Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

hijack this log on marezer.com redirect infected computer


  • This topic is locked This topic is locked
10 replies to this topic

#1 Pasadena91

Pasadena91

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:29 AM

Posted 07 January 2011 - 06:24 AM

Hi, my brower is redirecting to marezer.com.

Here is my log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:22:36 AM, on 1/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BTMeter] C:\Program Files\Battery Meter\BTMeter.exe
O4 - HKLM\..\Run: [WLSS] C:\Program Files\Wireless Select Switch\WLSS.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10e.exe
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236292814711
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4880 bytes

BC AdBot (Login to Remove)

 


#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:07:29 AM

Posted 11 January 2011 - 09:30 PM

Hi -

A review of your HighjackThis log did not show any major problems so we will need to look deeper, but first some housekeeping details.

Please Track this topic - On the top right on this tread, click on the Option button, and, in the drop-down list, click on 'Track this topic'. Under Subscription Information, click on 'Immediate Email Notification' and then click on the Proceed button at the bottom.

Do Not make any changes on your own to the infected computer.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Now, let's look more thoroughly at the infected computer -

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a log from the GMER anti-rootkit scanner, but, first, we need to disable your CD Emulation drivers.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Next, please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Once you have the above logs, click on the Add Reply button below, copy in the DDS log, and include the Attach.txt and the GMER log as attachments. Also include any comments that you might have concerning the infection(s) and the infected computer.
Shannon

#3 Pasadena91

Pasadena91
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:29 AM

Posted 12 January 2011 - 07:51 PM

Below and attached, x2.



DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
Run by Administrator at 8:10:22.48 on Wed 01/12/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.589 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [BTMeter] c:\program files\battery meter\BTMeter.exe
mRun: [WLSS] c:\program files\wireless select switch\WLSS.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236292814711
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\p8qwkm8k.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {E524E616-A5CF-449F-89FA-9A99364C33CC} - c:\documents and settings\jsmith\local settings\application data\{E524E616-A5CF-449F-89FA-9A99364C33CC}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

S1 MpKsld50e8163;MpKsld50e8163;\??\c:\windows\system32\mpenginestore\mpksld50e8163.sys --> c:\windows\system32\mpenginestore\MpKsld50e8163.sys [?]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\superantispyware\sabkutil.sys --> c:\program files\superantispyware\SABKUTIL.sys [?]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [2009-3-25 25728]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-2-26 93968]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 OA004Afx;Provides a software interface to control audio effects of OA004 camera.;c:\windows\system32\drivers\OA004Afx.sys [2009-2-26 148056]
S3 OA004Ufd;Creative Camera OA004 Upper Filter Driver;c:\windows\system32\drivers\OA004Ufd.sys [2009-2-26 144672]
S3 OA004Vid;Creative Camera OA004 Function Driver;c:\windows\system32\drivers\OA004Vid.sys [2009-2-26 269760]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2009-3-25 9472]

=============== Created Last 30 ================

2011-01-08 15:47:53 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Adobe
2011-01-08 04:20:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-01-06 12:06:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2011-01-06 11:21:11 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2010-12-23 03:57:58 -------- d-----w- c:\program files\Windows Resource Kits
2010-12-18 22:33:54 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-18 22:33:14 45568 -c----w- c:\windows\system32\dllcache\wab.exe

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:27:10 1862272 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 8:11:11.57 ===============

Attached Files


Edited by Pasadena91, 12 January 2011 - 07:54 PM.


#4 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:07:29 AM

Posted 13 January 2011 - 09:36 AM

Hi-

Thanks for the logs. Need to check on a file and do another scan.

Before we start, please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows


Please click this link-->Jotti
When the Jotti page has finished loading, click Jotti's Browse button and navigate to the following file and click the Submit file button within Jotti.

c:\windows\system32\mpenginestore\mpksld50e8163.sys

If Jotti reports that the file has been scanned before and gives you those results, click on the Scan Again button.
Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Next, we need to create an OTL Report
  • Please download OTL from here:
  • Main Mirror
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Push the Posted Image button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
In your reply, please copy in the two OTL reports and let me know about the Jotti upload results.

