Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan Infected Computer


  • This topic is locked This topic is locked
38 replies to this topic

#1 isseng

isseng

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 17 May 2011 - 10:33 AM

My computer got infected a month ago with a trojan virus (I can't recall the exact name of it, but it wouldn't let me open my firefox window, also fake virus scans started popping up). Then, my McAfee some how blocked it days later, but I still have problems that suggest that there is still a virus lurking in my computer. One example is that on my navigation toolbar, I always have Google set up as my search engine, but ever since the virus attack, whenever I open the Firefox windows, the search engine always starts out with the Ask.com search engine instead. This didn't happen before. Also, I saved the GMER file to my Desktop, but when I tried the "Extract All" part by right clicking the icon, there was no such message. I just got "Extract files", "Extract Here", and "Extract to gmer(2)\" messages one right clicking.
I tried them all but something different came up, and so I didn't get to create the Ark.txt file.

Here is the DDS.txt log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Ina at 11:13:43.17 on Tue 05/17/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1527.864 [GMT -4:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Ina\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mDefault_Page_URL = hxxp://www.bestbuy.com
mSearch Page =
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.bestbuy.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110515135306.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Viewpoint Toolbar BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - c:\program files\viewpoint\viewpoint toolbar\ViewBarBHO.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: LimeWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: LimeWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10a.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ma111c~1.lnk - c:\program files\netgear\ma111 configuration utility\wlancfg.exe
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: RaptisoftGameLoader - hxxp://real.gamehouse.com/games/raptisoft/raptisoftgameloader.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {3C403675-B43C-410B-BF56-D4D1FB68356C} - hxxp://72.29.84.224/OCX/gwnet.cab
DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} - hxxp://www.miniclip.com/games/ricochet-lost-worlds/en/ReflexiveWebGameLoader.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/36.24/uploader2.cab
DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v8.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://download.shockwave.com/pub/otoy/OTOYAX.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B0FB831D-17F6-4CBD-9B5D-3305881D362E} - hxxp://www.shockwave.com/content/reaxxion/sis/HLGLauncher.cab
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - hxxp://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} - hxxp://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://www.bigfishgames.com/online/feedingfrenzy/Game/SproutLauncher.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/games/popcaploader_v6.cab
DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - hxxp://download.abacast.com/download/files/abasetup161.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ina\applic~1\mozilla\firefox\profiles\bm73atg6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=LMW4&o=16794&locale=en_US&apn_uid=846890B1-2BEC-446F-843F-B2DA6CA6E120&apn_ptnrs=3M&apn_sauid=B2A77242-2668-4DE1-B47B-FB79644F21A1&apn_dtid=VIN007YYUS&q=
FF - component: c:\documents and settings\ina\application data\mozilla\firefox\profiles\bm73atg6.default\extensions\toolbar@ask.com\chrome\content\AudioService.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGPPlugin.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.il", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.ua", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--wgbh1c", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgba3a4f16a", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgba3a4fra", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--wgbl6a", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-3-2 387480]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-3-2 84200]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-10-6 14336]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-3-2 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-3-2 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-3-2 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-3-2 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-3-2 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-3-2 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2011-3-2 141792]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-3-2 56064]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-3-2 153280]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-3-2 52320]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-3-2 314088]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-3-2 88736]
R3 SunkFilt32;Alcor Micro Corp - 3233;c:\windows\system32\drivers\Sunkfilt32.sys [2004-8-18 40956]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-10 135664]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-10 135664]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-3-2 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-3-2 84488]
S3 rtl8180;Belkin 11Mbps Wireless Desktop Network Card Driver;c:\windows\system32\drivers\bel6001.sys --> c:\windows\system32\drivers\Bel6001.sys [?]
S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\sjypkt.sys --> c:\windows\system32\drivers\SjyPkt.sys [?]
S3 XDva186;XDva186;\??\c:\windows\system32\xdva186.sys --> c:\windows\system32\XDva186.sys [?]
S3 XDva189;XDva189;\??\c:\windows\system32\xdva189.sys --> c:\windows\system32\XDva189.sys [?]
S3 XDva296;XDva296;\??\c:\windows\system32\xdva296.sys --> c:\windows\system32\XDva296.sys [?]
S4 McOobeSv;McAfee OOBE Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-3-2 271480]

=============== Created Last 30 ================


==================== Find3M ====================

2011-05-17 14:48:01 69 ----a-w- c:\documents and settings\ina\jagex_runescape_preferences.dat
2011-05-17 14:47:06 129 ----a-w- c:\documents and settings\ina\jagex_runescape_preferences2.dat
2011-04-14 18:01:38 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-04-14 18:01:38 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-04-14 18:01:38 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-04-14 18:01:38 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-04-14 18:01:38 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-04-14 18:01:38 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-04-14 18:01:38 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-04-14 18:01:38 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-04-14 18:01:38 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-04-14 18:01:38 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-02-18 21:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2007-07-06 23:23:06 15005 ----a-w- c:\program files\User Manual (Text Version).txt
2007-07-06 23:07:26 145809 ----a-w- c:\program files\User Manual (PDF Version).pdf
2006-02-26 15:47:32 774144 ----a-w- c:\program files\RngInterstitial.dll
2009-11-03 15:08:52 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2007-09-03 16:53:21 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007090320070904\index.dat
2007-10-03 02:37:29 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007100220071003\index.dat
2007-11-05 00:03:09 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007110420071105\index.dat
2008-12-02 04:30:21 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120120081202\index.dat

============= FINISH: 11:15:40.10 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:38 PM

Posted 27 May 2011 - 09:00 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks.

