Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Smart Internet Protection 2011 Infection


  • This topic is locked This topic is locked
21 replies to this topic

#1 LarryDS

LarryDS

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Nevada-USA
  • Local time:03:55 AM

Posted 04 February 2011 - 08:12 PM

I am asking for help in determining if I have successfully removed all the infections on a computer. I started with a computer that definitely had Smart Internet Proctection 2011 among other infections. I removed it with the latest Malwarebytes in safe mode. I am sorry that I do not have a complete history of all the infections. I only started taking notes after realizing I was reinfected. At the time I started this process of making this help request the only sign of infection is the fact that XP Security Center reports that I am running two firewalls one of which is Smart Internet Proctection 2011 firewall. Currently Microsoft Essentials, Malwarebytes and IO Bit Security 360 complete scans ok.
After I started taking notes I found the following in Microsoft Essentials history:

Pup.Dealio
Roque:win32/FakeVimes
Trojan Downloader:HTML/Remos.R
Exploit:Java/CVF-2010-0840.AA

I also know there were at least two search engine redirects. Findgala.com and Lappili.com.

Again there were other infections that Malwarebytes removed but I failed to document them.
Again I would appreciate any and all help.



DDS (Ver_10-12-12.02) - NTFSx86
Run by Owner at 17:34:14.62 on Thu 02/03/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2199 [GMT -8:00]

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Smart Internet Protection 2011 *Enabled/Updated* {B1FFC698-C832-4176-81E5-535050FCBBF4}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: Smart Internet Protection 2011 *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Upromise\dca-ua.exe
C:\Program Files\Upromise\UpromiseTray.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Toolbar\Platform\6.3.2380.0\mswinext.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Upromise\UpromiseGlobalCache.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080229
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:25465
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: DCA BHO: {b49699fc-1665-4414-a1cb-c4a2a4a13eec} - c:\program files\upromise\dca-bho.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2380.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Upromise TurboSaver: {edc0f17f-f4b7-47e4-b73e-887faeb376fa} - c:\program files\upromise\upromisetoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Upromise TurboSaver: {06e58e5e-f8cb-4049-991e-a41c03bd419e} - c:\program files\upromise\upromisetoolbar.dll
TB: @c:\program files\msn toolbar\platform\6.3.2380.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.3.2380.0\npwinext.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [Upromise Update] c:\program files\upromise\dca-ua.exe
uRun: [Upromise Tray] c:\program files\upromise\UpromiseTray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [PMX Daemon] ICO.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe
mRun: [HPHmon04] c:\windows\system32\hphmon04.exe
mRun: [HPHUPD04] "c:\program files\hp photosmart 11\hphinstall\unipatch\hphupd04.exe"
mRun: [Picture Easy Download] c:\program files\kodak digital science\picture easy software\program\PezDownload.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
mRun: [Bing Bar] "c:\program files\msn toolbar\platform\6.3.2380.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {06E58E5E-F8CB-4049-991E-A41C03BD419E} - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - c:\program files\upromise\upromisetoolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
IFEO: image file execution options - svchost.exe

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl59348451;MpKsl59348451;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2c6bf0a0-2a81-4a4d-bd5b-5171a92f17ae}\MpKsl59348451.sys [2011-2-3 28752]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-3-12 600944]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-3-12 600944]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2011-2-3 312152]
S1 MpKsl29ce37d8;MpKsl29ce37d8;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{473ba8c4-6bff-4daf-8a8c-fa8ac293a68b}\mpksl29ce37d8.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{473ba8c4-6bff-4daf-8a8c-fa8ac293a68b}\MpKsl29ce37d8.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-1 135664]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-11 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2011-02-04 01:05:56 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{2c6bf0a0-2a81-4a4d-bd5b-5171a92f17ae}\MpKsl59348451.sys
2011-02-04 00:40:43 356352 ----a-w- c:\windows\system32\NVUNINST.EXE
2011-02-04 00:40:40 729088 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iKernel.dll
2011-02-04 00:40:40 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\ctor.dll
2011-02-04 00:40:40 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\DotNetInstaller.exe
2011-02-04 00:40:40 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iscript.dll
2011-02-04 00:40:40 192512 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iuser.dll
2011-02-04 00:40:34 311428 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\setup.dll
2011-02-04 00:40:34 188548 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iGdi.dll
2011-02-04 00:40:14 167936 ----a-w- c:\windows\system32\nvwrszht.dll
2011-02-04 00:40:14 163840 ----a-w- c:\windows\system32\nvwrszhc.dll
2011-02-04 00:40:13 225280 ----a-w- c:\windows\system32\nvrszhc.dll
2011-02-04 00:40:13 122880 ----a-w- c:\windows\system32\nvrszht.dll
2011-02-04 00:39:33 -------- d-----w- C:\Intel
2011-02-04 00:11:47 -------- d-----w- c:\windows\NV22562152.TMP
2011-02-04 00:06:54 -------- d-----w- c:\windows\NV572984.TMP
2011-02-03 23:58:47 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{2c6bf0a0-2a81-4a4d-bd5b-5171a92f17ae}\mpengine.dll
2011-02-03 23:58:43 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-02-03 23:57:58 -------- d-----w- c:\program files\MSN Toolbar
2011-02-03 23:57:11 -------- d-----w- c:\program files\Bing Bar Installer
2011-02-03 23:55:44 -------- d-----w- c:\windows\system32\winrm
2011-02-03 23:55:38 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2011-02-01 01:19:49 -------- d-----w- c:\program files\Microsoft Security Client
2011-02-01 00:37:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-01 00:37:16 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-01 00:24:34 -------- d-----w- c:\docume~1\owner\applic~1\IObit
2011-01-30 23:23:51 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-01-30 23:17:56 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Sunbelt Software
2011-01-30 22:58:41 8576 ----a-w- c:\windows\system32\drivers\wwrbuewxcndv.sys
2011-01-30 22:57:01 8576 ----a-w- c:\windows\system32\drivers\wcepiekvrhos.sys
2011-01-30 22:53:14 -------- d-----w- c:\documents and settings\owner\Pavark
2011-01-30 21:54:01 -------- d-----w- c:\docume~1\owner\applic~1\upromise
2011-01-30 21:54:00 -------- d-----w- c:\program files\Upromise
2011-01-29 05:37:01 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\SIWSP
2011-01-29 05:36:11 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\2fac2e
2011-01-16 21:26:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\FreeApp

==================== Find3M ====================

2010-12-11 02:29:30 64864 ----a-w- c:\windows\system32\sqlctr90.dll
2010-12-11 02:29:30 2248032 ----a-w- c:\windows\system32\sqlncli.dll
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll

============= FINISH: 17:35:22.03 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Collective
  • Local time:06:55 AM

Posted 07 February 2011 - 05:00 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

We need to create a New FULL OTL Report
  • Please download OTL from here if you have not done so already:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.


Why we request you disable CD Emulation when receiving Malware Removal Advice

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning
.

Best Regards,
oneof4.

Best Regards,
oneof4.


#3 LarryDS

LarryDS
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Nevada-USA
  • Local time:03:55 AM

Posted 10 February 2011 - 04:05 PM

Thank you oneof4 for the reply and appreciate the assistance. I have another computer available so have not been fretting about response time and would not be concerned anyway. I do volunteer work in another field myself. First email defined the problem. Computer has been off since then. Received email on another comuter. Turned this computer on received 10 microsoft updates, installed rebooted. Then received Adobed update - rebooted. Noted that Microsoft Essential updated OK. Started following instuctions. Failed to read ahead and ran OTL while online with AV on. After it completed the I got offline. Shutdown Essentials, Iobit 360, Advanced system care3. If Malwarebytes has an active compenent then I failed to shut it down. Ran OLT again - did not take very long 2nd time. Getting ready to post both sets of results. Just downloaded gmer. If I understand the instruction correctly I am now suppose to post the txt files now. Get off-line defeat av again then post gmer result latter. Sorry if I am not following instructions correctly.
Larry

OTL FIRST

OTL logfile created on: 2/10/2011 12:10:20 PM - Run 1
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 74.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.71 Gb Total Space | 424.43 Gb Free Space | 91.13% Space Free | Partition Type: NTFS

Computer Name: DC64WRF1 | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/02/10 11:56:11 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2010/12/16 16:19:34 | 002,402,512 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
PRC - [2010/12/14 07:10:42 | 000,134,864 | ---- | M] (Upromise, Inc.) -- C:\Program Files\Upromise\UpromiseGlobalCache.exe
PRC - [2010/12/14 07:10:36 | 000,241,360 | ---- | M] (Upromise, Inc.) -- C:\Program Files\Upromise\UpromiseTray.exe
PRC - [2010/12/02 11:22:46 | 000,175,800 | ---- | M] (Compete, Inc.) -- C:\Program Files\Upromise\dca-ua.exe
PRC - [2010/11/30 13:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2010/11/12 17:27:20 | 000,273,672 | ---- | M] (Microsoft Corp.) -- C:\Program Files\MSN Toolbar\Platform\6.3.2380.0\mswinext.exe
PRC - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2010/10/16 00:40:40 | 000,037,664 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/07/27 14:46:08 | 000,316,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
PRC - [2010/07/27 14:46:08 | 000,249,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2010/06/11 18:14:24 | 001,280,344 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360tray.exe
PRC - [2010/06/11 18:14:22 | 000,312,152 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360srv.exe
PRC - [2009/11/19 10:26:54 | 000,455,944 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
PRC - [2009/06/23 16:23:48 | 000,600,944 | ---- | M] () -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
PRC - [2008/06/05 10:19:18 | 000,479,232 | ---- | M] (Nikon Corporation) -- C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
PRC - [2008/04/13 16:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/28 16:03:07 | 001,838,592 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
PRC - [2008/01/11 16:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
PRC - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2006/11/08 13:01:54 | 000,049,152 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\ico.exe
PRC - [2006/10/20 15:23:38 | 000,118,784 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2004/07/27 16:50:18 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2004/06/09 14:16:08 | 000,471,040 | ---- | M] (PalmSource, Inc) -- C:\Program Files\palmOne\Hotsync.exe
PRC - [2002/06/20 11:06:12 | 000,339,968 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\system32\hphmon04.exe
PRC - [2002/05/24 04:46:16 | 000,188,416 | ---- | M] (HP) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
PRC - [2002/05/24 04:46:13 | 000,077,824 | ---- | M] (HP) -- C:\WINDOWS\system32\hphipm11.exe
PRC - [1998/03/31 17:29:20 | 000,039,424 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe


========== Modules (SafeList) ==========

MOD - [2011/02/10 11:56:11 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2011/01/19 19:53:34 | 000,238,424 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360mon.dll
MOD - [2010/08/23 08:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/10/16 00:40:40 | 000,037,664 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/07/27 14:46:08 | 000,249,136 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2010/06/11 18:14:22 | 000,312,152 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files\IObit\IObit Security 360\is360srv.exe -- (IS360service)
SRV - [2010/03/18 13:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/11/19 10:26:54 | 000,455,944 | ---- | M] () [Auto | Running] -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe -- (FlipShare Service)
SRV - [2009/06/23 16:23:48 | 000,600,944 | ---- | M] () [Auto | Running] -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe -- (ioloSystemService)
SRV - [2009/06/23 16:23:48 | 000,600,944 | ---- | M] () [Auto | Running] -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe -- (ioloFileInfoList)
SRV - [2008/02/28 16:03:07 | 001,838,592 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager)
SRV - [2008/01/11 16:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)
SRV - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2002/05/24 04:46:13 | 000,077,824 | ---- | M] (HP) [On_Demand | Running] -- C:\WINDOWS\system32\hphipm11.exe -- (Pml Driver HPH11)


========== Driver Services (SafeList) ==========

DRV - [2011/02/10 12:05:26 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7BDA7FDF-278C-4B40-8248-28192259AB6A}\MpKsl496dc2c2.sys -- (MpKsl496dc2c2)
DRV - [2008/12/29 20:04:09 | 000,016,694 | ---- | M] (PalmSource, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - [2008/04/13 10:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 10:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 08:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/07/22 18:36:42 | 000,254,872 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®
DRV - [2007/07/22 13:27:12 | 004,424,704 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/06/20 16:45:24 | 000,304,920 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2007/06/01 17:19:00 | 006,738,880 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/08/18 13:18:08 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/08/18 13:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/08/18 13:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/08/18 13:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/08/18 13:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/08/18 13:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/08/18 13:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/08/18 13:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/08/11 11:05:58 | 000,051,768 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2006/08/11 10:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/08/11 10:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2006/07/21 11:21:26 | 000,099,176 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2004/10/07 17:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2002/05/24 04:46:13 | 000,050,896 | R--- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hphid411.sys -- (Dot4 HPH11)
DRV - [2002/05/24 04:46:13 | 000,050,276 | R--- | M] (Hewlett-Packard) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hphs2k11.sys -- (Dot4Storage HPH11) Storage Class Driver for IEEE-1284.4 (HPH11)
DRV - [2002/05/24 04:46:13 | 000,018,928 | R--- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hphius11.sys -- (Dot4Usb HPH11)
DRV - [2002/05/24 04:46:13 | 000,016,112 | R--- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hphipr11.sys -- (Dot4Print HPH11)
DRV - [2001/08/17 12:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 12:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 12:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 12:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 12:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 11:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 11:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 11:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 11:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 11:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 11:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 11:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 11:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 11:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 11:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080229
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080229


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080229
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080229
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:25465

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080229
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080229
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:25465



IE - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080229
IE - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
IE - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:25465

FF - HKLM\software\mozilla\Firefox\extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2011/02/03 15:58:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}: C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DMExtension\ [2011/02/03 15:58:27 | 000,000,000 | ---D | M]


Hosts file not found
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (DCA BHO) - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files\Upromise\dca-bho.dll (Compete, Inc.)
O2 - BHO: (Bing Bar BHO) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\6.3.2380.0\npwinext.dll (Microsoft Corporation)
O2 - BHO: (Upromise TurboSaver) - {EDC0F17F-F4B7-47e4-B73E-887FAEB376FA} - C:\Program Files\Upromise\upromisetoolbar.dll (Upromise, Inc.)
O3 - HKLM\..\Toolbar: (Upromise TurboSaver) - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll (Upromise, Inc.)
O3 - HKLM\..\Toolbar: (@C:\Program Files\MSN Toolbar\Platform\6.3.2380.0\npwinext.dll,-100) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\6.3.2380.0\npwinext.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Upromise TurboSaver) - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll (Upromise, Inc.)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Upromise TurboSaver) - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll (Upromise, Inc.)
O3 - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [Bing Bar] C:\Program Files\MSN Toolbar\Platform\6.3.2380.0\mswinext.exe (Microsoft Corp.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe (HP)
O4 - HKLM..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HPHUPD04] C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe (Hewlett-Packard)
O4 - HKLM..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe (IObit)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [Microsoft Default Manager] C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe (Microsoft Corporation)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [PMX Daemon] C:\WINDOWS\System32\ico.exe (Primax Electronics Ltd.)
O4 - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008..\Run: [Advanced SystemCare 3] C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe (IObit)
O4 - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008..\Run: [Upromise Tray] C:\Program Files\Upromise\UpromiseTray.exe (Upromise, Inc.)
O4 - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008..\Run: [Upromise Update] C:\Program Files\Upromise\dca-ua.exe (Compete, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe (PalmSource, Inc)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoControlPanel = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisallowRun = 1
O7 - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 0
O7 - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O9 - Extra Button: Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll (Upromise, Inc.)
O9 - Extra 'Tools' menuitem : Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll (Upromise, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://support.microsoft.com/Dcode/ActiveX/MSDcode.cab (Microsoft Data Collection Control)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symantec.com/activex/symdlmgr.cab (Symantec Download Manager)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} http://support.microsoft.com/mats/DiagWebControl.cab (Diagnostics ActiveX WebControl)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 97.64.183.164 97.64.209.37 192.168.1.1
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 15:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{05830585-ffa1-11dc-baa7-001d098b8bd5}\Shell - "" = AutoRun
O33 - MountPoints2\{05830585-ffa1-11dc-baa7-001d098b8bd5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{05830585-ffa1-11dc-baa7-001d098b8bd5}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -a
O33 - MountPoints2\{0747722c-3e08-11df-977d-001d098b8bd5}\Shell\AutoRun\command - "" = G:\Setup_FlipShare.exe
O33 - MountPoints2\{0747722c-3e08-11df-977d-001d098b8bd5}\Shell\Setup FlipShare\command - "" = G:\Setup_FlipShare.exe
O33 - MountPoints2\{1929ae41-f172-11dc-ba94-001d098b8bd5}\Shell - "" = AutoRun
O33 - MountPoints2\{1929ae41-f172-11dc-ba94-001d098b8bd5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1929ae41-f172-11dc-ba94-001d098b8bd5}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
O33 - MountPoints2\{3a410eaa-fb0f-11dd-bbf0-001d098b8bd5}\Shell - "" = AutoRun
O33 - MountPoints2\{3a410eaa-fb0f-11dd-bbf0-001d098b8bd5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{3a410eaa-fb0f-11dd-bbf0-001d098b8bd5}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
O33 - MountPoints2\{67929baa-fd48-11dc-baa3-001d098b8bd5}\Shell - "" = AutoRun
O33 - MountPoints2\{67929baa-fd48-11dc-baa3-001d098b8bd5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{67929baa-fd48-11dc-baa3-001d098b8bd5}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
O33 - MountPoints2\{df4bc7be-2bfa-11e0-9892-806d6172696f}\Shell\AutoRun\command - "" = F:\NBRTStrt.exe
O33 - MountPoints2\{e861d14c-c44c-11df-97fb-001d098b8bd5}\Shell\AutoRun\command - "" = F:\NBRTStrt.exe
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/02/10 12:02:23 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/02/10 11:56:09 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/02/03 17:56:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\gmer
[2011/02/03 16:40:43 | 000,356,352 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\NVUNINST.EXE
[2011/02/03 16:40:14 | 000,167,936 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvwrszht.dll
[2011/02/03 16:40:14 | 000,163,840 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvwrszhc.dll
[2011/02/03 16:40:13 | 000,225,280 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvrszhc.dll
[2011/02/03 16:40:13 | 000,122,880 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvrszht.dll
[2011/02/03 16:39:33 | 000,000,000 | ---D | C] -- C:\Intel
[2011/02/03 16:11:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\NV22562152.TMP
[2011/02/03 16:06:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\NV572984.TMP
[2011/02/03 15:58:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Mozilla
[2011/02/03 15:57:58 | 000,000,000 | ---D | C] -- C:\Program Files\MSN Toolbar
[2011/02/03 15:57:11 | 000,000,000 | ---D | C] -- C:\Program Files\Bing Bar Installer
[2011/02/03 15:55:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\winrm
[2011/02/03 15:55:38 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$968930Uinstall_KB968930$
[2011/02/03 15:46:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\IObit Security 360
[2011/01/31 19:13:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\PCHealth
[2011/01/31 17:19:49 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2011/01/31 16:37:19 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/01/31 16:37:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/01/31 16:37:16 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/01/31 16:24:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\IObit
[2011/01/30 15:23:51 | 000,098,392 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2011/01/30 15:17:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Sunbelt Software
[2011/01/30 14:58:41 | 000,008,576 | ---- | C] (Panda Software International) -- C:\WINDOWS\System32\drivers\wwrbuewxcndv.sys
[2011/01/30 14:57:01 | 000,008,576 | ---- | C] (Panda Software International) -- C:\WINDOWS\System32\drivers\wcepiekvrhos.sys
[2011/01/30 14:53:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Pavark
[2011/01/30 13:54:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\upromise
[2011/01/30 13:54:00 | 000,000,000 | ---D | C] -- C:\Program Files\Upromise
[2011/01/29 14:16:15 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2011/01/28 21:37:01 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\SIWSP
[2011/01/28 21:36:11 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\2fac2e
[2011/01/26 21:02:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Lakeport PD
[2011/01/21 06:44:37 | 000,439,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shimgvw.dll
[2011/01/16 13:26:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FreeApp
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/02/10 12:19:26 | 000,296,448 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\1z528h49.exe
[2011/02/10 12:19:03 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\~$w Microsoft Office Word Document.docx
[2011/02/10 12:10:24 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/02/10 12:05:40 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/02/10 12:05:31 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2011/02/10 12:05:13 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/02/10 12:05:13 | 000,000,250 | ---- | M] () -- C:\WINDOWS\tasks\Game_Booster_Startup.job
[2011/02/10 12:05:11 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/02/10 12:05:09 | 3219,308,544 | -HS- | M] () -- C:\hiberfil.sys
[2011/02/10 12:03:40 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/02/10 11:59:46 | 000,269,392 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/02/10 11:58:36 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/02/10 11:56:11 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/02/10 11:49:48 | 000,022,511 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\New Microsoft Office Word Document.docx
[2011/02/03 19:26:40 | 000,005,113 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\attach.zip
[2011/02/03 19:23:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/02/03 17:56:24 | 000,288,107 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2011/02/03 17:32:50 | 000,624,128 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2011/02/03 17:29:33 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\defogger_reenable
[2011/02/03 17:28:58 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Defogger.exe
[2011/02/03 17:28:12 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Defogger.exe
[2011/02/03 16:41:39 | 000,133,370 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/02/03 16:27:56 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/02/03 16:18:21 | 000,540,348 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/02/03 16:18:21 | 000,101,186 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/02/03 15:46:21 | 000,000,733 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\IObit Security 360.lnk
[2011/01/31 20:00:00 | 000,000,622 | ---- | M] () -- C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Owner.job
[2011/01/31 17:20:16 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/01/31 16:37:19 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/01/31 16:08:02 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/01/30 15:23:48 | 000,098,392 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2011/01/30 14:58:20 | 000,008,576 | ---- | M] (Panda Software International) -- C:\WINDOWS\System32\drivers\wwrbuewxcndv.sys
[2011/01/30 14:54:59 | 000,008,576 | ---- | M] (Panda Software International) -- C:\WINDOWS\System32\drivers\wcepiekvrhos.sys
[2011/01/28 16:39:11 | 000,000,010 | ---- | M] () -- C:\WINDOWS\popcinfo.dat
[2011/01/26 20:24:35 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Microsoft Office Word 2007.lnk
[2011/01/21 06:44:37 | 008,462,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shell32.dll
[2011/01/21 06:44:37 | 000,439,296 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shimgvw.dll
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/02/10 11:49:21 | 000,022,511 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\New Microsoft Office Word Document.docx
[2011/02/03 19:26:14 | 000,005,113 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\attach.zip
[2011/02/03 17:56:24 | 000,288,107 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2011/02/03 17:32:46 | 000,624,128 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2011/02/03 17:29:33 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\defogger_reenable
[2011/02/03 17:28:58 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Defogger.exe
[2011/02/03 17:28:11 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Defogger.exe
[2011/02/03 16:42:55 | 3219,308,544 | -HS- | C] () -- C:\hiberfil.sys
[2011/02/03 16:40:08 | 000,115,998 | ---- | C] () -- C:\WINDOWS\System32\nvapps.nvb
[2011/02/03 16:02:54 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/02/03 15:58:28 | 000,001,077 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Default Manager.lnk
[2011/02/03 15:56:05 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2011/02/03 15:46:21 | 000,000,733 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\IObit Security 360.lnk
[2011/01/31 17:25:06 | 000,000,424 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/01/31 17:19:54 | 000,001,680 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
[2011/01/31 16:37:19 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/01/26 19:37:13 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2011/01/16 21:10:47 | 000,000,250 | ---- | C] () -- C:\WINDOWS\tasks\Game_Booster_Startup.job
[2010/04/18 12:29:55 | 000,000,653 | ---- | C] () -- C:\WINDOWS\{0240BDFB-2995-4A3F-8C96-18D41282B716}_WiseFW.ini
[2010/01/02 15:34:50 | 000,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
[2009/12/20 14:03:47 | 000,038,475 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Comma Separated Values (DOS).ADR
[2009/12/20 14:00:15 | 000,038,469 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Comma Separated Values (Windows).ADR
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/03/12 20:27:11 | 000,938,328 | ---- | C] () -- C:\WINDOWS\System32\Incinerator.dll
[2009/03/12 20:24:07 | 000,074,703 | ---- | C] () -- C:\WINDOWS\System32\mfc45.dll
[2008/12/31 19:29:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ViewNX.INI
[2008/12/30 21:46:33 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Components
[2008/12/30 21:46:33 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\Owner\Application Data\Comedy Noises
[2008/12/30 21:46:33 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdw.DAT
[2008/12/30 20:45:44 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Commands
[2008/12/30 20:45:44 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\Owner\Application Data\ColorTable
[2008/12/30 20:45:44 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2008/12/29 22:03:39 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2008/03/16 21:11:20 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PezDownload.INI
[2008/03/16 19:56:12 | 000,000,129 | ---- | C] () -- C:\WINDOWS\Picture Easy 3.ini
[2008/03/16 19:56:10 | 000,009,136 | ---- | C] () -- C:\WINDOWS\System32\inetwh16.dll
[2008/03/12 16:54:03 | 000,000,034 | ---- | C] () -- C:\WINDOWS\hpfsched.ini
[2008/03/07 10:03:14 | 000,029,184 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/02/28 16:17:28 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/02/28 15:59:58 | 000,000,274 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/02/28 15:56:56 | 000,131,070 | ---- | C] () -- C:\WINDOWS\System32\DellPM.ini
[2008/02/28 15:35:23 | 000,001,124 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2008/02/18 22:33:34 | 000,446,352 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2006/11/09 13:07:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/09/16 23:36:50 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/09/16 23:36:50 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2004/08/11 15:24:19 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 15:11:31 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/11 15:07:24 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2002/06/20 11:09:10 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\hpodinet.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:62E2D794
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1