Thanks.
Shannon

#5 Pasadena91

Pasadena91
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:29 AM

Posted 13 January 2011 - 09:18 PM

Hi,

The mpksld50e8163.sys file was not present in the folder. Confirmed system is setup to display all files. Searched the computer for the file and there were not matches in any other locations.



Extras.txt:

OTL Extras logfile created on: 1/13/2011 9:10:42 PM - Run 2
OTL by OldTimer - Version 3.2.20.2 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 777.00 Mb Available Physical Memory | 77.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 300 300 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 7.08 Gb Total Space | 0.64 Gb Free Space | 8.98% Space Free | Partition Type: NTFS

Computer Name: DELLMINI | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5353:UDP" = 5353:UDP:LocalSubNet:Enabled:mDNS-SD/Bonjour
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\burst\core-new1.1.3\btdownloadheadless.exe" = C:\Program Files\burst\core-new1.1.3\btdownloadheadless.exe:*:Enabled:burst! download engine -- ()
"C:\Program Files\Nero\Nero8\Nero Home\NeroHome.exe" = C:\Program Files\Nero\Nero8\Nero Home\NeroHome.exe:*:Enabled:Nero Home
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Steam\Steam.exe" = C:\Program Files\Steam\Steam.exe:*:Enabled:Steam
"C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe" = C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe:*:Enabled:Crawler Spyware Terminator
"C:\Documents and Settings\jsmith\Local Settings\temp\usmt\migwiz.exe" = C:\Documents and Settings\jsmith\Local Settings\temp\usmt\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{065A7AFE-195D-4DFB-A4B2-A83842C0F79F}" = Wireless Select Switch
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java™ 6 Update 18
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{543A4F31-9590-416A-A621-42CEB4C6A694}" = Battery Meter
"{5590F460-8720-4003-804C-B59CF42472EE}" = PsluscinRic
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.1
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D3EE034D-5B92-4A55-AA02-2E6D0A6A96EE}" = Windows Resource Kit Tools - SubInAcl.exe
"{EE55714B-B67C-4D08-97AE-0CF4AC5A3A77}" = StuffIt Expander 2010
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FC8D21C8-7B29-4104-ADB0-FEE9CA1C7922}" = Folder Size for Windows
"{FEF06E73-A519-4510-8CF3-B66041B91D8A}" = EMSC
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Creative OA004" = Integrated Webcam Driver (1.00.03.0720)
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DVD Shrink_is1" = DVD Shrink 3.2
"Free DVD Decrypter_is1" = Free DVD Decrypter version 1.4
"Hattrick Organizer" = Hattrick Organizer (remove only)
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{065A7AFE-195D-4DFB-A4B2-A83842C0F79F}" = Wireless Select Switch
"InstallShield_{543A4F31-9590-416A-A621-42CEB4C6A694}" = Battery Meter
"KLiteCodecPack_is1" = K-Lite Codec Pack 5.7.0 (Full)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"SynTPDeinstKey" = Dell Touchpad
"VLC media player" = VLC media player 1.0.5
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Messenger" = Yahoo! Messenger

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/23/2010 3:17:29 AM | Computer Name = DELLMINI | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.3855, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x0000100b.

Error - 8/23/2010 3:19:04 PM | Computer Name = DELLMINI | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.3855, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x0000100b.

Error - 8/24/2010 9:25:30 PM | Computer Name = DELLMINI | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.3855, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x0000100b.

Error - 8/26/2010 7:07:05 PM | Computer Name = DELLMINI | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.3855, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x0000100b.

Error - 8/26/2010 11:12:36 PM | Computer Name = DELLMINI | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.3855, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x0000100b.

Error - 8/26/2010 11:12:41 PM | Computer Name = DELLMINI | Source = Application Error | ID = 1001
Description = Fault bucket 1967498370.

