Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

infected with Win32/Alureon.H Virus & google, yahoo keeps redirecting me


  • This topic is locked This topic is locked
21 replies to this topic

#1 win-day-ci-tay

win-day-ci-tay

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 30 March 2011 - 04:04 PM

When using either Google or Yahoo search, i will be redirected to other websites. I ran the Windows Live OneCare safety scanner and it told me i had Win32/Alureon.H Virus and another threat that im sorry cant remember. I downladed maleware bytes but when installing would create errors and would freeze and would not be able to install. Thank You for your help!

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Daniel Castillo at 15:16:34.36 on Wed 03/30/2011
internet explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.639.233 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Daniel Castillo\Desktop\dds.scr
.
============== Running Processes ===============
.
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Daniel Castillo\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
.
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©
.
HKEY_CURRENT_USER\software\microsoft\internet explorer\main
NoUpdateCheck REG_DWORD 0 (0x0)
Disable Script Debugger REG_SZ yes
Anchor Underline REG_SZ yes
Cache_Update_Frequency REG_SZ Once_Per_Session
Display Inline Images REG_SZ yes
Do404Search REG_BINARY 01000000
Save_Session_History_On_Exit REG_SZ no
Show_FullURL REG_SZ no
Show_StatusBar REG_SZ yes
Show_ToolBar REG_SZ yes
Show_URLinStatusBar REG_SZ yes
Show_URLToolBar REG_SZ yes
Use_DlgBox_Colors REG_SZ yes
Search Page REG_SZ http://rd.yahoo.com/customize/sbcy/defaults/sp/*http://www.yahoo.com
Search Bar REG_SZ http://rd.yahoo.com/customize/sbcy/defaults/sb/*http://www.yahoo.com/search/ie.html
Use Custom Search URL REG_DWORD 1 (0x1)
Expand Alt Text REG_SZ no
Move System Caret REG_SZ no
DisableScriptDebuggerIE REG_SZ yes
Page_Transitions REG_DWORD 1 (0x1)
Enable Browser Extensions REG_SZ yes
UseThemes REG_DWORD 1 (0x1)
Force Offscreen Composition REG_DWORD 0 (0x0)
SmoothScroll REG_DWORD 0 (0x0)
Enable AutoImageResize REG_SZ yes
Play_Animations REG_SZ yes
Play_Background_Sounds REG_SZ yes
Display Inline Videos REG_DWORD 1 (0x1)
Show image placeholders REG_DWORD 0 (0x0)
Print_Background REG_SZ no
StatusBarWeb REG_DWORD 1 (0x1)
XMLHTTP REG_DWORD 1 (0x1)
UseClearType REG_SZ yes
SearchMigrated REG_DWORD 1 (0x1)
SearchMigratedDefaultName REG_SZ Yahoo! Search
SearchMigratedDefaultURL REG_SZ http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
SearchMigratedInstalled REG_DWORD 1 (0x1)
IE8RunOnceLastShown REG_DWORD 1 (0x1)
IE8RunOncePerInstallCompleted REG_DWORD 0 (0x0)
IE8RunOnceCompletionTime REG_BINARY a00ebf5ef2eac901
IE8TourShown REG_DWORD 1 (0x1)
IE8TourShownTime REG_BINARY 50a7378ea2edcb01
SearchControlWidth REG_DWORD 300 (0x12c)
DOMStorage REG_DWORD 1 (0x1)
ForceGDIPlus REG_DWORD 0 (0x0)
SuppressScriptDebuggerDialog REG_DWORD 0 (0x0)
CSS_Compat REG_SZ doctype
Use Stylesheets REG_DWORD 1 (0x1)
UseHR REG_DWORD 0 (0x0)
Q300829 REG_DWORD 0 (0x0)
Cleanup HTCs REG_DWORD 0 (0x0)
XDomainRequest REG_DWORD 1 (0x1)
IE8TourNoShow REG_DWORD 0 (0x0)
FrameTabWindow REG_DWORD 1 (0x1)
AdminTabProcs REG_DWORD 1 (0x1)
SessionMerging REG_DWORD 1 (0x1)
FrameMerging REG_DWORD 1 (0x1)
HangResistantFrame REG_DWORD 0 (0x0)
TabShutdownDelay REG_DWORD 60000 (0xea60)
FrameShutdownDelay REG_DWORD 0 (0x0)
Start Page REG_SZ http://yahoo.com/
NscSingleExpand REG_DWORD 0 (0x0)
Error Dlg Displayed On Every Error REG_SZ no
EnableSearchPane REG_DWORD 0 (0x0)
NotifyDownloadComplete REG_SZ yes
AllowWindowReuse REG_DWORD 1 (0x1)
Friendly http errors REG_SZ yes
AutoSearch REG_DWORD 4 (0x4)
CompatibilityFlags REG_DWORD 0 (0x0)
FullScreen REG_SZ no
Window_Placement REG_BINARY 2c0000000000000001000000ffffffffffffffffffffffffffffffffb30000006b000000ab040000f2030000
IE8RunOnceLastShown_TIMESTAMP REG_BINARY 10583162c9eecb01
.
HKEY_CURRENT_USER\software\microsoft\internet explorer\main\Default Feeds
.
HKEY_CURRENT_USER\software\microsoft\internet explorer\main\FeatureControl
.
HKEY_CURRENT_USER\software\microsoft\internet explorer\main\Touch
.
HKEY_CURRENT_USER\software\microsoft\internet explorer\main\WindowsSearch
.
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©
.
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main
Enable_Disk_Cache REG_SZ yes
Cache_Percent_of_Disk REG_BINARY 0a000000
Delete_Temp_Files_On_Exit REG_SZ yes
Anchor_Visitation_Horizon REG_BINARY 01000000
Use_Async_DNS REG_SZ yes
Placeholder_Width REG_BINARY 1a000000
Placeholder_Height REG_BINARY 1a000000
CompanyName REG_SZ Microsoft Corporation
Custom_Key REG_SZ MICROSO
Wizard_Version REG_SZ 6.0.2600.0000
FullScreen REG_SZ no
Default_Secondary_Page_URL REG_MULTI_SZ \0
Extensions Off Page REG_SZ about:NoAdd-ons
Security Risk Page REG_SZ about:SecurityRisk
Check_Associations REG_SZ yes
DEPOff REG_DWORD 0 (0x0)
StatusBarWeb REG_DWORD 1 (0x1)
SearchControlWidth REG_DWORD 300 (0x12c)
ForceGDIPlus REG_DWORD 0 (0x0)
MaxRenderLine REG_DWORD 4000 (0xfa0)
UseClearType REG_SZ yes
Page_Transitions REG_DWORD 1 (0x1)
Use_DlgBox_Colors REG_SZ yes
Anchor Underline REG_SZ yes
Display Inline Images REG_SZ yes
Display Inline Videos REG_DWORD 1 (0x1)
Play_Background_Sounds REG_SZ yes
Play_Animations REG_SZ yes
Print_Background REG_SZ no
SmoothScroll REG_DWORD 1 (0x1)
XMLHTTP REG_DWORD 1 (0x1)
Show image placeholders REG_DWORD 0 (0x0)
Disable Script Debugger REG_SZ yes
Enable AutoImageResize REG_SZ yes
XDomainRequest REG_DWORD 1 (0x1)
DOMStorage REG_DWORD 1 (0x1)
IE8RunOnceLastShown REG_DWORD 0 (0x0)
IE8RunOncePerInstallCompleted REG_DWORD 0 (0x0)
IE8TourNoShow REG_DWORD 0 (0x0)
IE8TourShown REG_DWORD 0 (0x0)
FrameTabWindow REG_DWORD 1 (0x1)
AdminTabProcs REG_DWORD 1 (0x1)
SessionMerging REG_DWORD 1 (0x1)
FrameMerging REG_DWORD 1 (0x1)
HangResistantFrame REG_DWORD 0 (0x0)
TabShutdownDelay REG_DWORD 60000 (0xea60)
FrameShutdownDelay REG_DWORD 0 (0x0)
.
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main\ErrorThresholds
.
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main\FeatureControl
.
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main\UrlTemplate
.
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main\WindowsSearch
.
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©
.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings
User Agent REG_SZ Mozilla/4.0 (compatible; MSIE 8.0; Win32)
IE5_UA_Backup_Flag REG_SZ 5.0
NoNetAutodial REG_DWORD 0 (0x0)
MigrateProxy REG_DWORD 1 (0x1)
EnableNegotiate REG_DWORD 1 (0x1)
ProxyEnable REG_DWORD 0 (0x0)
EmailName REG_SZ IEUser@
AutoConfigProxy REG_SZ wininet.dll
MimeExclusionListForCache REG_SZ multipart/mixed multipart/x-mixed-replace multipart/x-byteranges
WarnOnPost REG_BINARY 01000000
UseSchannelDirectly REG_BINARY 01000000
EnableHttp1_1 REG_DWORD 1 (0x1)
PrivacyAdvanced REG_DWORD 0 (0x0)
EnableAutodial REG_DWORD 0 (0x0)
GlobalUserOffline REG_DWORD 0 (0x0)
DisconnectIdleTime REG_BINARY 14000000
PrivDiscUiShown REG_DWORD 1 (0x1)
UrlEncoding REG_DWORD 0 (0x0)
ProxyHttp1.1 REG_DWORD 1 (0x1)
CertificateRevocation REG_DWORD 0 (0x0)
DisableCachingOfSSLPages REG_DWORD 0 (0x0)
SecureProtocols REG_DWORD 160 (0xa0)
WarnonBadCertRecving REG_DWORD 1 (0x1)
WarnonZoneCrossing REG_DWORD 0 (0x0)
WarnOnPostRedirect REG_DWORD 1 (0x1)
ZonesSecurityUpgradeDone REG_DWORD 1 (0x1)
ZonesSecurityUpgrade REG_BINARY 502543aff1eac901
ProxyOverride REG_SZ *.local
SyncMode5 REG_DWORD 0 (0x0)
ShowPunycode REG_DWORD 0 (0x0)
EnablePunycode REG_DWORD 1 (0x1)
DisableIDNPrompt REG_DWORD 0 (0x0)
CreateUriCacheSize REG_DWORD 80 (0x50)
CoInternetCombineIUriCacheSize REG_DWORD 80 (0x50)
SecurityIdIUriCacheSize REG_DWORD 30 (0x1e)
SpecialFoldersCacheSize REG_DWORD 8 (0x8)
WarnOnIntranet REG_DWORD 1 (0x1)
.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\5.0
.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Activities
.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Cache
.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Connections
.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Http Filters
.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Lockdown_Zones
.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\P3P
.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Passport
.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Protocols
.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\TemplatePolicies
.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Url History
.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\ZoneMap
.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Zones
.
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©
.
HKEY_CURRENT_USER\software\microsoft\internet explorer\search
.
HKEY_CURRENT_USER\software\microsoft\internet explorer\search\SearchProperties
usearchurl,(default) = hxxp://rd.yahoo.com/customize/sbcy/defaults/su/*http://www.yahoo.com
.
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©
.
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\search
CustomSearch REG_SZ http://rd.yahoo.com/customize/sbcy/defaults/cs/*http://www.yahoo.com/search/ie.html
SteelWerX Registry Console Tool 2.0URLSearchHooks: H - No File
Written by Bobbi Flekman 2006 ©URLSearchHooks: H - No File
HKEY_CURRENT_USER\software\microsoft\internet explorer\urlsearchhooksURLSearchHooks: H - No File
SteelWerX Registry Console Tool 2.0URLSearchHooks: H - No File
Written by Bobbi Flekman 2006 ©URLSearchHooks: H - No File
Error: Key: software\microsoft\internet explorer\urlsearchhooks does not exist!URLSearchHooks: H - No File
SteelWerX Registry Console Tool 2.0URLSearchHooks: H - No File
Written by Bobbi Flekman 2006 ©URLSearchHooks: H - No File
Error: Key: .default\software\microsoft\internet explorer\urlsearchhooks does not exist!URLSearchHooks: H - No File
.
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©
.
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
AutoRestartShell REG_DWORD 1 (0x1)
DefaultDomainName REG_SZ HK7YN01
DefaultUserName REG_SZ Daniel Castillo
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PowerdownAfterShutdown REG_SZ 0
ReportBootOk REG_SZ 1
Shell REG_SZ Explorer.exe
ShutdownWithoutLogon REG_SZ 0
System REG_SZ
Userinit REG_SZ c:\WINDOWS\system32e\userinit.exe,
VmApplet REG_SZ rundll32 shell32,Control_RunDLL "sysdm.cpl"
SfcQuota REG_DWORD -1 (0xffffffff)
allocatecdroms REG_SZ 0
allocatedasd REG_SZ 0
allocatefloppies REG_SZ 0
cachedlogonscount REG_SZ 10
forceunlocklogon REG_DWORD 0 (0x0)
passwordexpirywarning REG_DWORD 14 (0xe)
scremoveoption REG_SZ 0
AllowMultipleTSSessions REG_DWORD 1 (0x1)
UIHost REG_EXPAND_SZ logonui.exe
LogonType REG_DWORD 1 (0x1)
Background REG_SZ 0 0 0
DebugServerCommand REG_SZ no
SFCDisable REG_DWORD 0 (0x0)
WinStationsDisabled REG_SZ 0
HibernationPreviouslyEnabled REG_DWORD 1 (0x1)
ShowLogonOptions REG_DWORD 0 (0x0)
AltDefaultUserName REG_SZ Daniel Castillo
AltDefaultDomainName REG_SZ HK7YN01
ChangePasswordUseKerberos REG_DWORD 1 (0x1)
.
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions
.
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify
.
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\SCLogon
.
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\SpecialAccounts
.
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Credentials
.
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©
.
HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon
ParseAutoexec REG_SZ 1
ExcludeProfileDirs REG_SZ Local Settings;Temporary Internet Files;History;Temp;Local Settings\Application Data\Microsoft\Outlook
BuildNumber REG_DWORD 2600 (0xa28)
.
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©
.
HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows
DebugOptions REG_SZ 2048
Documents REG_SZ
DosPrint REG_SZ no
load REG_SZ
NetMessage REG_SZ no
NullPort REG_SZ None