< End of report >


ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ

OTL 2ND RUN


OTL logfile created on: 2/10/2011 12:24:03 PM - Run 2
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 77.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.71 Gb Total Space | 424.43 Gb Free Space | 91.13% Space Free | Partition Type: NTFS

Computer Name: DC64WRF1 | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/02/10 11:56:11 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2010/12/14 07:10:42 | 000,134,864 | ---- | M] (Upromise, Inc.) -- C:\Program Files\Upromise\UpromiseGlobalCache.exe
PRC - [2010/12/14 07:10:36 | 000,241,360 | ---- | M] (Upromise, Inc.) -- C:\Program Files\Upromise\UpromiseTray.exe
PRC - [2010/12/02 11:22:46 | 000,175,800 | ---- | M] (Compete, Inc.) -- C:\Program Files\Upromise\dca-ua.exe
PRC - [2010/11/30 13:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2010/11/12 17:27:20 | 000,273,672 | ---- | M] (Microsoft Corp.) -- C:\Program Files\MSN Toolbar\Platform\6.3.2380.0\mswinext.exe
PRC - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2010/10/16 00:40:40 | 000,037,664 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/07/27 14:46:08 | 000,316,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
PRC - [2010/07/27 14:46:08 | 000,249,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/11/19 10:26:54 | 000,455,944 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
PRC - [2009/06/23 16:23:48 | 000,600,944 | ---- | M] () -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
PRC - [2009/06/09 15:12:08 | 000,096,088 | ---- | M] (Microsoft Corp.) -- C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
PRC - [2008/06/05 10:19:18 | 000,479,232 | ---- | M] (Nikon Corporation) -- C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
PRC - [2008/04/13 16:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/28 16:03:07 | 001,838,592 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
PRC - [2008/01/11 16:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
PRC - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2006/11/08 13:01:54 | 000,049,152 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\ico.exe
PRC - [2006/10/20 15:23:38 | 000,118,784 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2004/07/27 16:50:18 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2004/06/09 14:16:08 | 000,471,040 | ---- | M] (PalmSource, Inc) -- C:\Program Files\palmOne\Hotsync.exe
PRC - [2002/06/20 11:06:12 | 000,339,968 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\system32\hphmon04.exe
PRC - [2002/05/24 04:46:16 | 000,188,416 | ---- | M] (HP) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
PRC - [2002/05/24 04:46:13 | 000,077,824 | ---- | M] (HP) -- C:\WINDOWS\system32\hphipm11.exe
PRC - [1998/03/31 17:29:20 | 000,039,424 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe


========== Modules (SafeList) ==========

MOD - [2011/02/10 11:56:11 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2010/08/23 08:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/10/16 00:40:40 | 000,037,664 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/07/27 14:46:08 | 000,249,136 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2010/06/11 18:14:22 | 000,312,152 | ---- | M] (IObit) [Auto | Stopped] -- C:\Program Files\IObit\IObit Security 360\is360srv.exe -- (IS360service)
SRV - [2010/03/18 13:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/11/19 10:26:54 | 000,455,944 | ---- | M] () [Auto | Running] -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe -- (FlipShare Service)
SRV - [2009/06/23 16:23:48 | 000,600,944 | ---- | M] () [Auto | Running] -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe -- (ioloSystemService)
SRV - [2009/06/23 16:23:48 | 000,600,944 | ---- | M] () [Auto | Running] -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe -- (ioloFileInfoList)
SRV - [2008/02/28 16:03:07 | 001,838,592 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager)
SRV - [2008/01/11 16:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)
SRV - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2002/05/24 04:46:13 | 000,077,824 | ---- | M] (HP) [On_Demand | Running] -- C:\WINDOWS\system32\hphipm11.exe -- (Pml Driver HPH11)


========== Driver Services (SafeList) ==========

DRV - [2011/02/10 12:05:26 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7BDA7FDF-278C-4B40-8248-28192259AB6A}\MpKsl496dc2c2.sys -- (MpKsl496dc2c2)
DRV - [2008/12/29 20:04:09 | 000,016,694 | ---- | M] (PalmSource, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - [2008/04/13 10:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 10:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 08:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/07/22 18:36:42 | 000,254,872 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®
DRV - [2007/07/22 13:27:12 | 004,424,704 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/06/20 16:45:24 | 000,304,920 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2007/06/01 17:19:00 | 006,738,880 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/08/18 13:18:08 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/08/18 13:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/08/18 13:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/08/18 13:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/08/18 13:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/08/18 13:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/08/18 13:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/08/18 13:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/08/11 11:05:58 | 000,051,768 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2006/08/11 10:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/08/11 10:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2006/07/21 11:21:26 | 000,099,176 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2004/10/07 17:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2002/05/24 04:46:13 | 000,050,896 | R--- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hphid411.sys -- (Dot4 HPH11)
DRV - [2002/05/24 04:46:13 | 000,050,276 | R--- | M] (Hewlett-Packard) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hphs2k11.sys -- (Dot4Storage HPH11) Storage Class Driver for IEEE-1284.4 (HPH11)
DRV - [2002/05/24 04:46:13 | 000,018,928 | R--- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hphius11.sys -- (Dot4Usb HPH11)
DRV - [2002/05/24 04:46:13 | 000,016,112 | R--- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hphipr11.sys -- (Dot4Print HPH11)
DRV - [2001/08/17 12:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 12:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 12:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 12:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 12:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 11:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 11:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 11:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 11:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 11:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 11:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 11:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 11:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 11:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 11:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080229
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080229


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080229
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080229
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:25465

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080229
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080229
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:25465



IE - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080229
IE - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
IE - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:25465

FF - HKLM\software\mozilla\Firefox\extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2011/02/03 15:58:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}: C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DMExtension\ [2011/02/03 15:58:27 | 000,000,000 | ---D | M]