Error - 8/26/2010 11:12:43 PM | Computer Name = DELLMINI | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.3855, faulting
module xul.dll, version 1.9.2.3855, fault address 0x00771953.

Error - 8/26/2010 11:12:50 PM | Computer Name = DELLMINI | Source = Application Error | ID = 1001
Description = Fault bucket 1967755004.

Error - 8/26/2010 11:12:55 PM | Computer Name = DELLMINI | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module pctbdcore.dll, version 2.0.6.11, fault address 0x0002696b.

Error - 8/26/2010 11:12:57 PM | Computer Name = DELLMINI | Source = Application Error | ID = 1001
Description = Fault bucket 1701684072.

[ System Events ]
Error - 1/12/2011 9:09:41 AM | Computer Name = DELLMINI | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 1/12/2011 9:14:03 AM | Computer Name = DELLMINI | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 1/12/2011 8:49:13 PM | Computer Name = DELLMINI | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 1/13/2011 9:58:45 PM | Computer Name = DELLMINI | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 1/13/2011 10:02:08 PM | Computer Name = DELLMINI | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 1/13/2011 10:03:36 PM | Computer Name = DELLMINI | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 1/13/2011 10:04:52 PM | Computer Name = DELLMINI | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Fips intelppm SASDIFSV SASKUTIL

Error - 1/13/2011 10:05:02 PM | Computer Name = DELLMINI | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 1/13/2011 10:05:28 PM | Computer Name = DELLMINI | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 1/13/2011 10:05:35 PM | Computer Name = DELLMINI | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}


< End of report >






OTL.txt:

OTL logfile created on: 1/13/2011 9:10:42 PM - Run 2
OTL by OldTimer - Version 3.2.20.2 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 777.00 Mb Available Physical Memory | 77.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 300 300 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 7.08 Gb Total Space | 0.64 Gb Free Space | 8.98% Space Free | Partition Type: NTFS

Computer Name: DELLMINI | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/01/13 21:09:08 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/01/13 21:09:08 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2007/11/14 21:46:00 | 000,131,072 | -H-- | M] (Brio) [Auto | Stopped] -- C:\Program Files\FolderSize\FolderSizeSvc.exe -- (FolderSize)


========== Driver Services (SafeList) ==========

DRV - [2010/05/10 13:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/03/08 09:41:48 | 000,220,112 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2010/02/17 13:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Stopped] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2008/10/20 01:00:06 | 000,025,728 | ---- | M] (Google Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\androidusb.sys -- (androidusb)
DRV - [2008/10/14 22:48:38 | 001,287,552 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2008/10/14 22:38:10 | 000,047,272 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2008/07/22 16:11:46 | 000,269,760 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\OA004Vid.sys -- (OA004Vid)
DRV - [2008/07/22 16:11:46 | 000,144,672 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\OA004Ufd.sys -- (OA004Ufd)
DRV - [2008/07/22 16:11:44 | 000,148,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\OA004Afx.sys -- (OA004Afx)
DRV - [2008/07/13 22:02:12 | 000,225,664 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2008/07/13 19:52:08 | 005,854,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2008/07/13 19:02:52 | 000,093,968 | ---- | M] (JMicron Technology Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\jmcr.sys -- (JMCR)
DRV - [2008/07/13 18:59:14 | 004,745,216 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/04/14 07:06:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/14 07:06:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/14 07:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2006/09/28 17:32:14 | 000,009,472 | ---- | M] (June Fabrics Technology) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pnetmdm.sys -- (pnetmdm)
DRV - [2001/08/17 21:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 21:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 21:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 21:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 21:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 20:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 20:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 20:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 20:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 20:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 20:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 20:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 20:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 20:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 20:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-260822909-224784467-3647513360-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-260822909-224784467-3647513360-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {E524E616-A5CF-449F-89FA-9A99364C33CC}:1.9.1