Programs REG_SZ com exe bat pif cmd
Device REG_SZ Microsoft XPS Document Writer,winspool,Ne00:
BHO: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File
BHO: <NO NAME> - No File
urun: [MSMSGS] "c:\Program Files\Messengere\msmsgs.exe" /background
urun: [ctfmon.exe] c:\WINDOWS\system32e\ctfmon.exe
mrun: [AdaptecDirectCD] c:\Program Files\Adaptec\Easy CD Creator 5\DirectCDe\DirectCD.exe
mrun: [HPDJ Taskbar Utility] c:\WINDOWS\system32\spool\drivers\w32x86\3e\hpztsb10.exe
mrun: [D066UUtility] c:\WINDOWS\TWAIN_32\D66Ue\D066UUTY.EXE
mrun: [c:\Program Files\SBC Yahoo!\Connection Managere\ConnectionManager.exe ] SBC Yahoo! Connection Manager
mrun: [QuickTime Task] "c:\Program Files\QuickTimee\qttask.exe" -atboottime
mrun: [iTunesHelper] "c:\Program Files\iTunese\iTunesHelper.exe"
mrun: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 8.0\Readere\Reader_sl.exe"
mrun: [LogMeIn GUI] "c:\Program Files\LogMeIn\x86e\LogMeInSystray.exe"
mrun: [Corel Photo Downloader] c:\Program Files\CVS\CVS Photo Editor Pluse\Corel Photo Downloader.exe
drunonce: [RunNarrator] Narrator.exe
c:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\KODAKE~1.LNK - C:\Program Files\Kodak\Kodak EasyShare software\bine\EasyShare.exe
c:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Program Files\Microsoft Office\Office10e\OSA.EXE
mpolicies-explorer: NoActiveDesktop = 1 (0x1)
.
ie: SteelWerX Registry Console Tool 2.0
ie: Written by Bobbi Flekman 2006 ©
.
ie: HKEY_CURRENT_USER\software\microsoft\internet explorer\menuext
.
ie: {SteelWerX Registry Console Tool 2.0
ie: {Written by Bobbi Flekman 2006 ©
.
ie: {HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions
.
ie: {HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF}
ie: { Default Visible - REG_SZ Yes
ie: { ButtonText - REG_SZ PokerStars
ie: { Icon - REG_SZ c:\Program Files\PokerStarse\main.ico
ie: { HotIcon - REG_SZ c:\Program Files\PokerStarse\main.ico
ie: { Exec - REG_SZ c:\Program Files\PokerStarse\PokerStarsUpdate.exe
.
ie: {HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583}
ie: { MenuText - REG_SZ @xpsp3res.dll,-20001
ie: { Exec - REG_SZ %windir%\Network Diagnostic\xpnetdiag.exe
.
ie: {HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D}
ie: { Default Visible - REG_SZ Yes
ie: { ButtonText - REG_SZ PokerStars.net
ie: { Icon - REG_SZ c:\Program Files\PokerStars.NETe\main.ico
ie: { HotIcon - REG_SZ c:\Program Files\PokerStars.NETe\main.ico
ie: { Exec - REG_SZ c:\Program Files\PokerStars.NETe\PokerStarsUpdate.exe
.
ie: {HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ie: { ButtonText - REG_SZ Messenger
ie: { Default Visible - REG_SZ Yes
ie: { Exec - REG_SZ c:\Program Files\Messengere\msmsgs.exe
ie: { HotIcon - REG_SZ c:\Program Files\Messengere\msmsgs.exe,302
ie: { Icon - REG_SZ c:\Program Files\Messengere\msmsgs.exe,301
ie: { MenuText - REG_SZ Windows Messenger
ie: { ToolTip - REG_SZ Windows Messenger
IE: { CLSID - REG_SZ {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - {1fba04ee-3024-11d2-8f1f-0000f87abd16}\inprocserver32 does not exist!
IE: { CLSID - REG_SZ {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - {1fba04ee-3024-11d2-8f1f-0000f87abd16}\inprocserver32 does not exist!
IE: { CLSID - REG_SZ {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - {1fba04ee-3024-11d2-8f1f-0000f87abd16}\inprocserver32 does not exist!
IE: { CLSID - REG_SZ {1FBA04EE-3024-11D2-8F1F-0000F87ABD16} - {1fba04ee-3024-11d2-8f1f-0000f87abd16}\inprocserver32 does not exist!
https REG_DWORD 2 (0x2)
.
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{17492023-C23A-453E-A040-C7C580BBF700}
SystemComponent REG_DWORD 0 (0x0)
Installer REG_SZ MSICD
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{17492023-C23A-453E-A040-C7C580BBF700}\Contains
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{17492023-C23A-453E-A040-C7C580BBF700}\Contains\Files
c:\WINDOWS\system32e\LegitCheckControl.DLL REG_SZ
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{17492023-C23A-453E-A040-C7C580BBF700}\DownloadInformation
CODEBASE REG_SZ http://go.microsoft.com/fwlink/?linkid=39204
INF REG_SZ c:\WINDOWS\Downloaded Program Filese\LegitCheckControl.inf
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{17492023-C23A-453E-A040-C7C580BBF700}\InstalledVersion
<NO NAME> REG_SZ 1,7,36,0
LastModified REG_SZ Tue, 24 Apr 2007 18:38:30 GMT
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{5ED80217-570B-4DA9-BF44-BE107C0EC166}
SystemComponent REG_DWORD 0 (0x0)
Installer REG_SZ MSICD
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{5ED80217-570B-4DA9-BF44-BE107C0EC166}\Contains
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{5ED80217-570B-4DA9-BF44-BE107C0EC166}\Contains\Files
c:\WINDOWS\Downloaded Program Filese\wlscBase.dll REG_SZ
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{5ED80217-570B-4DA9-BF44-BE107C0EC166}\DownloadInformation
CODEBASE REG_SZ http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
INF REG_SZ c:\WINDOWS\Downloaded Program Filese\wlscBase.inf
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{5ED80217-570B-4DA9-BF44-BE107C0EC166}\InstalledVersion
<NO NAME> REG_SZ 1,14,6886,1
LastModified REG_SZ Mon, 10 Jan 2011 22:17:56 GMT
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{B8748B60-E34D-42AA-9309-8012CA4964AC}
SystemComponent REG_DWORD 0 (0x0)
Installer REG_SZ MSICD
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{B8748B60-E34D-42AA-9309-8012CA4964AC}\Contains
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{B8748B60-E34D-42AA-9309-8012CA4964AC}\Contains\Files
c:\WINDOWS\Downloaded Program Filese\arcadeox.dll REG_SZ
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{B8748B60-E34D-42AA-9309-8012CA4964AC}\DownloadInformation
CODEBASE REG_SZ http://www.third.arcadeox.com/arcadeox.cab
INF REG_SZ c:\WINDOWS\Downloaded Program Filese\arcadeox.inf
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{B8748B60-E34D-42AA-9309-8012CA4964AC}\InstalledVersion
<NO NAME> REG_SZ 1,0,0,1
LastModified REG_SZ Mon, 23 Mar 2009 13:31:06 GMT
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{D27CDB6E-AE6D-11CF-96B8-444553540000}
SystemComponent REG_DWORD 0 (0x0)
Installer REG_SZ MSICD
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Contains
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\DownloadInformation
CODEBASE REG_SZ http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
INF REG_SZ c:\WINDOWS\Downloaded Program Filese\swflash.inf
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\InstalledVersion
<NO NAME> REG_SZ 7,0,19,0
LastModified REG_SZ Wed, 05 Apr 2006 17:27:32 GMT
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9}
SystemComponent REG_DWORD 0 (0x0)
Installer REG_SZ MSICD
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9}\Contains
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9}\Contains\Files
c:\WINDOWS\Downloaded Program Filese\LMIGuardianEvt.dll REG_SZ
c:\WINDOWS\Downloaded Program Filese\LMIGuardianDll.dll REG_SZ
c:\WINDOWS\Downloaded Program Filese\LMIGuardian.exe REG_SZ
c:\WINDOWS\Downloaded Program Filese\LMIProxyHelper.exe REG_SZ
c:\WINDOWS\system32e\ractrlkeyhook.dll REG_SZ
c:\WINDOWS\Downloaded Program Filese\RACtrl.dll REG_SZ
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9}\DownloadInformation
CODEBASE REG_SZ https://secure.logmein.com/activex/ractrl.cab?lmi=100
INF REG_SZ c:\WINDOWS\Downloaded Program Filese\RACtrl.inf
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9}\InstalledVersion
<NO NAME> REG_SZ 1,0,0,608
LastModified REG_SZ Thu, 03 Jun 2010 09:41:22 GMT
.
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters
NameServer REG_SZ
CLSID - REG_SZ {CD00020A-8B95-11D1-82DB-00C04FB1625D} -
ssodl: wpdshserviceobj - {aaa288ba-9a4c-45b0-95d7-94d524869db5} - c:\WINDOWS\system32e\WPDShServiceObj.dll
.
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
d; /.* /!d; s//securityproviders: /
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
.
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
d;/^((authentication|notification) packages) .* /i!d; s//lsa: 1 = /
Authentication Packages REG_MULTI_SZ msv1_0
Bounds REG_BINARY 0030000000200000
d;/^((authentication|notification) packages) .* /i!d; s//lsa: 1 = /
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest
LsaPid REG_DWORD 608 (0x260)
SecureBoot REG_DWORD 1 (0x1)
auditbaseobjects REG_DWORD 0 (0x0)
crashonauditfail REG_DWORD 0 (0x0)
disabledomaincreds REG_DWORD 0 (0x0)
everyoneincludesanonymous REG_DWORD 0 (0x0)
fipsalgorithmpolicy REG_DWORD 0 (0x0)
forceguest REG_DWORD 1 (0x1)
fullprivilegeauditing REG_BINARY 00
limitblankpassworduse REG_DWORD 1 (0x1)
lmcompatibilitylevel REG_DWORD 0 (0x0)
nodefaultadminowner REG_DWORD 1 (0x1)
nolmhash REG_DWORD 0 (0x0)
restrictanonymous REG_DWORD 0 (0x0)
restrictanonymoussam REG_DWORD 1 (0x1)
d;/^((authentication|notification) packages) .* /i!d; s//lsa: 1 = /
Notification Packages REG_MULTI_SZ scecli
ImpersonatePrivilegeUpgradeToolHasRun REG_DWORD 1 (0x1)
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\AccessProviders
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Audit
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Data
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\GBG
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\JD
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Kerberos
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\MSV1_0
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Skew1
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SSO
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SspiCache
.
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\subsystems
windows REG_EXPAND_SZ %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\WINDOWS\system32\driverse\Lbd.sys [2010-12-24 64288]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\Program Files\LogMeIn\x86e\LMIGuardianSvc.exe [2010-9-27 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\Program Files\LogMeIn\x86e\rainfo.sys [2010-5-31 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\WINDOWS\system32\driverse\LMIRfsDriver.sys [2010-11-17 47640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\Program Files\Viewpoint\Commone\ViewpointService.exe [2007-1-10 24652]
S3 Conipo;Conipo; [x]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys --> C:\Program Files\Lavasoft\Ad-Awaree\KernExplorer.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== File Associations ===============
.
acrobat="c:\Program Files\Adobe\Reader 8.0\Readere\AcroRd32.exe" /u "%1"
AcroExch.Document="c:\Program Files\Adobe\Reader 8.0\Readere\AcroRd32.exe" "%1"
AcroExch.Document.7="c:\Program Files\Adobe\Reader 8.0\Readere\AcroRd32.exe" "%1"
AcroExch.FDFDoc="c:\Program Files\Adobe\Reader 8.0\Readere\AcroRd32.exe" "%1"
AcroExch.XDPDoc="c:\Program Files\Adobe\Reader 8.0\Readere\AcroRd32.exe" "%1"
AcroExch.XFDFDoc="c:\Program Files\Adobe\Reader 8.0\Readere\AcroRd32.exe" "%1"
acwfile=%SystemRoot%\system32\accwiz.exe %1
Adobe.Illustrator.Template=Illustrator.exe "%1"
AIFFFile="c:\Program Files\Windows Media Playere\wmplayer.exe" /Open "%L"
Application.Manifest=rundll32.exe dfshim.dll,ShOpenVerbApplication %1
Application.Reference=rundll32.exe dfshim.dll,ShOpenVerbShortcut %1|%2
Asf.RealTimeEncoder=c:\PROGRA~1\MICROS~2\Office10e\NSREX.EXE "%1"
ASFFile="c:\Program Files\Windows Media Playere\wmplayer.exe" /prefetch:7 /Open "%L"
ASXFile="c:\Program Files\Windows Media Playere\wmplayer.exe" /Open "%L"
AUFile="c:\Program Files\Windows Media Playere\wmplayer.exe" /Open "%L"
avastsoundsfile="c:\Program Files\AVAST Software\Avaste\aswChLic.exe" "%1"
AVIFile="c:\Program Files\Windows Media Playere\wmplayer.exe" /prefetch:8 /Open "%L"
!d
Briefcase=explorer.exe %1
callto=rundll32.exe msconf.dll,CallToProtocolHandler %l
CATFile=rundll32.exe cryptext.dll,CryptExtOpenCAT %1
cdafile="c:\Program Files\Windows Media Playere\wmplayer.exe" /Open "%L"
