20:12 10752 ----a-w- c:\windows\DCEBoot.exe
2010-08-01 09:52 . 2010-08-01 09:52 73216 ---ha-w- c:\windows\system32\iifedc.dll
2010-08-01 09:26 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-08-01 09:26 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2010-08-01 09:21 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-01 09:21 . 2010-08-01 09:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-01 09:21 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-01 09:21 . 2010-08-04 07:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-21 16:47 . 2010-07-21 16:47 -------- d-----w- c:\program files\Western Digital Corporation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-07 16:17 . 2009-07-08 11:48 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2010-08-07 08:38 . 2006-03-31 09:05 -------- d-----w- c:\program files\Yahoo!
2010-08-07 08:29 . 2010-07-02 14:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-05 07:26 . 2007-08-21 09:19 -------- d-----w- c:\program files\Common Files\Java
2010-08-05 07:25 . 2007-08-21 09:51 -------- d-----w- c:\program files\Java
2010-08-02 20:38 . 2005-01-27 12:55 157936 ----a-w- c:\documents and settings\other\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-02 03:34 . 2004-08-17 16:49 -------- d-----w- c:\documents and settings\Joe Collier\Application Data\COREL
2010-07-02 14:05 . 2010-07-02 14:05 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-12 01:20 . 2007-07-11 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-11 07:04 . 2010-04-20 22:10 -------- d-----w- c:\program files\TeamSpeak 3 Client
2003-02-25 10:11 . 2003-02-25 10:11 0 ----a-w- c:\program files\readme.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"QuickCare"="c:\program files\Qwest\Quickcare\bin\sprtcmd.exe" [2010-01-16 206120]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2003-1-20 200833]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-1-7 45056]
Wireless Network Monitor.lnk - c:\program files\Linksys\WUSB600N\WUSB600N.exe [2008-1-9 6922240]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Games\\GameSpy Arcade\\Aphex.exe"=
"c:\\WINDOWS\\SYSTEM32\\dplaysvr.exe"=
"c:\\Games\\Firaxis Games\\Sid Meier's Gettysburg!\\Lee.exe"=
"c:\\Games\\Total War\\Medieval - Total War\\Medieval_TW.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Games\\Microsoft Games\\Age of Mythology\\aomx.exe"=
"c:\\Games\\Roger Wilco\\mark 1 d3\\Roger Wilco\\roger.exe"=

[HKLM\~\Services\\_common\\RWVoice.exe"=]
"c:\\Games\\NeverwinterNights\\NWN\\nwupdate.exe"=
"c:\\Games\\Taldren Software Inc\\Starfleet Command Orion Pirates\\StarFleetOP.exe"=
"c:\\Games\\NeverwinterNights\\NWN\\nwmain.exe"=
"c:\\Games\\Roger Wilco\\roger.exe"=
"c:\\Games\\Roger Wilco\\mark 1 C\\Roger Wilco\\roger.exe"=
"c:\\Games\\Magic\\Program\\Manalink.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"c:\\Program Files\\MSN Gaming Zone\\zclient.exe"=
"c:\\Games\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"c:\\Games\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Games\\Microsoft Games\\Close Combat III\\CC3.exe"=
"c:\\Games\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Games\\Infogrames Interactive\\Civilization III\\CIV3PTW\\Civilization3X.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpnsvr.exe"=
"c:\\Games\\Microsoft Games\\Combat Flight Simulator 3\\cfs3.exe"=
"c:\\Games\\Hasbro Interactive\\Axis and Allies\\AxisAllies.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Games\\Microsoft Games\\Rise Of Legends\\legends.exe"=
"c:\\Games\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\SYSTEM32\\java.exe"=
"c:\\Games\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Teamspeak2_RC2\\server_windows.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\jdk1.6.0_02\\bin\\javaw.exe"=
"c:\\Games\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Civilization4.exe"=
"c:\\Games\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Warlords\\Civ4Warlords.exe"=
"c:\\Games\\Atari\\Axis & Allies\\Aa.exe"=
"c:\\Games\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Games\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=

R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [7/9/2009 12:15 PM 26104]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]
R2 sprtsvc_quickcare;SupportSoft Sprocket Service (quickcare);c:\program files\Qwest\Quickcare\bin\sprtsvc.exe [3/10/2010 5:46 PM 206120]
R2 tgsrvc_quickcare;SupportSoft Repair Service (quickcare);c:\program files\Qwest\Quickcare\bin\tgsrvc.exe [3/10/2010 5:46 PM 185640]
R2 vnccom;vnccom;c:\windows\SYSTEM32\DRIVERS\vnccom.SYS [10/2/2007 3:02 AM 6016]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 9:50 PM 135664]
S3 LwAdiHid;Logitech WingMan Digital Devices(Auto-Detect);c:\windows\SYSTEM32\DRIVERS\LwAdiHid.sys [1/20/2003 7:48 PM 20864]
.
Contents of the 'Scheduled Tasks' folder

2010-08-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 04:50]

2010-08-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 04:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://qwest.live.com/
mStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = 67.159.178.199:8080
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &ICQ Toolbar Search - c:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Joe Collier\Application Data\Mozilla\Firefox\Profiles\xyy99245.default\
FF - prefs.js: network.proxy.type - 0
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-09 18:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-124684247-3023699142-651906896-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1712)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\wanmpsvc.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
c:\program files\Microsoft Windows OneCare Live\winss.exe
c:\windows\system32\wscntfy.exe
c:\program files\Microsoft Windows OneCare Live\winssnotify.exe
c:\program files\APC\APC PowerChute Personal Edition\systray.exe
.
**************************************************************************
.
Completion time: 2010-08-09 18:58:03 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-10 01:57
ComboFix2.txt 2010-08-07 17:54

Pre-Run: 7,043,543,040 bytes free
Post-Run: 7,050,743,808 bytes free

- - End Of File - - 51D83E7BB36B819440309D548ABB0D19


#11 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 11 August 2010 - 05:48 PM

Hello, JB_nw.

OK, let's come back to safe mode in a bit. It could be unrelated to the malware.

Step 1

You are using an outdated version of Adobe Reader. Adobe Reader has since been updated, and the update closes many security holes and provides new features.

First, uninstall earlier versions of Adobe Reader.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all versions of Adobe Reader.
  • Check (highlight) any item with Adobe Reader in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Adobe Reader version.

Please download the latest version from:
http://get.adobe.com/reader/

And install it. Once installed, launch it, select Help --> Check for Updates and install any updates.


You may also try the free Foxit PDF reader if you prefer:
http://www.foxitsoftware.com/pdf/reader/



Step 2


Your Java SDK is out of date. I suggest you uninstall it and download the most recent version from Java.



Step 3

Please pull anything out of the recycle bin that you want to save. Part of this fix will empty temp files, and that does include the recycle bin.

We need to run an OTL script
  1. Please download OTL from one of the following mirrors if you do not still have it.
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Paste the following code under the Custom Scans/Fixes box at the bottom. Do not include the word "Code".
    CODE
    :OTL
    DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\drivers\tmcomm.sys -- (tmcomm)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DDMI2.sys -- (SDDMI2)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\wATV03nt.sys -- (iAimTV2)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\JOECOL~1\LOCALS~1\Temp\cdrmkaun.sys -- (cdrmkaun)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\etavaresCF\catchme.sys -- (catchme)
    SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
    IE - HKU\S-1-5-21-124684247-3023699142-651906896-1006\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
    O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    :Commands
    [EmptyTemp]
  5. Click the Run Fix button at the top.
  6. Let the program run unhindered and reboot when it is done.
  7. You will get a log when it is done, please post that in your reply.
  8. Please then create a new OTL report....
  9. Click the "Scan All Users" checkbox.
  10. Push the button.
  11. A report will open, copy and paste it in a reply here.



Step 4

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
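For the OTL log lines that the fix in Step 3 is built from, an added triage helper (example code written for this thread, not OTL's own code and not from etavares or JB_nw): it parses the DRV/SRV, "Internet Settings" and URLSearchHook line formats that appear in these logs, flags orphaned service entries, a stored per-user proxy server and hooks whose DLL is missing, and assembles the orphaned lines into a fix block in the layout used in the post above. The sample log, the SIDs, the proxy address and the Temp path are constructed placeholders.

```python
"""
Triage helper for OTL-style scan output (added example; not OTL's own code).
Recognises three line formats from the logs in this thread:
  DRV/SRV entries whose image file is missing ("File not found"),
  IE "Internet Settings" values (ProxyEnable / ProxyServer / ProxyOverride),
  URLSearchHook entries (CLSID plus the DLL or a "File not found" note).
"""
import re
from dataclasses import dataclass

# Constructed sample in the formats seen in this thread. The SID, the proxy
# address (TEST-NET) and the Temp-folder driver are placeholders.
SAMPLE_LOG = r"""
DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\drivers\tmcomm.sys -- (tmcomm)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\USER~1\LOCALS~1\Temp\abcdefgh.sys -- (abcdefgh)
DRV - [2008/05/15 16:15:16 | 000,053,168 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MpFilter.sys -- (MpFilter)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2007/03/07 16:47:46 | 000,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Example\svc.exe -- (ExampleSvc)
IE - HKU\S-1-5-21-1111-2222-3333-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1111-2222-3333-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 192.0.2.10:8080
IE - HKU\S-1-5-21-1111-2222-3333-1006\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1111-2222-3333-1006\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll (ICQ Inc.)
"""

# "DRV - File not found [Kernel | Auto | Stopped] -- <path> -- (<service name>)"
MISSING_RE = re.compile(
    r"^(?P<kind>DRV|SRV) - File not found \[(?P<flags>[^\]]*)\] -- "
    r"(?P<path>.+?) -- \((?P<name>[^)]+)\)\s*$")
# 'IE - HKU\<sid>\...\Internet Settings: "ProxyServer" = host:port'
PROXY_RE = re.compile(
    r'^IE - (?P<hive>HKU\\[^\\]+)\\.*Internet Settings: "(?P<key>Proxy\w+)" = (?P<value>.*)$')
# "IE - HKU\<sid>\..\URLSearchHook: {CLSID} - <dll (vendor)> | Reg Error ... File not found"
HOOK_RE = re.compile(
    r"^IE - (?P<hive>HKU\\[^\\]+)\\\.\.\\URLSearchHook: (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "review": a helper should look at it; "info": context only
    category: str
    name: str
    detail: str


def triage(log_text):
    """Return findings in log order; proxy findings (one per user hive) come last."""
    findings = []
    proxy = {}  # hive -> {"ProxyEnable": "0", "ProxyServer": "host:port", ...}
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = MISSING_RE.match(line)
        if m:
            detail = f"{m['kind']} image {m['path']} not found [{m['flags']}]"
            # A driver registered from a user's Temp folder is not a normal
            # vendor leftover, so say so instead of burying it among the rest.
            if "\\temp\\" in m["path"].lower():
                detail += "; image path is under a Temp directory"
            findings.append(Finding("review", "orphaned-service", m["name"], detail))
            continue
        m = PROXY_RE.match(line)
        if m:
            proxy.setdefault(m["hive"], {})[m["key"]] = m["value"].strip()
            continue
        m = HOOK_RE.match(line)
        if m:
            if "File not found" in m["target"]:
                findings.append(Finding("review", "orphaned-urlsearchhook", m["clsid"],
                                        f"hook registered in {m['hive']} but its DLL is missing"))
            else:
                findings.append(Finding("info", "urlsearchhook", m["clsid"], m["target"]))
    # A stored ProxyServer is worth a look even with ProxyEnable = 0: enabling
    # it again is a one-value change, so report where the browser would go.
    for hive, values in proxy.items():
        server = values.get("ProxyServer")
        if server:
            enabled = values.get("ProxyEnable", "0") == "1"
            state = "enabled" if enabled else "stored but ProxyEnable = 0"
            findings.append(Finding("review", "proxy-server", hive,
                                    f"ProxyServer = {server} ({state})"))
    return findings


def build_fix(log_text):
    """Assemble the orphaned lines into an OTL fix block using the layout of the
    post above: the scan lines verbatim under :OTL, then [EmptyTemp] under :Commands."""
    keep = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        hook = HOOK_RE.match(line)
        if MISSING_RE.match(line) or (hook and "File not found" in hook["target"]):
            keep.append(line)
    return "\n".join([":OTL", *keep, ":Commands", "[EmptyTemp]"])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.category}: {f.name} -- {f.detail}")
    print()
    print(build_fix(SAMPLE_LOG))
```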
 


#12 JB_nw

JB_nw
  • Topic Starter

  • Members
  • 15 posts

Posted 12 August 2010 - 02:18 PM

Hello Etavares,

Results of the 4 steps specified in your previous post are described below.

_________
Step 1

Uninstall Adobe Reader and install newest version


Opened the "Add or Remove Programs" window:
Start button > Control Panel and open the "Add or Remove Programs" icon.
Within the 'Add or Remove Programs' window, clicked on the 'Adobe Reader 8.2.3' item to highlight it.
Clicked on the 'Remove' button for 'Adobe Reader 8.2.3' and the following occurred:

Window opens and text inside says "Please wait while windows configures Adobe Reader 8.2.3"
The progress bar extended to the right about 75% complete and then a new window appeared.
'User SYSTEM has previously initiated an installation for product Microsoft Office 2000 SR-1 Professional. That user will need to run that installation again before using that product. Your current installation will now continue.'

Clicked 'OK' and then a new window appeared.
'Error 1704. An installation for Microsoft Office 2000 SR-1 Professional is currently suspended. You must undo the changes made by that installation to continue. Do you want to undo those changes?' ( Yes or No )
Clicked on the 'Yes' button. 'Adobe Reader 8.2.3' completed the uninstall.
The 'Adobe Reader 8.2.3' item was deleted from the 'Add or Remove Programs' window.

Uninstalled 'Adobe Acrobat 5.0' also.
--------
Install newest version of Adobe Reader:

Opened IE 8 browser to this web page: http://get.adobe.com/reader/

Downloaded and installed version 'Adobe Reader 9.3.3'
New window appeared saying the IE 8 browser window should be closed before continuing the Installation.
Closed IE 8 browser and then clicked on the 'Retry' button.
Completed installation of 'Adobe Reader 9.3.3'

Ran Adobe Reader 9.3.3 and selected 'Check for Updates' from the 'Help' pull down menu.
The 'Adobe Reader Updater' window appeared and displayed the text: 'No Updates available'

_________
Step 2

Uninstall Java SDK and install newest version


Within the 'Add or Remove Programs' window, clicked on the 'Java SE Development Kit 6 Update 2' item to highlight it.
Clicked on the 'Remove' button for 'Java SE Development Kit 6 Update 2' and the following occurred:

A window opens and text inside says "Please wait while windows configures Java SE Development Kit 6 Update 2"
The progress bar extended to the right side 3 times before the window closed.
The 'Java SE Development Kit 6 update 2' item was deleted from the 'Add or Remove Programs' window.

Also Removed/Uninstalled 'Java DB 10.2.2.0' item.
--------
Install newest version of Java SDK:

Opened IE 8 browser to this webpage:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

Java Platform, Standard Edition - JDK 6 Update 21 (JDK or JRE)
Clicked on Download 'JDK' button.

New web page displayed:
http://www.oracle.com/technetwork/java/jav...jsp-136632.html

Java SE Downloads
Download Java SE Development Kit 6u21
Clicked on 'Download' button.

New web page displayed
https://cds.sun.com/is-bin/INTERSHOP.enfini...S-CDS_Developer

Entered required information: Platform : 'Windows'
Click on 'continue' button takes browser to this page:
https://cds.sun.com/is-bin/INTERSHOP.enfini...ationTypeFilter
This page appears to be the same as the previous page.

Click on 'continue' button takes browser to the same page:
https://cds.sun.com/is-bin/INTERSHOP.enfini...ationTypeFilter

Apparently inside an infinite loop with this Oracle webpage.
Decided to postpone installation of Java SE Development Kit 6u21 until needed or until alternate download website located.


_________
Step 3

Run OTL script and then run OTL scan



Ran "OTL.exe"
OTL Window appeared.

Pasted the requested code into the Custom Scans/Fixes box at the bottom.

Attached File: OTL_runfix.jpg (90.41KB)

Clicked the 'Run Fix' button at the top.
When OTL indicated it was done, rebooted PC.

The 'OTL_Run Fix.Txt' log file is shown below.

Ran "OTL.exe" again.
OTL Window appeared.

Clicked the "Scan All Users" checkbox. ( check mark added )
note: "Extra Registry" is set to 'None'.
Clicked the 'Run Scan' button.
After scan completed, closed the OTL window.

The 'OTL.Txt' log file is shown below.


_________
Step 4

Run ESET Online scan


Opened a new browser window and entered the address: http://www.eset.com/online-scanner
Closed all other open applications.
Set 'Scan archives' to ON.
Clicked on 'Start' button. ( Temporarily turned OFF the firewall to allow download of the definitions file and scan engine. )
Note: Disabled virus scanner before performing ESET scan.

Scan took 2 hours and 20 minutes.
Log file was saved to the desktop.

The 'ESETScan.txt' log file is shown below.


--------------------------------------------
Current PC Symptoms / Status:


Unchanged from last post.
Still unable to boot into "Safe mode with networking"

Have not detected any other problems with Win XP OS or any applications.

++++++++++
Attachments: - OTL window jpeg image

_________________________________

'OTL_Run Fix.Txt' log file:
------------------------


All processes killed
========== OTL ==========
Service tmcomm stopped successfully!
Service tmcomm deleted successfully!
File C:\WINDOWS\System32\drivers\tmcomm.sys not found.
Service SDDMI2 stopped successfully!
Service SDDMI2 deleted successfully!
File C:\WINDOWS\System32\DDMI2.sys not found.
Service iAimTV2 stopped successfully!
Service iAimTV2 deleted successfully!
File C:\WINDOWS\System32\DRIVERS\wATV03nt.sys not found.
Error: No service named cdrmkaun was found to stop!
Service\Driver key cdrmkaun not found.
File C:\DOCUME~1\JOECOL~1\LOCALS~1\Temp\cdrmkaun.sys not found.
Service catchme stopped successfully!
Service catchme deleted successfully!
File C:\etavaresCF\catchme.sys not found.
Service AppMgmt stopped successfully!
Service AppMgmt deleted successfully!
File C:\WINDOWS\System32\appmgmts.dll not found.
Registry value HKEY_USERS\S-1-5-21-124684247-3023699142-651906896-1006\Software\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
File Animation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab not found.
Starting removal of ActiveX control DirectAnimation Java Classes
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\DirectAnimation Java Classes\ not found.
File oft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab not found.
Starting removal of ActiveX control Microsoft XML Parser for Java
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 8517120 bytes
->Temporary Internet Files folder emptied: 1256566 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 56504 bytes

User: Joe Collier
->Temp folder emptied: 2406766 bytes
->Temporary Internet Files folder emptied: 28015734 bytes
->Java cache emptied: 10141426 bytes
->FireFox cache emptied: 45831412 bytes
->Flash cache emptied: 1288 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 1487504 bytes
->Flash cache emptied: 603 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 31321 bytes

User: other
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 294871 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 458110 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 50222 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 2162401 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 96.00 mb


OTL by OldTimer - Version 3.2.9.1 log created on 08122010_022942

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


___________________

'OTL.Txt' log file:
------------------------


OTL logfile created on: 8/12/2010 3:03:52 AM - Run 2
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Joe Collier\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 359.00 Mb Available Physical Memory | 70.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 68.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.72 Gb Total Space | 6.43 Gb Free Space | 5.75% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JBDELL
Current User Name: Joe Collier
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/08 23:11:37 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe Collier\Desktop\OTL.exe
PRC - [2010/05/14 11:00:26 | 000,249,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2010/01/16 14:30:16 | 000,185,640 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Qwest\Quickcare\bin\tgsrvc.exe
PRC - [2010/01/16 14:30:10 | 000,206,120 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Qwest\Quickcare\bin\sprtsvc.exe
PRC - [2010/01/16 14:30:02 | 000,206,120 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Qwest\Quickcare\bin\sprtcmd.exe
PRC - [2009/07/09 12:15:38 | 001,139,536 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows OneCare Live\winss.exe
PRC - [2009/07/09 12:15:38 | 000,065,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
PRC - [2009/07/09 12:15:32 | 000,026,104 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
PRC - [2008/07/09 17:05:22 | 000,018,704 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/09 06:44:20 | 006,922,240 | ---- | M] (Linksys) -- C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
PRC - [2008/01/08 12:02:16 | 001,213,728 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
PRC - [2007/11/27 22:56:32 | 000,755,264 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
PRC - [2002/02/15 09:31:42 | 000,045,056 | ---- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe
PRC - [2001/11/26 18:54:02 | 000,065,536 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\wanmpsvc.exe
PRC - [2001/09/28 04:51:28 | 000,409,729 | ---- | M] (American Power Conversion Corporation) -- C:\Program Files\APC\APC PowerChute Personal Edition\systray.exe
PRC - [2001/09/28 04:50:50 | 000,143,491 | ---- | M] (American Power Conversion Corporation) -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe


========== Modules (SafeList) ==========

MOD - [2010/08/08 23:11:37 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe Collier\Desktop\OTL.exe
MOD - [2010/01/16 14:30:06 | 000,116,008 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Qwest\Quickcare\bin\sprthook.dll
MOD - [2008/04/13 17:12:01 | 000,413,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\msvcp60.dll
MOD - [2008/04/13 17:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/05/14 11:00:26 | 000,249,136 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2010/01/16 14:31:40 | 000,382,320 | ---- | M] (SupportSoft, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\supportsoft\bin\ssrc.exe -- (SupportSoft RemoteAssist)
SRV - [2010/01/16 14:30:16 | 000,185,640 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Qwest\Quickcare\bin\tgsrvc.exe -- (tgsrvc_quickcare) SupportSoft Repair Service (quickcare)
SRV - [2010/01/16 14:30:10 | 000,206,120 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Qwest\Quickcare\bin\sprtsvc.exe -- (sprtsvc_quickcare) SupportSoft Sprocket Service (quickcare)
SRV - [2009/07/09 12:15:38 | 001,139,536 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Windows OneCare Live\winss.exe -- (winss)
SRV - [2009/07/09 12:15:32 | 000,026,104 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe -- (OcHealthMon)
SRV - [2008/07/09 17:05:22 | 000,018,704 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe -- (OneCareMP)
SRV - [2008/02/16 00:32:59 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/01/08 12:02:16 | 001,213,728 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe -- (sprtlisten)
SRV - [2007/11/27 22:56:32 | 000,755,264 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe -- (msfwsvc)
SRV - [2007/03/07 16:47:46 | 000,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2004/02/20 12:10:08 | 000,421,888 | ---- | M] (Lexmark International, Inc.) [On_Demand | Stopped] -- C:\WINDOWS\System32\lxbtcoms.exe -- (lxbt_device)
SRV - [2002/08/01 11:22:40 | 000,065,536 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\hpzipm12.exe -- (Pml Driver HPZ12)
SRV - [2002/05/03 10:29:42 | 001,118,208 | ---- | M] (Intel Corporation) [On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\NMSSvc.Exe -- (NMSSvc) Intel®
SRV - [2001/11/26 18:54:02 | 000,065,536 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\WINDOWS\wanmpsvc.exe -- (WANMiniportService) WAN Miniport (ATW)
SRV - [2001/09/28 04:50:50 | 000,143,491 | ---- | M] (American Power Conversion Corporation) [Auto | Running] -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe -- (APC UPS Service)


========== Driver Services (SafeList) ==========

DRV - [2008/05/15 16:15:16 | 000,053,168 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MpFilter.sys -- (MpFilter)
DRV - [2008/04/13 11:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\gameenum.sys -- (gameenum)
DRV - [2008/04/13 11:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 11:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 11:36:38 | 000,020,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\hidbatt.sys -- (HidBatt)
DRV - [2007/12/14 19:04:24 | 000,551,680 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\rt2870.sys -- (rt2870)
DRV - [2007/11/27 22:56:30 | 000,116,416 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\msfwhlpr.sys -- (MSFWHLPR)
DRV - [2007/11/27 22:56:28 | 000,091,328 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\msfwdrv.sys -- (MSFWDrv)
DRV - [2007/02/25 13:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\dsunidrv.sys -- (dsunidrv)
DRV - [2007/02/02 03:00:00 | 000,009,464 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2007/02/02 03:00:00 | 000,009,336 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2007/01/13 23:12:28 | 000,028,256 | ---- | M] (MusicMatch, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\MxlW2k.sys -- (MxlW2k)
DRV - [2006/11/28 22:46:20 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\PCASp50.sys -- (PCASp50)
DRV - [2006/10/05 17:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2005/08/12 01:41:46 | 000,068,960 | ---- | M] (VSO Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\Pcatip.sys -- (Pcatip)
DRV - [2004/08/03 23:29:50 | 000,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys -- (iAimFP4)
DRV - [2004/08/03 23:29:48 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys -- (iAimFP3)
DRV - [2004/08/03 23:29:46 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys -- (iAimTV4)
DRV - [2004/08/03 23:29:44 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys -- (iAimTV3)
DRV - [2004/08/03 23:29:44 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys -- (iAimTV1)
DRV - [2004/08/03 23:29:42 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys -- (iAimTV0)
DRV - [2004/08/03 23:29:38 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys -- (i81x)
DRV - [2004/08/03 23:29:38 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys -- (iAimFP0)
DRV - [2004/08/03 23:29:38 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys -- (iAimFP1)
DRV - [2004/08/03 23:29:38 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys -- (iAimFP2)
DRV - [2004/06/26 13:22:00 | 000,006,016 | ---- | M] (RDV Soft) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\vnccom.SYS -- (vnccom)
DRV - [2004/06/26 13:22:00 | 000,004,736 | ---- | M] (RDV Soft) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\vncdrv.sys -- (vncdrv)
DRV - [2003/10/06 15:16:00 | 001,550,043 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\nv4_mini.sys -- (nv)
DRV - [2003/08/29 04:59:24 | 001,101,696 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\BCMSM.sys -- (BCMModem)
DRV - [2003/01/07 20:41:14 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2002/08/30 15:29:02 | 001,293,440 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\P16X.sys -- (P16X) Creative SB Live! Series (WDM)
DRV - [2002/08/29 00:16:22 | 000,020,864 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\LwAdiHid.sys -- (LwAdiHid) Logitech WingMan Digital Devices(Auto-Detect)
DRV - [2002/07/19 09:22:08 | 000,017,153 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)
DRV - [2002/05/03 10:30:08 | 000,009,868 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\NMSCFG.SYS -- (NMSCFG)
DRV - [2002/04/10 16:01:12 | 000,024,554 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2002/04/10 16:01:00 | 000,029,638 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2002/04/10 16:00:44 | 000,117,898 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2k)
DRV - [2002/04/10 15:48:04 | 000,236,032 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\cdudf_xp.sys -- (cdudf_xp)
DRV - [2002/04/10 15:45:16 | 000,206,336 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys -- (UdfReadr_xp)
DRV - [2001/09/27 09:58:20 | 000,028,396 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2001/08/17 15:02:32 | 000,008,576 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\hidgame.sys -- (hidgame)
DRV - [2001/08/17 13:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 13:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 13:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 13:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 13:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 12:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 12:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 12:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 12:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 12:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 12:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 12:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 12:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 12:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 12:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 12:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 11:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)
DRV - [1999/12/17 00:00:00 | 000,006,752 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\PFMODNT.SYS -- (PfModNT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = [String data over 1000 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = [String data over 1000 bytes]


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dellnet.com
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-124684247-3023699142-651906896-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://qwest.live.com/
IE - HKU\S-1-5-21-124684247-3023699142-651906896-1006\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = [String data over 1000 bytes]
IE - HKU\S-1-5-21-124684247-3023699142-651906896-1006\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = [String data over 1000 bytes]
IE - HKU\S-1-5-21-124684247-3023699142-651906896-1006\..\URLSearchHook: {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll (ICQ Inc.)
IE - HKU\S-1-5-21-124684247-3023699142-651906896-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-124684247-3023699142-651906896-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-124684247-3023699142-651906896-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 67.159.178.199:8080

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/31 22:45:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/11 19:35:12 | 000,000,000 | ---D | M]

[2009/01/04 23:33:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe Collier\Application Data\Mozilla\Extensions
[2010/07/29 03:16:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe Collier\Application Data\Mozilla\Firefox\Profiles\xyy99245.default\extensions
[2010/07/29 03:16:06 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Joe Collier\Application Data\Mozilla\Firefox\Profiles\xyy99245.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/08/05 00:26:07 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/08/05 00:26:07 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/08/09 18:45:26 | 000,000,027 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (ICQ Toolbar) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll (ICQ Inc.)
O3 - HKU\S-1-5-21-124684247-3023699142-651906896-1006\..\Toolbar\ShellBrowser: (ICQ Toolbar) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll (ICQ Inc.)
O3 - HKU\S-1-5-21-124684247-3023699142-651906896-1006\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-124684247-3023699142-651906896-1006\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-124684247-3023699142-651906896-1006\..\Toolbar\WebBrowser: (ICQ Toolbar) - {855F3B16-6D32-4FE6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll (ICQ Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickCare] C:\Program Files\Qwest\Quickcare\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKU\S-1-5-21-124684247-3023699142-651906896-1006..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless Network Monitor.lnk = C:\Program Files\Linksys\WUSB600N\WUSB600N.exe (Linksys)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-124684247-3023699142-651906896-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-124684247-3023699142-651906896-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-124684247-3023699142-651906896-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: SpecifyDefaultButtons = 0
O7 - HKU\S-1-5-21-124684247-3023699142-651906896-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Btn_Search = 0
O7 - HKU\S-1-5-21-124684247-3023699142-651906896-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-124684247-3023699142-651906896-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &ICQ Toolbar Search - C:\Program Files\ICQToolbar\toolbaru.dll (ICQ Inc.)
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe File not found
O9 - Extra 'Tools' menuitem : ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe File not found
O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe (ICQ, Inc.)
O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe (ICQ, Inc.)
O9 - Extra Button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe File not found
O9 - Extra 'Tools' menuitem : Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe File not found
O12 - Plugin for: .mid - C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll (Apple Computer, Inc.)
O12 - Plugin for: .tga - C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll (Apple Computer, Inc.)
O15 - HKU\S-1-5-21-124684247-3023699142-651906896-1006\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/0/A...01F/wmvadvd.cab (Reg Error: Key error.)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O29 - HKLM SecurityProviders - (zwebauth.dll) - C:\WINDOWS\System32\ZWebAuth.dll ()
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/03 07:59:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/08/12 02:29:42 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/08/11 19:16:47 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/08/11 19:15:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/08/11 19:07:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2010/08/11 18:53:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\acrobat reader removal info
[2010/08/11 01:23:52 | 000,288,654 | ---- | C] ( ) -- C:\Documents and Settings\Joe Collier\Desktop\SafeBootKeyRepair.exe
[2010/08/10 23:39:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\OKC agility trial aug 2010 info
[2010/08/09 19:19:13 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/08/09 18:27:17 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/08/08 23:11:29 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Joe Collier\Desktop\OTL.exe
[2010/08/08 07:50:49 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/08/07 10:09:12 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/08/07 10:09:12 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/08/07 10:09:12 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/08/07 10:08:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/08/07 10:07:35 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/08/05 21:48:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\Bleeping computer forum docs
[2010/08/05 17:02:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\bc Logs
[2010/08/05 00:26:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/08/05 00:26:04 | 000,423,656 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/08/05 00:26:04 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/08/05 00:26:04 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/08/05 00:26:04 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/08/04 06:58:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\gmer
[2010/08/04 05:23:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\Vundo trojan help info
[2010/08/03 14:15:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\New PC info
[2010/08/03 03:59:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Application Data\Malwarebytes
[2010/08/01 20:35:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\My Documents\Corel User Files
[2010/08/01 02:26:27 | 000,021,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\hidserv.dll
[2010/08/01 02:21:53 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/08/01 02:21:48 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/08/01 02:21:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/08/01 02:21:47 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/08/01 02:16:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\hijackThis
[2010/08/01 01:32:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\avast_free
[2010/08/01 01:15:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\MBAM
[2010/08/01 00:25:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\SClean
[2010/07/21 16:08:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\2010 PSVC hunt test
[2010/07/21 09:47:35 | 000,000,000 | ---D | C] -- C:\Program Files\Western Digital Corporation
[2010/07/21 09:24:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\Western Digital diagnostic
[2010/07/21 09:22:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\My Documents\Downloads
[2010/07/19 18:48:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\IE 8 app error
[2010/07/16 01:41:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe Collier\Desktop\Dennis Vector Calc
[2003/01/07 20:39:19 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\A3d.dll

========== Files - Modified Within 30 Days ==========

[2010/08/12 02:36:36 | 000,000,892 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/08/12 02:34:58 | 000,000,430 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.ics
[2010/08/12 02:34:31 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/12 02:34:27 | 535,871,488 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/12 02:34:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2010/08/12 02:33:31 | 016,777,216 | -H-- | M] () -- C:\Documents and Settings\Joe Collier\NTUSER.DAT
[2010/08/12 02:33:25 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Joe Collier\NTUSER.INI
[2010/08/12 02:29:00 | 000,092,578 | ---- | M] () -- C:\Documents and Settings\Joe Collier\Desktop\OTL_runfix.jpg
[2010/08/12 02:13:00 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/08/11 01:23:59 | 000,288,654 | ---- | M] ( ) -- C:\Documents and Settings\Joe Collier\Desktop\SafeBootKeyRepair.exe
[2010/08/10 02:29:27 | 000,086,016 | ---- | M] () -- C:\Documents and Settings\Joe Collier\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/09 18:45:52 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/09 18:45:26 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts
[2010/08/08 23:11:37 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe Collier\Desktop\OTL.exe
[2010/08/08 07:50:58 | 000,000,281 | RHS- | M] () -- C:\BOOT.INI
[2010/08/08 04:27:08 | 000,485,896 | ---- | M] () -- C:\Documents and Settings\Joe Collier\Desktop\HAMeb_check.exe
[2010/08/08 04:26:16 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Joe Collier\Desktop\MBRCheck.exe
[2010/08/07 09:14:27 | 000,000,716 | ---- | M] () -- C:\WINDOWS\OPLIMIT.INI
[2010/08/07 01:29:42 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/08/06 18:37:13 | 003,816,456 | R--- | M] () -- C:\Documents and Settings\Joe Collier\Desktop\etavaresCF.exe
[2010/08/04 06:49:59 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Joe Collier\Desktop\dds.scr
[2010/08/02 13:12:46 | 000,010,752 | ---- | M] () -- C:\WINDOWS\DCEBoot.exe
[2010/08/01 20:34:51 | 000,061,678 | ---- | M] () -- C:\Documents and Settings\Joe Collier\Application Data\PFP100JPR.{PB
[2010/08/01 20:34:51 | 000,012,358 | ---- | M] () -- C:\Documents and Settings\Joe Collier\Application Data\PFP100JCM.{PB
[2010/08/01 07:47:51 | 000,063,759 | ---- | M] () -- C:\Documents and Settings\Joe Collier\Desktop\report.pdf
[2010/08/01 07:25:45 | 003,717,202 | -H-- | M] () -- C:\Documents and Settings\Joe Collier\Local Settings\Application Data\IconCache.db
[2010/08/01 02:52:57 | 000,073,216 | -H-- | M] ($t@t!c_V()1D) -- C:\WINDOWS\System32\iifedc.dll
[2010/07/29 02:03:58 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2010/07/17 05:00:12 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/07/17 05:00:12 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/07/17 05:00:10 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/07/17 02:42:29 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/07/16 17:19:06 | 000,268,455 | ---- | M] () -- C:\Documents and Settings\Joe Collier\Desktop\Newsletter Summer 10.pdf

========== Files Created - No Company Name ==========

[2010/08/12 02:29:00 | 000,092,578 | ---- | C] () -- C:\Documents and Settings\Joe Collier\Desktop\OTL_runfix.jpg
[2010/08/09 19:56:28 | 535,871,488 | -HS- | C] () -- C:\hiberfil.sys
[2010/08/08 07:50:58 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/08/08 07:50:53 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/08/08 04:27:03 | 000,485,896 | ---- | C] () -- C:\Documents and Settings\Joe Collier\Desktop\HAMeb_check.exe
[2010/08/08 04:26:15 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Joe Collier\Desktop\MBRCheck.exe
[2010/08/07 10:09:12 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/08/07 10:09:12 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/08/07 10:09:12 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/08/07 10:09:12 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/08/07 10:09:12 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/08/06 18:37:13 | 003,816,456 | R--- | C] () -- C:\Documents and Settings\Joe Collier\Desktop\etavaresCF.exe
[2010/08/04 06:49:45 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Joe Collier\Desktop\dds.scr
[2010/08/02 09:11:07 | 000,010,752 | ---- | C] () -- C:\WINDOWS\DCEBoot.exe
[2010/08/01 20:34:51 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Joe Collier\Application Data\PFP100JPR.{PB
[2010/08/01 20:34:51 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Joe Collier\Application Data\PFP100JCM.{PB
[2010/08/01 07:47:51 | 000,063,759 | ---- | C] () -- C:\Documents and Settings\Joe Collier\Desktop\report.pdf
[2010/08/01 02:52:55 | 000,073,216 | -H-- | C] ($t@t!c_V()1D) -- C:\WINDOWS\System32\iifedc.dll
[2010/07/16 17:19:06 | 000,268,455 | ---- | C] () -- C:\Documents and Settings\Joe Collier\Desktop\Newsletter Summer 10.pdf
[2008/11/22 15:28:50 | 000,018,626 | ---- | C] () -- C:\WINDOWS\hplj1300.ini
[2008/11/10 02:49:31 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXPRMON.DLL
[2008/11/10 02:49:31 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\LXPMONUI.DLL
[2008/11/10 02:46:23 | 000,126,976 | R--- | C] () -- C:\WINDOWS\System32\lxbtsnls.dll
[2008/11/10 02:46:22 | 000,139,264 | R--- | C] () -- C:\WINDOWS\System32\lxbtcoin.dll
[2008/11/10 02:33:53 | 000,001,832 | R--- | C] () -- C:\WINDOWS\System32\lxbtprod.ini
[2008/11/10 02:33:17 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxbtvs.dll
[2008/11/10 02:33:14 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\lxbthwdf.dll
[2008/08/05 15:02:12 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/08/05 14:59:04 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/08/05 14:59:04 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/08/05 14:58:14 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/02/06 19:13:36 | 000,000,235 | ---- | C] () -- C:\WINDOWS\photopnt.INI
[2006/07/13 07:36:36 | 001,167,360 | ---- | C] () -- C:\WINDOWS\System32\acAuth.dll
[2005/05/11 02:05:11 | 000,003,296 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2004/02/11 03:10:47 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\IYVU9_32.DLL
[2004/02/07 22:09:58 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2004/01/09 04:58:22 | 000,000,115 | ---- | C] () -- C:\WINDOWS\ppdrv.ini
[2004/01/09 04:11:27 | 000,000,716 | ---- | C] () -- C:\WINDOWS\OPLIMIT.INI
[2004/01/09 04:10:51 | 000,000,602 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2004/01/09 04:03:22 | 000,000,189 | ---- | C] () -- C:\WINDOWS\KPCMS.INI
[2004/01/09 04:03:22 | 000,000,095 | ---- | C] () -- C:\WINDOWS\vista32.ini
[2004/01/09 04:03:22 | 000,000,036 | ---- | C] () -- C:\WINDOWS\umaxdrv.ini
[2004/01/09 04:03:17 | 000,047,616 | ---- | C] () -- C:\WINDOWS\ucmsp_32.dll
[2004/01/09 04:03:09 | 000,030,208 | ---- | C] () -- C:\WINDOWS\uxmail32.dll
[2004/01/09 04:03:08 | 000,150,560 | ---- | C] () -- C:\WINDOWS\vud32.dll
[2004/01/09 04:03:08 | 000,068,608 | ---- | C] () -- C:\WINDOWS\vufile32.dll
[2004/01/09 04:01:49 | 000,000,512 | ---- | C] () -- C:\WINDOWS\ALBUM.INI
[2004/01/09 04:01:49 | 000,000,103 | ---- | C] () -- C:\WINDOWS\PAEDIT.INI
[2004/01/09 04:01:10 | 000,001,764 | ---- | C] () -- C:\WINDOWS\IF40LE.INI
[2004/01/09 04:01:10 | 000,000,289 | ---- | C] () -- C:\WINDOWS\PEXPLORE.INI
[2004/01/09 04:00:37 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\pmsbfn32.dll
[2004/01/09 04:00:37 | 000,000,410 | ---- | C] () -- C:\WINDOWS\umxaddin.ini
[2003/10/06 15:16:00 | 000,027,136 | ---- | C] () -- C:\WINDOWS\System32\nvcod.dll
[2003/10/01 20:23:00 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/06/20 01:07:10 | 000,000,021 | ---- | C] () -- C:\WINDOWS\DVDSentry.ini
[2003/06/17 21:08:56 | 000,000,286 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2003/04/20 02:40:22 | 000,016,973 | ---- | C] () -- C:\WINDOWS\System32\ZWebAuth.dll
[2003/02/12 22:08:22 | 000,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2003/01/31 11:02:21 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2003/01/24 21:43:15 | 000,002,580 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2003/01/22 05:16:51 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2003/01/20 19:41:49 | 000,000,679 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2003/01/20 19:35:28 | 000,108,992 | ---- | C] () -- C:\WINDOWS\System32\SH34W32.DLL
[2003/01/20 19:35:28 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\IFORCE2.dll
[2003/01/17 09:47:12 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/01/07 20:50:38 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/01/07 20:42:07 | 000,000,052 | ---- | C] () -- C:\WINDOWS\intuprof.ini
[2003/01/07 20:42:06 | 000,000,626 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2003/01/07 20:39:41 | 000,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2003/01/07 20:39:20 | 000,039,936 | ---- | C] () -- C:\WINDOWS\System32\P16X.dll
[2003/01/07 20:39:20 | 000,002,092 | ---- | C] () -- C:\WINDOWS\System32\P16X.ini
[2003/01/07 20:39:20 | 000,000,026 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2003/01/07 20:39:19 | 000,006,175 | ---- | C] () -- C:\WINDOWS\MIXDEF.INI
[2003/01/07 20:39:19 | 000,005,917 | ---- | C] () -- C:\WINDOWS\SBMIXDEF.INI
[2003/01/07 20:39:19 | 000,000,064 | ---- | C] () -- C:\WINDOWS\P16x.ini
[2003/01/07 20:38:56 | 000,000,245 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2003/01/07 20:35:34 | 000,000,882 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/01/07 20:15:06 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2002/02/06 08:04:14 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\NMSInst.dll
[2002/01/21 14:17:18 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PROInst.dll
[2001/07/31 02:17:12 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
[1999/01/22 11:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
< End of report >


___________________

'ESETScan.txt' log file:
------------------------


C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\mouclass.sys.vir Win32/Olmarik.ZC trojan cleaned - quarantined
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0001469.sys Win32/Olmarik.ZC trojan cleaned - quarantined



#13 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:18 PM

Posted 12 August 2010 - 05:58 PM

Hello, JB_nw.

Hmmm...weird re: Adobe uninstall and the Java loop. Let me know if you need an alternate download site.

The ESET results were fine...only found what we had already taken care of.

Let's work on the 7B stop error you get in Safe Mode with Networking.

Please download and run this, then try to boot in safe mode with network.
SafeBootKeyRepair

I don't think this will work, but it's worth a shot. Next up is a hard drive diagnostic.


etavares

Edited by etavares, 12 August 2010 - 05:58 PM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#14 JB_nw

JB_nw
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:05:18 PM

Posted 13 August 2010 - 05:33 AM

Hello Etavares,

Results of the 'SafeBootKeyRepair.exe' program execution as specified in your previous post are described below.

_________
Download 'SafeBootKeyRepair.exe' and run it


Downloaded the 'SafeBootKeyRepair.exe' file to the desktop using the provided link.

Ran "SafeBootKeyRepair.exe"
A DOS-type window appeared and displayed the text 'Wait for program to complete' (approximate).

The 'SafeBootKeyRepair.exe' program ran for about 5 minutes or so and then a 'Blue Screen of Death' appeared.

===============
'A problem has been detected and Windows has been shut down to prevent damage to your computer.

IRQL_NOT_LESS_OR_EQUAL

If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:
Check to make sure any new hardware or software is properly installed.
If this is a new installation, ask your hardware or software manufacturer for any windows updates you might need.
If problems continue, disable or remove any newly installed hardware or software.
Disable BIOS memory options such as caching or shadowing.
If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical information:
*** STOP: 0x0000000A (0x0A08000D, 0x00000002, 0x00000000, 0x804ED312)

Beginning dump of physical memory. Physical memory dump complete.
Contact your system administrator or technical support group for further assistance.

==============

After a reboot using 'Normal' boot mode, a 'Microsoft Windows' window appeared.
" The system has recovered from a serious error."
" A log of this error has been created. Please tell Microsoft about this problem. We have created an error report that you can send..."

I looked at the error signature:
BCCode: 1000000a BCP1: 0A08000D BCP2: 00000002 BCP3: 00000000 BCP4: 804ED312
OSVer: 5_1_2600 SP: 3_0 Product: 768_1

After sending the report to Microsoft, the IE 8 browser opened and displayed this page:
http://wer.microsoft.com/responses/Respons...64-9eff2210347a

The web page was titled: "Microsoft Windows Error Reporting"
At the top of the page: "Troubleshoot a problem with a device driver"
'You received this message because a device driver installed on your computer caused Windows to stop unexpectedly. This type of error is referred to as a "stop error." A stop error requires you to restart your computer.' This was followed by information about troubleshooting the issue.


_________
Open Registry Editor to look at Safeboot Keys


Opened the Registry Editor: START -> RUN : regedit

Looked at the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\control\safeboot\Minimal

Before running 'SafeBootKeyRepair.exe' there were 31 folders listed under the 'Minimal' folder.
After running 'SafeBootKeyRepair.exe' there were 11 additional folders listed under the 'Minimal' folder (for a total of 42).

Also looked at the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\control\safeboot\Network

Before running 'SafeBootKeyRepair.exe' there were ZERO folders listed under the 'Network' folder.
After running 'SafeBootKeyRepair.exe' there were 80 new folders listed under the 'Network' folder.


_________
Reboot into Safe Modes


Closed all open windows and rebooted PC.
Pressed F8 and selected "Safe Mode with Networking"

Desktop appeared and everything now seems to be working in 'Safe Mode with Networking'.
Opened an IE8 browser window and visited a couple of websites with no problems.
[ 'SafeBootKeyRepair' appears to have worked despite some doubts ]

Again closed all open windows and rebooted PC.
Pressed F8 and selected "Safe Mode"

Desktop appeared and everything still seems to be working in basic 'Safe Mode'.


--------------------------------------------
Current PC Symptoms / Status:


Changed from last post.
Can 'apparently' now boot into "Safe mode with networking".

Have not detected any other problems with Win XP OS or any applications.

++++++++++
Attachments: - none

_________________________________

No log files listed:
------------------------
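The registry inspection described in the post above (counting the subkeys under SafeBoot\Minimal and SafeBoot\Network before and after the repair) can be done from a script instead of by hand in regedit. The following PowerShell is an added example written for this page; it is not a tool from the thread, from BleepingComputer or from the SafeBootKeyRepair author. It assumes a standard Windows registry layout and an elevated PowerShell prompt, and it is read-only. Windows only loads the drivers and services listed under these keys when booting into Safe Mode, so an empty Network key (the state the poster found before the repair) means "Safe Mode with Networking" has nothing to load. The counts the poster reports (31 to 42 under Minimal, 0 to 80 under Network) are specific to that machine; the script therefore only flags a missing or empty profile and leaves the comparison of subkey names against a known-good machine of the same Windows version and service pack to the reader.

```powershell
# Added example, not part of the thread: report how many subkeys each SafeBoot profile
# has, which is what the poster counted by hand in regedit before and after the repair.
# Assumptions: a standard Windows registry layout and an elevated PowerShell prompt.
# The script is read-only; it never writes to the registry.
$SafeBootBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

function Get-SafeBootKeyCount {
    param([Parameter(Mandatory = $true)][string]$Mode)   # 'Minimal' or 'Network'
    $path = Join-Path $SafeBootBase $Mode
    if (-not (Test-Path -Path $path)) { return -1 }       # profile key missing entirely
    # Wrap in @() so a single subkey still yields a Count of 1 on older PowerShell versions
    return @(Get-ChildItem -Path $path -ErrorAction Stop).Count
}

function Test-SafeBootProfiles {
    # Returns a hashtable of mode -> subkey count; warnings go to the warning stream
    $results = @{}
    foreach ($mode in 'Minimal', 'Network') {
        $count = Get-SafeBootKeyCount -Mode $mode
        $results[$mode] = $count
        if ($count -eq -1) {
            Write-Warning "SafeBoot\$mode key is missing: that safe-mode option cannot load its drivers and services"
        }
        elseif ($count -eq 0) {
            Write-Warning "SafeBoot\$mode has no subkeys (the state the poster found under Network before the repair)"
        }
        else {
            Write-Host ("SafeBoot\{0}: {1} subkeys" -f $mode, $count)
        }
    }
    return $results
}

# Run the check, then list the Network subkey names so they can be compared
# against a known-good machine of the same Windows version and service pack.
$summary = Test-SafeBootProfiles
if ($summary['Network'] -gt 0) {
    Get-ChildItem -Path (Join-Path $SafeBootBase 'Network') |
        Select-Object -ExpandProperty PSChildName |
        Sort-Object
}
```

Save the block as a .ps1 file and run it before and after any repair so the two outputs can be diffed; because it only reads the registry, it is also safe to run on a clean reference machine to capture the expected subkey names.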


#15 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:18 PM

Posted 13 August 2010 - 02:53 PM

Hello, JB_nw.

Great! Ok, please post one final OTL Quick Scan log before we clean up. Everything appears to be good on your end, correct?

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 