DR

#3 isseng

isseng
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 30 May 2011 - 03:29 PM

HI! I am infected with a trojan called "TDSS.d!mem" and I have new information. Before I explain, I must add that I am on the same computer, but on a different account/ username. This is because the main account I use is totally infected with the trojan virus, and it will not let me open Firefox, Task Manager, Microsoft Word, iTunes, or ANYTHING at all. Whenever I try and open these programs, a pop-up bubble tells me that the specific file (such as Firefox) is infected by "W32/Blaster.worm" and that I should install the virus protection to get rid of it. I know this is fake. Also, this fake program is called "Security Protection" and it keeps giving me pop-ups that tell me to install it and it keeps doing fake virus scans. Also, before I was completely infected with the virus, I would have Google redirects.
I did a virus scan with McAfee earlier and it told me that I was indeed infected by a virus called "TDSS.d!mem" and the Full Path was "SUSP_IRP_MJ_CREATE" (Although I do not know what that means :P )But McAfee could not remove it.
Should I still do the DDS log and the other things that you told me to do even though I am on a different account, which apparently does not seem to have been affected by the virus yet? (Firefox opened in safe mode on this account, however)

Edited by isseng, 30 May 2011 - 03:31 PM.


#4 CStew23

CStew23

  • Members
  • 1,484 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:38 PM

Posted 30 May 2011 - 07:04 PM

Hello isseng ! Welcome to BleepingComputer Forums! :welcome:

My name is Chris and and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only! If you are not the original poster of this thread DO NOT run the fixes provided here.
  • Please do not run any tools until requested by myself or another member of Staff! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • If you stay with me, follow my instructions and ask questions when confused you'll be back up and running in no time :)

Now let's get down to business:

I'm currently a trainee in the Malware Removal Training program and therefore my answers have to be checked by a Teacher before they get posted to you. There may be a delay due to this. I apologize in advance if this happens. Hold tight while I get the first set of instructions out to you.

Edited by CStew23, 30 May 2011 - 07:04 PM.

Please don't send help request via PM, unless I am already helping you. Use the forums!
If you have not heard from me in 48 hours please use this and send me a PM reminder.

#5 isseng

isseng
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 31 May 2011 - 03:34 PM

Okay, thanks! :)

#6 CStew23

CStew23

  • Members
  • 1,484 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:38 PM

Posted 01 June 2011 - 12:52 PM

Hi,

Are you interested in cleaning the originally infected user profile? We could remove it entirely but the downside is that we might not be able to save all the data contained within it. Do you have your XP CD handy?

We need to create a New FULL OTL Report
  • Please download OTL from here if you have not done so already:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized

Please don't send help request via PM, unless I am already helping you. Use the forums!
If you have not heard from me in 48 hours please use this and send me a PM reminder.

#7 CStew23

CStew23

  • Members
  • 1,484 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:38 PM

Posted 02 June 2011 - 12:15 PM

Hi,

Do you still need help with this?
Please don't send help request via PM, unless I am already helping you. Use the forums!
If you have not heard from me in 48 hours please use this and send me a PM reminder.

#8 isseng

isseng
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 02 June 2011 - 04:42 PM

Yes, I would still like to resolve this issue, and cleaning the originally infected user profile, but I have Microsoft Word documents on it that I do not want to delete. Is it still possible to retain the info ..? And I don't have an XP CD.

#9 isseng

isseng
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 02 June 2011 - 04:51 PM

I also did the OTL report:

Here is the OTL.txt:

OTL logfile created on: 6/2/2011 5:43:49 PM - Run 1
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\Reela\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.49 Gb Total Physical Memory | 0.98 Gb Available Physical Memory | 65.91% Memory free
2.09 Gb Paging File | 1.51 Gb Available in Paging File | 72.41% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 24.14 Gb Free Space | 16.20% Space Free | Partition Type: NTFS

Computer Name: INARISHU | User Name: Reela | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/02 17:43:07 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Reela\My Documents\Downloads\OTL.exe
PRC - [2011/04/30 10:51:07 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/04/14 14:01:38 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
PRC - [2011/04/14 14:01:38 | 000,171,168 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
PRC - [2011/04/14 14:01:38 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mfevtps.exe
PRC - [2011/04/05 11:50:44 | 001,195,408 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2011/04/05 11:50:44 | 001,159,888 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\MSC\mcupdmgr.exe
PRC - [2011/04/05 11:50:44 | 000,822,560 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcupdate.exe
PRC - [2011/02/25 11:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE
PRC - [2011/01/17 18:37:40 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2011/01/17 18:37:40 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2010/03/10 11:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/12/22 07:31:50 | 000,108,712 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
PRC - [2006/12/22 07:29:56 | 000,067,752 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
PRC - [2005/01/24 20:58:02 | 000,081,920 | ---- | M] () -- C:\Program Files\Sony\SonicStage\SSAAD.exe
PRC - [2004/08/18 18:52:30 | 000,135,168 | ---- | M] (Alcor Micro, Corp.) -- C:\Program Files\Digital Media Reader\shwiconEM.exe
PRC - [2004/05/14 20:47:18 | 000,067,072 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2003/08/04 18:28:18 | 000,049,152 | ---- | M] (Hewlett-Packard) -- C:\Program Files\HP\HP Software Update\hpwuSchd.exe