CERFile=rundll32.exe cryptext.dll,CryptExtOpenCER %1
CertificateStoreFile=rundll32.exe cryptext.dll,CryptExtOpenSTR %1
certificate_wab_auto_file="c:\Program Files\Outlook Expresse\wab.exe" /certificate %1
!d
clpfile=clipbrd.exe %1
!d
!d
CompressedFolder=rundll32.exe zipfldr.dll,RouteTheCall %L
ConferenceLink=rundll32.exe msconf.dll,OpenConfLink %l
Connection Manager Profile=c:\WINDOWS\System32e\CMMGR32.EXE "%1"
CreateCD50="c:\Program Files\Common Files\Adaptec Shared\CreateCDe\CreateCD50.exe"
CRLFile=rundll32.exe cryptext.dll,CryptExtOpenCRL %1
daap=c:\Program Files\iTunese\iTunes.exe /url "%1"
data-file=c:\WINDOWSe\notepad.exe "%1"
DocShortcut=rundll32 %SystemRoot%\System32\shscrap.dll,OpenScrap_RunDLL /r /x %1
dqyfile=c:\PROGRA~1\MICROS~2\Office10e\EXCEL.EXE
dunfile=%SystemRoot%\system32\RUNDLL32.EXE NETSHELL.DLL,InvokeDunFile %1
EasyCDCreator.Document.5=c:\PROGRA~1\Adaptec\EASYCD~1\EASYCD~1e\Creatr50.exe %1
emffile=rundll32.exe c:\WINDOWS\System32e\shimgvw.dll,ImageView_Fullscreen %1
Excel.Addin="c:\Program Files\Microsoft Office\Office10e\EXCEL.EXE" /e
Excel.Backup="c:\Program Files\Microsoft Office\Office10e\EXCEL.EXE" /e
Excel.Chart=c:\PROGRA~1\MICROS~2\Office10e\EXCEL.EXE /e
Excel.Chart.8="c:\Program Files\Microsoft Office\Office10e\EXCEL.EXE" /e
Excel.CSV="c:\Program Files\Microsoft Office\Office10e\EXCEL.EXE" /e
Excel.DIF="c:\Program Files\Microsoft Office\Office10e\EXCEL.EXE" /e
Excel.Macrosheet="c:\Program Files\Microsoft Office\Office10e\EXCEL.EXE" /e
Excel.Sheet.8="c:\Program Files\Microsoft Office\Office10e\EXCEL.EXE" /e
Excel.SLK="c:\Program Files\Microsoft Office\Office10e\EXCEL.EXE" /e
Excel.Template="c:\Program Files\Microsoft Office\Office10e\EXCEL.EXE" /e
Excel.Workspace="c:\Program Files\Microsoft Office\Office10e\EXCEL.EXE" /e
Excel.XLL="c:\Program Files\Microsoft Office\Office10e\EXCEL.EXE" /e
Excelhtmlfile="c:\Program Files\Microsoft Office\Office10e\EXCEL.EXE"
Excelhtmltemplate="c:\Program Files\Microsoft Office\Office10e\EXCEL.EXE"
!d
fndfile=%SystemRoot%\Explorer.exe
Folder=%SystemRoot%\Explorer.exe /idlist,%I,%L
fonfile=%SystemRoot%\System32\fontview.exe %1
ftp="c:\Program Files\Internet Explorere\IEXPLORE.EXE" %1
giffile="c:\Program Files\Internet Explorere\iexplore.exe" -nohome
gopher="c:\Program Files\Internet Explorere\iexplore.exe" -nohome
h323file="rundll32.exe" msconf.dll,NewMediaPhone %l
HCP=%SystemRoot%\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe -FromHCP -url "%1"
helpfile=winhlp32.exe %1
hlpfile=%SystemRoot%\System32\winhlp32.exe %1
holfile="c:\PROGRA~1\MICROS~2\Office10e\OUTLOOK.EXE" /hol "%1"
htafile=c:\WINDOWS\system32e\mshta.exe "%1" %*
htfile="c:\Program Files\Windows NTe\HYPERTRM.EXE" %1
htmlfile="c:\Program Files\Internet Explorere\IEXPLORE.EXE" -nohome
http="c:\Program Files\Internet Explorere\IEXPLORE.EXE" -nohome
https="c:\Program Files\Internet Explorere\IEXPLORE.EXE" -nohome
icsfile="c:\PROGRA~1\MICROS~2\Office10e\OUTLOOK.EXE" /ical "%1"
iiifile="rundll32.exe" msconf.dll,NewMediaPhone %l
!d
!d
InternetShortcut="c:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32e\ieframe.dll",OpenURL %l
iqyfile=c:\PROGRA~1\MICROS~2\Office10e\EXCEL.EXE
itms=c:\Program Files\iTunese\iTunes.exe /url "%1"
itmss=c:\Program Files\iTunese\iTunes.exe /url "%1"
itpc=c:\Program Files\iTunese\iTunes.exe /url "%1"
iTunes.aa="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.aax="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.aif="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.aifc="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.aiff="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.cda="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.cdda="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.ipa="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.ipg="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.ipsw="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.itb="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.itdb="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.itl="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.itms="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.itpc="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.m3u="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.m3u8="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.m4a="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.m4b="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.m4p="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.m4r="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.m4v="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.mov="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.mp2="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.mp3="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.mpeg="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.mpg="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.pcast="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.pls="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.rmp="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.wav="c:\Program Files\iTunese\iTunes.exe" /open "%L"
iTunes.wave="c:\Program Files\iTunese\iTunes.exe" /open "%L"
jpegfile="c:\Program Files\Common Files\Microsoft Shared\PhotoEde\PHOTOED.EXE" "%1"
JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
LDAP="c:\Program Files\Outlook Expresse\wab.exe" /ldap:%1
m3ufile="c:\Program Files\Windows Media Playere\wmplayer.exe" /prefetch:6 /Open "%L"
MacromediaFlashPaper.MacromediaFlashPaper="c:\Program Files\Internet Explorere\IEXPLORE.EXE" -nohome "%1"
mailto="c:\PROGRA~1\MICROS~2\Office10e\OUTLOOK.EXE" -c IPM.Note /m "%1"
MediaPackageFile="c:\Program Files\Microsoft Office\Office10e\MSTORE.EXE" "%1"
meet=c:\WINDOWS\system32\rundll32.exe "C:\Program Files\Common Files\Microsoft Shared\LiveMeeting Sharede\RtcRouter.dll",RouteMeet %1
mhtmlfile="c:\Program Files\Internet Explorere\IEXPLORE.EXE" -nohome
Microsoft Internet Mail Message="%ProgramFiles%\Outlook Express\msimn.exe" /eml:%1
Microsoft Internet News Message="%ProgramFiles%\Outlook Express\msimn.exe" /nws:%1
Microsoft.InformationCard=c:\WINDOWS\system32\rundll32.exe c:\WINDOWS\system32e\infocardcpl.cpl,ImportInformationCard_RunDll %1
Microsoft.RTC.ConnectionFile=c:\WINDOWS\system32\rundll32.exe "C:\Program Files\Common Files\Microsoft Shared\LiveMeeting Sharede\RtcRouter.dll",RouteMIME %1
Microsoft.WindowsCardSpaceBackup=c:\WINDOWS\system32\rundll32.exe c:\WINDOWS\system32e\infocardcpl.cpl,ImportInformationCard_RunDll %1
MIDFile="c:\Program Files\Windows Media Playere\wmplayer.exe" /Open "%L"
MMS="c:\Program Files\Windows Media Playere\wmplayer.exe" "%L"
MMST="c:\Program Files\Windows Media Playere\wmplayer.exe" "%L"
MMSU="c:\Program Files\Windows Media Playere\wmplayer.exe" "%L"
mp3file="c:\Program Files\Windows Media Playere\wmplayer.exe" /prefetch:6 /Open "%L"
mpegfile="c:\Program Files\Windows Media Playere\wmplayer.exe" /prefetch:9 /Open "%L"
MPlayer=mplay32.exe /play /close "%L"
MS-ITSS FILE="c:\Program Files\Internet Explorere\iexplore.exe" -nohome ms-itss:%1::/
msbackupfile=%SystemRoot%\system32\ntbackup.exe
MSBD="c:\Program Files\Windows Media Playere\wmplayer.exe" "%L"
MSCFile=%SystemRoot%\system32\mmc.exe "%1" %*
MSDASC=Rundll32.exe c:\PROGRA~1\COMMON~1\System\OLEDB~1e\oledb32.dll,OpenDSLFile %1
msgfile="c:\Program Files\Microsoft Office\Office10e\OUTLOOK.EXE" /f "%1"
Msi.Package="%SystemRoot%\System32\msiexec.exe" /i "%1" %*
Msi.Patch="%SystemRoot%\System32\msiexec.exe" /p "%1" %*
MSInfo.Document=c:\Program Files\Common Files\Microsoft Shared\MSInfoe\MSInfo32.exe /msinfo_file %1
MSPaper.Document="c:\PROGRA~1\COMMON~1\MICROS~1\MSPapere\MSPVIEW.EXE" "%1"
MSPhotoEd.3=c:\PROGRA~1\COMMON~1\MICROS~1\PhotoEde\PHOTOED.EXE "%1"
MSProgramGroup=c:\WINDOWS\system32e\grpconv.exe %1
MsRcIncident=%SystemRoot%\PCHealth\HelpCtr\Binaries\HelpCtr.exe -Mode "hcp://system/Remote%%20Assistance/RAClientLayout.xml" -url "hcp://system/Remote%%20Assistance/Interaction/Client/rctoolScreen1.htm" -ExtraArgument "IncidentFile=%1"
msstylesfile=%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,Control_RunDLL %SystemRoot%\system32\desk.cpl desk,@Appearance /Action:OpenMSTheme /file:"%1"
NeroCopyType=c:\PROGRA~1\Ahead\neroe\nero.exe "%1"
NeroCueSheetType=c:\PROGRA~1\Ahead\neroe\nero.exe "%1"
NeroErrorType=c:\PROGRA~1\Ahead\neroe\nero.exe "%1"
NeroHDBackupType=c:\PROGRA~1\Ahead\neroe\nero.exe "%1"
news="c:\Program Files\Outlook Expresse\msimn.exe" /outnews /newsurl:%1
nntp="c:\Program Files\Outlook Expresse\msimn.exe" /outnews /newsurl:%1
Office.Binder="c:\PROGRA~1\MICROS~2\Office10e\UNBIND.EXE" "%1"
Office.Binder.8="c:\PROGRA~1\MICROS~2\Office10e\UNBIND.EXE" "%1"
Office.Binder.9="c:\Program Files\Microsoft Office\Office10e\UNBIND.EXE" "%1"
Office.Binder.95="c:\PROGRA~1\MICROS~2\Office10e\UNBIND.EXE" "%1"
Office.Binder.Template.9="c:\Program Files\Microsoft Office\Office10e\UNBIND.EXE" "%1"
Office.Binder.Wizard.9="c:\Program Files\Microsoft Office\Office10e\UNBIND.EXE" "%1"
Office.ProfileSettings.10="c:\Program Files\Microsoft Office\Office10e\PROFLWIZ.EXE" /p /u /r "%1"
OfficeBinder.Binder="c:\PROGRA~1\MICROS~2\Office10e\UNBIND.EXE" "%1"
OfficeBinder.Binder.8="c:\PROGRA~1\MICROS~2\Office10e\UNBIND.EXE" "%1"
OfficeBinder.Binder.9="c:\PROGRA~1\MICROS~2\Office10e\UNBIND.EXE" "%1"
oqyfile=c:\PROGRA~1\MICROS~2\Office10e\EXCEL.EXE
ossfile="c:\Program Files\Microsoft Office\Office10e\FINDER.EXE" /f "%1"
otffile=%SystemRoot%\System32\fontview.exe %1
outlook="c:\PROGRA~1\MICROS~2\Office10e\OUTLOOK.EXE" "%1"
Outlook.NavigatorBarFile="c:\PROGRA~1\MICROS~2\Office10e\OUTLOOK.EXE" /s "%1"
Outlook.Template="c:\Program Files\Microsoft Office\Office10e\OUTLOOK.EXE" /t "%1"
P7RFile=rundll32.exe cryptext.dll,CryptExtOpenP7R %1
P7SFile=rundll32.exe cryptext.dll,CryptExtOpenPKCS7 %1
Paint.Picture=rundll32.exe c:\WINDOWS\System32e\shimgvw.dll,ImageView_Fullscreen %1
pbkfile=%SystemRoot%\system32\rasphone.exe -f "%1"
pcast=c:\Program Files\iTunese\iTunes.exe /url "%1"
PCDfile="c:\Program Files\Common Files\Microsoft Shared\PhotoEde\PHOTOED.EXE" "%1"
pcxfile="c:\Program Files\Common Files\Microsoft Shared\PhotoEde\PHOTOED.EXE" "%1"
PerfFile=%SystemRoot%\system32\perfmon.exe %1
pfmfile=%SystemRoot%\System32\fontview.exe %1
!d
pjpegfile=rundll32.exe c:\WINDOWS\System32e\shimgvw.dll,ImageView_Fullscreen %1
pngfile="c:\Program Files\Common Files\Microsoft Shared\PhotoEde\PHOTOED.EXE" "%1"
pnm="c:\Program Files\Real\RealPlayere\RealPlay.exe" "%1"
pokerstars="c:\Program Files\PokerStarse\PokerStars.exe" -url %1
pokerstarsnet="c:\Program Files\PokerStars.NETe\PokerStars.exe" -url %1
PowerPoint.Addin.8="c:\Program Files\Microsoft Office\Office10e\POWERPNT.EXE" "%1"
PowerPoint.Show.4=c:\PROGRA~1\MICROS~2\Office10e\POWERPNT.EXE "%1"
PowerPoint.Show.7=c:\PROGRA~1\MICROS~2\Office10e\POWERPNT.EXE "%1"
PowerPoint.Show.8="c:\Program Files\Microsoft Office\Office10e\POWERPNT.EXE" "%1"
PowerPoint.Slide.4=c:\PROGRA~1\MICROS~2\Office10e\POWERPNT.EXE "%1"
PowerPoint.Slide.7=c:\PROGRA~1\MICROS~2\Office10e\POWERPNT.EXE "%1"
PowerPoint.Slide.8=c:\PROGRA~1\MICROS~2\Office10e\POWERPNT.EXE "%1"
PowerPoint.SlideShow.8="c:\Program Files\Microsoft Office\Office10e\POWERPNT.EXE" /s "%1"
PowerPoint.Template.8="c:\Program Files\Microsoft Office\Office10e\POWERPNT.EXE" "%1"
PowerPoint.Wizard.8="c:\Program Files\Microsoft Office\Office10e\POWERPNT.EXE" "%1"
powerpointhtmlfile="c:\Program Files\Microsoft Office\Office10e\POWERPNT.EXE"
powerpointhtmltemplate="c:\Program Files\Microsoft Office\Office10e\POWERPNT.EXE"
prffile="c:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32e\msrating.dll",ClickedOnPRF %1
pspFile=c:\PROGRA~1\SBCYAH~1\CONNEC~1e\CONNEC~1.EXE -isp:"%1"
Publishing Folder=explorer.exe /idlist,%I,%L
PUB_auto_file="c:\Documents and Settings\All Users\Start Menu\Programs\Watchtower Readere\Watchtower Reader - English.lnk" %1