FF - HKLM\software\mozilla\Firefox\extensions\\{E524E616-A5CF-449F-89FA-9A99364C33CC}: C:\Documents and Settings\jsmith\Local Settings\Application Data\{E524E616-A5CF-449F-89FA-9A99364C33CC} [2010/07/05 11:07:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/03 05:58:18 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/22 23:09:05 | 000,000,000 | -H-D | M]

[2010/07/06 21:57:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2011/01/07 21:09:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\p8qwkm8k.default\extensions
[2011/01/07 21:09:09 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\p8qwkm8k.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/01/03 07:41:18 | 000,000,000 | -H-D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/05 11:07:49 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\jsmith\LOCAL SETTINGS\APPLICATION DATA\{E524E616-A5CF-449F-89FA-9A99364C33CC}
[2010/02/06 19:57:31 | 000,000,000 | -H-D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF

O1 HOSTS File: ([2010/01/20 20:08:27 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O4 - HKLM..\Run: [BTMeter] C:\Program Files\Battery Meter\BTMeter.exe (Dell)
O4 - HKLM..\Run: [WLSS] C:\Program Files\Wireless Select Switch\WLSS.exe (Dell)
O4 - HKU\S-1-5-21-260822909-224784467-3647513360-500..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKU\S-1-5-21-260822909-224784467-3647513360-500..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10e.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236292814711 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\avgrsstarter: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\klogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 20:45:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/01/08 10:47:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe
[2011/01/08 06:30:56 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/01/07 23:20:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
[2011/01/07 23:20:21 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2011/01/06 07:06:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2011/01/06 06:21:11 | 000,000,000 | ---D | C] -- C:\Program Files\GridinSoft Trojan Killer
[2010/12/22 23:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2010/12/22 23:05:03 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/12/22 22:57:58 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Resource Kits
[2010/12/18 17:33:54 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
[2010/12/18 17:33:14 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/01/13 21:09:08 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/01/13 21:07:08 | 000,443,356 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/01/13 21:07:08 | 000,072,646 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/01/13 21:03:01 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/01/13 07:48:08 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/01/12 08:17:39 | 000,296,448 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\r3m4uoqg.exe
[2011/01/12 08:16:07 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2011/01/12 08:15:39 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Defogger.exe
[2011/01/12 08:14:05 | 000,003,585 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Attach.zip
[2011/01/07 23:20:34 | 000,001,680 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/12/18 17:44:53 | 000,166,712 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/12/18 17:43:13 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/01/12 08:17:36 | 000,296,448 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\r3m4uoqg.exe
[2011/01/12 08:16:07 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2011/01/12 08:15:39 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Defogger.exe
[2011/01/12 08:14:05 | 000,003,585 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Attach.zip
[2011/01/07 23:20:34 | 000,001,680 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/01/07 08:15:12 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/07 07:17:47 | 000,000,088 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/05/12 20:07:36 | 000,000,172 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/08 15:38:51 | 000,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll
[2010/05/08 15:38:51 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\UNRAR3.dll
[2010/05/08 15:38:51 | 000,077,312 | ---- | C] () -- C:\WINDOWS\System32\ztvunace26.dll
[2010/05/08 15:38:51 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2010/02/14 07:20:54 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2010/02/14 07:20:52 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2010/02/10 21:34:24 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/03/03 12:18:04 | 000,080,416 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2009/02/26 21:58:16 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2009/02/26 21:55:48 | 000,001,154 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2009/02/26 20:57:29 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/02/26 20:35:40 | 000,266,240 | ---- | C] () -- C:\WINDOWS\System32\EMSC.DLL
[2008/04/25 20:42:57 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2008/04/25 08:39:19 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8

< End of report >

#6 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:07:29 AM

Posted 14 January 2011 - 09:31 AM

Hi-

Could you rerun OTL in Normal mode instead of Safe mode? Note - you will only get one report.

Need to try to send another file to Jotti.

Please click this link-->Jotti
When the Jotti page has finished loading, click Jotti's Browse button and navigate to the following file and click the Submit file button within Jotti.