========== Modules (SafeList) ==========

MOD - [2011/06/02 17:43:07 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Reela\My Documents\Downloads\OTL.exe
MOD - [2011/04/08 16:56:28 | 000,018,176 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/04/14 14:01:38 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2011/04/14 14:01:38 | 000,171,168 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2011/04/14 14:01:38 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\Mcafee\SystemCore\mfevtps.exe -- (mfevtp)
SRV - [2011/02/28 19:44:14 | 000,183,560 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011/02/25 11:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (SeaPort)
SRV - [2010/10/07 21:34:28 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2010/03/10 11:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2010/03/10 11:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2010/03/10 11:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McOobeSv)
SRV - [2010/03/10 11:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2010/03/10 11:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2010/03/10 11:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2010/03/10 11:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2010/03/10 11:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2006/12/22 07:31:50 | 000,108,712 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor5.0)
SRV - [2005/01/26 16:30:04 | 000,053,337 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)
SRV - [2005/01/26 16:25:34 | 000,053,337 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)
SRV - [2005/01/26 16:20:14 | 000,069,718 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)
SRV - [2005/01/24 19:36:52 | 000,069,632 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe -- (SSScsiSV)
SRV - [2004/01/05 03:27:32 | 000,065,795 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\hpzipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2011/04/14 14:01:38 | 000,387,480 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2011/04/14 14:01:38 | 000,314,088 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2011/04/14 14:01:38 | 000,153,280 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2011/04/14 14:01:38 | 000,095,824 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2011/04/14 14:01:38 | 000,088,736 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2011/04/14 14:01:38 | 000,088,736 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2011/04/14 14:01:38 | 000,084,488 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2011/04/14 14:01:38 | 000,084,200 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2011/04/14 14:01:38 | 000,056,064 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2011/04/14 14:01:38 | 000,052,320 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2010/07/10 16:18:32 | 000,101,431 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\IdeChnDr.sys -- (IdeChnDr) Intel®
DRV - [2009/03/18 17:35:40 | 000,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2008/04/02 09:14:04 | 000,023,217 | ---- | M] (INCA Internet Co., Ltd.) [Kernel | Auto | Running] -- C:\Nexon\MapleStory\npkcrypt.sys -- (npkcrypt)
DRV - [2007/04/17 20:08:44 | 000,018,944 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PELMOUSE.SYS -- (pelmouse)
DRV - [2007/04/02 20:34:44 | 000,016,694 | ---- | M] (PalmSource, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - [2007/03/07 15:23:04 | 000,017,920 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pelusblf.sys -- (pelusblf)
DRV - [2005/03/05 22:48:31 | 000,025,244 | ---- | M] (Adaptec) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aspi32.sys -- (Aspi32)
DRV - [2004/08/18 19:44:20 | 000,040,956 | ---- | M] (Alcor Micro Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Sunkfilt32.sys -- (SunkFilt32)
DRV - [2004/05/15 04:24:10 | 000,622,172 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/03/22 19:01:38 | 000,040,564 | ---- | M] (Alcor Micro Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Sunkfilt.sys -- (SunkFilt)
DRV - [2004/02/24 16:08:52 | 000,400,384 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2003/01/10 11:56:34 | 000,030,921 | ---- | M] (Service & Quality Technology.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SQCaptur.sys -- (DCamUSBSQTECH) Dual-Mode DSC(2770)
DRV - [2003/01/09 17:40:24 | 000,167,168 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/01/09 17:39:34 | 000,617,600 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/01/09 17:38:26 | 001,068,032 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2002/12/23 13:35:32 | 000,607,325 | R--- | M] (NETGEAR, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MA111nd5.sys -- (WLAN_USB)
DRV - [2002/10/15 08:00:00 | 000,013,891 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\IdeBusDr.sys -- (IdeBusDr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://red.clientapps.yahoo.com/customize/ie/defaults/cs/ymsgr6/*http://www.yahoo.com/ext/search/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bestbuy.com

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bestbuy.com
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-370030131-3186773635-3883207141-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
IE - HKU\S-1-5-21-370030131-3186773635-3883207141-1008\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-370030131-3186773635-3883207141-1008\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-370030131-3186773635-3883207141-1008\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-370030131-3186773635-3883207141-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bestbuy.com/
IE - HKU\S-1-5-21-370030131-3186773635-3883207141-1008\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKU\S-1-5-21-370030131-3186773635-3883207141-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.2.20100127023632
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.3.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24

FF - HKLM\software\mozilla\Firefox\extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/05/24 19:34:48 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/16 19:00:42 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/30 10:51:17 | 000,000,000 | ---D | M]

[2009/07/22 18:28:20 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Reela\Application Data\Mozilla\Extensions
[2011/06/01 18:32:23 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Reela\Application Data\Mozilla\Firefox\Profiles\37mbksdu.default\extensions
[2009/09/07 10:44:32 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Reela\Application Data\Mozilla\Firefox\Profiles\37mbksdu.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/06/01 18:32:23 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/08/17 17:44:35 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Program Files\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/08/04 22:19:12 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/12/01 15:50:36 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/02/06 15:13:04 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/04/18 14:39:26 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2010/08/04 22:18:44 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/05/24 19:34:48 | 000,000,000 | ---D | M] (McAfee SiteAdvisor) -- C:\PROGRAM FILES\MCAFEE\SITEADVISOR
[2011/04/14 14:01:38 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2011/02/02 21:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/09/25 02:02:40 | 000,098,304 | ---- | M] (OGPlanet Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npOGPPlugin.dll
[2011/03/04 16:19:12 | 000,002,024 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\McSiteAdvisor.xml