Hosts file not found
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (DCA BHO) - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files\Upromise\dca-bho.dll (Compete, Inc.)
O2 - BHO: (Bing Bar BHO) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\6.3.2380.0\npwinext.dll (Microsoft Corporation)
O2 - BHO: (Upromise TurboSaver) - {EDC0F17F-F4B7-47e4-B73E-887FAEB376FA} - C:\Program Files\Upromise\upromisetoolbar.dll (Upromise, Inc.)
O3 - HKLM\..\Toolbar: (Upromise TurboSaver) - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll (Upromise, Inc.)
O3 - HKLM\..\Toolbar: (@C:\Program Files\MSN Toolbar\Platform\6.3.2380.0\npwinext.dll,-100) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\6.3.2380.0\npwinext.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Upromise TurboSaver) - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll (Upromise, Inc.)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Upromise TurboSaver) - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll (Upromise, Inc.)
O3 - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [Bing Bar] C:\Program Files\MSN Toolbar\Platform\6.3.2380.0\mswinext.exe (Microsoft Corp.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe (HP)
O4 - HKLM..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HPHUPD04] C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe (Hewlett-Packard)
O4 - HKLM..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe (IObit)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [Microsoft Default Manager] C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe (Microsoft Corporation)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [PMX Daemon] C:\WINDOWS\System32\ico.exe (Primax Electronics Ltd.)
O4 - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008..\Run: [Advanced SystemCare 3] C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe (IObit)
O4 - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008..\Run: [Upromise Tray] C:\Program Files\Upromise\UpromiseTray.exe (Upromise, Inc.)
O4 - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008..\Run: [Upromise Update] C:\Program Files\Upromise\dca-ua.exe (Compete, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe (PalmSource, Inc)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoControlPanel = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisallowRun = 1
O7 - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 0
O7 - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O9 - Extra Button: Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll (Upromise, Inc.)
O9 - Extra 'Tools' menuitem : Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll (Upromise, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://support.microsoft.com/Dcode/ActiveX/MSDcode.cab (Microsoft Data Collection Control)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symantec.com/activex/symdlmgr.cab (Symantec Download Manager)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} http://support.microsoft.com/mats/DiagWebControl.cab (Diagnostics ActiveX WebControl)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 15:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{05830585-ffa1-11dc-baa7-001d098b8bd5}\Shell - "" = AutoRun
O33 - MountPoints2\{05830585-ffa1-11dc-baa7-001d098b8bd5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{05830585-ffa1-11dc-baa7-001d098b8bd5}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -a
O33 - MountPoints2\{0747722c-3e08-11df-977d-001d098b8bd5}\Shell\AutoRun\command - "" = G:\Setup_FlipShare.exe
O33 - MountPoints2\{0747722c-3e08-11df-977d-001d098b8bd5}\Shell\Setup FlipShare\command - "" = G:\Setup_FlipShare.exe
O33 - MountPoints2\{1929ae41-f172-11dc-ba94-001d098b8bd5}\Shell - "" = AutoRun
O33 - MountPoints2\{1929ae41-f172-11dc-ba94-001d098b8bd5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1929ae41-f172-11dc-ba94-001d098b8bd5}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
O33 - MountPoints2\{3a410eaa-fb0f-11dd-bbf0-001d098b8bd5}\Shell - "" = AutoRun
O33 - MountPoints2\{3a410eaa-fb0f-11dd-bbf0-001d098b8bd5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{3a410eaa-fb0f-11dd-bbf0-001d098b8bd5}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
O33 - MountPoints2\{67929baa-fd48-11dc-baa3-001d098b8bd5}\Shell - "" = AutoRun
O33 - MountPoints2\{67929baa-fd48-11dc-baa3-001d098b8bd5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{67929baa-fd48-11dc-baa3-001d098b8bd5}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
O33 - MountPoints2\{df4bc7be-2bfa-11e0-9892-806d6172696f}\Shell\AutoRun\command - "" = F:\NBRTStrt.exe
O33 - MountPoints2\{e861d14c-c44c-11df-97fb-001d098b8bd5}\Shell\AutoRun\command - "" = F:\NBRTStrt.exe
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/02/10 12:02:23 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/02/10 11:56:09 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/02/03 17:56:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\gmer
[2011/02/03 16:40:43 | 000,356,352 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\NVUNINST.EXE
[2011/02/03 16:40:14 | 000,167,936 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvwrszht.dll
[2011/02/03 16:40:14 | 000,163,840 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvwrszhc.dll
[2011/02/03 16:40:13 | 000,225,280 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvrszhc.dll
[2011/02/03 16:40:13 | 000,122,880 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvrszht.dll
[2011/02/03 16:39:33 | 000,000,000 | ---D | C] -- C:\Intel
[2011/02/03 16:11:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\NV22562152.TMP
[2011/02/03 16:06:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\NV572984.TMP
[2011/02/03 15:58:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Mozilla
[2011/02/03 15:57:58 | 000,000,000 | ---D | C] -- C:\Program Files\MSN Toolbar
[2011/02/03 15:57:11 | 000,000,000 | ---D | C] -- C:\Program Files\Bing Bar Installer
[2011/02/03 15:55:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\winrm
[2011/02/03 15:55:38 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$968930Uinstall_KB968930$
[2011/02/03 15:46:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\IObit Security 360
[2011/01/31 19:13:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\PCHealth
[2011/01/31 17:19:49 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2011/01/31 16:37:19 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/01/31 16:37:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/01/31 16:37:16 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/01/31 16:24:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\IObit
[2011/01/30 15:23:51 | 000,098,392 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2011/01/30 15:17:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Sunbelt Software
[2011/01/30 14:58:41 | 000,008,576 | ---- | C] (Panda Software International) -- C:\WINDOWS\System32\drivers\wwrbuewxcndv.sys
[2011/01/30 14:57:01 | 000,008,576 | ---- | C] (Panda Software International) -- C:\WINDOWS\System32\drivers\wcepiekvrhos.sys
[2011/01/30 14:53:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Pavark
[2011/01/30 13:54:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\upromise
[2011/01/30 13:54:00 | 000,000,000 | ---D | C] -- C:\Program Files\Upromise
[2011/01/29 14:16:15 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2011/01/28 21:37:01 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\SIWSP
[2011/01/28 21:36:11 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\2fac2e
[2011/01/26 21:02:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Lakeport PD
[2011/01/21 06:44:37 | 000,439,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shimgvw.dll
[2011/01/16 13:26:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FreeApp
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/02/10 12:23:05 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/02/10 12:19:26 | 000,296,448 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\1z528h49.exe
[2011/02/10 12:19:03 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\~$w Microsoft Office Word Document.docx
[2011/02/10 12:10:24 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/02/10 12:05:40 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/02/10 12:05:31 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2011/02/10 12:05:13 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/02/10 12:05:13 | 000,000,250 | ---- | M] () -- C:\WINDOWS\tasks\Game_Booster_Startup.job
[2011/02/10 12:05:11 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/02/10 12:05:09 | 3219,308,544 | -HS- | M] () -- C:\hiberfil.sys
[2011/02/10 12:03:40 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/02/10 11:59:46 | 000,269,392 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/02/10 11:58:36 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/02/10 11:56:11 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/02/10 11:49:48 | 000,022,511 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\New Microsoft Office Word Document.docx
[2011/02/03 19:26:40 | 000,005,113 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\attach.zip
[2011/02/03 17:56:24 | 000,288,107 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2011/02/03 17:32:50 | 000,624,128 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2011/02/03 17:29:33 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\defogger_reenable
[2011/02/03 17:28:58 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Defogger.exe
[2011/02/03 17:28:12 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Defogger.exe
[2011/02/03 16:41:39 | 000,133,370 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/02/03 16:27:56 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/02/03 16:18:21 | 000,540,348 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/02/03 16:18:21 | 000,101,186 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/02/03 15:46:21 | 000,000,733 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\IObit Security 360.lnk
[2011/01/31 20:00:00 | 000,000,622 | ---- | M] () -- C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Owner.job
[2011/01/31 17:20:16 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/01/31 16:37:19 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/01/31 16:08:02 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/01/30 15:23:48 | 000,098,392 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2011/01/30 14:58:20 | 000,008,576 | ---- | M] (Panda Software International) -- C:\WINDOWS\System32\drivers\wwrbuewxcndv.sys
[2011/01/30 14:54:59 | 000,008,576 | ---- | M] (Panda Software International) -- C:\WINDOWS\System32\drivers\wcepiekvrhos.sys
[2011/01/28 16:39:11 | 000,000,010 | ---- | M] () -- C:\WINDOWS\popcinfo.dat
[2011/01/26 20:24:35 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Microsoft Office Word 2007.lnk
[2011/01/21 06:44:37 | 008,462,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shell32.dll
[2011/01/21 06:44:37 | 000,439,296 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shimgvw.dll
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/02/10 12:19:39 | 000,296,448 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\1z528h49.exe
[2011/02/10 12:19:03 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Owner\Desktop\~$w Microsoft Office Word Document.docx
[2011/02/10 11:49:21 | 000,022,511 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\New Microsoft Office Word Document.docx
[2011/02/03 19:26:14 | 000,005,113 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\attach.zip
[2011/02/03 17:56:24 | 000,288,107 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2011/02/03 17:32:46 | 000,624,128 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2011/02/03 17:29:33 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\defogger_reenable
[2011/02/03 17:28:58 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Defogger.exe
[2011/02/03 17:28:11 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Defogger.exe
[2011/02/03 16:42:55 | 3219,308,544 | -HS- | C] () -- C:\hiberfil.sys
[2011/02/03 16:40:08 | 000,115,998 | ---- | C] () -- C:\WINDOWS\System32\nvapps.nvb
[2011/02/03 16:02:54 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/02/03 15:58:28 | 000,001,077 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Default Manager.lnk
[2011/02/03 15:56:05 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2011/02/03 15:46:21 | 000,000,733 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\IObit Security 360.lnk
[2011/01/31 17:25:06 | 000,000,424 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/01/31 17:19:54 | 000,001,680 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
[2011/01/31 16:37:19 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/01/26 19:37:13 | 000,001,945 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2011/01/16 21:10:47 | 000,000,250 | ---- | C] () -- C:\WINDOWS\tasks\Game_Booster_Startup.job
[2010/04/18 12:29:55 | 000,000,653 | ---- | C] () -- C:\WINDOWS\{0240BDFB-2995-4A3F-8C96-18D41282B716}_WiseFW.ini
[2010/01/02 15:34:50 | 000,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
[2009/12/20 14:03:47 | 000,038,475 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Comma Separated Values (DOS).ADR
[2009/12/20 14:00:15 | 000,038,469 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Comma Separated Values (Windows).ADR
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/03/12 20:27:11 | 000,938,328 | ---- | C] () -- C:\WINDOWS\System32\Incinerator.dll
[2009/03/12 20:24:07 | 000,074,703 | ---- | C] () -- C:\WINDOWS\System32\mfc45.dll
[2008/12/31 19:29:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ViewNX.INI
[2008/12/30 21:46:33 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Components
[2008/12/30 21:46:33 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\Owner\Application Data\Comedy Noises
[2008/12/30 21:46:33 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdw.DAT
[2008/12/30 20:45:44 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Commands
[2008/12/30 20:45:44 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\Owner\Application Data\ColorTable
[2008/12/30 20:45:44 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2008/12/29 22:03:39 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2008/03/16 21:11:20 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PezDownload.INI
[2008/03/16 19:56:12 | 000,000,129 | ---- | C] () -- C:\WINDOWS\Picture Easy 3.ini
[2008/03/16 19:56:10 | 000,009,136 | ---- | C] () -- C:\WINDOWS\System32\inetwh16.dll
[2008/03/12 16:54:03 | 000,000,034 | ---- | C] () -- C:\WINDOWS\hpfsched.ini
[2008/03/07 10:03:14 | 000,029,184 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/02/28 16:17:28 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/02/28 15:59:58 | 000,000,274 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/02/28 15:56:56 | 000,131,070 | ---- | C] () -- C:\WINDOWS\System32\DellPM.ini
[2008/02/28 15:35:23 | 000,001,124 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2008/02/18 22:33:34 | 000,446,352 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2006/11/09 13:07:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/09/16 23:36:50 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/09/16 23:36:50 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2004/08/11 15:24:19 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 15:11:31 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/11 15:07:24 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2002/06/20 11:09:10 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\hpodinet.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:62E2D794
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1