QuickTime.3g2=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.3gp=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.3gp2=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.3gpp=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.aac=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.ac3=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.adts=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.aif=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.aifc=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.aiff=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.amc=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.AMR=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.au=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.avi=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.bmp=c:\Program Files\QuickTimee\PictureViewer.exe "%1"
QuickTime.bwf=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.caf=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.cdda=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.cel=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.dib=c:\Program Files\QuickTimee\PictureViewer.exe "%1"
QuickTime.dif=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.dv=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.flc=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.fli=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.gif=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.gsm=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.jp2=c:\Program Files\QuickTimee\PictureViewer.exe "%1"
QuickTime.jpe=c:\Program Files\QuickTimee\PictureViewer.exe "%1"
QuickTime.jpeg=c:\Program Files\QuickTimee\PictureViewer.exe "%1"
QuickTime.jpg=c:\Program Files\QuickTimee\PictureViewer.exe "%1"
QuickTime.kar=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.m15=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.m1a=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.m1s=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.m1v=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.m3u=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.m3url=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.m4a=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.m4b=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.m4p=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.m4v=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.m75=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.mac=c:\Program Files\QuickTimee\PictureViewer.exe "%1"
QuickTime.mid=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.midi=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.mov=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.mp2=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.mp3=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.mp4=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.mpa=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.mpeg=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.mpg=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.mpg4=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.mpm=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.mpv=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.mqv=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.pct=c:\Program Files\QuickTimee\PictureViewer.exe "%1"
QuickTime.pic=c:\Program Files\QuickTimee\PictureViewer.exe "%1"
QuickTime.pict=c:\Program Files\QuickTimee\PictureViewer.exe "%1"
QuickTime.png=c:\Program Files\QuickTimee\PictureViewer.exe "%1"
QuickTime.pnt=c:\Program Files\QuickTimee\PictureViewer.exe "%1"
QuickTime.pntg=c:\Program Files\QuickTimee\PictureViewer.exe "%1"
QuickTime.psd=c:\Program Files\QuickTimee\PictureViewer.exe "%1"
QuickTime.qcp=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.qht=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.qhtm=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.qt=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.qti=c:\Program Files\QuickTimee\PictureViewer.exe "%1"
QuickTime.qtif=c:\Program Files\QuickTimee\PictureViewer.exe "%1"
QuickTime.qtl=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.rgb=c:\Program Files\QuickTimee\PictureViewer.exe "%1"
QuickTime.rts=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.rtsp=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.sd2=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.sdp=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.sdv=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.sgi=c:\Program Files\QuickTimee\PictureViewer.exe "%1"
QuickTime.smf=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.smi=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.smil=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.sml=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.snd=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.swa=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.targa=c:\Program Files\QuickTimee\PictureViewer.exe "%1"
QuickTime.tga=c:\Program Files\QuickTimee\PictureViewer.exe "%1"
QuickTime.tif=c:\Program Files\QuickTimee\PictureViewer.exe "%1"
QuickTime.tiff=c:\Program Files\QuickTimee\PictureViewer.exe "%1"
QuickTime.ulw=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.vfw=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
QuickTime.wav=c:\Program Files\QuickTimee\QuickTimePlayer.exe "%1"
ratfile="c:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32e\msrating.dll",ClickedOnRAT %1
RealJukebox.RJS.1="c:\Program Files\Real\RealPlayere\RealPlay.exe" "%1"
RealJukebox.RJT.1="c:\Program Files\Real\RealPlayere\RealPlay.exe" "%1"
RealJukebox.RMJ.1="c:\Program Files\Real\RealPlayere\RealPlay.exe" "%1"
RealJukebox.RMP.1="c:\Program Files\Real\RealPlayere\RealPlay.exe" "%1"
RealJukebox.RMX.1="c:\Program Files\Real\RealPlayere\RealPlay.exe" "%1"
RealPlayer.AMR.10="c:\Program Files\Real\RealPlayere\RealPlay.exe" "%1"
RealPlayer.AMR_WB.10="c:\Program Files\Real\RealPlayere\RealPlay.exe" "%1"
RealPlayer.AutoPlay.6="c:\Program Files\Real\RealPlayere\RealPlay.exe" /autoplay "%1"
RealPlayer.CDBurn.6="c:\Program Files\Real\RealPlayere\RealPlay.exe" /burn "%1"
RealPlayer.DIVX.6="c:\Program Files\Real\RealPlayere\RealPlay.exe" "%1"
RealPlayer.RAM.6="c:\Program Files\Real\RealPlayere\RealPlay.exe" "%1"
RealPlayer.RAX.6="c:\Program Files\Real\RealPlayere\RealPlay.exe" "%1"
RealPlayer.RMS.6="c:\Program Files\Real\RealPlayere\RealPlay.exe" "%1"
RealPlayer.RP.6="c:\Program Files\Common Files\Real\Update_OBe\rnxproc.exe" "%1"
RealPlayer.RSML.6="c:\Program Files\Real\RealPlayere\RealPlay.exe" "%1"
RealPlayer.RVX.6="c:\Program Files\Real\RealPlayere\RealPlay.exe" "%1"
RealPlayer.SMIL.6="c:\Program Files\Real\RealPlayere\RealPlay.exe" "%1"
!d
!d
rlogin="c:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32e\url.dll",TelnetProtocolHandler %l
rqyfile=c:\PROGRA~1\MICROS~2\Office10e\EXCEL.EXE
rtffile="c:\Program Files\Windows NT\Accessoriese\WORDPAD.EXE" "%1"
SavedDsQuery=rundll32 %SystemRoot%\System32\dsquery.dll,OpenSavedDsQuery %1
SchedulePlus.Application.7=c:\PROGRA~1\MICROS~2\Office10\1033e\SCHDPL32.EXE '%1'
!d
scriptletfile="c:\WINDOWSe\NOTEPAD.EXE" "%1"
secondlife="c:\Program Files\SecondLifee\SecondLife.exe" -url "%1"
SHCmdFile=explorer.exe
Shell=%SystemRoot%\Explorer.exe /idlist,%I,%L
ShellScrap=rundll32 %SystemRoot%\system32\shscrap.dll,OpenScrap_RunDLL %1
SldSrtr.Document=c:\PROGRA~1\COMMON~1\MICROS~1\MSPapere\MSPVIEW.EXE "%1"
SnapfireI.Image="c:\Program Files\CVS\CVS Photo Editor Pluse\Corel Snapfire.exe" "%1"
SnapfireI.Project="c:\Program Files\CVS\CVS Photo Editor Pluse\Corel Snapfire.exe" "%1"
SnapfireI.Show="c:\Program Files\CVS\CVS Photo Editor Pluse\Corel Snapfire.exe" "%1"
SnapfireI.ShowProject="c:\Program Files\CVS\CVS Photo Editor Pluse\Corel Snapfire.exe" "%1"
snews="c:\Program Files\Outlook Expresse\msimn.exe" /outnews /newsurl:%1
SoundRec="c:\Program Files\Windows Media Playere\wmplayer.exe" /Open "%L"
SPCFile=rundll32.exe cryptext.dll,CryptExtOpenPKCS7 %1
STLFile=rundll32.exe cryptext.dll,CryptExtOpenCTL %1
T126_Whiteboard="c:\Program Files\NetMeetinge\wb32.exe" - "%1"
telnet="c:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32e\url.dll",TelnetProtocolHandler %l
themefile=%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,Control_RunDLL %SystemRoot%\system32\desk.cpl desk,@Themes /Action:OpenTheme /file:"%1"
TIFImage.Document=rundll32.exe c:\WINDOWS\System32e\shimgvw.dll,ImageView_Fullscreen %1
tn3270="c:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32e\url.dll",TelnetProtocolHandler %l
ttcfile=%SystemRoot%\System32\fontview.exe %1
ttffile=%SystemRoot%\System32\fontview.exe %1
!d
ulsfile="rundll32.exe" msconf.dll,NewMediaPhone %l
vcard_wab_auto_file="c:\Program Files\Outlook Expresse\wab.exe" /vcard %1
vcffile="c:\PROGRA~1\MICROS~2\Office10e\OUTLOOK.EXE" /v "%1"
vcsfile="c:\PROGRA~1\MICROS~2\Office10e\OUTLOOK.EXE" /vcal "%1"
wab_auto_file="c:\Program Files\Outlook Expresse\wab.exe" %1
WAXFile="c:\Program Files\Windows Media Playere\wmplayer.exe" /Open "%L"
wbc_auto_file=c:\PROGRA~1\Webshotse\Launcher.exe %1
wbp_auto_file=c:\PROGRA~1\Webshotse\Launcher.exe %1
wbz_auto_file=c:\PROGRA~1\Webshotse\Launcher.exe %1
webpnpFile=%SystemRoot%\system32\wpnpinst.exe %1
Whiteboard="c:\Program Files\NetMeetinge\wb32.exe" "%1"
Windows.CompositeFont="%WinDir%\System32\notepad.exe" "%1"
Windows.Movie.Maker=c:\Program Files\Movie Makere\moviemk.exe "%1"
Windows.XamlDocument="c:\WINDOWS\system32e\PresentationHost.exe" "%1" %*
Windows.Xbap="c:\WINDOWS\system32e\PresentationHost.exe" "%1" %*
WinZip=c:\PROGRA~1\WINZIPe\winzip32.exe "%1"
wmafile="c:\Program Files\Windows Media Playere\wmplayer.exe" /prefetch:5 /Open "%L"
WMDFile="c:\Program Files\Windows Media Playere\wmplayer.exe" /WMPackage:"%L"
wmffile=rundll32.exe c:\WINDOWS\System32e\shimgvw.dll,ImageView_Fullscreen %1
WMP.DVR-MSFile="c:\Program Files\Windows Media Playere\wmplayer.exe" /Open "%L"
WMPFile="c:\Program Files\Windows Media Playere\wmplayer.exe" /Open "%L"
WMSFile="c:\Program Files\Windows Media Playere\wmplayer.exe" /layout:"%L"
WMVFile="c:\Program Files\Windows Media Playere\wmplayer.exe" /prefetch:7 /Open "%L"
WMZFile="c:\Program Files\Windows Media Playere\wmplayer.exe" /layout:"%L"
Word.Backup.8="c:\Program Files\Microsoft Office\Office10e\WINWORD.EXE" /n /dde
Word.Document.8="c:\Program Files\Microsoft Office\Office10e\WINWORD.EXE" /n /dde
Word.RTF.8="c:\Program Files\Microsoft Office\Office10e\WINWORD.EXE" /n /dde
Word.Template.8="c:\Program Files\Microsoft Office\Office10e\WINWORD.EXE" /n /dde
wordhtmlfile="c:\Program Files\Microsoft Office\Office10e\WINWORD.EXE"
wordhtmltemplate="c:\Program Files\Microsoft Office\Office10e\WINWORD.EXE"
Wordpad.Document.1="%ProgramFiles%\Windows NT\Accessories\WORDPAD.EXE" "%1"
WPLFile="c:\Program Files\Windows Media Playere\wmplayer.exe" /Open "%L"
wrifile="c:\Program Files\Windows NT\Accessoriese\WORDPAD.EXE" "%1"
WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
WVXFile="c:\Program Files\Windows Media Playere\wmplayer.exe" /Open "%L"
x-internet-signup=%ProgramFiles%\Internet Explorer\Connection Wizard\ISIGNUP.EXE %1
xmlfile="c:\Program Files\Internet Explorere\iexplore.exe" -nohome
xnkfile="c:\Program Files\Microsoft Office\Office10e\OUTLOOK.EXE" /x "%1"
XPSViewer.Document.1="c:\WINDOWS\system32\XPSViewere\XPSViewer.exe" "%1" %*
xslfile="c:\Program Files\Internet Explorere\iexplore.exe" -nohome
zapfile=%SystemRoot%\system32\NOTEPAD.EXE %1
.bat
.cmd
.com
.exe
.scr
.reg
.txt
.
=============== Created Last 30 ================
.
2011-03-05 22:44:29 -------- d-----w- c:\DOCUME~1\ALLUSE~1\APPLIC~1e\eNhDoPo15405
.
==================== Find3M ====================
.
2005-05-24 03:02:55 2636408 -c--a-w- c:\Program Filese\aawsepersonal.exe
.
============= FINISH: 15:19:33.43 ===============