Hosts file not found
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\Mcafee\SystemCore\ScriptSn.20110515135306.dll (McAfee, Inc.)
O2 - BHO: (Viewpoint Toolbar BHO) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - File not found
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (LimeWire Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (LimeWire Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-370030131-3186773635-3883207141-1008\..\Toolbar\WebBrowser: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - No CLSID value found.
O3 - HKU\S-1-5-21-370030131-3186773635-3883207141-1008\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd.exe (Hewlett-Packard)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SsAAD.exe] C:\Program Files\Sony\SonicStage\SSAAD.exe ()
O4 - HKLM..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconEM.exe (Alcor Micro, Corp.)
O4 - HKU\S-1-5-21-370030131-3186773635-3883207141-1008..\Run: [MSKAGENTEXE] File not found
O4 - HKU\S-1-5-21-370030131-3186773635-3883207141-1008..\Run: [Power2GoExpress] File not found
O4 - HKU\S-1-5-21-370030131-3186773635-3883207141-1008..\Run: [Yahoo! Pager] File not found
O4 - HKU\.DEFAULT..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (Adobe Systems, Inc.)
O4 - HKU\S-1-5-18..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MA111 Configuration Utility.lnk = File not found
O4 - Startup: C:\Documents and Settings\Reela\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-21-370030131-3186773635-3883207141-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {3C403675-B43C-410B-BF56-D4D1FB68356C} http://72.29.84.224/OCX/gwnet.cab (ActiveXPortal Control)
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} http://www.miniclip.com/games/ricochet-lost-worlds/en/ReflexiveWebGameLoader.cab (WebGameLoader Class)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://www1.snapfish.com/SnapfishActivia.cab (Snapfish Activia)
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} http://picasaweb.google.com/s/v/36.24/uploader2.cab (UploadListView Class)
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab (ijjiPlugin2 Class)
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} http://www.acclaim.com/cabs/acclaim_v8.cab (GameLauncher Control)
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} http://download.shockwave.com/pub/otoy/OTOYAX.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {B0FB831D-17F6-4CBD-9B5D-3305881D362E} http://www.shockwave.com/content/reaxxion/sis/HLGLauncher.cab (LHGLauncherXForm Control)
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} http://www.yoyogames.com/downloads/activex/YoYo.cab (YYGInstantPlay Control)
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe (Virtools WebPlayer Class)
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab (NsvPlayX Control)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab (HGPlugin9USA Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} http://www.bigfishgames.com/online/feedingfrenzy/Game/SproutLauncher.cab (SproutLauncherCtrl Class)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://www.popcap.com/games/popcaploader_v6.cab (PopCapLoader Object)
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} http://download.abacast.com/download/files/abasetup161.cab (Reg Error: Key error.)
O16 - DPF: RaptisoftGameLoader http://real.gamehouse.com/games/raptisoft/raptisoftgameloader.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Reela\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O29 - HKLM SecurityProviders - (zwebauth.dll) - C:\WINDOWS\System32\ZWebAuth.dll ()
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{05225899-0878-11d9-8b9b-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{05225899-0878-11d9-8b9b-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{05225899-0878-11d9-8b9b-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe
O33 - MountPoints2\{ac0cbb00-77f2-11de-a842-001111932cdd}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{ac0cbb00-77f2-11de-a842-001111932cdd}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe
O33 - MountPoints2\{ac0cbb00-77f2-11de-a842-001111932cdd}\Shell\Explore\command - "" = H:\autorun.exe
O33 - MountPoints2\{ac0cbb00-77f2-11de-a842-001111932cdd}\Shell\Open\command - "" = H:\autorun.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