< End of report >

ZZZZZZZZZZZZZZZZZZZ

EXTRAS.TXT FIRST RUN

OTL Extras logfile created on: 2/10/2011 12:10:21 PM - Run 1
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 74.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.71 Gb Total Space | 424.43 Gb Free Space | 91.13% Space Free | Partition Type: NTFS

Computer Name: DC64WRF1 | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Digital Photo Professional] -- C:\Program Files\Canon\Digital Photo Professional\DPPViewer.exe /path "%1" (CANON INC.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management
"80:TCP" = 80:TCP:*:Disabled:Windows Remote Management - Compatibility Mode (HTTP-In)

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{08234a0d-cf39-4dca-99f0-0c5cb496da81}" = Bing Bar
"{0D396571-7BBD-44CE-ABB3-518BF86B72F7}" = HP Photo and Imaging 1.0 - HP Photosmart Printer Series
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{10A44844-4465-456E-8C97-80BDD4F68845}" = Windows Live ID Sign-in Assistant
"{17424F35-8B77-4ADF-BC63-BF9B81418539}" = Apple Application Support
"{1CAC7A41-583B-4483-9FA5-3E5465AFF8C2}" = Microsoft Default Manager
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{237CD223-1B9D-47E8-A76C-E478B83CCEA2}" = File Uploader
"{25E81740-CA17-489E-A8B6-54319A1C4D41}}_is1" = Dell PC TuneUp
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 12
"{281ECE39-F043-492B-8337-F2E546B5604A}" = PowerDVD
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
"{2C9A62F0-D1B3-4E2C-A7D9-24F38FF2A379}" = GEAR driver installer for x86 and x64
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{3018B943-C76C-44B0-B078-790A28CEF67E}" = Microsoft UI Engine
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{366FFC89-C800-4366-B903-B9C4314109A5}" = Garmin WebUpdater
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
"{448E2D77-E504-4221-B2C2-93646B344729}" = Mouse Suite for Desktop Computers
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{5301C483-40FB-4F94-B56E-D7D5A114D2F6}" = Garmin City Navigator North America NT v8
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{61A57FA5-642C-4AFC-9AD7-8E6CC4053135}" = Jewel Logic
"{61EDBE71-5D3E-4AB7-AD95-E53FEAF68C17}" = Bing Rewards Client Installer
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{6B9B0C6F-E5FA-4633-A640-AB98A272ECCA}" = Safari
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7670D32F-DAE6-4E49-8C8B-B3F08B5B1686}" = Microsoft SQL Server Native Client
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel® PRO Network Connections 12.1.12.0
"{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}" = Microsoft Security Client
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{87441A59-5E64-4096-A170-14EFE67200C3}" = Picture Control Utility
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8C2690CF-5B74-4F93-8139-7B5644CD6A3B}" = MobileMe Control Panel
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_SMALLBUSINESSR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_SMALLBUSINESSR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{91120000-00CA-0000-0000-0000000FF1CE}" = Microsoft Office Small Business 2007
"{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{928B06E4-DDAA-476A-926A-641620326327}" = Microsoft Search Enhancement Pack
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0122-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.2
"{AE3CF174-872C-46C6-B9F6-C0593F3BC7B8}" = Microsoft Office Live Add-in 1.4
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B32C4059-6E7A-41EF-AD20-56DF1872B923}" = Business Contact Manager for Outlook 2007 SP2
"{B86C9440-82D7-423C-9FEC-6CB3092D1AA4}" = Bing Bar Platform
"{BB3AB664-D92B-4CB5-8B3E-D841841F4E68}" = Canon Camera WIA Driver
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center
"{D45E8C45-B601-4A80-AFD8-E16338744DE1}" = ArcSoft Panorama Maker 4
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{E7084B89-69E0-46B3-A118-8F99D06988CD}" = Microsoft SQL Server VSS Writer
"{E8843212-F0FC-4C3B-BFF3-D51829CB4F19}" = iTunes
"{E9757890-7EC5-46C8-99AB-B00F07B6525C}" = Nikon Transfer
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F007CBCE-D714-4C0B-8CE9-9B0D78116468}" = ViewNX
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F7F23DFB-31E1-B7EC-7A6D-7668B595ADAE}" = FlipShare
"{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}" = Bonjour
"{FF8157AA-F640-45BD-B7C2-BAA1016B267A}" = palmOne
"3ivx MPEG-4 5.0.3" = 3ivx MPEG-4 5.0.3 (remove only)
"5 Card Slingo Deluxe" = 5 Card Slingo Deluxe
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Advanced SystemCare 3_is1" = Advanced SystemCare 3
"Bejeweled Deluxe 1.87" = Bejeweled Deluxe 1.87
"Bumper Deluxe" = Bumper Deluxe
"Business Contact Manager" = Business Contact Manager for Outlook 2007 SP2
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Cisco Connect" = Cisco Connect
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
"CSCLIB" = Canon Camera Support Core Library
"Cubis Gold 2" = Cubis Gold 2
"DPP" = Canon Utilities Digital Photo Professional 3.4
"EOS Utility" = Canon Utilities EOS Utility
"Google Desktop" = Google Desktop
"Google Updater" = Google Updater
"hphuni04" = Photosmart 130,230,7150,7345,7350,7550 (Remove only)
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{BB3AB664-D92B-4CB5-8B3E-D841841F4E68}" = Canon EOS 5D WIA Driver
"IObit Security 360_is1" = IObit Security 360
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Client" = Microsoft Security Essentials
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyCamera" = Canon Utilities MyCamera
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Original Data Security Tools" = Canon Utilities Original Data Security Tools
"PhotoStitch" = Canon Utilities PhotoStitch
"Picture Easy 3.0" = Picture Easy 3.0
"Picture Style Editor" = Canon Utilities Picture Style Editor
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"SearchAssist" = SearchAssist
"Slingo Deluxe" = Slingo Deluxe
"SMALLBUSINESSR" = Microsoft Office Small Business 2007
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WFTK" = Canon Utilities WFT-E1/E2/E3 Utility
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility
"Zuma Deluxe 1.0" = Zuma Deluxe 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3409573255-1799108214-1649763889-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"f031ef6ac137efc5" = Dell Driver Download Manager
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer
"Upromise TurboSaver" = Upromise TurboSaver (remove only)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/31/2011 7:36:45 PM | Computer Name = DC64WRF1 | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft .NET Framework 1.1 -- Error 1706.No valid source
could be found for product Microsoft .NET Framework 1.1. The Windows installer
cannot continue.

Error - 1/31/2011 7:36:45 PM | Computer Name = DC64WRF1 | Source = MsiInstaller | ID = 1023
Description = Product: Microsoft .NET Framework 1.1 - Update '{2F6EFCE6-10DF-49F9-9E64-9AE3775B2588}'
could not be installed. Error code 1603. Additional information is available in
the log file C:\WINDOWS\TEMP\NDP1.1sp1-KB2416447-X86\NDP1.1sp1-KB2416447-X86-msi.0.log.

Error - 1/31/2011 7:36:46 PM | Computer Name = DC64WRF1 | Source = NativeWrapper | ID = 5000
Description =

Error - 1/31/2011 7:47:29 PM | Computer Name = DC64WRF1 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0, P2 moaccapability, P3 3.0.8107.0, P4
0, P5 0, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

Error - 1/31/2011 7:51:30 PM | Computer Name = DC64WRF1 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8007043c, P2 beginsearch, P3 search, P4
3.0.8107.0, P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 1/31/2011 7:53:13 PM | Computer Name = DC64WRF1 | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007043C from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 1/31/2011 7:53:13 PM | Computer Name = DC64WRF1 | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007043C from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 1/31/2011 9:20:03 PM | Computer Name = DC64WRF1 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0x80070003, P2 moac, P3 cachereset, P4 3.0.8107.0,
P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

Error - 1/31/2011 11:13:14 PM | Computer Name = DC64WRF1 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0, P2 moaccapability, P3 3.0.8107.0, P4
0, P5 0, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

Error - 2/3/2011 3:35:42 AM | Computer Name = DC64WRF1 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8107.0,
P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

[ OSession Events ]
Error - 5/10/2008 6:25:00 PM | Computer Name = DC64WRF1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6211.1000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1295
seconds with 1200 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 2/3/2011 3:35:42 AM | Computer Name = DC64WRF1 | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.97.752.0 Update Source: %%859 Update Stage:
%%852 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803

User:
NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6502.0 Error
code: 0x8024402c Error description: An unexpected problem occurred while checking
for updates. For information on installing or troubleshooting updates, see Help
and Support.

Error - 2/3/2011 6:57:55 PM | Computer Name = DC64WRF1 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 2/3/2011 6:57:55 PM | Computer Name = DC64WRF1 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 2/3/2011 6:58:10 PM | Computer Name = DC64WRF1 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 2/3/2011 6:58:10 PM | Computer Name = DC64WRF1 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 2/3/2011 7:15:05 PM | Computer Name = DC64WRF1 | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.115 for the Network Card with network
address 001D098B8BD5 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 2/3/2011 7:55:35 PM | Computer Name = DC64WRF1 | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070005: nVidia - Video - NVIDIA GeForce 8600 GTS.

Error - 2/3/2011 8:12:01 PM | Computer Name = DC64WRF1 | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070005: nVidia - Video - NVIDIA GeForce 8600 GTS.

Error - 2/3/2011 8:22:59 PM | Computer Name = DC64WRF1 | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070005: nVidia - Video - NVIDIA GeForce 8600 GTS.

Error - 2/4/2011 8:28:38 PM | Computer Name = DC64WRF1 | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.133 for the Network Card with network
address 001D098B8BD5 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).