Attached Files


Edited by SweetTech, 31 March 2011 - 08:02 PM.
removed excess whitespace.--ST


BC AdBot (Login to Remove)

 


#2 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:04:15 AM

Posted 31 March 2011 - 08:02 PM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days
    failure to reply will result in the topic being closed!
  • Please do not PM me directly for help. If you have any questions, post them in this topic.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________


Posted Image One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to appraise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



Running TDSSKiller

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.


    Posted Image

  • If an infected file is detected, the default action will be Cure, click on Continue.


    Posted Image

  • If a suspicious file is detected, the default action will be Skip, click on Continue.


    Posted Image

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


    Posted Image

  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


NEXT:



Running OTL

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


NEXT:


Please provide an update on how things are running in your next reply.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 win-day-ci-tay

win-day-ci-tay
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 01 April 2011 - 07:19 AM

Thanks for your reply and help ST, pleasure to meet you as well.
I havent looked anywhere else for help, so im ready to get things started.
I did want to re-format but I dont have the software disk for my computer anymore, so i wouldnt help me much.
So hopefully I can get this machine cleaned, i know its no guarantee so im hopin for the best.
Also I will be going out of town this weekend and wont be able to reply after today till probably monday so please dont close this forum, just a heads up.
And thanks again for your help.

2011/04/01 06:37:29.0265 4744 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/01 06:37:29.0475 4744 ================================================================================
2011/04/01 06:37:29.0475 4744 SystemInfo:
2011/04/01 06:37:29.0475 4744
2011/04/01 06:37:29.0475 4744 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/01 06:37:29.0475 4744 Product type: Workstation
2011/04/01 06:37:29.0475 4744 ComputerName: HK7YN01
2011/04/01 06:37:29.0475 4744 UserName: Daniel Castillo
2011/04/01 06:37:29.0475 4744 Windows directory: C:\WINDOWS
2011/04/01 06:37:29.0475 4744 System windows directory: C:\WINDOWS
2011/04/01 06:37:29.0475 4744 Processor architecture: Intel x86
2011/04/01 06:37:29.0475 4744 Number of processors: 1
2011/04/01 06:37:29.0475 4744 Page size: 0x1000
2011/04/01 06:37:29.0475 4744 Boot type: Normal boot
2011/04/01 06:37:29.0475 4744 ================================================================================
2011/04/01 06:37:29.0886 4744 Initialize success
2011/04/01 06:37:35.0424 5972 ================================================================================
2011/04/01 06:37:35.0424 5972 Scan started
2011/04/01 06:37:35.0424 5972 Mode: Manual;
2011/04/01 06:37:35.0424 5972 ================================================================================
2011/04/01 06:37:37.0416 5972 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/01 06:37:37.0807 5972 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/04/01 06:37:38.0478 5972 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/04/01 06:37:38.0949 5972 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/04/01 06:37:39.0329 5972 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/04/01 06:37:42.0143 5972 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/01 06:37:42.0554 5972 atapi (71de39e3c8baaa6759410eaa2f84ee20) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/01 06:37:42.0554 5972 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: 71de39e3c8baaa6759410eaa2f84ee20, Fake md5: 9f3a2f5aa6875c72bf062c712cfa2674
2011/04/01 06:37:42.0574 5972 atapi - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/04/01 06:37:43.0205 5972 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/01 06:37:43.0565 5972 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/01 06:37:43.0906 5972 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/04/01 06:37:44.0306 5972 BVRPMPR5 (248dfa5762dde38dfddbbd44149e9d7a) C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
2011/04/01 06:37:44.0657 5972 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/01 06:37:45.0328 5972 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/01 06:37:45.0678 5972 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/01 06:37:46.0059 5972 Cdr4_xp (837eef65af62d4e8a37c41d3879f7274) C:\WINDOWS\system32\drivers\Cdr4_xp.sys
2011/04/01 06:37:46.0439 5972 Cdralw2k (579da2f9f5401f55dae2cf8779d61dfc) C:\WINDOWS\system32\drivers\Cdralw2k.sys
2011/04/01 06:37:46.0840 5972 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/01 06:37:47.0251 5972 cdudf_xp (8c7746acde6225a46b58ed7ae09ec166) C:\WINDOWS\system32\drivers\cdudf_xp.sys
2011/04/01 06:37:48.0983 5972 ctljystk (71007bd2e1e26927fe3e4eb00c0beedf) C:\WINDOWS\system32\DRIVERS\ctljystk.sys
2011/04/01 06:37:49.0965 5972 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/01 06:37:50.0385 5972 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/04/01 06:37:50.0866 5972 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/04/01 06:37:51.0206 5972 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/04/01 06:37:51.0597 5972 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/04/01 06:37:52.0268 5972 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/01 06:37:52.0628 5972 dvd_2K (800de2dfa19db3fd87aa95308ba0c17b) C:\WINDOWS\system32\drivers\dvd_2K.sys
2011/04/01 06:37:53.0069 5972 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
2011/04/01 06:37:53.0530 5972 emu10k (01f83e1b5dce05f5cb7d99113ca9e890) C:\WINDOWS\system32\drivers\emu10k1m.sys
2011/04/01 06:37:53.0940 5972 emu10k1 (7ffa171cce6a8bfc774862a578ba39a2) C:\WINDOWS\system32\drivers\ctlfacem.sys
2011/04/01 06:37:54.0381 5972 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/01 06:37:54.0771 5972 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/04/01 06:37:55.0142 5972 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/04/01 06:37:55.0482 5972 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/04/01 06:37:55.0863 5972 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/04/01 06:37:56.0234 5972 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/01 06:37:56.0624 5972 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/01 06:37:57.0075 5972 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2011/04/01 06:37:57.0455 5972 GEARAspiWDM (f2f431d1573ee632975c524418655b84) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/04/01 06:37:57.0886 5972 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/01 06:37:58.0266 5972 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/04/01 06:37:59.0318 5972 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/01 06:38:00.0380 5972 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/01 06:38:00.0790 5972 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\drivers\Imapi.sys
2011/04/01 06:38:01.0461 5972 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/04/01 06:38:01.0792 5972 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/04/01 06:38:02.0152 5972 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/04/01 06:38:02.0533 5972 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/04/01 06:38:02.0943 5972 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/01 06:38:03.0344 5972 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/01 06:38:03.0784 5972 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/01 06:38:04.0215 5972 IPVNMon (f60af0f89204a9177d110e3b2bd9fa0b) C:\WINDOWS\system32\drivers\IPVNMon.sys
2011/04/01 06:38:04.0576 5972 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/01 06:38:04.0956 5972 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/01 06:38:05.0287 5972 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/01 06:38:05.0637 5972 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/04/01 06:38:06.0028 5972 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/04/01 06:38:06.0368 5972 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/01 06:38:06.0879 5972 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2011/04/01 06:38:07.0520 5972 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
2011/04/01 06:38:07.0900 5972 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
2011/04/01 06:38:08.0531 5972 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2011/04/01 06:38:08.0982 5972 mmc_2K (0a35ad036de912858a1c5e9637840724) C:\WINDOWS\system32\drivers\mmc_2K.sys
2011/04/01 06:38:09.0332 5972 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/01 06:38:09.0703 5972 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/04/01 06:38:10.0063 5972 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/01 06:38:10.0394 5972 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/04/01 06:38:10.0744 5972 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/01 06:38:11.0415 5972 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/01 06:38:11.0976 5972 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/01 06:38:12.0507 5972 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/04/01 06:38:12.0908 5972 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/01 06:38:13.0258 5972 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/01 06:38:13.0578 5972 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/01 06:38:13.0949 5972 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/01 06:38:14.0340 5972 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/04/01 06:38:14.0750 5972 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/04/01 06:38:15.0131 5972 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/04/01 06:38:15.0451 5972 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/04/01 06:38:15.0812 5972 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/04/01 06:38:16.0202 5972 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/04/01 06:38:16.0553 5972 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/04/01 06:38:16.0953 5972 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/04/01 06:38:17.0654 5972 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/04/01 06:38:18.0195 5972 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/01 06:38:18.0736 5972 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/04/01 06:38:19.0687 5972 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/04/01 06:38:20.0879 5972 nv4 (4d31783965b0b7ced7db3f4ee14cf260) C:\WINDOWS\system32\DRIVERS\nv4.sys
2011/04/01 06:38:21.0350 5972 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/04/01 06:38:21.0710 5972 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/04/01 06:38:22.0081 5972 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/04/01 06:38:22.0431 5972 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/04/01 06:38:22.0802 5972 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/04/01 06:38:23.0182 5972 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/04/01 06:38:24.0164 5972 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/04/01 06:38:26.0407 5972 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/04/01 06:38:26.0737 5972 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/04/01 06:38:27.0188 5972 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/04/01 06:38:27.0599 5972 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/04/01 06:38:28.0039 5972 pwd_2K (1840112f3f3b7ece84dbbd93a70c4135) C:\WINDOWS\system32\drivers\pwd_2K.sys
2011/04/01 06:38:28.0440 5972 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
2011/04/01 06:38:30.0222 5972 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/04/01 06:38:30.0603 5972 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/04/01 06:38:30.0974 5972 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/04/01 06:38:31.0344 5972 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/04/01 06:38:31.0725 5972 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/04/01 06:38:32.0125 5972 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/01 06:38:32.0546 5972 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/04/01 06:38:33.0046 5972 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/04/01 06:38:33.0457 5972 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/04/01 06:38:33.0898 5972 SbcpHid (2f0d9848b2eb1fa97d089bb3521d5377) C:\WINDOWS\system32\Drivers\SbcpHid.sys
2011/04/01 06:38:34.0308 5972 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/04/01 06:38:34.0689 5972 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/04/01 06:38:35.0059 5972 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/04/01 06:38:35.0490 5972 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/04/01 06:38:35.0800 5972 sfman (0b1a5e9cacb5cdd54a2815107bd7c772) C:\WINDOWS\system32\drivers\sfmanm.sys
2011/04/01 06:38:36.0782 5972 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/04/01 06:38:37.0132 5972 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/04/01 06:38:37.0753 5972 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/04/01 06:38:38.0234 5972 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/04/01 06:38:38.0645 5972 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/04/01 06:38:40.0307 5972 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/04/01 06:38:40.0808 5972 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/01 06:38:41.0278 5972 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/04/01 06:38:41.0639 5972 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/04/01 06:38:42.0009 5972 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/04/01 06:38:42.0801 5972 UdfReadr_xp (e1b5bfba7f1cde1fc28934639e83b3cf) C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
2011/04/01 06:38:43.0301 5972 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/04/01 06:38:44.0072 5972 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/04/01 06:38:44.0613 5972 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/04/01 06:38:44.0984 5972 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/04/01 06:38:45.0364 5972 usbcm (a31c1f4b2448eeeff7c0d4e4d58bd9b3) C:\WINDOWS\system32\DRIVERS\usbcm.sys
2011/04/01 06:38:45.0735 5972 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/04/01 06:38:46.0095 5972 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/04/01 06:38:46.0446 5972 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/04/01 06:38:46.0786 5972 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/04/01 06:38:47.0137 5972 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/04/01 06:38:47.0507 5972 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/04/01 06:38:48.0208 5972 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/04/01 06:38:48.0699 5972 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/04/01 06:38:49.0330 5972 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/04/01 06:38:49.0841 5972 WmBEnum (671db6a9b772b807721147c28faf760f) C:\WINDOWS\system32\drivers\WmBEnum.sys
2011/04/01 06:38:50.0191 5972 WmFilter (cffe18db8140b00335221907a694dd01) C:\WINDOWS\system32\drivers\WmFilter.sys
2011/04/01 06:38:50.0612 5972 WmVirHid (2e17ea3b132963e3c07d50d68d2df54e) C:\WINDOWS\system32\drivers\WmVirHid.sys
2011/04/01 06:38:50.0982 5972 WmXlCore (0ece3bb49eb9ee42c411a0f1ec39dda9) C:\WINDOWS\system32\drivers\WmXlCore.sys
2011/04/01 06:38:51.0343 5972 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/04/01 06:38:51.0773 5972 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/04/01 06:38:52.0134 5972 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/04/01 06:38:52.0605 5972 ================================================================================
2011/04/01 06:38:52.0605 5972 Scan finished
2011/04/01 06:38:52.0605 5972 ================================================================================
2011/04/01 06:38:52.0655 2840 Detected object count: 1
2011/04/01 06:39:20.0204 2840 atapi (71de39e3c8baaa6759410eaa2f84ee20) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/01 06:39:20.0214 2840 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: 71de39e3c8baaa6759410eaa2f84ee20, Fake md5: 9f3a2f5aa6875c72bf062c712cfa2674
2011/04/01 06:39:20.0995 2840 Backup copy found, using it..
2011/04/01 06:39:21.0056 2840 C:\WINDOWS\system32\DRIVERS\atapi.sys - will be cured after reboot
2011/04/01 06:39:21.0056 2840 Rootkit.Win32.TDSS.tdl3(atapi) - User select action: Cure
2011/04/01 06:40:07.0953 5456 Deinitialize success











OTL logfile created on: 4/1/2011 6:58:14 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Daniel Castillo\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

639.00 Mb Total Physical Memory | 353.00 Mb Available Physical Memory | 55.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 960 1920 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.64 Gb Total Space | 8.18 Gb Free Space | 43.87% Space Free | Partition Type: NTFS

Computer Name: HK7YN01 | User Name: Daniel Castillo | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/01 06:57:12 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Daniel Castillo\Desktop\OTL.exe
PRC - [2010/12/15 08:17:55 | 000,136,584 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2010/12/15 08:17:46 | 000,390,528 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2010/12/15 08:17:32 | 000,374,152 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
PRC - [2010/05/31 12:31:10 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/19 04:33:46 | 000,282,624 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
PRC - [2007/01/04 16:38:18 | 000,112,336 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
PRC - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2006/11/02 21:40:12 | 000,174,656 | ---- | M] () -- C:\WINDOWS\system32\PSIService.exe
PRC - [2004/08/31 08:39:30 | 000,684,032 | ---- | M] (Roxio) -- C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe
PRC - [2001/08/17 17:36:42 | 000,024,064 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\devldr32.exe
PRC - [2000/07/06 15:11:00 | 000,032,768 | R--- | M] () -- C:\WINDOWS\twain_32\D66U\D066UUTY.EXE


========== Modules (SafeList) ==========

MOD - [2011/04/01 06:57:12 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Daniel Castillo\Desktop\OTL.exe
MOD - [2008/04/13 19:12:51 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (hpdj)
SRV - [2010/12/15 08:17:55 | 000,136,584 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
SRV - [2010/12/15 08:17:46 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2010/12/15 08:17:32 | 000,374,152 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2006/11/02 21:40:12 | 000,174,656 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PSIService.exe -- (ProtexisLicensing)


========== Driver Services (SafeList) ==========

DRV - [2010/12/15 08:17:34 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2010/12/03 04:05:34 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2010/05/31 12:31:12 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2010/05/31 12:31:10 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2009/08/19 16:49:22 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2008/04/13 13:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2007/02/02 03:00:00 | 000,009,464 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2007/02/02 03:00:00 | 000,009,336 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2004/08/31 08:39:32 | 000,206,464 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys -- (UdfReadr_xp)
DRV - [2004/08/31 08:39:32 | 000,144,250 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2K)
DRV - [2004/08/31 08:39:31 | 000,241,280 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\cdudf_xp.sys -- (cdudf_xp)
DRV - [2004/08/31 08:39:31 | 000,030,662 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2004/08/31 08:39:31 | 000,025,930 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2003/05/14 13:42:56 | 000,021,216 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WmFilter.sys -- (WmFilter)
DRV - [2003/05/14 13:42:50 | 000,010,144 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WmBEnum.sys -- (WmBEnum)
DRV - [2003/05/14 13:42:48 | 000,005,728 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WmVirHid.sys -- (WmVirHid)
DRV - [2003/05/14 13:42:44 | 000,044,288 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WmXlCore.sys -- (WmXlCore)
DRV - [2002/04/11 13:21:38 | 000,013,335 | R--- | M] (Microsystems Corp) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbcm.sys -- (usbcm)
DRV - [2001/08/23 14:00:00 | 000,022,400 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SbcpHid.sys -- (SbcpHid)
DRV - [2001/08/17 07:50:26 | 000,731,648 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4.sys -- (nv4)
DRV - [2001/08/17 07:19:34 | 000,036,480 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sfmanm.sys -- (sfman) Creative SoundFont Manager Driver (WDM)
DRV - [2001/08/17 07:19:28 | 000,006,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctlfacem.sys -- (emu10k1) Creative Interface Manager Driver (WDM)
DRV - [2001/08/17 07:19:26 | 000,283,904 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emu10k1m.sys -- (emu10k) Creative SB Live! (WDM)
DRV - [2001/08/17 07:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk)
DRV - [2001/08/17 07:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://rd.yahoo.com/customize/sbcy/defaults/cs/*http://www.yahoo.com/search/ie.html