File not found --
[2011/06/02 14:53:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
[2011/05/30 19:31:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Reela\Application Data\OpenOffice.org
[2011/05/30 19:28:25 | 000,000,000 | --SD | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\OpenOffice.org 3.3
[2011/05/30 19:18:18 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/05/30 19:18:18 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/05/30 19:18:18 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/05/30 19:13:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Reela\Desktop\OpenOffice.org 3.3 (en-US) Installation Files
[2006/02/26 11:47:51 | 000,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/06/02 17:49:00 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{FD67BC90-2951-43A2-9D13-8090AB6E40B7}.job
[2011/06/02 17:16:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/06/02 15:01:00 | 000,000,230 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2011/06/02 14:53:39 | 000,001,595 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Total Protection.lnk
[2011/06/02 14:53:28 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/06/02 14:53:01 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/06/01 22:09:08 | 000,000,034 | ---- | M] () -- C:\Documents and Settings\Reela\jagex_runescape_preferences.dat
[2011/06/01 22:08:16 | 000,000,129 | ---- | M] () -- C:\Documents and Settings\Reela\jagex_runescape_preferences2.dat
[2011/06/01 19:00:00 | 000,000,250 | ---- | M] () -- C:\WINDOWS\tasks\RMSchedule.job
[2011/05/31 14:45:40 | 000,243,128 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/05/30 20:24:07 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/05/30 19:32:08 | 000,000,864 | ---- | M] () -- C:\Documents and Settings\Reela\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
[2011/05/30 19:28:27 | 000,000,885 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\OpenOffice.org 3.3.lnk
[2011/05/29 20:49:45 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/30 19:32:08 | 000,000,864 | ---- | C] () -- C:\Documents and Settings\Reela\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
[2011/05/30 19:28:27 | 000,000,885 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\OpenOffice.org 3.3.lnk
[2011/05/30 16:53:31 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\Reela\jagex_runescape_preferences2.dat
[2011/04/07 21:53:22 | 000,012,296 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\82n6u1y5v2x4155u05qfmjh637ph4uoluj8
[2010/04/03 19:02:18 | 000,012,614 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8s32
[2010/04/01 16:45:27 | 000,001,048 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\8Cq4r
[2010/04/01 16:45:27 | 000,001,048 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8Cq4r
[2010/02/21 11:53:14 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/02/07 23:44:05 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Reela\Local Settings\Application Data\fusioncache.dat
[2009/11/06 18:09:43 | 000,054,108 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/07/18 18:02:01 | 000,021,504 | ---- | C] () -- C:\WINDOWS\System32\HorizontalScroll.exe
[2009/06/18 22:28:50 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008/08/17 21:02:55 | 000,081,920 | ---- | C] () -- C:\WINDOWS\asr32311.dll
[2008/08/17 21:02:55 | 000,000,070 | ---- | C] () -- C:\WINDOWS\HGSpeech.ini
[2008/08/17 21:02:41 | 000,096,256 | ---- | C] () -- C:\WINDOWS\System32\Smackw32.dll
[2008/07/29 22:14:06 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2007/09/11 11:21:29 | 000,000,145 | ---- | C] () -- C:\WINDOWS\listen2.ini
[2007/09/07 13:34:05 | 000,000,150 | ---- | C] () -- C:\WINDOWS\listen1.ini
[2007/09/03 12:46:28 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2007/07/06 19:24:34 | 000,145,809 | ---- | C] () -- C:\Program Files\User Manual (PDF Version).pdf
[2007/06/07 17:33:00 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2007/03/12 17:55:56 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/12/10 14:07:34 | 000,000,050 | ---- | C] () -- C:\WINDOWS\GunzLauncher.INI
[2006/11/06 18:49:36 | 000,000,310 | ---- | C] () -- C:\WINDOWS\primopdf.ini
[2006/09/01 15:03:48 | 000,000,029 | ---- | C] () -- C:\WINDOWS\PControl.ini
[2006/05/29 17:40:18 | 000,016,973 | ---- | C] () -- C:\WINDOWS\System32\ZWebAuth.dll
[2006/05/13 16:36:23 | 000,002,160 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/04/12 17:05:06 | 000,000,069 | ---- | C] () -- C:\WINDOWS\kidphon.ini
[2006/04/11 18:05:30 | 000,000,156 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2006/03/12 22:20:47 | 000,000,423 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/03/05 20:35:12 | 000,004,096 | ---- | C] () -- C:\WINDOWS\d3dx.dat
[2005/12/17 16:26:12 | 000,000,300 | ---- | C] () -- C:\WINDOWS\EReg077.dat
[2005/09/06 17:15:51 | 000,000,053 | ---- | C] () -- C:\WINDOWS\popcinfo.dat
[2005/07/04 13:57:54 | 000,000,256 | ---- | C] () -- C:\WINDOWS\usbfhn2.dll
[2005/04/24 19:36:20 | 000,000,000 | ---- | C] () -- C:\WINDOWS\MSDraw.ini
[2005/04/17 10:24:09 | 000,000,139 | ---- | C] () -- C:\WINDOWS\encore_launcher.ini
[2005/04/14 15:15:12 | 000,000,943 | ---- | C] () -- C:\WINDOWS\eReg.dat
[2005/04/02 12:28:49 | 000,000,083 | ---- | C] () -- C:\WINDOWS\wa.INI
[2005/03/28 00:31:33 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2005/03/18 21:56:56 | 000,000,294 | ---- | C] () -- C:\WINDOWS\EReg515.dat
[2005/03/18 21:55:02 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2005/03/18 21:54:22 | 000,000,892 | ---- | C] () -- C:\WINDOWS\disney.ini
[2005/03/12 17:01:58 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2005/03/12 16:37:23 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OPPRIN~1.INI
[2005/02/26 21:08:39 | 000,038,867 | ---- | C] () -- C:\WINDOWS\hpomdl03.dat.temp
[2005/02/26 21:08:39 | 000,029,258 | ---- | C] () -- C:\WINDOWS\hpoins03.dat.temp
[2005/02/26 20:15:59 | 000,565,248 | R--- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2005/02/26 20:02:41 | 000,038,867 | ---- | C] () -- C:\WINDOWS\hpomdl03.dat
[2005/02/26 20:02:41 | 000,029,258 | ---- | C] () -- C:\WINDOWS\hpoins03.dat
[2005/02/25 11:17:45 | 000,000,258 | ---- | C] () -- C:\WINDOWS\TLCAPPS.INI
[2005/02/23 20:21:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Setup32.INI
[2005/02/22 16:47:12 | 000,000,081 | ---- | C] () -- C:\WINDOWS\KA.ini
[2005/02/22 10:06:52 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\instlsp.exe
[2005/02/21 22:19:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2004/10/06 06:42:03 | 000,000,060 | ---- | C] () -- C:\WINDOWS\System32\SYSDRV.DAT
[2004/10/06 06:37:26 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/10/06 06:36:27 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/10/06 06:36:27 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/10/06 06:36:23 | 000,004,489 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/10/06 06:36:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/10/06 06:36:11 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/10/06 06:35:35 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/10/06 06:35:35 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/10/06 06:34:21 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/10/06 06:33:46 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/09/23 21:17:03 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/09/17 17:04:54 | 000,000,676 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/09/17 17:04:27 | 000,444,358 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/09/17 17:04:27 | 000,072,108 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/09/17 17:02:34 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2004/09/17 17:02:33 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2004/09/17 15:50:50 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/09/17 15:22:43 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/09/17 15:18:52 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/09/17 10:10:57 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/09/17 10:10:13 | 000,243,128 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/10/24 17:00:40 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\TDI-SonyOMG.dll
[1997/06/13 22:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1

< End of report >















Here is the Extras.Txt:

OTL Extras logfile created on: 6/2/2011 5:43:50 PM - Run 1
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\Reela\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.49 Gb Total Physical Memory | 0.98 Gb Available Physical Memory | 65.91% Memory free
2.09 Gb Paging File | 1.51 Gb Available in Paging File | 72.41% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 24.14 Gb Free Space | 16.20% Space Free | Partition Type: NTFS

Computer Name: INARISHU | User Name: Reela | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-370030131-3186773635-3883207141-1008\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"443:TCP" = 443:TCP:*:Enabled:ooVoo TCP port 443
"443:UDP" = 443:UDP:*:Enabled:ooVoo UDP port 443
"37674:TCP" = 37674:TCP:*:Enabled:ooVoo TCP port 37674
"37674:UDP" = 37674:UDP:*:Enabled:ooVoo UDP port 37674
"37675:UDP" = 37675:UDP:*:Enabled:ooVoo UDP port 37675
"3676:TCP" = 3676:TCP:*:Enabled:Akamai NetSession Interface
"5000:UDP" = 5000:UDP:*:Enabled:Akamai NetSession Interface