< End of report >




EXTRAS.TXT 2ND RUN

OTL Extras logfile created on: 2/10/2011 12:24:04 PM - Run 2
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 77.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.71 Gb Total Space | 424.43 Gb Free Space | 91.13% Space Free | Partition Type: NTFS

Computer Name: DC64WRF1 | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Digital Photo Professional] -- C:\Program Files\Canon\Digital Photo Professional\DPPViewer.exe /path "%1" (CANON INC.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management
"80:TCP" = 80:TCP:*:Disabled:Windows Remote Management - Compatibility Mode (HTTP-In)

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{08234a0d-cf39-4dca-99f0-0c5cb496da81}" = Bing Bar
"{0D396571-7BBD-44CE-ABB3-518BF86B72F7}" = HP Photo and Imaging 1.0 - HP Photosmart Printer Series
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{10A44844-4465-456E-8C97-80BDD4F68845}" = Windows Live ID Sign-in Assistant
"{17424F35-8B77-4ADF-BC63-BF9B81418539}" = Apple Application Support
"{1CAC7A41-583B-4483-9FA5-3E5465AFF8C2}" = Microsoft Default Manager
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{237CD223-1B9D-47E8-A76C-E478B83CCEA2}" = File Uploader
"{25E81740-CA17-489E-A8B6-54319A1C4D41}}_is1" = Dell PC TuneUp
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 12
"{281ECE39-F043-492B-8337-F2E546B5604A}" = PowerDVD
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
"{2C9A62F0-D1B3-4E2C-A7D9-24F38FF2A379}" = GEAR driver installer for x86 and x64
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{3018B943-C76C-44B0-B078-790A28CEF67E}" = Microsoft UI Engine
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{366FFC89-C800-4366-B903-B9C4314109A5}" = Garmin WebUpdater
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
"{448E2D77-E504-4221-B2C2-93646B344729}" = Mouse Suite for Desktop Computers
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{5301C483-40FB-4F94-B56E-D7D5A114D2F6}" = Garmin City Navigator North America NT v8
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{61A57FA5-642C-4AFC-9AD7-8E6CC4053135}" = Jewel Logic
"{61EDBE71-5D3E-4AB7-AD95-E53FEAF68C17}" = Bing Rewards Client Installer
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{6B9B0C6F-E5FA-4633-A640-AB98A272ECCA}" = Safari
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7670D32F-DAE6-4E49-8C8B-B3F08B5B1686}" = Microsoft SQL Server Native Client
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel® PRO Network Connections 12.1.12.0
"{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}" = Microsoft Security Client
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{87441A59-5E64-4096-A170-14EFE67200C3}" = Picture Control Utility
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8C2690CF-5B74-4F93-8139-7B5644CD6A3B}" = MobileMe Control Panel
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_SMALLBUSINESSR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_SMALLBUSINESSR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{91120000-00CA-0000-0000-0000000FF1CE}" = Microsoft Office Small Business 2007
"{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{928B06E4-DDAA-476A-926A-641620326327}" = Microsoft Search Enhancement Pack
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0122-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.2
"{AE3CF174-872C-46C6-B9F6-C0593F3BC7B8}" = Microsoft Office Live Add-in 1.4
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B32C4059-6E7A-41EF-AD20-56DF1872B923}" = Business Contact Manager for Outlook 2007 SP2
"{B86C9440-82D7-423C-9FEC-6CB3092D1AA4}" = Bing Bar Platform
"{BB3AB664-D92B-4CB5-8B3E-D841841F4E68}" = Canon Camera WIA Driver
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center
"{D45E8C45-B601-4A80-AFD8-E16338744DE1}" = ArcSoft Panorama Maker 4
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{E7084B89-69E0-46B3-A118-8F99D06988CD}" = Microsoft SQL Server VSS Writer
"{E8843212-F0FC-4C3B-BFF3-D51829CB4F19}" = iTunes
"{E9757890-7EC5-46C8-99AB-B00F07B6525C}" = Nikon Transfer
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F007CBCE-D714-4C0B-8CE9-9B0D78116468}" = ViewNX
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F7F23DFB-31E1-B7EC-7A6D-7668B595ADAE}" = FlipShare
"{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}" = Bonjour
"{FF8157AA-F640-45BD-B7C2-BAA1016B267A}" = palmOne
"3ivx MPEG-4 5.0.3" = 3ivx MPEG-4 5.0.3 (remove only)
"5 Card Slingo Deluxe" = 5 Card Slingo Deluxe
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Advanced SystemCare 3_is1" = Advanced SystemCare 3
"Bejeweled Deluxe 1.87" = Bejeweled Deluxe 1.87
"Bumper Deluxe" = Bumper Deluxe
"Business Contact Manager" = Business Contact Manager for Outlook 2007 SP2
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Cisco Connect" = Cisco Connect
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
"CSCLIB" = Canon Camera Support Core Library
"Cubis Gold 2" = Cubis Gold 2
"DPP" = Canon Utilities Digital Photo Professional 3.4
"EOS Utility" = Canon Utilities EOS Utility
"Google Desktop" = Google Desktop
"Google Updater" = Google Updater
"hphuni04" = Photosmart 130,230,7150,7345,7350,7550 (Remove only)
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{BB3AB664-D92B-4CB5-8B3E-D841841F4E68}" = Canon EOS 5D WIA Driver
"IObit Security 360_is1" = IObit Security 360
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Client" = Microsoft Security Essentials
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyCamera" = Canon Utilities MyCamera
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Original Data Security Tools" = Canon Utilities Original Data Security Tools
"PhotoStitch" = Canon Utilities PhotoStitch
"Picture Easy 3.0" = Picture Easy 3.0
"Picture Style Editor" = Canon Utilities Picture Style Editor
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"SearchAssist" = SearchAssist
"Slingo Deluxe" = Slingo Deluxe
"SMALLBUSINESSR" = Microsoft Office Small Business 2007
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WFTK" = Canon Utilities WFT-E1/E2/E3 Utility
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility
"Zuma Deluxe 1.0" = Zuma Deluxe 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3409573255-1799108214-1649763889-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"f031ef6ac137efc5" = Dell Driver Download Manager
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer
"Upromise TurboSaver" = Upromise TurboSaver (remove only)

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/31/2011 7:36:45 PM | Computer Name = DC64WRF1 | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft .NET Framework 1.1 -- Error 1706.No valid source
could be found for product Microsoft .NET Framework 1.1. The Windows installer
cannot continue.

Error - 1/31/2011 7:36:45 PM | Computer Name = DC64WRF1 | Source = MsiInstaller | ID = 1023
Description = Product: Microsoft .NET Framework 1.1 - Update '{2F6EFCE6-10DF-49F9-9E64-9AE3775B2588}'
could not be installed. Error code 1603. Additional information is available in
the log file C:\WINDOWS\TEMP\NDP1.1sp1-KB2416447-X86\NDP1.1sp1-KB2416447-X86-msi.0.log.

Error - 1/31/2011 7:36:46 PM | Computer Name = DC64WRF1 | Source = NativeWrapper | ID = 5000
Description =

Error - 1/31/2011 7:47:29 PM | Computer Name = DC64WRF1 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0, P2 moaccapability, P3 3.0.8107.0, P4
0, P5 0, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

Error - 1/31/2011 7:51:30 PM | Computer Name = DC64WRF1 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8007043c, P2 beginsearch, P3 search, P4
3.0.8107.0, P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 1/31/2011 7:53:13 PM | Computer Name = DC64WRF1 | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007043C from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 1/31/2011 7:53:13 PM | Computer Name = DC64WRF1 | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007043C from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 1/31/2011 9:20:03 PM | Computer Name = DC64WRF1 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0x80070003, P2 moac, P3 cachereset, P4 3.0.8107.0,
P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

Error - 1/31/2011 11:13:14 PM | Computer Name = DC64WRF1 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0, P2 moaccapability, P3 3.0.8107.0, P4
0, P5 0, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

Error - 2/3/2011 3:35:42 AM | Computer Name = DC64WRF1 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8107.0,
P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

[ OSession Events ]
Error - 5/10/2008 6:25:00 PM | Computer Name = DC64WRF1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6211.1000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1295
seconds with 1200 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 2/3/2011 3:35:42 AM | Computer Name = DC64WRF1 | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.97.752.0 Update Source: %%859 Update Stage:
%%852 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803

User:
NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6502.0 Error
code: 0x8024402c Error description: An unexpected problem occurred while checking
for updates. For information on installing or troubleshooting updates, see Help
and Support.

Error - 2/3/2011 6:57:55 PM | Computer Name = DC64WRF1 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 2/3/2011 6:57:55 PM | Computer Name = DC64WRF1 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 2/3/2011 6:58:10 PM | Computer Name = DC64WRF1 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 2/3/2011 6:58:10 PM | Computer Name = DC64WRF1 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 2/3/2011 7:15:05 PM | Computer Name = DC64WRF1 | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.115 for the Network Card with network
address 001D098B8BD5 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 2/3/2011 7:55:35 PM | Computer Name = DC64WRF1 | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070005: nVidia - Video - NVIDIA GeForce 8600 GTS.

Error - 2/3/2011 8:12:01 PM | Computer Name = DC64WRF1 | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070005: nVidia - Video - NVIDIA GeForce 8600 GTS.

Error - 2/3/2011 8:22:59 PM | Computer Name = DC64WRF1 | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070005: nVidia - Video - NVIDIA GeForce 8600 GTS.

Error - 2/4/2011 8:28:38 PM | Computer Name = DC64WRF1 | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.133 for the Network Card with network
address 001D098B8BD5 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).


< End of report >

#4 LarryDS

LarryDS
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Nevada-USA
  • Local time:03:55 AM

Posted 10 February 2011 - 05:51 PM

Ok, following the instructions I have run GMER & here are the results. Again I did not read ahead and assumed "disable any real-time active protection" was AV's. Since I was off-line I did not realize it meant also firewalls. So it was run with xp firewall on. Again at this point in time the only visible sign of infection is that "Security Center" in the control panel reports "more than one firewall". If xp firewall is stopped then it reports "Smart Internet Protection 2011 is ON"

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-10 14:34:38
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_HD501LJ rev.CR100-12
Running: 0j2wytex.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kftoapod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8BED360, 0x2F31A7, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Microsoft Security Client\msseces.exe[500] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01CA0001
.text C:\WINDOWS\system32\ctfmon.exe[884] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00AD0001
.text C:\Program Files\Upromise\dca-ua.exe[1012] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01A50001
.text C:\Program Files\Upromise\UpromiseTray.exe[1112] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 018D0001
.text C:\Program Files\palmOne\Hotsync.exe[1304] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 015B0001
.text C:\Program Files\palmOne\Hotsync.exe[1304] msvcrt.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A93C080 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1304] msvcrt.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1304] msvcrt.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A93C110 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1304] msvcrt.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A93BFE0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1304] msvcrt.dll!_aligned_free 77C29E33 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1304] msvcrt.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A93BFC0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1304] msvcrt.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A93C020 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1304] msvcrt.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A93C000 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1304] msvcrt.dll!_expand 77C29FE5 5 Bytes JMP 0A93BFA0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1304] msvcrt.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A93C160 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1304] msvcrt.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A93C170 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1304] msvcrt.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1304] msvcrt.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A93C260 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1304] msvcrt.dll!_heapused 77C2BE3A 5 Bytes JMP 0A93C230 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1304] msvcrt.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A93C1A0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1304] msvcrt.dll!_msize 77C2BF6C 5 Bytes JMP 0A93BEB0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1304] msvcrt.dll!calloc 77C2C0C3 5 Bytes JMP 0A93BE50 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1304] msvcrt.dll!free 77C2C21B 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1304] msvcrt.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\palmOne\Hotsync.exe[1304] msvcrt.dll!realloc 77C2C437 5 Bytes JMP 0A93BE90 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[1380] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E80001
.text C:\WINDOWS\Explorer.EXE[1612] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 03A70001
.text C:\WINDOWS\system32\ICO.EXE[1832] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CF0001
.text C:\WINDOWS\RTHDCPL.EXE[1844] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 04EC0001
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1868] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003F0001
.text ...