C:\Config.Msi

If Jotti reports that the file has been scanned before and gives you those results, click on the Scan Again button.
Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

In your reply, please copy in the OTL report and let me know about Jotti.

Thanks.

Edited by Shannon2012, 14 January 2011 - 09:56 AM.

Shannon

#7 Pasadena91

Pasadena91
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:29 AM

Posted 15 January 2011 - 07:50 AM

Hi, thank you.

On my machine, this is an empty folder rather than a file. So I could not submit it to Jotti.
C:\Config.Msi

OTL logfile created on: 1/15/2011 7:43:19 AM - Run 1
OTL by OldTimer - Version 3.2.20.2 Folder = C:\Documents and Settings\jsmith\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 612.00 Mb Available Physical Memory | 60.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 300 300 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 7.08 Gb Total Space | 0.60 Gb Free Space | 8.45% Space Free | Partition Type: NTFS

Computer Name: DELLMINI | User Name: jsmith | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/01/15 07:42:35 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jsmith\Desktop\OTL.exe
PRC - [2010/01/11 15:21:52 | 000,490,216 | -H-- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2008/07/11 15:15:32 | 000,492,840 | -H-- | M] (Dell) -- C:\Program Files\Wireless Select Switch\WLSS.exe
PRC - [2008/07/11 12:15:46 | 000,537,896 | -H-- | M] (Dell) -- C:\Program Files\Battery Meter\BTMeter.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/11/14 21:46:00 | 000,131,072 | -H-- | M] (Brio) -- C:\Program Files\FolderSize\FolderSizeSvc.exe


========== Modules (SafeList) ==========

MOD - [2011/01/15 07:42:35 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jsmith\Desktop\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2007/11/14 21:46:00 | 000,131,072 | -H-- | M] (Brio) [Auto | Running] -- C:\Program Files\FolderSize\FolderSizeSvc.exe -- (FolderSize)


========== Driver Services (SafeList) ==========

DRV - [2010/03/08 09:41:48 | 000,220,112 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2008/10/20 01:00:06 | 000,025,728 | ---- | M] (Google Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\androidusb.sys -- (androidusb)
DRV - [2008/10/14 22:48:38 | 001,287,552 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2008/10/14 22:38:10 | 000,047,272 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2008/07/22 16:11:46 | 000,269,760 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OA004Vid.sys -- (OA004Vid)
DRV - [2008/07/22 16:11:46 | 000,144,672 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OA004Ufd.sys -- (OA004Ufd)
DRV - [2008/07/22 16:11:44 | 000,148,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OA004Afx.sys -- (OA004Afx)
DRV - [2008/07/13 22:02:12 | 000,225,664 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2008/07/13 19:52:08 | 005,854,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2008/07/13 19:02:52 | 000,093,968 | ---- | M] (JMicron Technology Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\jmcr.sys -- (JMCR)
DRV - [2008/07/13 18:59:14 | 004,745,216 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/04/14 07:06:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/14 07:06:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/14 07:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2006/09/28 17:32:14 | 000,009,472 | ---- | M] (June Fabrics Technology) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pnetmdm.sys -- (pnetmdm)
DRV - [2001/08/17 21:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 21:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 21:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 21:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 21:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 20:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 20:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 20:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 20:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 20:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 20:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 20:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 20:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 20:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 20:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-260822909-224784467-3647513360-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-260822909-224784467-3647513360-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.3
FF - prefs.js..extensions.enabledItems: {9d1f059c-cada-4111-9696-41a62d64e3ba}:0.5.3.4
FF - prefs.js..extensions.enabledItems: htAddon@hat-com.com:2.5.3.4
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: okim@okcupid.com:1.2.2
FF - prefs.js..extensions.enabledItems: {7E77F5DF-8022-40e3-9122-F03DEBEFC43B}:1.0.25
FF - prefs.js..extensions.enabledItems: {E524E616-A5CF-449F-89FA-9A99364C33CC}:1.9.1
FF - prefs.js..extensions.foxtrick.prefs.module.YouthSkillHideUnknown.HideMaximalKeyWord.enabled: false