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YPager.exe" = C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\ijji\ENGLISH\u_gunz.exe" = C:\ijji\ENGLISH\u_gunz.exe:*:Enabled:<ijji Downloader> -- (NHN USA inc.)
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AIM -- (AOL LLC)
"C:\Program Files\OGPlanet\LostSaga\autoupgrade.exe" = C:\Program Files\OGPlanet\LostSaga\autoupgrade.exe:*:Enabled:LostSaga(upgrade)
"C:\Program Files\OGPlanet\LostSaga\lostsaga.exe" = C:\Program Files\OGPlanet\LostSaga\lostsaga.exe:*:Enabled:LostSaga(client)
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\FrostWire\FrostWire.exe" = C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:FrostWire
"C:\Program Files\Steam\Steam.exe" = C:\Program Files\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation)
"C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" = C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe:*:Enabled:McAfee Shared Service Host -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{07FCBED5-94C3-4F94-B9D3-360FA27C7B06}" = Microsoft Windows SDK for Visual Studio 2008 Express Tools for Win32
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{0FABD3D7-3036-4e78-B29D-58957ADB0A12}" = HP PSC & OfficeJet 3.5
"{172423F9-522A-483A-AD65-03600CE4CA4F}" = Microsoft Works 6-9 Converter
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{19BFDA5D-1FE2-4F25-97F9-1A79DD04EE20}" = Microsoft XNA Framework Redistributable 3.1
"{1B343C8C-F170-4829-8481-E163317C5830}" = iTunes
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F7473D9-6C0B-4F5A-8FA4-AB8AD78CBE54}" = DocProc
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{24C8FBF7-26C6-48ca-834B-A4E5C09E362F}" = AiO_Scan
"{25569723-DC5A-4467-A639-79535BF01B71}" = Adobe Help Center 2.1
"{257EC58E-03FD-472B-A9B6-93F23A3C4CB0}" = Scan
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java™ 6 Update 24
"{26A24AE4-039D-4CA4-87B4-2F83216022F0}" = Java™ 6 Update 22
"{29B50D30-EAFC-4cea-9F76-3A0E3729E9B0}" = SkinsHP1
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{2DC94AFD-A6E2-4AB4-9132-4A3F8E07B386}" = Apple Application Support
"{2F151B50-B434-4838-B51D-70442EBA093E}" = OpenMG Secure Module 4.1.00
"{300D9EF4-2721-4cb4-A6C3-FB2337CFEA2D}" = AIOMinimal
"{300EBE97-0E16-4bf4-B2DD-CEDA6CB46C9C}" = 2400_2500Help
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{32634366-9540-4AFA-A164-EF6F2B87107A}" = Best Buy imagelab home
"{34957B51-9676-41CE-9E52-44AE91B73F1C}" = HP Software Update
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3AC275FB-658D-43DA-A04D-9B2E30E517B2}" = Palm
"{3B4FF449-09F0-4dcc-8822-3D7BB7F5FED1}" = 2400
"{3CF78481-FB7B-4B51-99A2-D5E0CD0B3AAF}" = HPSystemDiagnostics
"{3D047C15-C859-45F7-81CE-F2681778069B}" = iPod for Windows 2006-01-10
"{3E171899-0175-47CC-84C4-562ACDD4C021}" = OpenOffice.org 3.3
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go 4.0
"{415B8A4E-0EA2-4C69-975C-EEE07B837FD7}" = Unload
"{48242276-DB89-42e8-9678-BD4280D7B99A}" = Copy
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{57C7C46A-D35D-492d-A328-4F8C9B5B4B52}" = PrintScreen
"{5C2EBBF9-B81F-47b7-9136-EE70E6740C2A}" = 2400_2500trb
"{63F2408D-A675-4d97-A256-70EACB6B9B4A}" = AiOSoftware
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7148F0A8-6813-11D6-A77B-00B0D0142060}" = Java 2 Runtime Environment, SE v1.4.2_06
"{723C033E-63EA-4227-BAB2-0AA8693C16EB}" = Director
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{745A92AF-53B4-41A7-91C3-9B026B1D5897}" = InstantShare
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77F8A71E-3515-4832-B8B2-2F1EDBD2E0F1}" = Bing Bar
"{81DD5688-695A-4c1d-AE7D-368BF857725A}" = TrayApp
"{842FAF7C-50EF-4463-9B8F-6222E1384D7D}" = Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{885744A4-1A01-44B0-858A-0AE6738CBCF7}" = PrimoPDF Redistribution Package
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90840409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Excel Viewer 2003
"{90AF0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office PowerPoint Viewer 2003
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{9112E78D-4A03-48df-9B68-786E6479CF41}" = 23_24_2500Tour
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9984DF60-1C5B-11D3-ACA1-908A4FC10801}" = Intel Application Accelerator
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9B03C535-3AEA-4ef2-B326-0A01A2207034}" = CreativeProjects
"{9B40FEE5-85E8-4851-89AD-66E2A1B4DC04}" = MapleStory
"{A0EB195B-5876-48E6-879D-33D4B2102610}" = SonicStage 3.0
"{A2500497-FD32-493e-B8E5-28D6728DBEF5}" = Readme
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A7B609FB-83D8-4FC3-8477-1BC65ECFE85B}" = Adobe Photoshop Elements 5.0
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A81000000003}" = Adobe Reader 8.1.0
"{AF226123-1A6F-4ec1-8DEF-E35E7A0D0127}" = Fax
"{B4C0A315-07FB-39F9-85CD-8CE20C019350}" = Microsoft Windows SDK for Visual Studio 2008 Express Tools for .NET Framework
"{BBC0D330-C37B-4472-BFB9-AA217CF0C95F}" = Ulead Photo Express 4.0 SE
"{BC339BFD-F550-471a-8D26-4D08126C62F7}" = SkinsHP2
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
"{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}" = Windows Rights Management Client with Service Pack 2
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{CACAEB5F-174D-4C7C-AC56-A33289A807CA}" = Apple Mobile Device Support
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CBE3E0AF-73BB-4c21-8B96-B09E003EDE7F}" = QuickProjects
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D186329B-1B4D-408D-ABEC-EA5CE1F182C9}" = Overland
"{E8BFBD0A-8002-4dc9-869C-E495FA9DCE7A}" = PhotoGallery
"{EC905264-BCFE-423B-9C42-C3A106266790}" = Windows Rights Management Client Backwards Compatibility SP2
"{EEDBE2DF-4141-44A9-8614-9832B16637E6}" = Mouse Suite
"{F2DF47C6-796D-477A-A6B8-36150E7B5184}" = Digital Media Reader
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FBBF532A-47AC-457d-AC06-0D3163D8911E}" = WebReg
"{FF102450-55AA-4AE1-ACE4-E271E2470C83}" = hpmdtab
"Abacast Client" = Abacast Client
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop Elements 5" = Adobe Photoshop Elements 5.0
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AIM_7" = AIM 7
"Akamai" = Akamai NetSession Interface
"Canon Digital Camera USB WIA Driver" = Canon Digital Camera USB WIA Driver
"Canon PhotoStitch 3.1" = Canon Utilities PhotoStitch 3.1
"Canon Utilities RAW Image Converter" = Canon Utilities RAW Image Converter
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F00&SUBSYS_1055148D" = Creative Modem Blaster PCI Value DI5652-1
"DVD Shrink_is1" = DVD Shrink 3.2
"ESET Online Scanner" = ESET Online Scanner v3
"Game Maker 7.0" = Game Maker 7.0
"Google Desktop" = Google Desktop Search
"HP Photo & Imaging" = HP Image Zone 3.5
"ICopyDVDs2 Basic" = ICopyDVDs2 Basic 4.0.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{2F151B50-B434-4838-B51D-70442EBA093E}" = OpenMG Secure Module 4.1.00
"InstallShield_{3D047C15-C859-45F7-81CE-F2681778069B}" = iPod for Windows 2006-01-10
"InstallShield_{F2DF47C6-796D-477A-A6B8-36150E7B5184}" = Digital Media Reader
"InterActual Player" = InterActual Player
"Learn To Speak English 7.0" = Learn To Speak English 7.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Math Odyssey Geometry" = Math Odyssey Geometry
"Math Odyssey Pre-Algebra" = Math Odyssey Pre-Algebra
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Miuchiz - Planet Mion" = Miuchiz - Planet Mion
"Mozilla Firefox (3.6.17)" = Mozilla Firefox (3.6.17)
"MSC" = McAfee Total Protection
"MSTTS" = Microsoft Text-to-Speech Engine 4.0 (English)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OpenMG HotFix4.1-05-13-31-01" = OpenMG Limited Patch 4.1-05-13-31-01
"PhotoRecord" = Canon PhotoRecord
"PrimoPDF3.1" = PrimoPDF
"PROSet" = Intel® PRO Network Adapters and Drivers
"RealPlayer 6.0" = RealPlayer
"RemoteCapture" = Canon Utilities RemoteCapture 2.2
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"Steam App 73050" = Magicka - Demo
"tv_enua" = Lernout & Hauspie TruVoice American English TTS Engine
"Visual MP3 Splitter & Joiner_is1" = Visual MP3 Splitter & Joiner 5.8
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/27/2011 11:32:43 AM | Computer Name = INARISHU | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 2328