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device B254CD20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- EOF - GMER 1.0.15 ----

#5 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Collective
  • Local time:06:55 AM

Posted 11 February 2011 - 01:04 PM

Hey LarryDS :)

I will be handling your log. Plese give me some time to research the logs you have provided, and I will return with further instructions.

Best Regards,
oneof4.


#6 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Collective
  • Local time:06:55 AM

Posted 14 February 2011 - 04:34 PM

Hello LarryDS, and :welcome: to the Virus/Trojan/Spyware/Malware Removal forum.

I am oneof4, and I am here to help you!

  • I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received and do not proceed if you need clarification.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.
  • At the top right-center of the topic you will see a button called Watch Topic. If you click on this, another page will open. Please choose Immediate Notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.
  • If after 5 days you have not replied to this topic, I will assume it has been abandoned, and I will close it.
  • I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. :heart: Please be courteous and appreciative for the assistance provided!
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

======

Now, let's begin:

Please UNINSTALL the following programs through the ADD/REMOVE feature of your Control Panel:

Advanced SystemCare 3
IObit Security 360


======

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

======

Next,

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.

    :OTL
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:25465
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:25465
    IE - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:25465
    O4 - HKLM..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe (IObit)
    O4 - HKU\S-1-5-21-3409573255-1799108214-1649763889-1008..\Run: [Advanced SystemCare 3] C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe (IObit)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Java Plug-in 1.6.0_12)
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Value error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Value error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
    O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Java Plug-in 1.6.0_12)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab (Java Plug-in 1.6.0_12)
    [2011/02/03 15:46:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\IObit Security 360
    [2011/02/03 15:46:21 | 000,000,733 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\IObit Security 360.lnk
    @Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:62E2D794
    @Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.

Now, using Windows Explorer, I need you to DELETE the following bolded files and/or folder(s) and all their content:

C:\Program Files\IObit


Things I need to see in your next reply:

  • OTL fix log
  • Jotti or VirusTotal Results
  • A description of how things are now running.

Best Regards,
oneof4.


#7 LarryDS

LarryDS
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Nevada-USA
  • Local time:03:55 AM

Posted 15 February 2011 - 04:34 PM

Again I certainly appreciate your time and effort oneof4.

Removed Advanced systemCare 3 and IObit Securtiy 360 from Add/Remove in the control panel with no problems. But only took a couple seconds and each reported complete.

Ran jotti which I've never done before. This also only took a few seconds. If result means this "0 out of 19 scanners reported malware" and on the screen each scan engine reported something positive. If this is literal how can it be so fast?

Ran otl with the pasted info in the box. Rebooted - an update for Adobe Flash player came up that I am sitting on until I hear from you. Again at this point in time the only visible sign of infection is that "Security Center" in the control panel reports "more than one firewall". If xp firewall is stopped then it reports "Smart Internet Protection 2011 is ON". This behavior still exists. Following is the otl log. Again I appreciated your time and effort.

Larry

========== OTL ==========
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
HKU\S-1-5-21-3409573255-1799108214-1649763889-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\IObit Security 360 not found.
File C:\Program Files\IObit\IObit Security 360\IS360tray.exe not found.
Registry value HKEY_USERS\S-1-5-21-3409573255-1799108214-1649763889-1008\Software\Microsoft\Windows\CurrentVersion\Run\\Advanced SystemCare 3 not found.
File C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe not found.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Folder C:\Documents and Settings\All Users\Start Menu\Programs\IObit Security 360\ not found.
File C:\Documents and Settings\All Users\Desktop\IObit Security 360.lnk not found.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:62E2D794 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1 deleted successfully.

OTL by OldTimer - Version 3.2.20.6 log created on 02152011_130515

#8 LarryDS

LarryDS
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Nevada-USA
  • Local time:03:55 AM

Posted 15 February 2011 - 04:38 PM

I going to shut the computer down - not doing anything with the adobe update and wait for your reply on another computer.

#9 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Collective
  • Local time:06:55 AM

Posted 16 February 2011 - 06:04 PM

Hello LarryDS :)


Running ComboFix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
  • IMPORTANT - Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

    Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now

Best Regards,
oneof4.


#10 LarryDS

LarryDS
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Nevada-USA
  • Local time:03:55 AM

Posted 17 February 2011 - 09:54 PM

Followed last instructions:
Downloaded & ran combofix with Microsoft Security Essentials real-time protection turned off.
Two warnings from combofix that "Smart Internet Protection 2011" was active
Microsoft Windows recovery console was downloaded and installed
Combofix completed sucessfully and created log.txt
When Internet Explorer was launched a dialog box indicated "Internet Explorer is not currently your default browser"
Security Center still reports two firewalls.
Security Center does not report "no virus protection" when Essentials is defeated.
Computer appears to be running ok - with no redirects or false virus scare windows popping up as in the very beginning.
Log to follow: Thank you very much for your contining help.

ComboFix 11-02-17.01 - Owner 02/17/2011 18:25:29.1.2 - x86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Smart Internet Protection 2011 *Enabled/Updated* {B1FFC698-C832-4176-81E5-535050FCBBF4}
FW: Smart Internet Protection 2011 *Enabled* {28B39011-3EEC-4112-B493-AE64B5EA2A7F}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\2fac2e
c:\documents and settings\All Users\Application Data\2fac2e\5157.mof
c:\documents and settings\All Users\Application Data\2fac2e\BackUp\HotSync Manager.lnk
c:\documents and settings\All Users\Application Data\2fac2e\BackUp\Nikon Monitor.lnk
c:\documents and settings\All Users\Application Data\2fac2e\BackUp\Windows Search.lnk
c:\documents and settings\All Users\Application Data\2fac2e\f5fbc8b12a95ad92e228592202a9d925.ocx
c:\documents and settings\All Users\Application Data\2fac2e\g8z6avge7lkakg5e7tcz6afgm9qbxwg.dll
c:\documents and settings\All Users\Application Data\2fac2e\SIP.ico
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\system32\Drivers\wcepiekvrhos.sys
c:\windows\system32\Drivers\wwrbuewxcndv.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_wcepiekvrhos
-------\Legacy_wwrbuewxcndv
-------\Service_wcepiekvrhos
-------\Service_wwrbuewxcndv


((((((((((((((((((((((((( Files Created from 2011-01-18 to 2011-02-18 )))))))))))))))))))))))))))))))
.

2011-02-15 21:05 . 2011-02-15 21:05 -------- d-----w- C:\_OTL
2011-02-15 20:51 . 2011-01-13 09:41 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{65F63A08-2066-4408-A220-11D121FC6C4A}\mpengine.dll
2011-02-12 03:46 . 2011-02-12 03:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-02-04 00:40 . 2007-06-02 02:33 356352 ----a-w- c:\windows\system32\NVUNINST.EXE
2011-02-04 00:40 . 2003-11-11 02:14 729088 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKernel.dll
2011-02-04 00:40 . 2003-11-11 02:13 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ctor.dll
2011-02-04 00:40 . 2003-11-11 02:12 266240 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iscript.dll
2011-02-04 00:40 . 2003-11-11 02:12 192512 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iuser.dll
2011-02-04 00:40 . 2003-11-11 02:11 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\DotNetInstaller.exe
2011-02-04 00:40 . 2011-02-04 00:40 311428 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\setup.dll
2011-02-04 00:40 . 2011-02-04 00:40 188548 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iGdi.dll
2011-02-04 00:40 . 2007-06-02 01:19 167936 ----a-w- c:\windows\system32\nvwrszht.dll
2011-02-04 00:40 . 2007-06-02 01:19 163840 ----a-w- c:\windows\system32\nvwrszhc.dll
2011-02-04 00:40 . 2007-06-02 01:19 225280 ----a-w- c:\windows\system32\nvrszhc.dll
2011-02-04 00:40 . 2007-06-02 01:19 122880 ----a-w- c:\windows\system32\nvrszht.dll
2011-02-04 00:39 . 2011-02-04 00:39 -------- d-----w- C:\Intel
2011-02-04 00:11 . 2011-02-04 00:27 -------- d-----w- c:\windows\NV22562152.TMP
2011-02-04 00:06 . 2011-02-04 00:27 -------- d-----w- c:\windows\NV572984.TMP
2011-02-03 23:58 . 2011-01-13 09:41 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-02-03 23:57 . 2011-02-03 23:58 -------- d-----w- c:\program files\MSN Toolbar
2011-02-03 23:57 . 2011-02-03 23:58 -------- d-----w- c:\program files\Bing Bar Installer
2011-02-03 23:55 . 2011-02-03 23:55 -------- d-----w- c:\windows\system32\winrm
2011-02-03 23:55 . 2011-02-03 23:55 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2011-02-01 03:13 . 2011-02-01 03:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2011-02-01 01:19 . 2011-02-01 01:20 -------- d-----w- c:\program files\Microsoft Security Client
2011-02-01 00:37 . 2010-12-21 02:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-01 00:37 . 2010-12-21 02:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-01 00:24 . 2011-02-03 23:46 -------- d-----w- c:\documents and settings\Owner\Application Data\IObit
2011-01-31 23:51 . 2011-01-31 23:51 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2011-01-30 23:23 . 2011-01-30 23:23 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-01-30 23:17 . 2011-01-30 23:17 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sunbelt Software
2011-01-30 22:57 . 2011-01-30 22:57 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-01-30 22:53 . 2011-01-30 22:53 -------- d-----w- c:\documents and settings\Owner\Pavark
2011-01-30 21:54 . 2011-01-30 21:54 -------- d-----w- c:\documents and settings\Owner\Application Data\upromise
2011-01-30 21:54 . 2011-01-30 21:54 -------- d-----w- c:\program files\Upromise
2011-01-29 22:59 . 2011-01-29 22:59 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-01-29 22:17 . 2011-01-29 22:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-01-29 22:16 . 2011-01-29 22:16 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-01-29 05:37 . 2011-01-29 05:37 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SIWSP
2011-01-21 14:44 . 2011-01-21 14:44 439296 ------w- c:\windows\system32\dllcache\shimgvw.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2004-08-11 23:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-11 23:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-11 23:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-11 23:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-08-11 23:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2004-08-11 23:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2004-08-11 23:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2004-08-11 23:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-11 23:00 385024 ----a-w- c:\windows\system32\html.iec
2010-12-11 02:29 . 2010-12-11 02:29 64864 ----a-w- c:\windows\system32\sqlctr90.dll
2010-12-11 02:29 . 2010-12-11 02:29 2248032 ----a-w- c:\windows\system32\sqlncli.dll
2010-12-09 15:15 . 2004-08-11 23:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2004-08-11 23:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2004-08-11 23:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-04 04:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Upromise Update"="c:\program files\Upromise\dca-ua.exe" [2010-12-02 175800]
"Upromise Tray"="c:\program files\Upromise\UpromiseTray.exe" [2010-12-14 241360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-02 8429568]
"PMX Daemon"="ICO.EXE" [2006-11-08 49152]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-22 16132608]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-29 1838592]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-24 188416]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2002-06-20 339968]
"HPHUPD04"="c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-05-24 49152]
"Picture Easy Download"="c:\program files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe" [1998-04-01 39424]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-09 47904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"Bing Bar"="c:\program files\MSN Toolbar\Platform\6.3.2380.0\mswinext.exe" [2010-11-13 273672]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-6-5 479232]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [3/12/2009 8:27 PM 600944]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [3/12/2009 8:27 PM 600944]
S1 MpKsl29ce37d8;MpKsl29ce37d8;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{473BA8C4-6BFF-4DAF-8A8C-FA8AC293A68B}\MpKsl29ce37d8.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{473BA8C4-6BFF-4DAF-8A8C-FA8AC293A68B}\MpKsl29ce37d8.sys [?]
S1 MpKslb2dc1181;MpKslb2dc1181;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{65F63A08-2066-4408-A220-11D121FC6C4A}\MpKslb2dc1181.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{65F63A08-2066-4408-A220-11D121FC6C4A}\MpKslb2dc1181.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/1/2010 9:03 PM 135664]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/11/2004 3:00 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-11-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