FF - HKLM\software\mozilla\Firefox\extensions\\{E524E616-A5CF-449F-89FA-9A99364C33CC}: C:\Documents and Settings\jsmith\Local Settings\Application Data\{E524E616-A5CF-449F-89FA-9A99364C33CC} [2010/07/05 11:07:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/03 05:58:18 | 000,000,000 | -H-D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/22 23:09:05 | 000,000,000 | -H-D | M]

[2009/03/17 20:45:19 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\jsmith\Application Data\Mozilla\Extensions
[2011/01/03 07:41:18 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\jsmith\Application Data\Mozilla\Firefox\Profiles\db8lhqfq.default\extensions
[2010/12/12 22:18:16 | 000,000,000 | ---D | M] (PsicoTSI) -- C:\Documents and Settings\jsmith\Application Data\Mozilla\Firefox\Profiles\db8lhqfq.default\extensions\{7E77F5DF-8022-40e3-9122-F03DEBEFC43B}
[2010/12/23 16:03:23 | 000,000,000 | ---D | M] ("FoxTrick") -- C:\Documents and Settings\jsmith\Application Data\Mozilla\Firefox\Profiles\db8lhqfq.default\extensions\{9d1f059c-cada-4111-9696-41a62d64e3ba}
[2010/12/23 16:03:20 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\jsmith\Application Data\Mozilla\Firefox\Profiles\db8lhqfq.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/07/23 23:20:17 | 000,000,000 | ---D | M] (HatCom Addon) -- C:\Documents and Settings\jsmith\Application Data\Mozilla\Firefox\Profiles\db8lhqfq.default\extensions\htAddon@hat-com.com
[2010/03/13 21:05:57 | 000,000,000 | ---D | M] ("OkCupid Toolbar") -- C:\Documents and Settings\jsmith\Application Data\Mozilla\Firefox\Profiles\db8lhqfq.default\extensions\okim@okcupid.com
[2011/01/03 07:41:18 | 000,000,000 | -H-D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/05 11:07:49 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\jsmith\LOCAL SETTINGS\APPLICATION DATA\{E524E616-A5CF-449F-89FA-9A99364C33CC}
[2010/02/06 19:57:31 | 000,000,000 | -H-D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF

O1 HOSTS File: ([2010/01/20 20:08:27 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKU\S-1-5-21-260822909-224784467-3647513360-1006\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O4 - HKLM..\Run: [BTMeter] C:\Program Files\Battery Meter\BTMeter.exe (Dell)
O4 - HKLM..\Run: [WLSS] C:\Program Files\Wireless Select Switch\WLSS.exe (Dell)
O4 - HKU\S-1-5-21-260822909-224784467-3647513360-1006..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] File not found
O4 - HKU\S-1-5-21-260822909-224784467-3647513360-1006..\Run: [msnmsgr] File not found
O4 - HKLM..\RunServices: [UpdateSUPERAntiSpyware] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-260822909-224784467-3647513360-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-260822909-224784467-3647513360-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236292814711 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\klogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\Documents and Settings\jsmith\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\jsmith\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 20:45:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-260822909-224784467-3647513360-1006\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2011/01/15 07:42:26 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\jsmith\Desktop\OTL.exe
[2011/01/07 23:20:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
[2011/01/07 23:20:21 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2011/01/06 07:06:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2011/01/06 06:21:11 | 000,000,000 | ---D | C] -- C:\Program Files\GridinSoft Trojan Killer
[2011/01/01 19:25:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jsmith\Desktop\hrf
[2011/01/01 19:19:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jsmith\Desktop\old_desktop
[2011/01/01 19:08:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jsmith\Desktop\bookmarks
[2010/12/22 23:43:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2010/12/22 23:05:03 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/12/22 22:57:58 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Resource Kits
[2010/12/18 17:33:54 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
[2010/12/18 17:33:14 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/01/15 07:42:35 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jsmith\Desktop\OTL.exe
[2011/01/15 07:30:53 | 000,443,944 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/01/15 07:30:53 | 000,073,068 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/01/15 07:26:31 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/01/15 07:26:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/01/14 05:30:14 | 000,015,464 | ---- | M] () -- C:\Documents and Settings\jsmith\My Documents\2011-01-14.hrf
[2011/01/14 05:28:56 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/01/09 10:34:13 | 000,015,435 | ---- | M] () -- C:\Documents and Settings\jsmith\My Documents\2011-01-09.hrf
[2011/01/07 23:20:34 | 000,001,680 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/01/05 22:02:43 | 000,016,835 | ---- | M] () -- C:\Documents and Settings\jsmith\My Documents\2011-01-05.hrf
[2011/01/03 00:20:05 | 000,016,865 | ---- | M] () -- C:\Documents and Settings\jsmith\My Documents\2011-01-03.hrf
[2011/01/02 10:46:59 | 000,016,352 | ---- | M] () -- C:\Documents and Settings\jsmith\My Documents\2011-01-02.hrf
[2010/12/22 23:43:24 | 000,000,953 | ---- | M] () -- C:\Documents and Settings\jsmith\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/12/18 17:44:53 | 000,166,712 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/12/18 17:43:13 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/01/14 05:30:14 | 000,015,464 | ---- | C] () -- C:\Documents and Settings\jsmith\My Documents\2011-01-14.hrf
[2011/01/09 10:34:13 | 000,015,435 | ---- | C] () -- C:\Documents and Settings\jsmith\My Documents\2011-01-09.hrf
[2011/01/07 23:20:34 | 000,001,680 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/01/07 08:15:12 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/01/05 22:02:43 | 000,016,835 | ---- | C] () -- C:\Documents and Settings\jsmith\My Documents\2011-01-05.hrf
[2011/01/03 00:20:05 | 000,016,865 | ---- | C] () -- C:\Documents and Settings\jsmith\My Documents\2011-01-03.hrf
[2011/01/02 10:46:59 | 000,016,352 | ---- | C] () -- C:\Documents and Settings\jsmith\My Documents\2011-01-02.hrf
[2010/12/22 23:43:24 | 000,000,953 | ---- | C] () -- C:\Documents and Settings\jsmith\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/12/22 22:44:21 | 000,088,772 | ---- | C] () -- C:\Documents and Settings\jsmith\Local Settings\Application Data\FASTWiz.log
[2010/07/07 07:17:47 | 000,000,088 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/05/12 20:07:36 | 000,000,172 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/08 15:38:51 | 000,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll
[2010/05/08 15:38:51 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\UNRAR3.dll
[2010/05/08 15:38:51 | 000,077,312 | ---- | C] () -- C:\WINDOWS\System32\ztvunace26.dll
[2010/05/08 15:38:51 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2010/02/14 07:20:54 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2010/02/14 07:20:52 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2010/02/10 21:34:24 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/02/10 21:24:43 | 000,000,050 | ---- | C] () -- C:\Documents and Settings\jsmith\Application Data\default.pls
[2009/10/03 09:59:59 | 000,027,136 | ---- | C] () -- C:\Documents and Settings\jsmith\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/14 22:00:31 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\jsmith\Application Data\wklnhst.dat
[2009/03/03 12:18:04 | 000,080,416 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2009/02/26 21:58:16 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2009/02/26 21:55:48 | 000,001,154 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2009/02/26 20:57:29 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/02/26 20:35:40 | 000,266,240 | ---- | C] () -- C:\WINDOWS\System32\EMSC.DLL
[2008/04/25 20:42:57 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2008/04/25 08:39:19 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8

< End of report >

Edited by Pasadena91, 15 January 2011 - 07:51 AM.


#8 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:07:29 AM

Posted 15 January 2011 - 11:47 AM

Hi-

Thanks for the new OTL log. I missed seeing that the "file" was a folder.

It is time to clean up a few things.