Error - 5/27/2011 11:32:43 AM | Computer Name = INARISHU | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 2328

Error - 5/27/2011 11:32:47 AM | Computer Name = INARISHU | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 5/27/2011 11:32:47 AM | Computer Name = INARISHU | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 5641

Error - 5/27/2011 11:32:47 AM | Computer Name = INARISHU | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 5641

Error - 5/29/2011 9:09:51 PM | Computer Name = INARISHU | Source = MPSampleSubmission | ID = 5000
Description =

Error - 5/29/2011 9:40:35 PM | Computer Name = INARISHU | Source = MPSampleSubmission | ID = 5000
Description =

Error - 5/29/2011 10:31:12 PM | Computer Name = INARISHU | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module unknown, version 0.0.0.0, fault address 0x80000000.

Error - 5/30/2011 12:00:42 PM | Computer Name = INARISHU | Source = MsiInstaller | ID = 11719
Description = Product: Windows Defender -- Error 1719. The Windows Installer Service
could not be accessed. This can occur if you are running Windows in safe mode,
or if the Windows Installer is not correctly installed. Contact your support personnel
for assistance.

Error - 5/30/2011 12:01:05 PM | Computer Name = INARISHU | Source = MsiInstaller | ID = 11719
Description = Product: Windows Defender -- Error 1719. The Windows Installer Service
could not be accessed. This can occur if you are running Windows in safe mode,
or if the Windows Installer is not correctly installed. Contact your support personnel
for assistance.

[ System Events ]
Error - 6/2/2011 2:49:17 PM | Computer Name = INARISHU | Source = Service Control Manager | ID = 7034
Description = The Print Spooler service terminated unexpectedly. It has done this
1 time(s).

Error - 6/2/2011 2:49:21 PM | Computer Name = INARISHU | Source = IdeChnDr | ID = 262153
Description = The device, \Device\Ide\IdeDeviceP1T0L0, did not respond within the
timeout period.

Error - 6/2/2011 2:49:30 PM | Computer Name = INARISHU | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 6/2/2011 2:49:46 PM | Computer Name = INARISHU | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 6/2/2011 2:53:17 PM | Computer Name = INARISHU | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 6/2/2011 2:53:20 PM | Computer Name = INARISHU | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 6/2/2011 2:54:10 PM | Computer Name = INARISHU | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service SSScsiSV with
arguments "-Service" in order to run the server: {C671F780-ADB4-4D15-A97C-F0F5596DB6C9}

Error - 6/2/2011 2:54:10 PM | Computer Name = INARISHU | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service SSScsiSV with
arguments "-Service" in order to run the server: {C671F780-ADB4-4D15-A97C-F0F5596DB6C9}

Error - 6/2/2011 2:54:33 PM | Computer Name = INARISHU | Source = Service Control Manager | ID = 7034
Description = The Print Spooler service terminated unexpectedly. It has done this
1 time(s).

Error - 6/2/2011 5:08:03 PM | Computer Name = INARISHU | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.