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-839522115-113007714-1343024091-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcy/defaults/sp/*http://www.yahoo.com
IE - HKU\S-1-5-21-839522115-113007714-1343024091-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\S-1-5-21-839522115-113007714-1343024091-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKU\S-1-5-21-839522115-113007714-1343024091-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
IE - HKU\S-1-5-21-839522115-113007714-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-839522115-113007714-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-21-839522115-113007714-1343024091-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcy/defaults/sp/*http://www.yahoo.com
IE - HKU\S-1-5-21-839522115-113007714-1343024091-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
IE - HKU\S-1-5-21-839522115-113007714-1343024091-1006\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://rd.yahoo.com/customize/sbcy/defaults/cs/*http://www.yahoo.com/search/ie.html
IE - HKU\S-1-5-21-839522115-113007714-1343024091-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2009/02/11 20:25:04 | 000,292,053 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 10057 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-839522115-113007714-1343024091-1003\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe (Roxio)
O4 - HKLM..\Run: [C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe ] File not found
O4 - HKLM..\Run: [Corel Photo Downloader] C:\Program Files\CVS\CVS Photo Editor Plus\Corel Photo Downloader.exe (Corel, Inc.)
O4 - HKLM..\Run: [D066UUtility] C:\WINDOWS\twain_32\D66U\D066UUTY.EXE ()
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe (HP)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKU\.DEFAULT..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\RunOnce: [RunNarrator] C:\WINDOWS\System32\narrator.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-839522115-113007714-1343024091-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-839522115-113007714-1343024091-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe (PokerStars)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-839522115-113007714-1343024091-1003\..Trusted Domains: ([]msn in My Computer)
O15 - HKU\S-1-5-21-839522115-113007714-1343024091-1003\..Trusted Domains: mlb.com ([www] https in Trusted sites)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab (Windows Live Safety Center Base Module)
O16 - DPF: {B8748B60-E34D-42AA-9309-8012CA4964AC} http://www.third.arcadeox.com/arcadeox.cab (ArcadeOX control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/31 08:15:33 | 000,000,047 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (aswBoot.exe /M:333c9991ab) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/01 06:57:11 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Daniel Castillo\Desktop\OTL.exe
[2011/03/30 15:23:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daniel Castillo\Desktop\gmer
[2011/03/30 14:38:12 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/03/30 09:00:21 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2011/03/30 08:47:41 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Daniel Castillo\Desktop\chicago.exe
[2011/03/29 18:22:17 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Daniel Castillo\Desktop\mbam-setup-1.50.1.1100.exe
[2011/03/29 17:56:57 | 012,502,472 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Daniel Castillo\Desktop\windows-kb890830-v3.17.exe
[2011/03/28 19:34:53 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2011/03/28 19:34:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011/03/10 12:27:50 | 001,377,112 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Daniel Castillo\Desktop\TDSSKiller.exe
[2011/03/05 17:44:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\eNhDoPo15405
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Daniel Castillo\My Documents\*.tmp files -> C:\Documents and Settings\Daniel Castillo\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/01 06:57:12 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Daniel Castillo\Desktop\OTL.exe
[2011/04/01 06:43:31 | 000,031,828 | ---- | M] () -- C:\logfile
[2011/04/01 06:43:02 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/01 06:42:13 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/01 06:42:10 | 670,187,520 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/01 06:36:29 | 001,263,721 | ---- | M] () -- C:\Documents and Settings\Daniel Castillo\Desktop\tdsskiller.zip
[2011/04/01 00:36:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/03/30 15:22:18 | 000,293,019 | ---- | M] () -- C:\Documents and Settings\Daniel Castillo\Desktop\gmer.zip
[2011/03/30 15:14:32 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Daniel Castillo\Desktop\dds.scr
[2011/03/30 15:12:35 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Daniel Castillo\Desktop\Defogger.exe
[2011/03/30 15:09:08 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Daniel Castillo\defogger_reenable
[2011/03/30 14:40:37 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/03/30 08:47:41 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Daniel Castillo\Desktop\chicago.exe
[2011/03/30 08:39:40 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Daniel Castillo\Local Settings\Application Data\housecall.guid.cache
[2011/03/29 20:31:18 | 000,000,745 | ---- | M] () -- C:\Documents and Settings\Daniel Castillo\Desktop\xp_exe_fix.zip
[2011/03/29 18:22:17 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Daniel Castillo\Desktop\mbam-setup-1.50.1.1100.exe
[2011/03/29 17:56:59 | 012,502,472 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Daniel Castillo\Desktop\windows-kb890830-v3.17.exe
[2011/03/27 15:28:07 | 000,441,124 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/27 15:28:07 | 000,071,060 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/25 20:16:09 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/03/10 12:27:50 | 001,377,112 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Daniel Castillo\Desktop\TDSSKiller.exe
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Daniel Castillo\My Documents\*.tmp files -> C:\Documents and Settings\Daniel Castillo\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/01 06:36:26 | 001,263,721 | ---- | C] () -- C:\Documents and Settings\Daniel Castillo\Desktop\tdsskiller.zip
[2011/03/30 15:22:16 | 000,293,019 | ---- | C] () -- C:\Documents and Settings\Daniel Castillo\Desktop\gmer.zip
[2011/03/30 15:14:31 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Daniel Castillo\Desktop\dds.scr
[2011/03/30 15:12:35 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Daniel Castillo\Desktop\Defogger.exe
[2011/03/30 15:09:08 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Daniel Castillo\defogger_reenable
[2011/03/30 08:39:40 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Daniel Castillo\Local Settings\Application Data\housecall.guid.cache
[2011/03/29 21:53:28 | 000,002,600 | ---- | C] () -- C:\Documents and Settings\Daniel Castillo\Desktop\xp_exe_fix.reg
[2011/03/29 20:31:10 | 000,000,745 | ---- | C] () -- C:\Documents and Settings\Daniel Castillo\Desktop\xp_exe_fix.zip
[2010/07/26 06:49:18 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/05 19:49:49 | 000,040,960 | R--- | C] () -- C:\WINDOWS\System32\wh2robo.dll
[2010/03/08 21:30:33 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\1E663BF96A.sys
[2010/03/08 21:30:32 | 000,002,516 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2010/01/25 12:58:06 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2008/05/30 17:38:25 | 001,228,854 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\OrbError.bmp
[2008/05/22 21:10:22 | 000,000,191 | ---- | C] () -- C:\WINDOWS\sc.INI
[2008/02/05 22:25:03 | 000,000,138 | ---- | C] () -- C:\Documents and Settings\Daniel Castillo\Local Settings\Application Data\fusioncache.dat
[2007/03/05 14:34:28 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/01/21 20:39:42 | 000,002,401 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/11/02 21:40:12 | 000,174,656 | ---- | C] () -- C:\WINDOWS\System32\PSIService.exe
[2006/01/18 23:03:37 | 000,001,761 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/12/02 16:03:14 | 000,000,037 | ---- | C] () -- C:\WINDOWS\D660UES.ini
[2005/05/23 22:02:55 | 002,636,408 | ---- | C] () -- C:\Program Files\aawsepersonal.exe
[2005/05/03 23:11:33 | 000,004,007 | ---- | C] () -- C:\WINDOWS\hpdj3740.ini
[2005/05/03 23:10:07 | 000,000,414 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
[2005/05/03 21:40:00 | 000,000,376 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2005/04/27 19:56:09 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A4W.INI
[2004/10/11 19:35:52 | 000,004,638 | ---- | C] () -- C:\WINDOWS\hpdj5600.ini
[2004/09/18 17:29:08 | 000,033,792 | ---- | C] () -- C:\Documents and Settings\Daniel Castillo\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/09/13 18:24:57 | 000,053,248 | ---- | C] () -- C:\WINDOWS\runepson.exe
[2004/09/13 18:24:57 | 000,000,018 | ---- | C] () -- C:\WINDOWS\Epson777.ini
[2004/08/31 18:18:42 | 000,000,966 | ---- | C] () -- C:\WINDOWS\eReg.dat
[2004/08/31 17:38:25 | 000,000,047 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2004/08/31 08:59:02 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2004/08/31 08:09:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\mtstack.INI
[2004/08/31 07:55:46 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/08/30 12:57:50 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/30 10:15:03 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/30 10:07:45 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/30 05:00:48 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/30 04:59:39 | 000,196,960 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/02/03 11:18:20 | 000,197,120 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[2003/02/03 11:18:20 | 000,034,816 | ---- | C] () -- C:\WINDOWS\patch.exe
[2001/08/23 14:00:00 | 000,022,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\SbcpHid.sys
[2001/08/23 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 07:00:00 | 000,441,124 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 07:00:00 | 000,071,060 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 07:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/08/23 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2001/08/10 13:14:16 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\ImapiRoxPS.dll
[2000/06/12 01:37:18 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\mtstack.exe
[2000/04/17 21:02:00 | 000,000,110 | ---- | C] () -- C:\WINDOWS\System32\EBPPORT.DAT

< End of report >


OTL Extras logfile created on: 4/1/2011 6:58:14 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Daniel Castillo\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

639.00 Mb Total Physical Memory | 353.00 Mb Available Physical Memory | 55.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 960 1920 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.64 Gb Total Space | 8.18 Gb Free Space | 43.87% Space Free | Partition Type: NTFS

Computer Name: HK7YN01 | User Name: Daniel Castillo | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe" = C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:*:Enabled:Microsoft Office Live Meeting 2007 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\PROGRA~1\Yahoo!\MESSEN~1\yserver.exe" = C:\PROGRA~1\Yahoo!\MESSEN~1\yserver.exe:*:Enabled:Yahoo! FT Server
"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe" = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare -- (Eastman Kodak Company)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{03EDED24-8375-407D-A721-4643D9768BE1}" = kgchlwn
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{073F22CE-9A5B-4A40-A604-C7270AC6BF34}" = ESSSONIC
"{11F3F858-4131-4FFA-A560-3FE282933B6E}" = kgchday
"{12665B01-3F3A-4433-B179-9D8E352D7547}" = Try Corel Snapfire muvee autoProducer add on
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{42938595-0D83-404D-9F73-F8177FDD531A}" = ESScore
"{42EED331-936C-446E-9374-077F7B028518}" = Watchtower Library 2006 - English Edition
"{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5316DFC9-CE99-4458-9AB3-E8726EDE0210}" = skin0001
"{5D112C61-C8D0-4718-8DD7-B9115EB9AF90}" = LogMeIn
"{5D601655-6D54-4384-B52C-17EC5385FBBD}" = iTunes
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{608D2A3C-6889-4C11-9B54-A42F45ACBFDB}" = fflink
"{609F7AC8-C510-11D4-A788-009027ABA5D0}" = Easy CD Creator 5 Basic
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{693C08A7-9E76-43FF-B11E-9A58175474C4}" = kgckids
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{8355F970-601D-442D-A79B-1D7DB4F24CAD}" = Apple Mobile Device Support
"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8A8664E1-84C8-4936-891C-BC1F07797549}" = kgcvday
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{90120409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Standard
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{9BD54685-1496-46A5-AB62-357CD140ED8B}" = kgcinvt
"{A1588373-1D86-4D44-86C9-78ABD190F9CC}" = kgcmove
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A98AFBC7-D5A7-46A1-8795-EABE2F55A7D6}" = Microsoft Office Live Meeting 2007
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{E0150C73-3138-4FD2-B038-7F2637C9B5C7}" = CVS Photo Editor Plus
"{E18B549C-5D15-45DA-8D8F-8FD2BD946344}" = kgcbaby
"{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}" = tooltips
"{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}" = kgcbase
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"DScaler 5 Mpeg Decoders_is1" = DScaler 5 Mpeg Decoders
"EB88B6218325D2AB47CFFBF7170236B60A6198FF" = Windows Driver Package - Microsoft Corporation (usbvideo) Image (05/25/2007 1.0.3656.0)
"EPSON Printer and Utilities" = EPSON Printer Software
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"LiveUpdate" = LiveUpdate 1.80 (Symantec Corporation)
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PokerStars" = PokerStars
"PokerStars.net" = PokerStars.net
"RealPlayer 6.0" = RealPlayer
"Shockwave" = Shockwave
"Viewpoint Manager" = Viewpoint Manager (Remove Only)
"ViewpointMediaPlayer" = Viewpoint Media Player
"WIC" = Windows Imaging Component
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-839522115-113007714-1343024091-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/24/2010 2:32:51 AM | Computer Name = HK7YN01 | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 12/31/2010 7:54:13 PM | Computer Name = HK7YN01 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/2/2011 8:20:02 PM | Computer Name = HK7YN01 | Source = Application Error | ID = 1000
Description = Faulting application javaw.exe, version 6.0.200.2, faulting module
unknown, version 0.0.0.0, fault address 0x4fe0b04d.

Error - 2/7/2011 11:52:07 PM | Computer Name = HK7YN01 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 2/7/2011 11:52:07 PM | Computer Name = HK7YN01 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 3/18/2011 7:51:20 PM | Computer Name = HK7YN01 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/18/2011 7:53:46 PM | Computer Name = HK7YN01 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/28/2011 8:04:01 PM | Computer Name = HK7YN01 | Source = Application Hang | ID = 1002
Description = Hanging application spybotsd162[1].tmp, version 51.49.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/29/2011 7:27:17 PM | Computer Name = HK7YN01 | Source = Application Hang | ID = 1002
Description = Hanging application mbam-setup-1.50.1.1100.tmp, version 51.52.0.0,
hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/30/2011 9:54:32 AM | Computer Name = HK7YN01 | Source = Application Hang | ID = 1002
Description = Hanging application chicago.tmp, version 51.49.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 3/30/2011 3:52:37 PM | Computer Name = HK7YN01 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 3/30/2011 3:52:37 PM | Computer Name = HK7YN01 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 3/30/2011 3:52:42 PM | Computer Name = HK7YN01 | Source = Service Control Manager | ID = 7000
Description = The hpdj service failed to start due to the following error: %%2

Error - 3/30/2011 4:28:06 PM | Computer Name = HK7YN01 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 3/30/2011 4:28:12 PM | Computer Name = HK7YN01 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 3/30/2011 4:35:44 PM | Computer Name = HK7YN01 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 4/1/2011 7:42:36 AM | Computer Name = HK7YN01 | Source = ACPI | ID = 327685
Description = AMLI: ACPI BIOS is attempting to write to an illegal IO port address
(0x70), which lies in the 0x70 - 0x71 protected address range. This could lead to
system instability. Please contact your system vendor for technical assistance.

Error - 4/1/2011 7:42:36 AM | Computer Name = HK7YN01 | Source = ACPI | ID = 327684
Description = AMLI: ACPI BIOS is attempting to read from an illegal IO port address
(0x71), which lies in the 0x70 - 0x71 protected address range. This could lead to
system instability. Please contact your system vendor for technical assistance.

Error - 4/1/2011 7:42:36 AM | Computer Name = HK7YN01 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.