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy

Next, we need to run an OTL Fix.
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.
:otl
FF - HKLM\software\mozilla\Firefox\extensions\\{E524E616-A5CF-449F-89FA-9A99364C33CC}: C:\Documents and Settings\jsmith\Local Settings\Application Data\{E524E616-A5CF-449F-89FA-9A99364C33CC} [2010/07/05 11:07:49 | 000,000,000 | ---D | M]
[2010/07/05 11:07:49 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\jsmith\LOCAL SETTINGS\APPLICATION DATA\{E524E616-A5CF-449F-89FA-9A99364C33CC}
O3 - HKU\S-1-5-21-260822909-224784467-3647513360-1006\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O4 - HKU\S-1-5-21-260822909-224784467-3647513360-1006..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] File not found
O4 - HKU\S-1-5-21-260822909-224784467-3647513360-1006..\Run: [msnmsgr] File not found
O4 - HKLM..\RunServices: [UpdateSUPERAntiSpyware] File not found
O20 - Winlogon\Notify\avgrsstarter: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\klogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - Reg Error: Key error. File not found
O37 - HKU\S-1-5-21-260822909-224784467-3647513360-1006\...exe [@ = exefile] -- Reg Error: Key error. File not found?
:commands
[emptytemp]
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.
  • If you have to reboot, once back up, open the C:\_OTL\MovedFiles folder and copy the newest log into your next reply.

Your Java runtimes are out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version here - Java Runtime Environment (JRE) Version 6
  • Scroll down to where it says "JDK 6 Update 23 (JRE) ...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u23-windows-i586.exe to install the newest version.
In your reply, please copy in the OTL Fix report and let me know how your computer is doing.
Shannon

#9 Pasadena91

Pasadena91
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:06:29 AM

Posted 18 January 2011 - 02:58 AM

Java has been updated.


OTL log is below:
All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{E524E616-A5CF-449F-89FA-9A99364C33CC} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E524E616-A5CF-449F-89FA-9A99364C33CC}\ not found.
File C:\Documents and Settings\jsmith\Local Settings\Application Data\{E524E616-A5CF-449F-89FA-9A99364C33CC} not found.
Folder C:\DOCUMENTS AND SETTINGS\jsmith\LOCAL SETTINGS\APPLICATION DATA\{E524E616-A5CF-449F-89FA-9A99364C33CC}\ not found.
Registry value HKEY_USERS\S-1-5-21-260822909-224784467-3647513360-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{472734EA-242A-422B-ADF8-83D1E48CC825} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422B-ADF8-83D1E48CC825}\ not found.
Registry value HKEY_USERS\S-1-5-21-260822909-224784467-3647513360-1006\Software\Microsoft\Windows\CurrentVersion\Run\\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} not found.
Registry value HKEY_USERS\S-1-5-21-260822909-224784467-3647513360-1006\Software\Microsoft\Windows\CurrentVersion\Run\\msnmsgr not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\\UpdateSUPERAntiSpyware not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}\ not found.
Registry key HKEY_USERS\S-1-5-21-260822909-224784467-3647513360-1006_Classes\.exe\ not found.
Registry key HKEY_USERS\S-1-5-21-260822909-224784467-3647513360-1006_Classes\exefile\ not found.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: jsmith
->Temp folder emptied: 736946 bytes
->Temporary Internet Files folder emptied: 1678274 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 2.00 mb


OTL by OldTimer - Version 3.2.20.2 log created on 01182011_025357

Files\Folders moved on Reboot...
C:\Documents and Settings\jsmith\Local Settings\Temporary Internet Files\Content.IE5\PTU0G5GJ\page__p__2092864[1].htm moved successfully.

Registry entries deleted on Reboot...

#10 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:07:29 AM

Posted 18 January 2011 - 07:55 AM

Hi-

How is your computer doing? Do you still have the redirect problem?
Shannon

#11 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:07:29 AM

Posted 28 January 2011 - 12:28 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.
Shannon




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users