2011-02-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-27 02:44]

2011-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 05:03]

2011-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 05:03]

2011-02-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 20:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-17 18:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b7,60,4a,3c,fd,3f,be,48,90,54,e9,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b7,60,4a,3c,fd,3f,be,48,90,54,e9,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3736)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\ICO.EXE
c:\windows\RTHDCPL.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-02-17 18:33:59 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-18 02:33

Pre-Run: 455,754,067,968 bytes free
Post-Run: 455,699,189,760 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 4AB97C887AF09B21AAB244DE6C2D8D9B

#11 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Collective
  • Local time:06:55 AM

Posted 18 February 2011 - 05:59 PM

Hello LarryDS :)


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

SecCenter::

AV: Smart Internet Protection 2011 *Enabled/Updated* {B1FFC698-C832-4176-81E5-535050FCBBF4}

FW: Smart Internet Protection 2011 *Enabled*


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

======

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following files, one at a time, and click Submit.

c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{473BA8C4-6BFF-4DAF-8A8C-FA8AC293A68B}\MpKsl29ce37d8.sys

c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{65F63A08-2066-4408-A220-11D121FC6C4A}\MpKslb2dc1181.sys[/b]

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


Things I need to see in your next reply:

  • ComboFix.txt
  • Jotti or VirusTotal Results
  • A description of how things are now running.

Best Regards,
oneof4.


#12 LarryDS

LarryDS
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Nevada-USA
  • Local time:03:55 AM

Posted 19 February 2011 - 02:14 PM

Copied instructions into micorosft office so I could close down browser.
Created combofix.txt ok (Warning that Smart Internet Protection 2011 is active)
Launched joti, but the last directory in the file path does not exist. Another folder exists
C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EFE55920-A1E0-449B-B5DC-F4A3C8956F6A}
with severals files in it ending with .vdm and one .dll.
Combofix.txt to follow.
Security Center still indicates two firewalls. Other than that computer still seems normal without redirects or false virus warnings.


ComboFix 11-02-18.05 - Owner 02/19/2011 10:47:58.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2431 [GMT -8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\cfscript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Smart Internet Protection 2011 *Enabled* {28B39011-3EEC-4112-B493-AE64B5EA2A7F}
.

((((((((((((((((((((((((( Files Created from 2011-01-19 to 2011-02-19 )))))))))))))))))))))))))))))))
.

2011-02-19 18:45 . 2011-01-13 09:41 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EFE55920-A1E0-449B-B5DC-F4A3C8956F6A}\mpengine.dll
2011-02-15 21:05 . 2011-02-15 21:05 -------- d-----w- C:\_OTL
2011-02-12 03:46 . 2011-02-12 03:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-02-04 00:40 . 2007-06-02 02:33 356352 ----a-w- c:\windows\system32\NVUNINST.EXE
2011-02-04 00:40 . 2003-11-11 02:14 729088 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKernel.dll
2011-02-04 00:40 . 2003-11-11 02:13 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\ctor.dll
2011-02-04 00:40 . 2003-11-11 02:12 266240 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iscript.dll
2011-02-04 00:40 . 2003-11-11 02:12 192512 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iuser.dll
2011-02-04 00:40 . 2003-11-11 02:11 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\DotNetInstaller.exe
2011-02-04 00:40 . 2011-02-04 00:40 311428 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\setup.dll
2011-02-04 00:40 . 2011-02-04 00:40 188548 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iGdi.dll
2011-02-04 00:40 . 2007-06-02 01:19 167936 ----a-w- c:\windows\system32\nvwrszht.dll
2011-02-04 00:40 . 2007-06-02 01:19 163840 ----a-w- c:\windows\system32\nvwrszhc.dll
2011-02-04 00:40 . 2007-06-02 01:19 225280 ----a-w- c:\windows\system32\nvrszhc.dll
2011-02-04 00:40 . 2007-06-02 01:19 122880 ----a-w- c:\windows\system32\nvrszht.dll
2011-02-04 00:39 . 2011-02-04 00:39 -------- d-----w- C:\Intel
2011-02-04 00:11 . 2011-02-04 00:27 -------- d-----w- c:\windows\NV22562152.TMP
2011-02-04 00:06 . 2011-02-04 00:27 -------- d-----w- c:\windows\NV572984.TMP
2011-02-03 23:58 . 2011-01-13 09:41 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-02-03 23:57 . 2011-02-03 23:58 -------- d-----w- c:\program files\MSN Toolbar
2011-02-03 23:57 . 2011-02-03 23:58 -------- d-----w- c:\program files\Bing Bar Installer
2011-02-03 23:55 . 2011-02-03 23:55 -------- d-----w- c:\windows\system32\winrm
2011-02-03 23:55 . 2011-02-03 23:55 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2011-02-01 03:13 . 2011-02-01 03:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2011-02-01 01:19 . 2011-02-01 01:20 -------- d-----w- c:\program files\Microsoft Security Client
2011-02-01 00:37 . 2010-12-21 02:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-01 00:37 . 2010-12-21 02:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-01 00:24 . 2011-02-03 23:46 -------- d-----w- c:\documents and settings\Owner\Application Data\IObit
2011-01-31 23:51 . 2011-01-31 23:51 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2011-01-30 23:23 . 2011-01-30 23:23 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-01-30 23:17 . 2011-01-30 23:17 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sunbelt Software
2011-01-30 22:57 . 2011-01-30 22:57 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-01-30 22:53 . 2011-01-30 22:53 -------- d-----w- c:\documents and settings\Owner\Pavark
2011-01-30 21:54 . 2011-01-30 21:54 -------- d-----w- c:\documents and settings\Owner\Application Data\upromise
2011-01-30 21:54 . 2011-01-30 21:54 -------- d-----w- c:\program files\Upromise
2011-01-29 22:59 . 2011-01-29 22:59 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-01-29 22:17 . 2011-01-29 22:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-01-29 22:16 . 2011-01-29 22:16 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-01-29 05:37 . 2011-01-29 05:37 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SIWSP
2011-01-21 14:44 . 2011-01-21 14:44 439296 ------w- c:\windows\system32\dllcache\shimgvw.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2004-08-11 23:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-11 23:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-11 23:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-11 23:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-08-11 23:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2004-08-11 23:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2004-08-11 23:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2004-08-11 23:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-11 23:00 385024 ----a-w- c:\windows\system32\html.iec
2010-12-11 02:29 . 2010-12-11 02:29 64864 ----a-w- c:\windows\system32\sqlctr90.dll
2010-12-11 02:29 . 2010-12-11 02:29 2248032 ----a-w- c:\windows\system32\sqlncli.dll
2010-12-09 15:15 . 2004-08-11 23:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2004-08-11 23:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2004-08-11 23:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-04 04:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Upromise Update"="c:\program files\Upromise\dca-ua.exe" [2010-12-02 175800]
"Upromise Tray"="c:\program files\Upromise\UpromiseTray.exe" [2010-12-14 241360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-02 8429568]
"PMX Daemon"="ICO.EXE" [2006-11-08 49152]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-22 16132608]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-29 1838592]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-24 188416]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2002-06-20 339968]
"HPHUPD04"="c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-05-24 49152]
"Picture Easy Download"="c:\program files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe" [1998-04-01 39424]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-09 47904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"Bing Bar"="c:\program files\MSN Toolbar\Platform\6.3.2380.0\mswinext.exe" [2010-11-13 273672]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-6-5 479232]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [3/12/2009 8:27 PM 600944]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [3/12/2009 8:27 PM 600944]
S1 MpKsl29ce37d8;MpKsl29ce37d8;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{473BA8C4-6BFF-4DAF-8A8C-FA8AC293A68B}\MpKsl29ce37d8.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{473BA8C4-6BFF-4DAF-8A8C-FA8AC293A68B}\MpKsl29ce37d8.sys [?]
S1 MpKslb2dc1181;MpKslb2dc1181;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{65F63A08-2066-4408-A220-11D121FC6C4A}\MpKslb2dc1181.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{65F63A08-2066-4408-A220-11D121FC6C4A}\MpKslb2dc1181.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/1/2010 9:03 PM 135664]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/11/2004 3:00 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-11-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

2011-02-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-27 02:44]

2011-02-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 05:03]

2011-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 05:03]

2011-02-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 20:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-19 10:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b7,60,4a,3c,fd,3f,be,48,90,54,e9,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b7,60,4a,3c,fd,3f,be,48,90,54,e9,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2796)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-02-19 10:53:01
ComboFix-quarantined-files.txt 2011-02-19 18:52
ComboFix2.txt 2011-02-18 02:33

Pre-Run: 455,640,403,968 bytes free
Post-Run: 455,615,512,576 bytes free

- - End Of File - - 80D9F4CC61E33028C391D2BB548DC522

#13 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Collective
  • Local time:06:55 AM

Posted 20 February 2011 - 11:04 PM

Hello LarryDS :)

Let's try this again, shall we...

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

SecCenter::

{28B39011-3EEC-4112-B493-AE64B5EA2A7F}


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Did that correct the "two firewalls" being listed? How is everything else running?

Best Regards,
oneof4.


#14 LarryDS

LarryDS
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Nevada-USA
  • Local time:03:55 AM

Posted 22 February 2011 - 10:10 PM

Oneof4,

Cool, finally.

When Microsoft Essentials is defeated - security center reports it.
When Windows Firewall is defeated - security center reports it.

I thank you very much for your time and effort.

Larry

#15 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Collective
  • Local time:06:55 AM

Posted 23 February 2011 - 07:09 PM

Hi LarryDS :)

That's Great! We finally got you back to normal. :thumbsup:

Let's take a final look at your system to make sure we didn't miss anything:

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

Best Regards,
oneof4.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users