Error - 4/1/2011 7:42:40 AM | Computer Name = HK7YN01 | Source = Service Control Manager | ID = 7000
Description = The hpdj service failed to start due to the following error: %%2


< End of report >


I tested the internet search and it dosent re-direct me anymore. I tried to setup malware bytes but gives me a setup error saying "Access violation at address 74E85202. Read of address 04B70F07

#4 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:04:15 AM

Posted 01 April 2011 - 08:54 AM

win-day-ci-tay,

Also I will be going out of town this weekend and wont be able to reply after today till probably monday so please dont close this forum, just a heads up.

Okay, thanks for letting me know.


You were infected with an infection called TD3.

See the snippet of text below:

2011/04/01 06:38:52.0655 2840 Detected object count: 1
2011/04/01 06:39:20.0204 2840 atapi (71de39e3c8baaa6759410eaa2f84ee20) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/01 06:39:20.0214 2840 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: 71de39e3c8baaa6759410eaa2f84ee20, Fake md5: 9f3a2f5aa6875c72bf062c712cfa2674
2011/04/01 06:39:20.0995 2840 Backup copy found, using it..
2011/04/01 06:39:21.0056 2840 C:\WINDOWS\system32\DRIVERS\atapi.sys - will be cured after reboot
2011/04/01 06:39:21.0056 2840 Rootkit.Win32.TDSS.tdl3(atapi) - User select action: Cure
2011/04/01 06:40:07.0953 5456 Deinitialize success


You can read more about this infection here:

Special thanks to quietman7 for providing the above links.



NEXT:



OTL Fix

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.

    :Services
    :OTL
    SRV - File not found [Auto | Stopped] -- -- (hpdj)
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKU\S-1-5-21-839522115-113007714-1343024091-1003\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    O4 - HKLM..\Run: [C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe ] File not found
    O34 - HKLM BootExecute: (aswBoot.exe /M:333c9991ab) - File not found
    [2011/03/05 17:44:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\eNhDoPo15405
    [4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\Documents and Settings\Daniel Castillo\My Documents\*.tmp files -> C:\Documents and Settings\Daniel Castillo\My Documents\*.tmp -> ]
    [4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\Documents and Settings\Daniel Castillo\My Documents\*.tmp files -> C:\Documents and Settings\Daniel Castillo\My Documents\*.tmp -> ]
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



Running ComboFix
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
  • IMPORTANT - Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

    Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#5 win-day-ci-tay

win-day-ci-tay
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 03 April 2011 - 05:25 PM

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
Service hpdj stopped successfully!
Service hpdj deleted successfully!
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_USERS\S-1-5-21-839522115-113007714-1343024091-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session manager\\BootExecute:aswBoot.exe /M:333c9991ab deleted successfully.
Folder C:\Documents and Settings\All Users\Application Data\eNhDoPo15405\ not found.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\System32\SET5D.tmp deleted successfully.
C:\WINDOWS\System32\SET61.tmp deleted successfully.
C:\WINDOWS\System32\SET69.tmp deleted successfully.
C:\WINDOWS\002397_.tmp deleted successfully.
C:\WINDOWS\006123_.tmp deleted successfully.
C:\WINDOWS\SET3.tmp deleted successfully.
C:\WINDOWS\SET7.tmp deleted successfully.
C:\Documents and Settings\Daniel Castillo\My Documents\~WRL1338.tmp deleted successfully.
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Daniel Castillo\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Daniel Castillo\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

[EMPTYTEMP]

User: All Users

User: Application Data

User: Daniel Castillo
->Temp folder emptied: 137709457 bytes
->Temporary Internet Files folder emptied: 28808143 bytes
->Apple Safari cache emptied: 14336 bytes
->Flash cache emptied: 2277567 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
->Temp folder emptied: 437216 bytes
->Temporary Internet Files folder emptied: 33438 bytes

User: LogMeInRemoteUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 4431474 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1130139 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33726 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 167.00 mb


[EMPTYFLASH]

User: All Users

User: Application Data

User: Daniel Castillo
->Flash cache emptied: 0 bytes

User: Default User

User: LocalService

User: LogMeInRemoteUser

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 04012011_090411

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...















ComboFix 11-04-03.01 - Daniel Castillo 04/03/2011 16:53:23.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.639.253 [GMT -5:00]
Running from: c:\documents and settings\Daniel Castillo\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Java
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_WMPNetworkSvc
.
.
((((((((((((((((((((((((( Files Created from 2011-03-03 to 2011-04-03 )))))))))))))))))))))))))))))))
.
.
2011-04-01 14:04 . 2011-04-01 14:04 -------- d-----w- C:\_OTL
2011-03-30 14:00 . 2011-03-30 18:53 -------- d-----w- c:\program files\Windows Live Safety Center
2011-03-29 00:34 . 2011-03-30 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-03-29 00:34 . 2011-03-29 00:34 -------- d-----w- c:\program files\AVAST Software
2011-03-05 22:44 . 2011-03-05 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\eNhDoPo15405
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-01 11:41 . 2001-08-23 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2011-02-03 02:40 . 2010-05-06 00:47 472808 ----a-w- c:\windows\system32\deployJava1.dll
2005-05-24 03:02 . 2005-05-24 03:02 2636408 -c--a-w- c:\program files\aawsepersonal.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\program files\SBC Yahoo!\Connection Manager\ConnectionManager.exe "="SBC Yahoo! Connection Manager" [X]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2004-08-31 684032]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"D066UUtility"="c:\windows\TWAIN_32\D66U\D066UUTY.EXE" [2000-07-06 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-05-31 63048]
"Corel Photo Downloader"="c:\program files\CVS\CVS Photo Editor Plus\Corel Photo Downloader.exe" [2007-02-06 478800]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-15 13:17 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/24/2010 1:36 AM 64288]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/27/2010 3:47 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [5/31/2010 12:31 PM 12856]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 10:16 PM 24652]
S3 Conipo;Conipo; [x]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - IPVNMon
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://rd.yahoo.com/customize/sbcy/defaults/su/*http://www.yahoo.com
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
Trusted Zone: mlb.com\www
DPF: {B8748B60-E34D-42AA-9309-8012CA4964AC} - hxxp://www.third.arcadeox.com/arcadeox.cab
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-klmdb.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-03 17:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(560)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(3888)
c:\windows\system32\WININET.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\devldr32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2011-04-03 17:13:21 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-03 22:13
.
Pre-Run: 8,756,969,472 bytes free
Post-Run: 8,629,489,664 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 31792E3BED90A2CA39F76CF8343BE4B5



Still Cant run Malwarebytes, is this common? Any reason why I cant run it? same thing happens with spybot. What are my other alternatives for installing a spywaresotware? Still worried why i cant install malware bytes, i feel something is preventing it from loading.

#6 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:04:15 AM

Posted 03 April 2011 - 07:22 PM

Hi!

Still Cant run Malwarebytes, is this common? Any reason why I cant run it? same thing happens with spybot. What are my other alternatives for installing a spywaresotware? Still worried why i cant install malware bytes, i feel something is preventing it from loading.

Not too sure. We will try removing it and then re-installing it.


ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
File::
Folder::
c:\documents and settings\All Users\Application Data\eNhDoPo15405
Registry::
Driver::
Conipo

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT:



MalwareBytes' Anti-Malware Uninstall

Please do the following:

  • Download and run mbam-clean.exe from here
  • It will ask to restart your computer, please allow it to do so very important
  • After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here
  • Note: You will need to reactivate the program using the license you were sent via email if using the Pro version
  • Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.
    Restart the computer again and verify that MBAM is in the task tray if using the Pro version. Now setup any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications and restart your Anti-Virus/Internet-Security applications. You may use the guides posted in the FAQ's here or ask and we'll explain how to do it.


NEXT:



Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update have been completed, Select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as it is and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Checked (ticked) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, the place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NEXT:



Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#7 win-day-ci-tay

win-day-ci-tay
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 04 April 2011 - 06:53 AM

Malwarebytes still wont load, gives me the same error message and freezes while trying to install

ESET ONLINE SCAN found no threats







ComboFix 11-04-03.01 - Daniel Castillo 04/03/2011 19:50:55.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.639.370 [GMT -5:00]
Running from: c:\documents and settings\Daniel Castillo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Daniel Castillo\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\eNhDoPo15405
c:\documents and settings\All Users\Application Data\eNhDoPo15405\eNhDoPo15405
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_CONIPO
-------\Service_Conipo
.
.
((((((((((((((((((((((((( Files Created from 2011-03-04 to 2011-04-04 )))))))))))))))))))))))))))))))
.
.
2011-04-01 14:04 . 2011-04-01 14:04 -------- d-----w- C:\_OTL
2011-03-30 14:00 . 2011-03-30 18:53 -------- d-----w- c:\program files\Windows Live Safety Center
2011-03-29 00:34 . 2011-03-30 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-03-29 00:34 . 2011-03-29 00:34 -------- d-----w- c:\program files\AVAST Software
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-01 11:41 . 2001-08-23 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2011-02-03 02:40 . 2010-05-06 00:47 472808 ----a-w- c:\windows\system32\deployJava1.dll
2005-05-24 03:02 . 2005-05-24 03:02 2636408 -c--a-w- c:\program files\aawsepersonal.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\program files\SBC Yahoo!\Connection Manager\ConnectionManager.exe "="SBC Yahoo! Connection Manager" [X]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2004-08-31 684032]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"D066UUtility"="c:\windows\TWAIN_32\D66U\D066UUTY.EXE" [2000-07-06 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-05-31 63048]
"Corel Photo Downloader"="c:\program files\CVS\CVS Photo Editor Plus\Corel Photo Downloader.exe" [2007-02-06 478800]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-15 13:17 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/24/2010 1:36 AM 64288]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/27/2010 3:47 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [5/31/2010 12:31 PM 12856]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 10:16 PM 24652]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - IPVNMon
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://rd.yahoo.com/customize/sbcy/defaults/su/*http://www.yahoo.com
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
Trusted Zone: mlb.com\www
DPF: {B8748B60-E34D-42AA-9309-8012CA4964AC} - hxxp://www.third.arcadeox.com/arcadeox.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-03 20:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(548)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(1576)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\devldr32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2011-04-03 20:10:54 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-04 01:10
ComboFix2.txt 2011-04-03 22:13
.
Pre-Run: 8,621,989,888 bytes free
Post-Run: 8,626,012,160 bytes free
.
- - End Of File - - 8DFB648761593E1F4B97F329D6E019E9



Results of screen317's Security Check version 0.99.10
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Adobe Flash Player
Adobe Reader 8.1.3
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````

#8 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:04:15 AM

Posted 04 April 2011 - 01:24 PM

What is the error message you are receiving when trying to run MBAM?

Any additional information on that error message that you can provide me with would be extremely helpful.


Update Adobe Reader
Earlier versions of Adobe Reader have known security flaws so it is recommended that you update your copy
  • Go to Start > Control Panel > Add/Remove Programs
  • Remove ALL instances of Adobe Reader
  • Re-boot your computer as required.
  • Once ALL versions of Adobe Reader have been uninstalled, visit: <<here>> and download the latest version of Adobe Reader
Alternative Option: after uninstalling Adobe Reader, you could try installing Foxit Reader from >here< Foxit Reader has fewer add-ons therefore loads more quickly.



NEXT:


OTL Custom Scan

We need to run an OTL Custom Scan
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following bolded text into the Posted Image textbox.


    netsvcs
    drivers32
    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Push the Posted Image button.
  • A report will open. Copy and Paste that report in your next reply.


NEXT:



What outstanding issues (if any) are you still experiencing with your computer?

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#9 win-day-ci-tay

win-day-ci-tay
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 04 April 2011 - 06:38 PM

While using your link to majorgeeks.com to download malware bytes, using the first download location it told me "Internet Explorer cannot display the webpage". 2nd webpage tells me "The webpage cannot be found". I downloaded the mbam-setup from malware bytes website, clicked run, english and follows with "setup...access violation at address 74E85202. Read of address 04B70F07". I press ok, gives me same message, i press ok amd gives me the message "setup...privliged instruction." press ok and displays same message. press ok and brings up the Welcome to the malwarebytes ant-malware setup wizard. I press ok and it gives me a "setup...access violation at address. Read of address". i press ok "setup...access violation at address 91000FF. Read of address 91000FF". 2 more times after clickin ok....then a "setup...access violation at address74E35B3E. Read of address 000000000". and it freezes at the license agreement display. I notice there is no license agreement text in the dialog box.

OTL logfile created on: 4/4/2011 6:10:17 PM - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Daniel Castillo\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

639.00 Mb Total Physical Memory | 255.00 Mb Available Physical Memory | 40.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 960 1920 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.64 Gb Total Space | 7.74 Gb Free Space | 41.52% Space Free | Partition Type: NTFS

Computer Name: HK7YN01 | User Name: Daniel Castillo | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/01 06:57:12 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Daniel Castillo\Desktop\OTL.exe
PRC - [2011/03/01 09:57:04 | 000,277,392 | ---- | M] (NOS Microsystems Ltd.) -- C:\Program Files\NOS\bin\getPlusPlus_Adobe.exe
PRC - [2010/12/15 08:17:32 | 000,374,152 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
PRC - [2010/05/31 12:31:10 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/19 04:33:46 | 000,282,624 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
PRC - [2007/01/04 16:38:18 | 000,112,336 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
PRC - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2006/11/02 21:40:12 | 000,174,656 | ---- | M] () -- C:\WINDOWS\system32\PSIService.exe
PRC - [2004/08/31 08:39:30 | 000,684,032 | ---- | M] (Roxio) -- C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe
PRC - [2001/08/17 17:36:42 | 000,024,064 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\devldr32.exe
PRC - [2000/07/06 15:11:00 | 000,032,768 | R--- | M] () -- C:\WINDOWS\twain_32\D66U\D066UUTY.EXE


========== Modules (SafeList) ==========

MOD - [2011/04/01 06:57:12 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Daniel Castillo\Desktop\OTL.exe
MOD - [2008/04/13 19:12:51 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/03/01 09:56:36 | 000,052,288 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Running] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus®
SRV - [2010/12/15 08:17:55 | 000,136,584 | ---- | M] (LogMeIn, Inc.) [Disabled | Stopped] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
SRV - [2010/12/15 08:17:46 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Disabled | Stopped] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2010/12/15 08:17:32 | 000,374,152 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2006/11/02 21:40:12 | 000,174,656 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PSIService.exe -- (ProtexisLicensing)