< End of report >

#10 isseng

isseng
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 02 June 2011 - 04:53 PM

Also, in the middle of the OTL scan, I got a pop-up from McAfee telling me that "McAfee has removed a trojan virus from your computer. No further action needed."
Or something along those lines.. So, is the trojan virus gone?

#11 CStew23

CStew23

  • Members
  • 1,484 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:38 PM

Posted 02 June 2011 - 11:41 PM

Hi isseng,

It appears you are indeed still infected. Please minimize use of this machine beyond what I instruct you to do until such time that the infection is removed.

Is the OTL log you posted from the clean user profile? I'm currently arranging the next set of instructions for you and will have them out to you asap.

Thanks for your patience.
Please don't send help request via PM, unless I am already helping you. Use the forums!
If you have not heard from me in 48 hours please use this and send me a PM reminder.

#12 CStew23

CStew23

  • Members
  • 1,484 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:38 PM

Posted 03 June 2011 - 06:54 PM

Hi,

First, we need to enable System Restore

Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to clear the Turn off System Restore check box. Or, click the Turn off System Restore on all drives check box.
Click OK.
=====
Next, we need to upload some suspicious files.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\WINDOWS\wa.INI
C:\WINDOWS\EReg515.dat


Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
====

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.
    :OTL
    [2011/04/07 21:53:22 | 000,012,296 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\82n6u1y5v2x4155u05qfmjh637ph4uoluj8
    [2010/04/03 19:02:18 | 000,012,614 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8s32
    [2010/04/01 16:45:27 | 000,001,048 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\8Cq4r
    [2010/04/01 16:45:27 | 000,001,048 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8Cq4r
    
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" =-
    "AntiVirusDisableNotify" =-
    "FirewallDisableNotify" =-
    "UpdatesDisableNotify" =-
    "AntiVirusOverride" =-
    "FirewallOverride" =-
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.

===

Lastly...

  • Please download MGADiag and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Push Posted Image
  • Push Posted Image
  • Go to Start -> Run and type in "Notepad"
  • Go to Edit -> Paste in notepad.
  • x out all of the numbers and letters in the line beginning with "Windows Product Key:"
  • Copy and paste that log here.

Please don't send help request via PM, unless I am already helping you. Use the forums!
If you have not heard from me in 48 hours please use this and send me a PM reminder.

#13 isseng

isseng
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 03 June 2011 - 09:10 PM

Yes, the OTL scan was taken on the clean user profile

#14 isseng

isseng
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 03 June 2011 - 09:19 PM

My results from Jotti:

Filename: wa.INI
Status: Scan finished. 0 out of 20 scanners reported malware.

Filename: EReg515.dat
Status: Scan finished. 0 out of 20 scanners reported malware.


Here is the OTL log:

========== OTL ==========
C:\Documents and Settings\All Users\Application Data\82n6u1y5v2x4155u05qfmjh637ph4uoluj8 moved successfully.
C:\Documents and Settings\All Users\Application Data\8s32 moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\8Cq4r moved successfully.
C:\Documents and Settings\All Users\Application Data\8Cq4r moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirstRunDisabled deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallOverride deleted successfully.

OTL by OldTimer - Version 3.2.23.0 log created on 06032011_222134





AND here's the last log:

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
Windows Product Key Hash: pi5qj7TXWjWs3MvHB44+KJaNMxY=
Windows Product ID: 76477-OEM-2111907-00238
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.3.0.hom
ID: {9E850792-4758-438A-8B6E-B46160BDB655}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.5.723.1
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Standard Edition 2003 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 77F760FE-153-80070002_7E90FEE8-175-80070002_025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{9E850792-4758-438A-8B6E-B46160BDB655}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010300.3.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-8QVCG</PKey><PID>76477-OEM-2111907-00238</PID><PIDType>2</PIDType><SID>S-1-5-21-370030131-3186773635-3883207141</SID><SYSTEM><Manufacturer>vpr Matrix, Inc. </Manufacturer><Model>D400A </Model></SYSTEM><BIOS><Manufacturer>Intel Corp.</Manufacturer><Version>VA84510A.86A.0045.P16.0408112353</Version><SMBIOSVersion major="2" minor="3"/><Date>20040811000000.000000+000</Date><SLPBIOS>vpr Matrix</SLPBIOS></BIOS><HWID>F56E314F01842072</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Insignia Products</name><model>D300a/D400a</model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Standard Edition 2003</Name><Ver>11</Ver><Val>4528BE59B0BEDD6</Val><Hash>ETNWvoWuYOOq1XX5R4EstYoXw9A=</Hash><Pid>70141-747-6685737-56273</Pid><PidType>1</PidType></Product></Products><Applications><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1A75D:GENUINE C&C INC|1C496:vpr Matrix
Marker string from OEMBIOS.DAT: vpr Matrix

OEM Activation 2.0 Data-->
N/A

Edited by thcbytes, 04 June 2011 - 05:29 AM.


#15 CStew23

CStew23

  • Members
  • 1,484 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:38 PM

Posted 04 June 2011 - 01:50 PM

Hi,

We have a little bit of work to do. Please boot into Safe Mode With Networking on the affected machine. This is done via hitting F8 while booting up and choosing Safe Mode With Networking.

Please download and run RKill.

Download mirror 1 - Download mirror 2 - Download mirror 3

  • Save it to your Desktop.
  • Double click the RKill desktop icon.
  • It will quickly run and launch a log. If it does not launch a log, try another download link until it does.
  • Please post its log in your next reply.
  • After it has run successfully, delete RKill.

Note: This tool only kills the active infection, the actual infection will not be gone. Once you reboot the infection will be active again! Please do not reboot until instructed further to do so.
===

Please download DDS by sUBs from one of these locations:

Link 1
Link 2

Link 3


Double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt

Save both reports to your Desktop. Post them back here for review.
====

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning
.
Please don't send help request via PM, unless I am already helping you. Use the forums!
If you have not heard from me in 48 hours please use this and send me a PM reminder.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users