========== Driver Services (SafeList) ==========

DRV - [2010/12/15 08:17:34 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2010/12/03 04:05:34 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2010/05/31 12:31:12 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2010/05/31 12:31:10 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2009/08/19 16:49:22 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2008/04/13 13:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2007/02/02 03:00:00 | 000,009,464 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2007/02/02 03:00:00 | 000,009,336 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2004/08/31 08:39:32 | 000,206,464 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys -- (UdfReadr_xp)
DRV - [2004/08/31 08:39:32 | 000,144,250 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2K)
DRV - [2004/08/31 08:39:31 | 000,241,280 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\cdudf_xp.sys -- (cdudf_xp)
DRV - [2004/08/31 08:39:31 | 000,030,662 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2004/08/31 08:39:31 | 000,025,930 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2003/05/14 13:42:56 | 000,021,216 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WmFilter.sys -- (WmFilter)
DRV - [2003/05/14 13:42:50 | 000,010,144 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WmBEnum.sys -- (WmBEnum)
DRV - [2003/05/14 13:42:48 | 000,005,728 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WmVirHid.sys -- (WmVirHid)
DRV - [2003/05/14 13:42:44 | 000,044,288 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WmXlCore.sys -- (WmXlCore)
DRV - [2002/04/11 13:21:38 | 000,013,335 | R--- | M] (Microsystems Corp) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbcm.sys -- (usbcm)
DRV - [2001/08/23 14:00:00 | 000,022,400 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SbcpHid.sys -- (SbcpHid)
DRV - [2001/08/17 07:50:26 | 000,731,648 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4.sys -- (nv4)
DRV - [2001/08/17 07:19:34 | 000,036,480 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sfmanm.sys -- (sfman) Creative SoundFont Manager Driver (WDM)
DRV - [2001/08/17 07:19:28 | 000,006,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctlfacem.sys -- (emu10k1) Creative Interface Manager Driver (WDM)
DRV - [2001/08/17 07:19:26 | 000,283,904 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emu10k1m.sys -- (emu10k) Creative SB Live! (WDM)
DRV - [2001/08/17 07:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk)
DRV - [2001/08/17 07:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://rd.yahoo.com/customize/sbcy/defaults/cs/*http://www.yahoo.com/search/ie.html

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



O1 HOSTS File: ([2011/04/03 20:03:33 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe (Roxio)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe ] File not found
O4 - HKLM..\Run: [Corel Photo Downloader] C:\Program Files\CVS\CVS Photo Editor Plus\Corel Photo Downloader.exe (Corel, Inc.)
O4 - HKLM..\Run: [D066UUtility] C:\WINDOWS\twain_32\D66U\D066UUTY.EXE ()
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe (HP)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\RunOnce: [Uninstall Adobe Download Manager] C:\Program Files\NOS\bin\getPlusUninst_Adobe.exe (NOS Microsystems Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe (PokerStars)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: mlb.com ([www] https in Trusted sites)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab (Windows Live Safety Center Base Module)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {B8748B60-E34D-42AA-9309-8012CA4964AC} http://www.third.arcadeox.com/arcadeox.cab (ArcadeOX control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/31 08:15:33 | 000,000,047 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: aux - C:\WINDOWS\System32\ctwdm32.dll (Creative Technology Ltd.)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2011/04/04 18:00:57 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2011/04/04 17:59:12 | 000,000,000 | ---D | C] -- C:\Program Files\NOS
[2011/04/03 20:17:35 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/04/03 20:10:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/04/03 19:48:35 | 000,000,000 | ---D | C] -- C:\ComboFix
[2011/04/03 16:51:20 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/04/03 16:49:02 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/04/03 16:49:02 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/04/03 16:49:02 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/04/03 16:49:02 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/04/03 16:48:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/04/03 16:48:06 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/04/01 09:04:11 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/04/01 06:57:11 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Daniel Castillo\Desktop\OTL.exe
[2011/03/30 15:23:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daniel Castillo\Desktop\gmer
[2011/03/30 09:00:21 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2011/03/28 19:34:53 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2011/03/28 19:34:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011/03/10 12:27:50 | 001,377,112 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Daniel Castillo\Desktop\TDSSKiller.exe

========== Files - Modified Within 30 Days ==========

[2011/04/04 18:07:51 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/04/04 17:55:45 | 000,032,588 | ---- | M] () -- C:\logfile
[2011/04/04 17:55:04 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/04 17:54:42 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/04 17:54:32 | 670,187,520 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/04 06:44:05 | 000,879,081 | ---- | M] () -- C:\Documents and Settings\Daniel Castillo\Desktop\SecurityCheck.exe
[2011/04/03 20:03:33 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/04/03 16:51:32 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/04/03 16:46:24 | 004,312,954 | R--- | M] () -- C:\Documents and Settings\Daniel Castillo\Desktop\ComboFix.exe
[2011/04/01 20:16:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/04/01 06:57:12 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Daniel Castillo\Desktop\OTL.exe
[2011/04/01 06:36:29 | 001,263,721 | ---- | M] () -- C:\Documents and Settings\Daniel Castillo\Desktop\tdsskiller.zip
[2011/03/30 15:22:18 | 000,293,019 | ---- | M] () -- C:\Documents and Settings\Daniel Castillo\Desktop\gmer.zip
[2011/03/30 15:14:32 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Daniel Castillo\Desktop\dds.scr
[2011/03/30 15:12:35 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Daniel Castillo\Desktop\Defogger.exe
[2011/03/30 15:09:08 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Daniel Castillo\defogger_reenable
[2011/03/30 14:40:37 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/03/30 08:39:40 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Daniel Castillo\Local Settings\Application Data\housecall.guid.cache
[2011/03/27 15:28:07 | 000,441,124 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/27 15:28:07 | 000,071,060 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/10 12:27:50 | 001,377,112 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Daniel Castillo\Desktop\TDSSKiller.exe

========== Files Created - No Company Name ==========

[2011/04/04 18:07:51 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2011/04/04 18:07:51 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/04/04 06:44:04 | 000,879,081 | ---- | C] () -- C:\Documents and Settings\Daniel Castillo\Desktop\SecurityCheck.exe
[2011/04/03 16:51:32 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/04/03 16:51:25 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/04/03 16:49:02 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/04/03 16:49:02 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/04/03 16:49:02 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/04/03 16:49:02 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/04/03 16:49:02 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/04/03 16:46:19 | 004,312,954 | R--- | C] () -- C:\Documents and Settings\Daniel Castillo\Desktop\ComboFix.exe
[2011/04/01 06:36:26 | 001,263,721 | ---- | C] () -- C:\Documents and Settings\Daniel Castillo\Desktop\tdsskiller.zip
[2011/03/30 15:22:16 | 000,293,019 | ---- | C] () -- C:\Documents and Settings\Daniel Castillo\Desktop\gmer.zip
[2011/03/30 15:14:31 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Daniel Castillo\Desktop\dds.scr
[2011/03/30 15:12:35 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Daniel Castillo\Desktop\Defogger.exe
[2011/03/30 15:09:08 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Daniel Castillo\defogger_reenable
[2011/03/30 08:39:40 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Daniel Castillo\Local Settings\Application Data\housecall.guid.cache
[2010/07/26 06:49:18 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/05 19:49:49 | 000,040,960 | R--- | C] () -- C:\WINDOWS\System32\wh2robo.dll
[2010/03/08 21:30:33 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\1E663BF96A.sys
[2010/03/08 21:30:32 | 000,002,516 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2010/01/25 12:58:06 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2008/05/30 17:38:25 | 001,228,854 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\OrbError.bmp
[2008/05/22 21:10:22 | 000,000,191 | ---- | C] () -- C:\WINDOWS\sc.INI
[2008/02/05 22:25:03 | 000,000,138 | ---- | C] () -- C:\Documents and Settings\Daniel Castillo\Local Settings\Application Data\fusioncache.dat
[2007/03/05 14:34:28 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/01/21 20:39:42 | 000,002,401 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/11/02 21:40:12 | 000,174,656 | ---- | C] () -- C:\WINDOWS\System32\PSIService.exe
[2006/01/18 23:03:37 | 000,001,761 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/12/02 16:03:14 | 000,000,037 | ---- | C] () -- C:\WINDOWS\D660UES.ini
[2005/05/23 22:02:55 | 002,636,408 | ---- | C] () -- C:\Program Files\aawsepersonal.exe
[2005/05/03 23:11:33 | 000,004,007 | ---- | C] () -- C:\WINDOWS\hpdj3740.ini
[2005/05/03 23:10:07 | 000,000,414 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
[2005/05/03 21:40:00 | 000,000,376 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2005/04/27 19:56:09 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A4W.INI
[2004/10/11 19:35:52 | 000,004,638 | ---- | C] () -- C:\WINDOWS\hpdj5600.ini
[2004/09/18 17:29:08 | 000,033,792 | ---- | C] () -- C:\Documents and Settings\Daniel Castillo\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/09/13 18:24:57 | 000,053,248 | ---- | C] () -- C:\WINDOWS\runepson.exe
[2004/09/13 18:24:57 | 000,000,018 | ---- | C] () -- C:\WINDOWS\Epson777.ini
[2004/08/31 18:18:42 | 000,000,966 | ---- | C] () -- C:\WINDOWS\eReg.dat
[2004/08/31 17:38:25 | 000,000,047 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2004/08/31 08:59:02 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2004/08/31 08:09:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\mtstack.INI
[2004/08/31 07:55:46 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/08/30 12:57:50 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/30 10:15:03 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/30 10:07:45 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/30 05:00:48 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/30 04:59:39 | 000,196,960 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/02/03 11:18:20 | 000,197,120 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[2003/02/03 11:18:20 | 000,034,816 | ---- | C] () -- C:\WINDOWS\patch.exe
[2001/08/23 14:00:00 | 000,022,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\SbcpHid.sys
[2001/08/23 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 07:00:00 | 000,441,124 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 07:00:00 | 000,071,060 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 07:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/08/23 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2001/08/10 13:14:16 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\ImapiRoxPS.dll
[2000/06/12 01:37:18 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\mtstack.exe
[2000/04/17 21:02:00 | 000,000,110 | ---- | C] () -- C:\WINDOWS\System32\EBPPORT.DAT

========== LOP Check ==========

[2008/11/25 22:15:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applications
[2011/03/30 14:40:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2011/04/03 07:41:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2004/09/01 21:55:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RSE
[2008/12/11 08:17:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/02/11 20:07:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo
[2009/04/29 08:05:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2005/12/05 14:37:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daniel Castillo\Application Data\Canon
[2010/03/08 21:47:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daniel Castillo\Application Data\CVS
[2008/02/04 23:52:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daniel Castillo\Application Data\ICAClient
[2007/11/21 20:31:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daniel Castillo\Application Data\Simple Star
[2008/02/05 22:24:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daniel Castillo\Application Data\Sirius
[2007/11/21 20:12:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daniel Castillo\Application Data\Snapfish
[2007/01/28 19:28:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daniel Castillo\Application Data\Viewpoint
[2008/06/06 23:39:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daniel Castillo\Application Data\Walgreens
[2009/01/11 22:25:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daniel Castillo\Application Data\Watchtower
[2006/03/18 14:50:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daniel Castillo\Application Data\Webshots

========== Purity Check ==========



========== Custom Scans ==========


< %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2009-07-15 21:36:26

< End of report >

#10 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:04:15 AM

Posted 05 April 2011 - 03:48 PM

Okay.

First things first.

Lets install an Anti-Virus program:

No Anti-Virus Present

Looking over your log it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect cleans and erase harmful virus files on a computer
Web server or network.
Unchecked virus files can unintentionally be forwarded to others including trading partners and thereby spreading infection. Because new viruses regularly emerge anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present and will clean delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors
  • Avira AntiVir Personal - Free anti-virus software for Windows. Detects and removes more than 50000 viruses. Free support.
  • avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer then only one of them should be active in memory at a time.



NEXT:



Also any reason you haven't updated your system in over 2+ years?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2009-07-15 21:36:26

You really need to update your version of Windows and install the latest updates that are available for you, because it's possible that this MBAM error message is related to updates not being installed.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#11 win-day-ci-tay

win-day-ci-tay
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 05 April 2011 - 08:47 PM

Added the Avira anti-virus software.

Didnt realize my automatic updates were off so changed it and added all updates.

Tried to install malware bytes again, with no success, it gave me a error report, dont know if this is any help.


C:\DOCUME~1\DANIEL~1\LOCALS~1\Temp\WER1262.dir00\mbam-setup-1.50.1.1100.tmp.mdmp
szAppName : mbam-setup-1.50.1.1100.tmp szAppVer : 51.52.0.0
szModName : hungapp szModVer : 0.0.0.0 offset : 00000000

Besides that everything seems well, just worried why malware wont install.

#12 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:04:15 AM

Posted 06 April 2011 - 08:47 AM

I'm not sure if this will work but I'll ask you to try it anyways.

Can you please try to save the MBAM setup file to your desktop when you download a new copy of it? You should be able to right click on the link and be able to choose Save Link As or Save As?

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#13 win-day-ci-tay

win-day-ci-tay
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 06 April 2011 - 06:46 PM

Well tried it, didnt work, tried to rename it, didnt work. Seems like its a unknown mystery.

#14 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:04:15 AM

Posted 07 April 2011 - 03:59 PM

Please try this scanner:

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#15 win-day-ci-tay

win-day-ci-tay
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:15 AM

Posted 07 April 2011 - 07:54 PM

Was able to save SUPERAntiSpyware with no problem.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/07/2011 at 07:42 PM

Application Version : 4.50.1002

Core Rules Database Version : 6779
Trace Rules Database Version: 4591

Scan type : Complete Scan
Total Scan Time : 01:34:00

Memory items scanned : 576
Memory threats detected : 0
Registry items scanned : 5992
Registry threats detected : 0
File items scanned : 23552
File threats detected : 7

Adware.Tracking Cookie
C:\Documents and Settings\Daniel Castillo\Cookies\daniel_castillo@content.yieldmanager[1].txt
C:\Documents and Settings\Daniel Castillo\Cookies\daniel_castillo@ad.wsod[2].txt
C:\Documents and Settings\Daniel Castillo\Cookies\daniel_castillo@ad.yieldmanager[1].txt
C:\Documents and Settings\Daniel Castillo\Cookies\daniel_castillo@kontera[2].txt
C:\Documents and Settings\Daniel Castillo\Cookies\daniel_castillo@ads.bleepingcomputer[1].txt
C:\Documents and Settings\Daniel Castillo\Cookies\daniel_castillo@collective-media[1].txt
C:\Documents and Settings\Daniel Castillo\Cookies\daniel_castillo@questionmarket[2].txt




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users