Slow Computer: DDS, Attach & Ark files attached


  • This topic is locked
31 replies to this topic

#1 Silverbak


  • Members
  • 39 posts

Posted 16 June 2011 - 09:51 PM

Recently when opening, for example, AOL mail, it has taken a very long time - several minutes. My activity monitor (CPU, RAM, Disk, and Network) shows very high disk activity (~100%) when trying to load AOL, but nothing will happen until the disk activity drops to about 80%. The Page File usage during the "stall" is constant at about 20% (550 MB). This "stall" phenomenon is exhibited in any application if the disk activity is near 100%, including typing this note.

I truly appreciate any help that is given.

Robert Neary



#2 etavares


    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts

Posted 26 June 2011 - 07:45 AM

Hello and welcome to Bleeping Computer

My name is etavares and I will be working with you to fix your computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about your installed Windows Operating System, including the Version, Edition and whether it is a 32-bit or a 64-bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended, please try one more time and, if unsuccessful, alert us of such and we will design an alternate means of obtaining the necessary information.
  • Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting. If you will be unable to respond (e.g. vacation, travel, etc.), please let me know ahead of time.
  • Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • If you have already posted a log, please do so again as instructed below, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

We need to create an OTL report:
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.


Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log. Thanks and again sorry for the delay.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 Silverbak

  • Topic Starter

  • Members
  • 39 posts

Posted 26 June 2011 - 07:05 PM

1. The original problem has not been resolved, but it has been improved. I removed a number of "cleaner/fixer" programs and malware remover programs. Also, since it was a week since I sent in the original data, I was not sure I would get a response. I felt I wanted to do something so I ran ComboFix. As I read more, I find this may not have been a good idea, but nonetheless that is what I did.

The problem that exists now, which existed previously but is now clearer to me, is one of non-responsiveness. For example, when trying to open AOL mail, there will be constant disk activity, and after 30-45 seconds the first screen of AOL comes up. Further progress (login, etc.) is extremely sluggish, and may end up with the program being non-responsive per the Task Manager. Even while writing this note, the program has become non-responsive in that the spell checker does not respond, or I may not be able to place the cursor.

2. I have the original Windows CD disks.

3. OTL.txt
OTL logfile created on: 6/26/2011 12:48:54 PM - Run 1
OTL by OldTimer - Version 3.2.24.1 Folder = C:\Documents and Settings\nanci bunten sieder\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

254.00 Mb Total Physical Memory | 31.48 Mb Available Physical Memory | 12.39% Memory free
1.21 Gb Paging File | 0.80 Gb Available in Paging File | 65.73% Paging File free
Paging file location(s): C:\pagefile.sys 1000 3000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.21 Gb Total Space | 23.19 Gb Free Space | 62.30% Space Free | Partition Type: NTFS
Drive D: | 34.42 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: DDPXBQ41 | User Name: nanci bunten sieder | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/26 12:46:10 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\nanci bunten sieder\Desktop\OTL.exe
PRC - [2011/06/22 13:51:49 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/09/26 00:29:00 | 002,301,952 | ---- | M] (SourceForge.net) -- C:\Program Files\Password Safe\pwsafe.exe
PRC - [2009/09/17 17:47:16 | 000,670,720 | ---- | M] (FTweak) -- C:\Program Files\RAMRush\RAMRush.exe
PRC - [2007/06/13 03:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/09/30 20:22:50 | 000,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2005/07/20 09:28:36 | 000,210,448 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk Live\PDWebWmi.exe
PRC - [2005/02/27 10:50:06 | 003,499,008 | ---- | M] (WASEO) -- C:\Program Files\ClickTray Calendar\ClickTray.exe
PRC - [2004/04/15 02:18:38 | 000,053,248 | ---- | M] (Dell Computer Corporation) -- C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
PRC - [2004/04/15 01:32:22 | 000,270,336 | ---- | M] (Dell Computer Corporation) -- C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
PRC - [2000/06/07 13:01:38 | 000,794,112 | ---- | M] (Lexmark) -- C:\WINDOWS\SYSTEM32\LXSUPMON.EXE


========== Modules (SafeList) ==========

MOD - [2011/06/26 12:46:10 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\nanci bunten sieder\Desktop\OTL.exe
MOD - [2004/08/04 00:57:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [Disabled | Stopped] -- -- (AppMgmt)
SRV - [2007/03/07 13:47:46 | 000,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2005/09/30 20:22:50 | 000,096,341 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2005/07/20 09:28:36 | 000,210,448 | ---- | M] (Raxco Software, Inc.) [Auto | Running] -- C:\Program Files\Raxco\PerfectDisk Live\PDWebWmi.exe -- (PDWebWmi)
SRV - [2005/07/20 09:28:32 | 000,591,376 | ---- | M] (Raxco Software, Inc.) [On_Demand | Stopped] -- C:\Program Files\Raxco\PerfectDisk Live\PDWEngine.exe -- (PDWEngine)


========== Driver Services (SafeList) ==========

DRV - [2011/01/20 14:25:31 | 000,028,256 | ---- | M] (MusicMatch, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\MxlW2k.sys -- (MxlW2k)
DRV - [2010/06/10 18:00:06 | 000,022,528 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\intelsmb.sys -- (smbusp) Intel®
DRV - [2009/10/30 23:21:48 | 000,031,104 | R--- | M] (usb camera) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\usbcamcl.sys -- (usbcamcl)
DRV - [2007/02/25 10:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\dsunidrv.sys -- (dsunidrv)
DRV - [2006/10/05 14:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/03/02 04:30:54 | 000,618,880 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC52.sys -- (IntelC52)
DRV - [2005/06/28 07:31:26 | 000,061,920 | ---- | M] (Raxco Software, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\defrag32b.sys -- (Defrag32b)
DRV - [2005/06/28 07:31:26 | 000,061,920 | ---- | M] (Raxco Software, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\defrag32.sys -- (Defrag32)
DRV - [2005/05/06 22:42:26 | 001,339,776 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC51.sys -- (IntelC51)
DRV - [2005/05/06 22:40:50 | 000,047,360 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC53.sys -- (IntelC53)
DRV - [2005/05/06 22:40:20 | 000,036,880 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mohfilt.sys -- (mohfilt)
DRV - [2004/08/03 22:29:49 | 000,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys -- (iAimFP4)
DRV - [2004/08/03 22:29:47 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys -- (iAimFP3)
DRV - [2004/08/03 22:29:45 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys -- (iAimTV4)
DRV - [2004/08/03 22:29:43 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys -- (iAimTV3)
DRV - [2004/08/03 22:29:42 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys -- (iAimTV1)
DRV - [2004/08/03 22:29:41 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys -- (iAimTV0)
DRV - [2004/08/03 22:29:37 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys -- (iAimFP0)
DRV - [2004/08/03 22:29:37 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys -- (iAimFP1)
DRV - [2004/08/03 22:29:37 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys -- (iAimFP2)
DRV - [2004/08/03 22:29:36 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys -- (i81x)
DRV - [2004/08/03 22:29:26 | 000,701,440 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys -- (ati2mtag)
DRV - [2003/05/23 10:58:30 | 000,043,136 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2002/11/08 11:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)
DRV - [2001/08/17 10:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: "Elf 1 Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2856415&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "Elf 1 Customized Web Search"
FF - prefs.js..browser.startup.homepage: "http://www.foxnews.com/"
FF - prefs.js..extensions.enabledItems: {4CFC8387-5FB1-47C1-8AA4-5B7B906A591E}:1.0
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.5.200812101546
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: engine@conduit.com:3.2.5.2
FF - prefs.js..extensions.enabledItems: {22e03916-85c5-44b0-8dc9-1830c11238d9}:3.2.5.2
FF - prefs.js..extensions.enabledItems: {8ae7fdbb-2d67-40da-a8ab-b8fbbda9c9d5}:1.1.0.8


FF - HKLM\software\mozilla\Mozilla Firefox 5.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/22 13:51:51 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 5.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/17 13:51:46 | 000,000,000 | ---D | M]

[2008/09/01 09:50:22 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Extensions
[2011/06/23 19:21:18 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\extensions
[2009/08/12 10:50:48 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/06/23 19:21:18 | 000,000,000 | ---D | M] (Elf 1 Community Toolbar) -- C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\extensions\{22e03916-85c5-44b0-8dc9-1830c11238d9}
[2011/06/22 11:43:36 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/05/17 13:53:30 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\extensions\engine@conduit.com
[2010/12/01 18:22:54 | 000,000,913 | ---- | M] () -- C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\searchplugins\conduit.xml
[2011/06/06 12:58:10 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/06/06 12:58:11 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2010/05/23 15:02:10 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2011/05/31 19:57:51 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\distribution\extensions
[2011/05/31 19:57:51 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Program Files\Mozilla Firefox\distribution\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
File not found (No name found) --
[2010/05/23 15:01:01 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/06/22 13:51:49 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2008/06/18 00:43:04 | 000,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2010/05/23 15:01:00 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/05/07 14:18:34 | 000,677,152 | ---- | M] (Medical Informatics Engineering, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npzzatif.dll
[2010/01/01 01:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/05/25 14:02:12 | 000,000,027 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O4 - HKLM..\Run: [Dell AIO Printer A920] C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe (Dell Computer Corporation)
O4 - HKLM..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE (Lexmark)
O4 - HKLM..\Run: [PrinTray] C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\2\printray.exe (Lexmark)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [ftweak_RAMRush] C:\Program Files\RAMRush\RAMRush.exe (FTweak)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\nanci bunten sieder\Start Menu\Programs\Startup\ClickTray Calendar.lnk = C:\Program Files\ClickTray Calendar\ClickTray.exe (WASEO)
O4 - Startup: C:\Documents and Settings\nanci bunten sieder\Start Menu\Programs\Startup\Password Safe.lnk = C:\Program Files\Password Safe\pwsafe.exe (SourceForge.net)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {32505657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab (Reg Error: Key error.)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} Reg Error: Key error. (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.pw.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,18/mcgdmgr.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\nanci bunten sieder\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\nanci bunten sieder\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/03 06:59:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/06/08 21:06:42 | 000,000,043 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk - Reg Error: Value error. - File not found
MsConfig - StartUpReg: Dell AIO Printer A920 - hkey= - key= - C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe (Dell Computer Corporation)
MsConfig - StartUpReg: HotKeysCmds - hkey= - key= - File not found
MsConfig - StartUpReg: IgfxTray - hkey= - key= - File not found
MsConfig - StartUpReg: IntelMeM - hkey= - key= - C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe (Intel Corporation)
MsConfig - StartUpReg: MSMSGS - hkey= - key= - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
MsConfig - StartUpReg: PCMService - hkey= - key= - C:\Program Files\Dell\Media Experience\PCMService.exe (CyberLink Corp.)
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
MsConfig - StartUpReg: TkBellExe - hkey= - key= - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 1

Drivers32: aux - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi1 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\WINDOWS\System32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer1 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.iac2 - C:\WINDOWS\System32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.imaadpcm - C:\WINDOWS\System32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\SYSTEM32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.msadpcm - C:\WINDOWS\System32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msaudio1 - C:\WINDOWS\System32\msaud32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\WINDOWS\System32\MSG711.ACM (Microsoft Corporation)
Drivers32: msacm.msg723 - C:\WINDOWS\System32\MSG723.ACM (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\WINDOWS\System32\MSGSM32.ACM (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\TSSOFT32.ACM (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.I420 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\IR32_32.DLL ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\IR32_32.DLL ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.IYUV - C:\WINDOWS\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.M261 - C:\WINDOWS\System32\msh261.drv (Microsoft Corporation)
Drivers32: vidc.M263 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: VIDC.MP42 - C:\WINDOWS\System32\mpg4c32.dll (Microsoft Corporation)
Drivers32: VIDC.MPG4 - C:\WINDOWS\System32\mpg4c32.dll (Microsoft Corporation)
Drivers32: vidc.mrle - C:\WINDOWS\System32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\WINDOWS\System32\msvidc32.dll (Microsoft Corporation)
Drivers32: VIDC.UYVY - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: VIDC.WMV3 - C:\WINDOWS\System32\wmv9vcm.dll (Microsoft Corporation)
Drivers32: VIDC.YUY2 - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YVU9 - C:\WINDOWS\System32\tsbyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YVYU - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wave1 - C:\WINDOWS\System32\SERWVDRV.DLL (Microsoft Corporation)
Drivers32: wave2 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\WINDOWS\System32\MSACM32.DRV (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2011/06/26 12:46:13 | 000,579,072 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\nanci bunten sieder\Desktop\OTL.exe
[2011/06/22 15:47:28 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/06/18 12:01:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\nanci bunten sieder\Local Settings\Application Data\Ocster Backup
[2011/06/18 11:57:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Ocster Backup
[2011/06/18 11:56:00 | 000,000,000 | ---D | C] -- C:\Program Files\Ocster Backup
[2011/06/16 15:47:01 | 000,731,000 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\nanci bunten sieder\Desktop\autoruns.exe
[2011/06/16 15:13:43 | 000,607,310 | R--- | C] (Swearware) -- C:\Documents and Settings\nanci bunten sieder\Desktop\dds.scr
[2011/06/16 10:27:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\nanci bunten sieder\Local Settings\Application Data\Safe mirror
[2011/06/16 10:27:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Cobian Backup 10
[2011/06/16 10:26:19 | 000,000,000 | ---D | C] -- C:\Program Files\Cobian Backup 10
[2011/06/16 10:05:42 | 015,492,608 | ---- | C] (Luis Cobian, CobianSoft) -- C:\Documents and Settings\nanci bunten sieder\Desktop\cbSetup.exe
[2011/06/12 14:17:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\RAMRush
[2011/06/12 14:17:09 | 000,000,000 | ---D | C] -- C:\Program Files\RAMRush
[2011/06/12 14:15:13 | 000,547,461 | ---- | C] (FTweak, Inc. ) -- C:\Documents and Settings\nanci bunten sieder\Desktop\ramrush.exe
[2011/06/09 19:32:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2011/06/09 12:53:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\nanci bunten sieder\My Documents\Computer - Dell
[2011/06/07 09:23:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TaskManager
[2011/06/07 09:16:31 | 011,714,981 | ---- | C] (Extensoft) -- C:\Documents and Settings\nanci bunten sieder\Desktop\FreeTaskManager.exe
[2011/06/06 17:33:05 | 030,946,872 | ---- | C] (IObit ) -- C:\Documents and Settings\nanci bunten sieder\Desktop\asc-setup_.exe
[2011/06/06 16:54:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\IObit
[2011/06/06 16:43:21 | 030,946,872 | ---- | C] (IObit ) -- C:\Documents and Settings\nanci bunten sieder\Desktop\asc-setup.exe
[2011/06/06 13:05:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\nanci bunten sieder\Application Data\skypePM
[2011/06/06 13:04:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Skype Extras
[2011/06/06 13:02:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\nanci bunten sieder\Application Data\Skype
[2011/06/06 12:57:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
[2011/06/06 12:57:09 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2011/06/06 12:56:59 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2011/06/06 12:56:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Skype
[2011/06/06 12:53:11 | 001,029,000 | ---- | C] (Skype Technologies S.A.) -- C:\Documents and Settings\nanci bunten sieder\Desktop\SkypeSetup.exe
[2011/06/06 12:25:03 | 000,031,104 | R--- | C] (usb camera) -- C:\WINDOWS\System32\drivers\usbcamcl.sys
[2011/06/06 12:25:03 | 000,019,968 | R--- | C] (usb camera) -- C:\WINDOWS\System32\drivers\usbDecode.sys
[2011/06/06 12:24:57 | 008,643,584 | R--- | C] (ark) -- C:\WINDOWS\System32\drivers\PictureDll.sys
[2011/06/06 12:24:57 | 000,005,632 | R--- | C] (ark) -- C:\WINDOWS\System32\drivers\FilterDll.sys
[2011/06/06 12:24:56 | 000,496,640 | R--- | C] (ark) -- C:\WINDOWS\System32\drivers\FaceDll.sys
[2011/06/06 12:24:41 | 000,000,000 | ---D | C] -- C:\Program Files\Pc Camera
[2011/06/06 12:24:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\USB Camera
[2011/05/30 21:10:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\nanci bunten sieder\Application Data\IObit
[2011/05/30 21:10:22 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
[2011/05/30 21:05:06 | 030,475,464 | ---- | C] (IObit ) -- C:\Documents and Settings\nanci bunten sieder\Desktop\asc4-setup.exe
[2011/05/30 18:25:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Auslogics
[2011/05/30 18:25:48 | 000,000,000 | ---D | C] -- C:\Program Files\Auslogics
[2011/05/30 18:22:09 | 004,677,544 | ---- | C] (Auslogics Software Pty Ltd ) -- C:\Documents and Settings\nanci bunten sieder\Desktop\disk-defrag-setup.exe
[223 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/06/26 12:46:10 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\nanci bunten sieder\Desktop\OTL.exe
[2011/06/26 12:41:09 | 000,000,912 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/06/26 09:41:12 | 000,000,908 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/06/26 01:00:01 | 000,000,372 | ---- | M] () -- C:\WINDOWS\tasks\Auslogics Console Defragmentation.job
[2011/06/24 09:29:16 | 266,407,936 | -HS- | M] () -- C:\hiberfil.sys
[2011/06/24 09:29:16 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2011/06/22 15:46:29 | 000,000,008 | ---- | M] () -- C:\WINDOWS\System32\log-suffix.xml
[2011/06/22 15:46:28 | 000,000,748 | ---- | M] () -- C:\WINDOWS\System32\log.xml
[2011/06/22 15:46:26 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\log.xml.lock
[2011/06/22 14:03:09 | 004,134,409 | R--- | M] (Swearware) -- C:\Documents and Settings\nanci bunten sieder\Desktop\ComboFix.exe
[2011/06/19 15:38:45 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\nanci bunten sieder\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003.lnk
[2011/06/16 16:04:34 | 000,293,977 | ---- | M] () -- C:\Documents and Settings\nanci bunten sieder\Desktop\gmer.zip
[2011/06/16 15:46:48 | 000,731,000 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\nanci bunten sieder\Desktop\autoruns.exe
[2011/06/16 15:13:36 | 000,607,310 | R--- | M] (Swearware) -- C:\Documents and Settings\nanci bunten sieder\Desktop\dds.scr
[2011/06/16 15:07:02 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\nanci bunten sieder\defogger_reenable
[2011/06/16 15:05:02 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\nanci bunten sieder\Desktop\Defogger.exe
[2011/06/16 10:06:27 | 015,492,608 | ---- | M] (Luis Cobian, CobianSoft) -- C:\Documents and Settings\nanci bunten sieder\Desktop\cbSetup.exe
[2011/06/15 12:45:45 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/06/12 14:55:17 | 000,025,992 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\System32\pgdfgsvc.exe
[2011/06/12 14:17:14 | 000,000,616 | ---- | M] () -- C:\Documents and Settings\nanci bunten sieder\Desktop\RAMRush.lnk
[2011/06/12 14:15:06 | 000,547,461 | ---- | M] (FTweak, Inc. ) -- C:\Documents and Settings\nanci bunten sieder\Desktop\ramrush.exe
[2011/06/10 17:30:48 | 009,196,177 | ---- | M] () -- C:\Documents and Settings\nanci bunten sieder\Desktop\pwsafe-3.25.exe
[2011/06/09 19:39:24 | 000,002,636 | ---- | M] () -- C:\WINDOWS\System32\ASOROSet.bin
[2011/06/09 19:33:28 | 000,444,028 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2011/06/09 19:33:28 | 000,071,904 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2011/06/07 09:16:52 | 011,714,981 | ---- | M] (Extensoft) -- C:\Documents and Settings\nanci bunten sieder\Desktop\FreeTaskManager.exe
[2011/06/06 19:56:34 | 000,000,650 | -H-- | M] () -- C:\IPH.PH
[2011/06/06 17:33:56 | 030,946,872 | ---- | M] (IObit ) -- C:\Documents and Settings\nanci bunten sieder\Desktop\asc-setup_.exe
[2011/06/06 16:44:19 | 030,946,872 | ---- | M] (IObit ) -- C:\Documents and Settings\nanci bunten sieder\Desktop\asc-setup.exe
[2011/06/06 13:06:09 | 000,000,056 | -H-- | M] () -- C:\WINDOWS\System32\ezsidmv.dat
[2011/06/06 12:57:11 | 000,001,878 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2011/06/06 12:53:04 | 001,029,000 | ---- | M] (Skype Technologies S.A.) -- C:\Documents and Settings\nanci bunten sieder\Desktop\SkypeSetup.exe
[2011/06/06 12:25:03 | 000,000,020 | ---- | M] () -- C:\WINDOWS\System32\camera.ini
[2011/06/06 12:24:45 | 000,000,515 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Camera Application.lnk
[2011/05/31 20:00:55 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\nanci bunten sieder\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox (2).lnk
[2011/05/31 19:58:24 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\nanci bunten sieder\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/05/31 19:58:24 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/05/31 19:47:18 | 000,070,916 | ---- | M] () -- C:\Documents and Settings\nanci bunten sieder\Desktop\bookmarks-2011-05-31.json
[2011/05/30 21:06:33 | 030,475,464 | ---- | M] (IObit ) -- C:\Documents and Settings\nanci bunten sieder\Desktop\asc4-setup.exe
[2011/05/30 18:22:33 | 004,677,544 | ---- | M] (Auslogics Software Pty Ltd ) -- C:\Documents and Settings\nanci bunten sieder\Desktop\disk-defrag-setup.exe
[2011/05/29 12:32:00 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\nanci bunten sieder\Desktop\gmer.exe
[223 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/06/22 15:46:27 | 000,000,008 | ---- | C] () -- C:\WINDOWS\System32\log-suffix.xml
[2011/06/22 15:46:26 | 000,000,748 | ---- | C] () -- C:\WINDOWS\System32\log.xml
[2011/06/22 15:46:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\log.xml.lock
[2011/06/16 16:07:03 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\Desktop\gmer.exe
[2011/06/16 16:04:50 | 000,293,977 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\Desktop\gmer.zip
[2011/06/16 15:07:02 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\defogger_reenable
[2011/06/16 15:05:28 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\Desktop\Defogger.exe
[2011/06/15 18:33:30 | 266,407,936 | -HS- | C] () -- C:\hiberfil.sys
[2011/06/12 14:17:14 | 000,000,616 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\Desktop\RAMRush.lnk
[2011/06/10 17:30:14 | 009,196,177 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\Desktop\pwsafe-3.25.exe
[2011/06/09 19:34:38 | 000,002,636 | ---- | C] () -- C:\WINDOWS\System32\ASOROSet.bin
[2011/06/06 19:49:40 | 000,000,650 | -H-- | C] () -- C:\IPH.PH
[2011/06/06 13:06:09 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2011/06/06 12:57:11 | 000,001,878 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2011/06/06 12:25:03 | 000,000,020 | ---- | C] () -- C:\WINDOWS\System32\camera.ini
[2011/06/06 12:24:55 | 000,073,728 | R--- | C] () -- C:\WINDOWS\System32\face.ax
[2011/06/06 12:24:55 | 000,028,672 | R--- | C] () -- C:\WINDOWS\System32\CoUninstall.dll
[2011/06/06 12:24:45 | 000,000,515 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Camera Application.lnk
[2011/05/31 20:00:55 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox (2).lnk
[2011/05/31 19:58:24 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/05/31 19:58:24 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/05/31 19:58:23 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2011/05/31 19:47:16 | 000,070,916 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\Desktop\bookmarks-2011-05-31.json
[2010/09/18 11:27:19 | 000,083,456 | ---- | C] () -- C:\WINDOWS\System32\lxsmunin.exe
[2010/09/18 11:27:15 | 000,079,872 | ---- | C] () -- C:\WINDOWS\System32\lex_psu.exe
[2010/09/18 11:27:12 | 000,328,704 | ---- | C] () -- C:\WINDOWS\System32\dosfnt32.dll
[2010/06/10 15:18:06 | 003,914,760 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\Application Data\speech.wav
[2010/01/22 18:44:55 | 000,002,560 | ---- | C] () -- C:\WINDOWS\_MSRSTRT.EXE
[2010/01/20 15:48:04 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/01/20 15:48:04 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/01/20 15:48:04 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/01/20 15:48:04 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/01/20 15:48:04 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/11/02 17:02:08 | 000,000,004 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2008/04/27 13:25:50 | 000,001,160 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2008/03/15 14:15:34 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/11/09 15:10:38 | 000,000,255 | ---- | C] () -- C:\WINDOWS\System32\dlbkcoin.ini
[2007/10/14 09:39:58 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\Application Data\PFP110JPR.{PB
[2007/10/14 09:39:58 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\Application Data\PFP110JCM.{PB
[2007/09/08 15:40:43 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2005/03/22 19:22:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\slingo.INI
[2005/03/02 19:07:58 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/02/11 15:32:03 | 000,000,105 | ---- | C] () -- C:\WINDOWS\upst.ini
[2005/02/11 15:32:03 | 000,000,024 | ---- | C] () -- C:\WINDOWS\atid.ini
[2005/02/09 16:47:58 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/11/15 12:29:48 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2004/06/04 17:25:57 | 000,000,823 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2004/04/27 13:28:26 | 000,000,098 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2004/04/27 13:23:31 | 000,000,970 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2004/04/22 18:50:21 | 000,000,000 | ---- | C] () -- C:\WINDOWS\slingox.INI
[2004/04/19 09:58:46 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/04/19 09:50:52 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2004/04/19 09:47:11 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2004/04/19 09:34:54 | 000,002,048 | --S- | C] () -- C:\WINDOWS\BOOTSTAT.DAT
[2004/04/19 09:33:27 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/04/19 09:33:24 | 000,444,028 | ---- | C] () -- C:\WINDOWS\System32\PERFH009.DAT
[2004/04/19 09:33:24 | 000,071,904 | ---- | C] () -- C:\WINDOWS\System32\PERFC009.DAT
[2004/04/19 09:27:26 | 000,000,550 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/01/22 15:00:48 | 000,204,920 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/01/22 14:58:10 | 000,000,788 | ---- | C] () -- C:\WINDOWS\ORUN32.INI
[2004/01/22 10:00:28 | 000,012,635 | ---- | C] () -- C:\WINDOWS\System32\DAntivirus.ini
[2003/05/30 07:00:02 | 001,962,496 | ---- | C] () -- C:\WINDOWS\System32\quartz(2).dll
[2003/04/22 13:37:50 | 000,000,141 | ---- | C] () -- C:\WINDOWS\System32\DLBKPLC.INI
[2003/03/27 13:28:44 | 000,004,955 | ---- | C] () -- C:\WINDOWS\System32\DProg.ini
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/11/13 17:40:22 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbkvs.dll
[2002/09/03 06:59:14 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2002/09/03 06:56:30 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2002/09/03 06:31:46 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.BIN
[2002/09/03 06:31:44 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.DAT
[2002/08/29 03:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\MLANG.DAT
[2002/08/29 03:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\PERFI009.DAT
[2002/08/29 03:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\DSSEC.DAT
[2002/08/29 03:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\MIB.BIN
[2002/08/29 03:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\PERFD009.DAT
[2002/08/29 03:00:00 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2002/08/29 03:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\NOISE.DAT

========== LOP Check ==========

[2010/04/09 15:38:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2004/04/27 13:23:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2011/06/06 16:58:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IObit
[2010/06/10 15:17:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2011/06/18 11:57:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ocster Backup
[2011/06/07 09:23:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TaskManager
[2010/04/09 14:46:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2004/04/19 09:48:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/03/03 20:14:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\nanci bunten sieder\Application Data\Auslogics
[2009/11/10 16:34:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\nanci bunten sieder\Application Data\FTWeak
[2011/06/06 16:57:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\nanci bunten sieder\Application Data\IObit
[2010/06/10 15:17:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\nanci bunten sieder\Application Data\NCH Swift Sound
[2010/04/19 16:55:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\nanci bunten sieder\Application Data\Smart PC Solutions
[2009/11/05 16:57:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\nanci bunten sieder\Application Data\Systweak
[2008/08/27 15:43:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\nanci bunten sieder\Application Data\Viewpoint
[2011/06/26 01:00:01 | 000,000,372 | ---- | M] () -- C:\WINDOWS\Tasks\Auslogics Console Defragmentation.job

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[223 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.sys /90 >
[223 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >

< %SYSTEMDRIVE%\*.* >
[2002/09/03 06:59:58 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2008/03/03 17:57:38 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/01/20 15:49:58 | 000,000,281 | -HS- | M] () -- C:\BOOT.INI
[2002/09/03 06:38:46 | 000,000,512 | -HS- | M] () -- C:\BOOTSECT.DOS
[2004/08/04 00:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2011/06/22 14:47:12 | 000,012,657 | ---- | M] () -- C:\ComboFix.txt
[2002/09/03 06:59:58 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2004/04/19 09:29:56 | 000,005,576 | RH-- | M] () -- C:\DELL.SDR
[2011/06/24 09:29:16 | 266,407,936 | -HS- | M] () -- C:\hiberfil.sys
[2002/09/03 06:59:58 | 000,000,000 | -H-- | M] () -- C:\IO.SYS
[2011/06/06 19:56:34 | 000,000,650 | -H-- | M] () -- C:\IPH.PH
[2011/06/24 09:29:22 | 000,005,544 | ---- | M] () -- C:\jswx.log
[2002/09/03 06:59:58 | 000,000,000 | -H-- | M] () -- C:\MSDOS.SYS
[2008/03/03 17:44:29 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2009/11/10 15:55:06 | 000,250,032 | RHS- | M] () -- C:\NTLDR
[2011/06/24 09:29:15 | 1048,576,000 | -HS- | M] () -- C:\pagefile.sys
[2004/04/27 13:23:56 | 000,000,168 | ---- | M] () -- C:\setupfax.log

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2003/04/30 17:43:32 | 000,078,336 | ---- | M] () -- C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\DLBKPP5C.DLL
[2008/07/06 05:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\filterpipelineprintproc.dll
[2000/06/07 15:30:02 | 000,058,880 | ---- | M] (Lexmark International) -- C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\LMPRINT.DLL
[2003/06/18 17:31:48 | 000,018,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\mdippr.dll
[2002/05/14 14:50:34 | 000,011,264 | ---- | M] (BVRP Software) -- C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\wfxprint2000.dll

< %systemroot%\*. /mp /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8

< End of report >

4. GMER log
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-26 16:21:21
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD400BB-75DEA0 rev.05.03E05
Running: gmer.exe; Driver: C:\DOCUME~1\NANCIB~1\LOCALS~1\Temp\kxtyapog.sys


---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\System32\DRIVERS\mohfilt.sys entry point in "init" section [0xF95F5720]

---- User code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\winlogon.exe[636] C:\WINDOWS\system32\SHLWAPI.dll IMAGE_DOS_SIGNATURE not found;
.text C:\Program Files\Mozilla Firefox\firefox.exe[2732] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 78108033
Disk \Device\Harddisk0\DR0 PE file @ sector 78108055

---- EOF - GMER 1.0.15 ----
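
A small triage script for the GMER report above, added here as an example and not something from this thread or from the GMER project: it splits the log on GMER's section headers, parses the disk-sector, user-mode hook, unreadable-module and kernel-section lines, and ranks what it finds. The sample input is the GMER output posted above, embedded so the script runs offline; the regular expressions and the severity labels are this example's own assumptions about GMER's line format, not a documented interface.

```python
import re
from dataclasses import dataclass

# Constructed sample: the GMER output posted above, embedded so the script runs offline.
SAMPLE_GMER_LOG = r"""GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-26 16:21:21
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD400BB-75DEA0 rev.05.03E05
Running: gmer.exe; Driver: C:\DOCUME~1\NANCIB~1\LOCALS~1\Temp\kxtyapog.sys

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\System32\DRIVERS\mohfilt.sys entry point in "init" section [0xF95F5720]

---- User code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\winlogon.exe[636] C:\WINDOWS\system32\SHLWAPI.dll IMAGE_DOS_SIGNATURE not found;
.text C:\Program Files\Mozilla Firefox\firefox.exe[2732] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 78108033
Disk \Device\Harddisk0\DR0 PE file @ sector 78108055

---- EOF - GMER 1.0.15 ----
"""

# Line formats below are assumptions inferred from the log, not a documented GMER grammar.
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
DISK_RE = re.compile(r"^Disk (?P<device>\S+) (?P<what>.+?) @ sector (?P<sector>\d+)$")
UNREADABLE_RE = re.compile(r"^\?\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<module>\S+)\s+(?P<msg>.+?);?$")
HOOK_RE = re.compile(
    r"^(?P<sect>\S+)\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<nbytes>\d+) Bytes (?P<kind>JMP|CALL) (?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<target_image>.+?))?(?:\s+\((?P<vendor>[^)]*)\))?$"
)
KERNEL_RE = re.compile(
    r'^(?P<sect>\S+)\s+(?P<driver>\S+) entry point in "(?P<in>[^"]+)" section \[(?P<addr>0x[0-9A-Fa-f]+)\]$'
)
SEVERITY_ORDER = {"info": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Finding:
    severity: str   # one of SEVERITY_ORDER
    section: str    # GMER section the line came from
    detail: str


def split_sections(log_text):
    """Map each GMER section name to its non-empty lines; text before the first header is 'header'."""
    sections, current = {"header": []}, "header"
    for line in log_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
        elif line.strip():
            sections[current].append(line.rstrip())
    return sections


def classify(section, line):
    """Turn one GMER line into a Finding, or None for lines this example does not understand."""
    m = DISK_RE.match(line)
    if m:
        what = m.group("what").lower()
        # Code GMER itself calls malicious in raw sectors is the MBR-rootkit signal; a PE image
        # stored outside any file system is the usual payload store for that kind of bootkit.
        sev = "critical" if ("malicious" in what or "rootkit" in what) else "high" if "pe file" in what else "medium"
        return Finding(sev, section, f"{m.group('what')} on {m.group('device')} at sector {m.group('sector')}")
    m = UNREADABLE_RE.match(line)
    if m:
        return Finding("medium", section, f"{m.group('module')} in {m.group('image')}[{m.group('pid')}]: {m.group('msg')}")
    m = HOOK_RE.match(line)
    if m:
        # A process that redirects an API into its own image is self-hooking (browsers do this to
        # police DLL loads); a redirect into foreign or unnamed code is what injection looks like.
        self_hook = (m.group("target_image") or "").lower() == m.group("image").lower()
        where = "its own image" if self_hook else (m.group("target_image") or "unknown code")
        return Finding("info" if self_hook else "high", section,
                       f"{m.group('module')}!{m.group('func')} {m.group('kind')} hooked in "
                       f"{m.group('image')}[{m.group('pid')}] -> {where}")
    m = KERNEL_RE.match(line)
    if m:
        return Finding("info", section, f"{m.group('driver')} entry point in discardable '{m.group('in')}' section")
    return None


def triage(log_text):
    return [f for section, lines in split_sections(log_text).items()
            for f in (classify(section, l) for l in lines) if f]


def max_severity(findings):
    return max(findings, key=lambda f: SEVERITY_ORDER[f.severity]).severity if findings else "info"


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_GMER_LOG), key=lambda f: -SEVERITY_ORDER[f.severity]):
        print(f"{f.severity:8} {f.section:20} {f.detail}")
```

The classification is the point: the JMP that firefox.exe installs on ntdll!LdrLoadDll lands in firefox.exe's own image and is the kind of self-hook a browser uses to control DLL loading, so it ranks as informational, whereas the "malicious Win32:MBRoot code" hit in raw disk sectors is the one finding that decides the case. Sector 78108033 on a 40 GB WD400BB is within a few tens of thousands of sectors of the very end of the disk, which is where MBR bootkits of the family GMER is naming keep their payload outside any file system; that is why an MBR-aware scanner such as the aswMBR requested below is the right next step, and why a fresh GMER run after cleaning must show the Disk sectors section empty.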

#4 etavares


    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:42 PM

Posted 27 June 2011 - 05:08 PM

Hello, Silverbak.



Conduit Toolbar Warning

I see you have a Conduit toolbar installed. This often is recognized as trackware and I recommend you remove it.

If you would like to remove it, please go to Add/Remove Programs and uninstall Elf1 Toolbar.


Trusted Zone Warning

Having trusted sites may not be a good idea. The reason why I say it's not a good idea is because the security settings for the internet are not extremely high, and once you put a site in your trusted zone, basically almost anyone or anything, including hackers or other malicious software, has full access to that site, which can lead to hijacking that site and may even have access to your computer. Are you sure you trust a site to that degree?

It is recommended NOT to have ANY sites in your Trusted Zone unless the site requires it to function properly and you trust it very well. Other than that, it is not necessary for you to add any sites into the trusted zone. If you're not sure, and/or you do not need these in your trusted zone to facilitate access or you did not knowingly permit this access yourself, then please remove those sites from your trusted zone.

They can be accessed in Internet Explorer via Tools>>Internet Options>>Security>>Trusted Zone>>Sites. Remove if there are any there.



Step 1


Please copy/paste the contents of C:\combofix.txt into a reply here. It's strongly not advised to run it unsupervised (it requires manual intervention to completely clean and it can render your computer unbootable). Glad to see it worked out here, though.

It does appear you have a rootkit. I'll wait until I see the results of these requests to confirm.



Step 2

I see you have IOBit installed on your computer. This is a known rogue antivirus that steals definitions from legitimate antiviruses. Please read about it here. Before I can help you, please uninstall IOBit via Add/Remove Programs. If you need another antivirus, some good free ones (for personal use) are Avast and Avira AntiVir.



Step 3

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
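
The Trusted Zone advice above can be checked without clicking through the Internet Options dialog, because Internet Explorer stores zone assignments in the registry: under ...\Internet Settings\ZoneMap\Domains there is one subkey per domain, an optional subkey per subdomain, and a value named after the scheme (or * for every scheme) whose DWORD data is the zone number (0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites); IP ranges live under ZoneMap\Ranges. The script below is an added example, not part of this thread or of any Microsoft tool. It parses a .reg export of those keys (on the affected machine, `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" zonemap.reg` at a command prompt) and lists what is trusted. The embedded export is constructed for the example and its hostnames are placeholders.

```python
import ipaddress
import re
from dataclasses import dataclass

ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
DOMAINS_MARK = "\\zonemap\\domains\\"
RANGES_MARK = "\\zonemap\\ranges\\"

KEY_RE = re.compile(r"^\[(?P<hive>HKEY_[A-Z_]+)\\(?P<path>.+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')
STRING_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')

# Constructed sample export; the hostnames are placeholders, not anything from this thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com]
"http"=dword:00000002
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\www]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\evil.test]
"*"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\unwanted.test]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
":Range"="192.168.1.0-192.168.1.255"
"*"=dword:00000001
"""


@dataclass(frozen=True)
class ZoneEntry:
    hive: str                # HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE
    host: str                # domain, sub.domain, or "lo-hi" for an IP range
    scheme: str              # "http", "https", "ftp", "file" or "*" (every scheme)
    zone: int                # 0..4, see ZONE_NAMES
    covers_subdomains: bool  # a domain-level entry applies to all of its subdomains

    @property
    def zone_name(self):
        return ZONE_NAMES.get(self.zone, f"zone {self.zone}")


def _values_by_key(reg_text):
    """Group a .reg export into {(hive, path): {value_name: int | str}}."""
    keys, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            current = (m.group("hive"), m.group("path"))
            keys.setdefault(current, {})
        elif current is not None and (m := DWORD_RE.match(line)):
            keys[current][m.group("name")] = int(m.group("hex"), 16)
        elif current is not None and (m := STRING_RE.match(line)):
            keys[current][m.group("name")] = m.group("value")
    return keys


def parse_zonemap_reg(reg_text):
    """Flatten the ZoneMap\\Domains and ZoneMap\\Ranges keys into ZoneEntry records."""
    entries = []
    for (hive, path), values in _values_by_key(reg_text).items():
        lower = path.lower()
        if (i := lower.find(DOMAINS_MARK)) >= 0:
            parts = path[i + len(DOMAINS_MARK):].split("\\")
            domain, sub = parts[0], (parts[1] if len(parts) > 1 else None)
            host = f"{sub}.{domain}" if sub else domain
            for name, zone in values.items():
                if isinstance(zone, int):
                    entries.append(ZoneEntry(hive, host, name, zone, sub is None))
        elif lower.find(RANGES_MARK) >= 0:
            host = str(values.get(":Range", path.rsplit("\\", 1)[-1]))
            for name, zone in values.items():
                if isinstance(zone, int) and name != ":Range":
                    entries.append(ZoneEntry(hive, host, name, zone, False))
    return entries


def entries_in_zone(entries, zone):
    return [e for e in entries if e.zone == zone]


def _is_private_range(spec):
    """True when 'lo-hi' lies entirely in private (RFC 1918, loopback, link-local) space."""
    try:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    except ValueError:  # not an IP range, e.g. a DNS name
        return False
    return lo.is_private and hi.is_private


def review(entries):
    """Warnings in the spirit of the advice above: anything trusted, plus public names parked in
    the Local intranet zone, which relaxes IE's defaults almost as much as Trusted sites does."""
    warnings = []
    for e in entries:
        if e.zone == 2:
            scope = " and every subdomain" if e.covers_subdomains else ""
            warnings.append(f"Trusted sites: {e.host}{scope} ({e.scheme}) [{e.hive}]")
        elif e.zone == 1 and not _is_private_range(e.host):
            warnings.append(f"Local intranet: public name {e.host} ({e.scheme}) [{e.hive}]")
    return warnings


if __name__ == "__main__":
    for w in review(parse_zonemap_reg(SAMPLE_REG)):
        print(w)
```

Two practical notes: reg.exe writes its export as UTF-16 with a byte-order mark on XP and later, so open a real file with encoding="utf-16" before passing it to parse_zonemap_reg; and export HKLM's copy of the ZoneMap key as well as HKCU's, since the machine-wide entries apply to every account and are what a silent installer is more likely to have written.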
 


#5 Silverbak

  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:42 AM

Posted 27 June 2011 - 11:15 PM

Hello Etavares,

Thank you very much for your detailed reply.

Please be aware that the ComboFix log (pasted below) was created several days before the logs I recently pasted. I believe that the period of time between the ComboFix run and the recent logs was when I removed a bunch of "clean and fix" programs.

I cannot find Elf1 in the add/remove listing, nor in the Program Files listings, yet it sits at the top of the page to the right of the URL box: "Elf 1 Customized Web Search". If you feel that in any way it might be an issue, I definitely would like to remove it.

I looked for Trusted Files using Internet Explorer, and none were listed. Therefore, I assume that I have none. I tried to look for Trusted Files using Tools>Options of Firefox, but could find no such listing for Trusted Files.

ComboFix.txt

ComboFix 11-06-22.02 - nanci bunten sieder 06/22/2011 14:27:33.12.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.120 [GMT -7:00]
Running from: c:\documents and settings\nanci bunten sieder\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-05-22 to 2011-06-22 )))))))))))))))))))))))))))))))
.
.
2011-06-22 20:51 . 2011-06-22 20:51 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-06-22 20:51 . 2011-06-22 20:51 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-06-18 19:01 . 2011-06-18 19:01 -------- d-----w- c:\documents and settings\nanci bunten sieder\Local Settings\Application Data\Ocster Backup
2011-06-18 18:58 . 2011-06-18 18:58 -------- d-----w- c:\documents and settings\_ocster_backup_
2011-06-18 18:57 . 2011-06-18 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Ocster Backup
2011-06-18 18:56 . 2011-06-18 19:01 -------- d-----w- c:\program files\Ocster Backup
2011-06-16 17:27 . 2011-06-16 17:27 -------- d-----w- c:\documents and settings\nanci bunten sieder\Local Settings\Application Data\Safe mirror
2011-06-16 17:26 . 2011-06-16 17:27 -------- d-----w- c:\program files\Cobian Backup 10
2011-06-15 22:39 . 2011-06-15 22:41 -------- d-----w- c:\documents and settings\Administrator
2011-06-12 21:17 . 2011-06-12 21:17 -------- d-----w- c:\program files\RAMRush
2011-06-10 02:34 . 2011-06-10 02:39 2636 ----a-w- c:\windows\system32\ASOROSet.bin
2011-06-10 02:32 . 2011-06-10 02:32 -------- dc----w- c:\windows\system32\DRVSTORE
2011-06-07 16:23 . 2011-06-07 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\TaskManager
2011-06-06 23:54 . 2011-06-06 23:58 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-06-06 20:05 . 2011-06-22 18:42 -------- d-----w- c:\documents and settings\nanci bunten sieder\Application Data\skypePM
2011-06-06 20:04 . 2011-06-14 07:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype Extras
2011-06-06 20:02 . 2011-06-22 20:47 -------- d-----w- c:\documents and settings\nanci bunten sieder\Application Data\Skype
2011-06-06 19:57 . 2011-06-06 19:57 -------- d-----w- c:\program files\Common Files\Skype
2011-06-06 19:56 . 2011-06-06 19:58 -------- d-----r- c:\program files\Skype
2011-06-06 19:56 . 2011-06-06 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2011-06-06 19:25 . 2009-10-31 06:21 31104 ------r- c:\windows\system32\drivers\usbcamcl.sys
2011-06-06 19:25 . 2008-06-18 02:28 19968 ------r- c:\windows\system32\drivers\usbDecode.sys
2011-06-06 19:24 . 2009-09-24 07:12 8643584 ------r- c:\windows\system32\drivers\PictureDll.sys
2011-06-06 19:24 . 2007-11-15 06:03 5632 ------r- c:\windows\system32\drivers\FilterDll.sys
2011-06-06 19:24 . 2009-05-25 02:57 496640 ------r- c:\windows\system32\drivers\FaceDll.sys
2011-06-06 19:24 . 2010-03-05 06:57 73728 ------r- c:\windows\system32\face.ax
2011-06-06 19:24 . 2009-12-22 08:51 28672 ------r- c:\windows\system32\CoUninstall.dll
2011-06-06 19:24 . 2001-05-11 20:18 420240 ----a-w- c:\windows\system32\mpg4c32.dll
2011-06-06 19:24 . 2011-06-06 19:30 -------- d-----w- c:\program files\Pc Camera
2011-06-06 19:21 . 2004-08-04 07:07 59264 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2011-06-06 19:21 . 2004-08-04 07:07 59264 ----a-w- c:\windows\system32\dllcache\usbaudio.sys
2011-06-06 19:21 . 2004-08-04 08:56 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2011-06-06 19:21 . 2004-08-04 08:56 53760 ----a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2011-06-06 19:20 . 2004-08-04 08:56 20992 ----a-w- c:\windows\system32\dshowext.ax
2011-05-31 04:10 . 2011-06-06 23:57 -------- d-----w- c:\documents and settings\nanci bunten sieder\Application Data\IObit
2011-05-31 04:10 . 2011-06-06 23:55 -------- d-----w- c:\program files\IObit
2011-05-31 01:25 . 2011-05-31 01:25 -------- d-----w- c:\program files\Auslogics
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-16 23:57 . 2004-04-19 16:30 90112 ----a-w- c:\windows\DUMP0e33.tmp
2011-06-12 21:55 . 2009-11-07 20:12 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2011-06-22 20:51 . 2011-06-01 02:57 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-08 68856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-05-27 15147400]
"ftweak_RAMRush"="c:\program files\RAMRush\RAMRush.exe" [2009-09-18 670720]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2004-04-15 270336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-04-19 77824]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-04-19 151597]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-06-07 36864]
"LXSUPMON"="c:\windows\system32\LXSUPMON.EXE" [2000-06-07 794112]
"Ocster Backup"="c:\program files\Ocster Backup\bin\backupClient-ox.exe" [2011-04-11 310048]
.
c:\documents and settings\nanci bunten sieder\Start Menu\Programs\Startup\
ClickTray Calendar.lnk - c:\program files\ClickTray Calendar\ClickTray.exe [2005-2-27 3499008]
Password Safe.lnk - c:\program files\Password Safe\pwsafe.exe [2009-9-26 2301952]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
2004-04-15 08:32 270336 ----a-w- c:\program files\Dell AIO Printer A920\dlbkbmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-04-07 05:07 114688 ----a-w- c:\windows\SYSTEM32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2003-04-07 05:19 155648 ----a-w- c:\windows\SYSTEM32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 01:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2003-08-27 00:47 204800 ------w- c:\program files\Dell\Media Experience\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2004-04-19 16:48 77824 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2004-04-19 16:48 151597 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-15 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-15 136176]
R3 PDWEngine;PDWEngine;c:\program files\Raxco\PerfectDisk Live\PDWEngine.exe [2005-07-20 591376]
S2 ocster_backup;Ocster Backup;c:\program files\Ocster Backup\bin\backupService-ox.exe [2011-04-11 18208]
S2 PDWebWmi;PDWebWmi;c:\program files\Raxco\PerfectDisk Live\PDWebWmi.exe [2005-07-20 210448]
S3 usbcamcl;Driver for video Device;c:\windows\system32\DRIVERS\usbcamcl.sys [2009-10-31 31104]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-22 c:\windows\Tasks\Auslogics Console Defragmentation.job
- c:\program files\Auslogics\AusLogics Disk Defrag\cdefrag.exe [2011-05-31 17:07]
.
2011-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-15 01:13]
.
2011-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-15 01:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.foxnews.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
FF - ProfilePath - c:\documents and settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2856415&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Elf 1 Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{74F6C5A9-0EAD-4a71-891E-376A838DF1F0} - (no file)
WebBrowser-{E8558D71-5E4E-4217-B608-D2F5D3623AE3} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-22 14:40
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3532)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-06-22 14:47:10
ComboFix-quarantined-files.txt 2011-06-22 21:47
ComboFix2.txt 2011-06-01 01:28
ComboFix3.txt 2011-05-25 21:08
ComboFix4.txt 2011-01-20 07:08
ComboFix5.txt 2011-06-22 21:06
.
Pre-Run: 24,620,044,288 bytes free
Post-Run: 24,608,956,416 bytes free
.
- - End Of File - - 52610710EF8984D578F30C5372B3511E

IObit file
Once again, I cannot find this file in the add/remove list or the Program Files list. Perhaps I removed it when I removed the bunch of "clean/fix" programs, but that was before the logs I recently pasted were created. It strikes me as odd there would be tracks of that program if it had been removed.

aswMBR

During the course of this scan, a Warning message box asked if I wanted aswMBR to rewrite the Master Boot Record. I selected "No".


aswMBR version 0.9.7.675 Copyright© 2011 AVAST Software
Run date: 2011-06-27 18:21:19
-----------------------------
18:21:19.843 OS Version: Windows 5.1.2600 Service Pack 2
18:21:19.843 Number of processors: 1 586 0x209
18:21:19.875 ComputerName: DDPXBQ41 UserName:
18:21:30.718 Initialize success
18:26:39.000 AVAST engine defs: 11062701
18:27:44.500 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:27:44.625 Disk 0 Vendor: WDC_WD400BB-75DEA0 05.03E05 Size: 38146MB BusType: 3
18:27:44.859 Disk 0 MBR read successfully
18:27:44.859 Disk 0 MBR scan
18:27:44.906 Disk 0 Windows XP default MBR code
18:27:44.937 Disk 0 scanning sectors +78108030
18:27:45.000 Disk 0 malicious Win32:MBRoot code @ sector 78108033 !
18:27:45.015 Disk 0 PE file @ sector 78108055 !
18:27:45.015 Disk 0 scanning C:\WINDOWS\system32\drivers
18:29:57.031 Service scanning
18:30:13.750 Disk 0 trace - called modules:
18:30:13.765 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
18:30:13.765 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x81b16ab8]
18:30:13.812 3 CLASSPNP.SYS[f92a305b] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x81af88e8]
18:30:17.937 AVAST engine scan C:\WINDOWS
20:04:13.453 AVAST engine scan C:\Documents and Settings\nanci bunten sieder
20:11:18.265 AVAST engine scan C:\Documents and Settings\All Users
20:13:53.171 Scan finished successfully
21:10:04.906 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\nanci bunten sieder\Desktop\MBR.dat"
21:10:05.234 The log file has been saved successfully to "C:\Documents and Settings\nanci bunten sieder\Desktop\aswMBR.txt"


Thanks for your help,
Robert

#6 etavares

Bleepin' Remover
Malware Response Team
15,514 posts

Posted 28 June 2011 - 08:47 PM

Hello, Silverbak.


Step 1

Please pull anything out of the recycle bin that you want to save. Part of this fix will empty temp files, and that does include the recycle bin.

We need to run an OTL script.
  • Please download OTL from one of the following mirrors if you do not still have it.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Paste the following code under the Custom Scans/Fixes box at the bottom.
    :OTL
    O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
    FF - prefs.js..browser.search.defaultthis.engineName: "Elf 1 Customized Web Search"
    FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2856415&SearchSource=3&q={searchTerms}"
    FF - prefs.js..browser.search.selectedEngine: "Elf 1 Customized Web Search"
    FF - prefs.js..extensions.enabledItems: engine@conduit.com:3.2.5.2
    [2011/06/23 19:21:18 | 000,000,000 | ---D | M] (Elf 1 Community Toolbar) -- C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\extensions\{22e03916-85c5-44b0-8dc9-1830c11238d9}
    [2011/05/17 13:53:30 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\extensions\engine@conduit.com
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O16 - DPF: {32505657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab (Reg Error: Key error.)
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB (Reg Error: Key error.)
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} Reg Error: Key error. (Reg Error: Key error.)
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.pw.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,18/mcgdmgr.cab (Reg Error: Key error.)
    MsConfig - StartUpReg: HotKeysCmds - hkey= - key= - File not found
    MsConfig - StartUpReg: IgfxTray - hkey= - key= - File not found
    @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
    :files
    c:\documents and settings\nanci bunten sieder\Application Data\IObit
    c:\program files\IObit
    c:\documents and settings\All Users\Application Data\IObit
    C:\Documents and Settings\nanci bunten sieder\Desktop\asc-setup_.exe
    C:\Documents and Settings\nanci bunten sieder\Desktop\asc-setup.exe
    C:\Documents and Settings\nanci bunten sieder\Desktop\asc4-setup.exe
    :Commands
    [EmptyTemp]
    
  • Click the Run Fix button at the top.
  • Let the program run unhindered and reboot when it is done.
  • You will get a log when it is done; please post that in your reply.
  • Please then create a new OTL report:
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • A report will open, copy and paste it in a reply here.



Step 2

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#7 Silverbak

Topic Starter
Members
39 posts

Posted 29 June 2011 - 02:05 PM

Hello Etavares,

As part of my work on this computer, I plan to increase the RAM from 256M to 2G. If I do this now, will that interfere with the help that you are giving me?

06292011_102203

All processes killed
========== OTL ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aol.com\objects\ deleted successfully.
Prefs.js: "Elf 1 Customized Web Search" removed from browser.search.defaultthis.engineName
Prefs.js: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2856415&SearchSource=3&q={searchTerms}" removed from browser.search.defaulturl
Prefs.js: "Elf 1 Customized Web Search" removed from browser.search.selectedEngine
Prefs.js: engine@conduit.com:3.2.5.2 removed from extensions.enabledItems
C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\extensions\{22e03916-85c5-44b0-8dc9-1830c11238d9}\searchplugin folder moved successfully.
C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\extensions\{22e03916-85c5-44b0-8dc9-1830c11238d9}\modules folder moved successfully.
C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\extensions\{22e03916-85c5-44b0-8dc9-1830c11238d9}\META-INF folder moved successfully.
C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\extensions\{22e03916-85c5-44b0-8dc9-1830c11238d9}\defaults folder moved successfully.
C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\extensions\{22e03916-85c5-44b0-8dc9-1830c11238d9}\components folder moved successfully.
C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\extensions\{22e03916-85c5-44b0-8dc9-1830c11238d9}\chrome folder moved successfully.
C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\extensions\{22e03916-85c5-44b0-8dc9-1830c11238d9} folder moved successfully.
C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\extensions\engine@conduit.com\searchplugin folder moved successfully.
C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\extensions\engine@conduit.com\META-INF folder moved successfully.
C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\extensions\engine@conduit.com\lib folder moved successfully.
C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\extensions\engine@conduit.com\DualPackage folder moved successfully.
C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\extensions\engine@conduit.com\defaults folder moved successfully.
C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\extensions\engine@conduit.com\components folder moved successfully.
C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\extensions\engine@conduit.com\chrome folder moved successfully.
C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\extensions\engine@conduit.com folder moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Starting removal of ActiveX control {32505657-9980-0010-8000-00AA00389B71}
C:\WINDOWS\Downloaded Program Files\wmvadvd.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{32505657-9980-0010-8000-00AA00389B71}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32505657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{32505657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32505657-9980-0010-8000-00AA00389B71}\ not found.
Starting removal of ActiveX control {33564D57-0000-0010-8000-00AA00389B71}
C:\WINDOWS\Downloaded Program Files\WMV9VCM.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{33564D57-0000-0010-8000-00AA00389B71}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33564D57-0000-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{33564D57-0000-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33564D57-0000-0010-8000-00AA00389B71}\ not found.
Starting removal of ActiveX control {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
Starting removal of ActiveX control {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}
C:\WINDOWS\Downloaded Program Files\McGDMgr.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\HotKeysCmds\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\IgfxTray\ deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8 deleted successfully.
========== FILES ==========
c:\documents and settings\nanci bunten sieder\Application Data\IObit\Smart Defrag 2 folder moved successfully.
c:\documents and settings\nanci bunten sieder\Application Data\IObit\IObit Malware Fighter folder moved successfully.
c:\documents and settings\nanci bunten sieder\Application Data\IObit\Advanced SystemCare V4\Toolbox folder moved successfully.
c:\documents and settings\nanci bunten sieder\Application Data\IObit\Advanced SystemCare V4\Smart RAM folder moved successfully.
c:\documents and settings\nanci bunten sieder\Application Data\IObit\Advanced SystemCare V4\PMonitor folder moved successfully.
c:\documents and settings\nanci bunten sieder\Application Data\IObit\Advanced SystemCare V4\Log folder moved successfully.
c:\documents and settings\nanci bunten sieder\Application Data\IObit\Advanced SystemCare V4\Internet Booster folder moved successfully.
c:\documents and settings\nanci bunten sieder\Application Data\IObit\Advanced SystemCare V4\DiskCheck folder moved successfully.
c:\documents and settings\nanci bunten sieder\Application Data\IObit\Advanced SystemCare V4\Backup folder moved successfully.
c:\documents and settings\nanci bunten sieder\Application Data\IObit\Advanced SystemCare V4 folder moved successfully.
c:\documents and settings\nanci bunten sieder\Application Data\IObit folder moved successfully.
File\Folder c:\program files\IObit not found.
c:\documents and settings\All Users\Application Data\IObit\Game Booster folder moved successfully.
c:\documents and settings\All Users\Application Data\IObit\Advanced SystemCare V4 folder moved successfully.
c:\documents and settings\All Users\Application Data\IObit folder moved successfully.
C:\Documents and Settings\nanci bunten sieder\Desktop\asc-setup_.exe moved successfully.
C:\Documents and Settings\nanci bunten sieder\Desktop\asc-setup.exe moved successfully.
C:\Documents and Settings\nanci bunten sieder\Desktop\asc4-setup.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes

User: All Users
->Flash cache emptied: 35 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: HelpAssistant
->Temp folder emptied: 596713 bytes
->Temporary Internet Files folder emptied: 3025794 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 3250580 bytes
->Google Chrome cache emptied: 557424 bytes
->Flash cache emptied: 17720 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: nanci bunten sieder
->Temp folder emptied: 66022246 bytes
->Temporary Internet Files folder emptied: 53920307 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 59152319 bytes
->Google Chrome cache emptied: 557424 bytes
->Flash cache emptied: 3266 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner

User: _ocster_backup_
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 90112 bytes
%systemroot%\System32 .tmp files removed: 56048209 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 40960 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33726 bytes
RecycleBin emptied: 22814310 bytes

Total Files Cleaned = 254.00 mb


OTL by OldTimer - Version 3.2.24.1 log created on 06292011_102203

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

OTL logfile created on: 6/29/2011 10:50:44 AM - Run 3

OTL by OldTimer - Version 3.2.24.1 Folder = C:\Documents and Settings\nanci bunten sieder\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

254.00 Mb Total Physical Memory | 38.32 Mb Available Physical Memory | 15.09% Memory free
1.21 Gb Paging File | 0.84 Gb Available in Paging File | 69.02% Paging File free
Paging file location(s): C:\pagefile.sys 1000 3000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.21 Gb Total Space | 23.21 Gb Free Space | 62.37% Space Free | Partition Type: NTFS
Drive D: | 34.42 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: DDPXBQ41 | User Name: nanci bunten sieder | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/26 12:46:10 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\nanci bunten sieder\Desktop\OTL.exe
PRC - [2011/06/22 13:51:49 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/09/26 00:29:00 | 002,301,952 | ---- | M] (SourceForge.net) -- C:\Program Files\Password Safe\pwsafe.exe
PRC - [2009/09/17 17:47:16 | 000,670,720 | ---- | M] (FTweak) -- C:\Program Files\RAMRush\RAMRush.exe
PRC - [2007/06/13 03:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/09/30 20:22:50 | 000,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2005/07/20 09:28:36 | 000,210,448 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk Live\PDWebWmi.exe
PRC - [2005/02/27 10:50:06 | 003,499,008 | ---- | M] (WASEO) -- C:\Program Files\ClickTray Calendar\ClickTray.exe
PRC - [2004/04/15 02:18:38 | 000,053,248 | ---- | M] (Dell Computer Corporation) -- C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
PRC - [2004/04/15 01:32:22 | 000,270,336 | ---- | M] (Dell Computer Corporation) -- C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
PRC - [2000/06/07 13:01:38 | 000,794,112 | ---- | M] (Lexmark) -- C:\WINDOWS\SYSTEM32\LXSUPMON.EXE


========== Modules (SafeList) ==========

MOD - [2011/06/26 12:46:10 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\nanci bunten sieder\Desktop\OTL.exe
MOD - [2004/08/04 00:57:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [Disabled | Stopped] -- -- (AppMgmt)
SRV - [2007/03/07 13:47:46 | 000,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2005/09/30 20:22:50 | 000,096,341 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2005/07/20 09:28:36 | 000,210,448 | ---- | M] (Raxco Software, Inc.) [Auto | Running] -- C:\Program Files\Raxco\PerfectDisk Live\PDWebWmi.exe -- (PDWebWmi)
SRV - [2005/07/20 09:28:32 | 000,591,376 | ---- | M] (Raxco Software, Inc.) [On_Demand | Stopped] -- C:\Program Files\Raxco\PerfectDisk Live\PDWEngine.exe -- (PDWEngine)


========== Driver Services (SafeList) ==========

DRV - [2011/01/20 14:25:31 | 000,028,256 | ---- | M] (MusicMatch, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\MxlW2k.sys -- (MxlW2k)
DRV - [2010/06/10 18:00:06 | 000,022,528 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\intelsmb.sys -- (smbusp) Intel®
DRV - [2009/10/30 23:21:48 | 000,031,104 | R--- | M] (usb camera) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\usbcamcl.sys -- (usbcamcl)
DRV - [2007/02/25 10:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\dsunidrv.sys -- (dsunidrv)
DRV - [2006/10/05 14:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/03/02 04:30:54 | 000,618,880 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC52.sys -- (IntelC52)
DRV - [2005/06/28 07:31:26 | 000,061,920 | ---- | M] (Raxco Software, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\defrag32b.sys -- (Defrag32b)
DRV - [2005/06/28 07:31:26 | 000,061,920 | ---- | M] (Raxco Software, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\defrag32.sys -- (Defrag32)
DRV - [2005/05/06 22:42:26 | 001,339,776 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC51.sys -- (IntelC51)
DRV - [2005/05/06 22:40:50 | 000,047,360 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC53.sys -- (IntelC53)
DRV - [2005/05/06 22:40:20 | 000,036,880 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mohfilt.sys -- (mohfilt)
DRV - [2004/08/03 22:29:49 | 000,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys -- (iAimFP4)
DRV - [2004/08/03 22:29:47 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys -- (iAimFP3)
DRV - [2004/08/03 22:29:45 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys -- (iAimTV4)
DRV - [2004/08/03 22:29:43 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys -- (iAimTV3)
DRV - [2004/08/03 22:29:42 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys -- (iAimTV1)
DRV - [2004/08/03 22:29:41 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys -- (iAimTV0)
DRV - [2004/08/03 22:29:37 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys -- (iAimFP0)
DRV - [2004/08/03 22:29:37 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys -- (iAimFP1)
DRV - [2004/08/03 22:29:37 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys -- (iAimFP2)
DRV - [2004/08/03 22:29:36 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys -- (i81x)
DRV - [2004/08/03 22:29:26 | 000,701,440 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys -- (ati2mtag)
DRV - [2003/05/23 10:58:30 | 000,043,136 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2002/11/08 11:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)
DRV - [2001/08/17 10:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1802421826-2456566677-1406560120-1008\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-1802421826-2456566677-1406560120-1008\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-1802421826-2456566677-1406560120-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
IE - HKU\S-1-5-21-1802421826-2456566677-1406560120-1008\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-1802421826-2456566677-1406560120-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: ""
FF - prefs.js..browser.search.defaulturl: ""
FF - prefs.js..browser.search.selectedEngine: ""
FF - prefs.js..browser.startup.homepage: "http://www.foxnews.com/"


FF - HKLM\software\mozilla\Mozilla Firefox 5.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/22 13:51:51 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 5.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/17 13:51:46 | 000,000,000 | ---D | M]

[2008/09/01 09:50:22 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Extensions
[2011/06/29 10:22:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\extensions
[2009/08/12 10:50:48 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/06/22 11:43:36 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/12/01 18:22:54 | 000,000,913 | ---- | M] () -- C:\Documents and Settings\nanci bunten sieder\Application Data\Mozilla\Firefox\Profiles\0s6fezst.default\searchplugins\conduit.xml
[2011/06/06 12:58:10 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/06/06 12:58:11 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2010/05/23 15:02:10 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2011/05/31 19:57:51 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\distribution\extensions
[2011/05/31 19:57:51 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Program Files\Mozilla Firefox\distribution\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
File not found (No name found) --
[2010/05/23 15:01:01 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/06/22 13:51:49 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2008/06/18 00:43:04 | 000,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2010/05/23 15:01:00 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/05/07 14:18:34 | 000,677,152 | ---- | M] (Medical Informatics Engineering, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npzzatif.dll
[2010/01/01 01:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/05/25 14:02:12 | 000,000,027 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O4 - HKLM..\Run: [Dell AIO Printer A920] C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe (Dell Computer Corporation)
O4 - HKLM..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE (Lexmark)
O4 - HKLM..\Run: [PrinTray] C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\2\printray.exe (Lexmark)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-1802421826-2456566677-1406560120-1008..\Run: [ftweak_RAMRush] C:\Program Files\RAMRush\RAMRush.exe (FTweak)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\HelpAssistant\Start Menu\Programs\Startup\ClickTray Calendar.lnk = C:\Program Files\ClickTray Calendar\ClickTray.exe (WASEO)
O4 - Startup: C:\Documents and Settings\HelpAssistant\Start Menu\Programs\Startup\Password Safe.lnk = C:\Program Files\Password Safe\pwsafe.exe (SourceForge.net)
O4 - Startup: C:\Documents and Settings\nanci bunten sieder\Start Menu\Programs\Startup\ClickTray Calendar.lnk = C:\Program Files\ClickTray Calendar\ClickTray.exe (WASEO)
O4 - Startup: C:\Documents and Settings\nanci bunten sieder\Start Menu\Programs\Startup\Password Safe.lnk = C:\Program Files\Password Safe\pwsafe.exe (SourceForge.net)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1802421826-2456566677-1406560120-1008\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1802421826-2456566677-1406560120-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1802421826-2456566677-1406560120-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1802421826-2456566677-1406560120-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\nanci bunten sieder\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\nanci bunten sieder\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/03 06:59:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/06/08 21:06:42 | 000,000,043 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/29 10:22:03 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/06/29 10:15:59 | 009,435,312 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\nanci bunten sieder\Desktop\mbam-setup-1.51.0.1200.exe
[2011/06/27 18:20:28 | 001,904,128 | ---- | C] (AVAST Software) -- C:\Documents and Settings\nanci bunten sieder\Desktop\aswMBR.exe
[2011/06/26 12:46:13 | 000,579,072 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\nanci bunten sieder\Desktop\OTL.exe
[2011/06/22 15:47:28 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/06/18 12:01:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\nanci bunten sieder\Local Settings\Application Data\Ocster Backup
[2011/06/18 11:57:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Ocster Backup
[2011/06/18 11:56:00 | 000,000,000 | ---D | C] -- C:\Program Files\Ocster Backup
[2011/06/16 15:47:01 | 000,731,000 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\nanci bunten sieder\Desktop\autoruns.exe
[2011/06/16 15:13:43 | 000,607,310 | R--- | C] (Swearware) -- C:\Documents and Settings\nanci bunten sieder\Desktop\dds.scr
[2011/06/16 10:27:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\nanci bunten sieder\Local Settings\Application Data\Safe mirror
[2011/06/16 10:27:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Cobian Backup 10
[2011/06/16 10:26:19 | 000,000,000 | ---D | C] -- C:\Program Files\Cobian Backup 10
[2011/06/16 10:05:42 | 015,492,608 | ---- | C] (Luis Cobian, CobianSoft) -- C:\Documents and Settings\nanci bunten sieder\Desktop\cbSetup.exe
[2011/06/12 14:17:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\RAMRush
[2011/06/12 14:17:09 | 000,000,000 | ---D | C] -- C:\Program Files\RAMRush
[2011/06/12 14:15:13 | 000,547,461 | ---- | C] (FTweak, Inc. ) -- C:\Documents and Settings\nanci bunten sieder\Desktop\ramrush.exe
[2011/06/09 19:32:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2011/06/09 12:53:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\nanci bunten sieder\My Documents\Computer - Dell
[2011/06/07 09:23:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TaskManager
[2011/06/07 09:16:31 | 011,714,981 | ---- | C] (Extensoft) -- C:\Documents and Settings\nanci bunten sieder\Desktop\FreeTaskManager.exe
[2011/06/06 13:05:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\nanci bunten sieder\Application Data\skypePM
[2011/06/06 13:04:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Skype Extras
[2011/06/06 13:02:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\nanci bunten sieder\Application Data\Skype
[2011/06/06 12:57:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
[2011/06/06 12:57:09 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2011/06/06 12:56:59 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2011/06/06 12:56:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Skype
[2011/06/06 12:53:11 | 001,029,000 | ---- | C] (Skype Technologies S.A.) -- C:\Documents and Settings\nanci bunten sieder\Desktop\SkypeSetup.exe
[2011/06/06 12:25:03 | 000,031,104 | R--- | C] (usb camera) -- C:\WINDOWS\System32\drivers\usbcamcl.sys
[2011/06/06 12:25:03 | 000,019,968 | R--- | C] (usb camera) -- C:\WINDOWS\System32\drivers\usbDecode.sys
[2011/06/06 12:24:57 | 008,643,584 | R--- | C] (ark) -- C:\WINDOWS\System32\drivers\PictureDll.sys
[2011/06/06 12:24:57 | 000,005,632 | R--- | C] (ark) -- C:\WINDOWS\System32\drivers\FilterDll.sys
[2011/06/06 12:24:56 | 000,496,640 | R--- | C] (ark) -- C:\WINDOWS\System32\drivers\FaceDll.sys
[2011/06/06 12:24:41 | 000,000,000 | ---D | C] -- C:\Program Files\Pc Camera
[2011/06/06 12:24:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\USB Camera
[2011/06/06 12:21:35 | 000,059,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbaudio.sys
[2011/06/06 12:21:00 | 000,053,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\vfwwdm32.dll
[2011/06/06 12:21:00 | 000,053,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\vfwwdm32.dll
[2011/06/06 12:20:59 | 000,020,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dshowext.ax
[2011/06/06 12:20:59 | 000,020,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dshowext.ax
[2011/05/31 19:53:27 | 012,775,568 | ---- | C] (Mozilla) -- C:\Documents and Settings\nanci bunten sieder\Desktop\yahoo_firefox_4.0.1_setup_us.exe
[2011/05/30 18:25:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Auslogics
[2011/05/30 18:25:48 | 000,000,000 | ---D | C] -- C:\Program Files\Auslogics
[2011/05/30 18:22:09 | 004,677,544 | ---- | C] (Auslogics Software Pty Ltd ) -- C:\Documents and Settings\nanci bunten sieder\Desktop\disk-defrag-setup.exe

========== Files - Modified Within 30 Days ==========

[2011/06/29 10:41:11 | 000,000,912 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/06/29 10:27:37 | 000,000,908 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/06/29 10:27:31 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2011/06/29 10:27:30 | 266,407,936 | -HS- | M] () -- C:\hiberfil.sys
[2011/06/29 10:15:08 | 009,435,312 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\nanci bunten sieder\Desktop\mbam-setup-1.51.0.1200.exe
[2011/06/29 01:00:00 | 000,000,372 | ---- | M] () -- C:\WINDOWS\tasks\Auslogics Console Defragmentation.job
[2011/06/28 13:46:35 | 000,997,786 | ---- | M] () -- C:\Documents and Settings\nanci bunten sieder\Desktop\2011-06-28_12.41.34.jpg
[2011/06/27 21:10:05 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\nanci bunten sieder\Desktop\MBR.dat
[2011/06/27 18:20:27 | 001,904,128 | ---- | M] (AVAST Software) -- C:\Documents and Settings\nanci bunten sieder\Desktop\aswMBR.exe
[2011/06/27 18:10:32 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\nanci bunten sieder\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003.lnk
[2011/06/26 12:46:10 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\nanci bunten sieder\Desktop\OTL.exe
[2011/06/22 15:46:29 | 000,000,008 | ---- | M] () -- C:\WINDOWS\System32\log-suffix.xml
[2011/06/22 15:46:28 | 000,000,748 | ---- | M] () -- C:\WINDOWS\System32\log.xml
[2011/06/22 15:46:26 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\log.xml.lock
[2011/06/22 14:03:09 | 004,134,409 | R--- | M] (Swearware) -- C:\Documents and Settings\nanci bunten sieder\Desktop\ComboFix.exe
[2011/06/16 16:04:34 | 000,293,977 | ---- | M] () -- C:\Documents and Settings\nanci bunten sieder\Desktop\gmer.zip
[2011/06/16 15:46:48 | 000,731,000 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\nanci bunten sieder\Desktop\autoruns.exe
[2011/06/16 15:13:36 | 000,607,310 | R--- | M] (Swearware) -- C:\Documents and Settings\nanci bunten sieder\Desktop\dds.scr
[2011/06/16 15:07:02 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\nanci bunten sieder\defogger_reenable
[2011/06/16 15:05:02 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\nanci bunten sieder\Desktop\Defogger.exe
[2011/06/16 10:06:27 | 015,492,608 | ---- | M] (Luis Cobian, CobianSoft) -- C:\Documents and Settings\nanci bunten sieder\Desktop\cbSetup.exe
[2011/06/15 12:45:45 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/06/12 14:55:17 | 000,025,992 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\WINDOWS\System32\pgdfgsvc.exe
[2011/06/12 14:17:14 | 000,000,616 | ---- | M] () -- C:\Documents and Settings\nanci bunten sieder\Desktop\RAMRush.lnk
[2011/06/12 14:15:06 | 000,547,461 | ---- | M] (FTweak, Inc. ) -- C:\Documents and Settings\nanci bunten sieder\Desktop\ramrush.exe
[2011/06/10 17:30:48 | 009,196,177 | ---- | M] () -- C:\Documents and Settings\nanci bunten sieder\Desktop\pwsafe-3.25.exe
[2011/06/09 19:39:24 | 000,002,636 | ---- | M] () -- C:\WINDOWS\System32\ASOROSet.bin
[2011/06/09 19:33:28 | 000,444,028 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2011/06/09 19:33:28 | 000,071,904 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2011/06/07 09:16:52 | 011,714,981 | ---- | M] (Extensoft) -- C:\Documents and Settings\nanci bunten sieder\Desktop\FreeTaskManager.exe
[2011/06/06 19:56:34 | 000,000,650 | -H-- | M] () -- C:\IPH.PH
[2011/06/06 13:06:09 | 000,000,056 | -H-- | M] () -- C:\WINDOWS\System32\ezsidmv.dat
[2011/06/06 12:57:11 | 000,001,878 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2011/06/06 12:53:04 | 001,029,000 | ---- | M] (Skype Technologies S.A.) -- C:\Documents and Settings\nanci bunten sieder\Desktop\SkypeSetup.exe
[2011/06/06 12:25:03 | 000,000,020 | ---- | M] () -- C:\WINDOWS\System32\camera.ini
[2011/06/06 12:24:45 | 000,000,515 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Camera Application.lnk
[2011/05/31 20:00:55 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\nanci bunten sieder\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox (2).lnk
[2011/05/31 19:58:24 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\nanci bunten sieder\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/05/31 19:58:24 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/05/31 19:53:59 | 012,775,568 | ---- | M] (Mozilla) -- C:\Documents and Settings\nanci bunten sieder\Desktop\yahoo_firefox_4.0.1_setup_us.exe
[2011/05/31 19:47:18 | 000,070,916 | ---- | M] () -- C:\Documents and Settings\nanci bunten sieder\Desktop\bookmarks-2011-05-31.json
[2011/05/30 18:22:33 | 004,677,544 | ---- | M] (Auslogics Software Pty Ltd ) -- C:\Documents and Settings\nanci bunten sieder\Desktop\disk-defrag-setup.exe

========== Files Created - No Company Name ==========

[2011/06/28 13:46:53 | 000,997,786 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\Desktop\2011-06-28_12.41.34.jpg
[2011/06/27 21:10:04 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\Desktop\MBR.dat
[2011/06/22 15:46:27 | 000,000,008 | ---- | C] () -- C:\WINDOWS\System32\log-suffix.xml
[2011/06/22 15:46:26 | 000,000,748 | ---- | C] () -- C:\WINDOWS\System32\log.xml
[2011/06/22 15:46:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\log.xml.lock
[2011/06/16 16:07:03 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\Desktop\gmer.exe
[2011/06/16 16:04:50 | 000,293,977 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\Desktop\gmer.zip
[2011/06/16 15:07:02 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\defogger_reenable
[2011/06/16 15:05:28 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\Desktop\Defogger.exe
[2011/06/15 18:33:30 | 266,407,936 | -HS- | C] () -- C:\hiberfil.sys
[2011/06/12 14:17:14 | 000,000,616 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\Desktop\RAMRush.lnk
[2011/06/10 17:30:14 | 009,196,177 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\Desktop\pwsafe-3.25.exe
[2011/06/09 19:34:38 | 000,002,636 | ---- | C] () -- C:\WINDOWS\System32\ASOROSet.bin
[2011/06/06 19:49:40 | 000,000,650 | -H-- | C] () -- C:\IPH.PH
[2011/06/06 13:06:09 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2011/06/06 12:57:11 | 000,001,878 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2011/06/06 12:25:03 | 000,000,020 | ---- | C] () -- C:\WINDOWS\System32\camera.ini
[2011/06/06 12:24:55 | 000,073,728 | R--- | C] () -- C:\WINDOWS\System32\face.ax
[2011/06/06 12:24:55 | 000,028,672 | R--- | C] () -- C:\WINDOWS\System32\CoUninstall.dll
[2011/06/06 12:24:45 | 000,000,515 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Camera Application.lnk
[2011/05/31 20:00:55 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox (2).lnk
[2011/05/31 19:58:24 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/05/31 19:58:24 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/05/31 19:58:23 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2011/05/31 19:47:16 | 000,070,916 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\Desktop\bookmarks-2011-05-31.json
[2010/09/18 11:27:19 | 000,083,456 | ---- | C] () -- C:\WINDOWS\System32\lxsmunin.exe
[2010/09/18 11:27:15 | 000,079,872 | ---- | C] () -- C:\WINDOWS\System32\lex_psu.exe
[2010/09/18 11:27:12 | 000,328,704 | ---- | C] () -- C:\WINDOWS\System32\dosfnt32.dll
[2010/06/10 15:18:06 | 003,914,760 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\Application Data\speech.wav
[2010/01/22 18:44:55 | 000,002,560 | ---- | C] () -- C:\WINDOWS\_MSRSTRT.EXE
[2010/01/20 15:48:04 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/01/20 15:48:04 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/01/20 15:48:04 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/01/20 15:48:04 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/01/20 15:48:04 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/11/02 17:02:08 | 000,000,004 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2008/04/27 13:25:50 | 000,001,160 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2008/03/15 14:15:34 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/11/09 15:10:38 | 000,000,255 | ---- | C] () -- C:\WINDOWS\System32\dlbkcoin.ini
[2007/10/14 09:39:58 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\Application Data\PFP110JPR.{PB
[2007/10/14 09:39:58 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\Application Data\PFP110JCM.{PB
[2007/09/08 15:40:43 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2005/03/22 19:22:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\slingo.INI
[2005/03/02 19:07:58 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/02/11 15:32:03 | 000,000,105 | ---- | C] () -- C:\WINDOWS\upst.ini
[2005/02/11 15:32:03 | 000,000,024 | ---- | C] () -- C:\WINDOWS\atid.ini
[2005/02/09 16:47:58 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\nanci bunten sieder\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/11/15 12:29:48 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2004/06/04 17:25:57 | 000,000,823 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2004/04/27 13:28:26 | 000,000,098 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2004/04/27 13:23:31 | 000,000,970 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2004/04/22 18:50:21 | 000,000,000 | ---- | C] () -- C:\WINDOWS\slingox.INI
[2004/04/19 09:58:46 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/04/19 09:50:52 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2004/04/19 09:47:11 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2004/04/19 09:34:54 | 000,002,048 | --S- | C] () -- C:\WINDOWS\BOOTSTAT.DAT
[2004/04/19 09:33:27 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/04/19 09:33:24 | 000,444,028 | ---- | C] () -- C:\WINDOWS\System32\PERFH009.DAT
[2004/04/19 09:33:24 | 000,071,904 | ---- | C] () -- C:\WINDOWS\System32\PERFC009.DAT
[2004/04/19 09:27:26 | 000,000,550 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/01/22 15:00:48 | 000,204,920 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/01/22 14:58:10 | 000,000,788 | ---- | C] () -- C:\WINDOWS\ORUN32.INI
[2004/01/22 10:00:28 | 000,012,635 | ---- | C] () -- C:\WINDOWS\System32\DAntivirus.ini
[2003/05/30 07:00:02 | 001,962,496 | ---- | C] () -- C:\WINDOWS\System32\quartz(2).dll
[2003/04/22 13:37:50 | 000,000,141 | ---- | C] () -- C:\WINDOWS\System32\DLBKPLC.INI
[2003/03/27 13:28:44 | 000,004,955 | ---- | C] () -- C:\WINDOWS\System32\DProg.ini
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/11/13 17:40:22 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbkvs.dll
[2002/09/03 06:59:14 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2002/09/03 06:56:30 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2002/09/03 06:31:46 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.BIN
[2002/09/03 06:31:44 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.DAT
[2002/08/29 03:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\MLANG.DAT
[2002/08/29 03:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\PERFI009.DAT
[2002/08/29 03:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\DSSEC.DAT
[2002/08/29 03:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\MIB.BIN
[2002/08/29 03:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\PERFD009.DAT
[2002/08/29 03:00:00 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2002/08/29 03:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\NOISE.DAT

< End of report >

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6977

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

6/29/2011 11:39:40 AM
mbam-log-2011-06-29 (11-39-39).txt

Scan type: Quick scan
Objects scanned: 187413
Time elapsed: 22 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\Addins\Ad-Protect.Addin.1 (Rogue.ContraVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell\1das (Rogue.ContraVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell\dnl7 (Rogue.ContraVirus) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\helpassistant\application data\contravirus antispam (Rogue.ContraVirus) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\helpassistant\application data\contravirus antispam\Settings.xml (Rogue.ContraVirus) -> Quarantined and deleted successfully.

Thank you,
Robert

#8 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 29 June 2011 - 06:14 PM

Hello, Silverbak.

I would prefer you wait a bit...if it's not properly seated or a stick is bad, the errors and blue screen could confound our work here. Do you mind waiting? I was going to suggest that upgrade at the end; that will improve speed tremendously versus 256MB.

I did see something concerning in that last log, so we will take a deeper look.

Download and run HAMeb_check.exe
Post the contents of the resulting log.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#9 Silverbak (Topic Starter, Members, 39 posts)

Posted 29 June 2011 - 09:14 PM

Hello Etavares,

I'll be happy to wait until we are through before installing the RAM.

C:\Documents and Settings\nanci bunten sieder\Desktop\HAMeb_check.exe
Wed 06/29/2011 at 19:10:39.82

Account active Yes
Local Group Memberships *Administrators

~~ Checking profile list ~~

S-1-5-21-1802421826-2456566677-1406560120-1006
%SystemDrive%\Documents and Settings\HelpAssistant

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x04A7D57E
malicious code @ sector 0x04A7D581 !
PE file found in sector at 0x04A7D597 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"3246:TCP"=3246:TCP:*:Enabled:Services
"2479:TCP"=2479:TCP:*:Enabled:Services
80:TCP=80:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"3246:TCP"=3246:TCP:*:Enabled:Services
"2479:TCP"=2479:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop


~~ EOF ~~

#10 etavares

Posted 30 June 2011 - 05:24 PM

OK, you may have had a MebRoot infection in the past. Did you have a virus issue on this computer before this? The "HelpAssistant" user profile can be legitimate, but it is more commonly related to the MebRoot infection. The log shows that it is not active. However, I do see signs the MBR was infected at some point. That leads me to believe you had this virus at some point and it is not legitimate. I'm inclined to remove the HelpAssistant profile and leftovers as a result, but wanted to ask this first.




#11 Silverbak


Posted 30 June 2011 - 05:43 PM

Hello Etavares,

From time to time I run various malware removal programs, and sometimes something would be found and removed. I do not recall anything about MebRoot or "Help Assistant." If you feel the profile, etc., should be removed, that is fine with me.

Best,
Robert

#12 etavares


Posted 30 June 2011 - 05:59 PM

Hello, Silverbak.

Given that your MBR shows signs of a past infection, I would remove it on my machine, so I'll do the same for you.

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer. (it shouldn't)
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

etavares




#13 Silverbak


Posted 30 June 2011 - 07:30 PM

Hello Etavares,

C:\Documents and Settings\nanci bunten sieder\Desktop\HelpAsst_mebroot_fix.exe
Thu 06/30/2011 at 17:10:58.30


HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
termsrv32.dll successfully removed

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"3246:TCP"=-
"2479:TCP"=-
80:TCP=-
"3389:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"3246:TCP"=-
"2479:TCP"=-
"3389:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1802421826-2456566677-1406560120-1006
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Thu 06/30/2011 at 17:23:04.72

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x04A7D57E
malicious code @ sector 0x04A7D581 !
PE file found in sector at 0x04A7D597 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
80:TCP=80:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Thu 06/30/2011 at 17:28:46.56

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x04A7D57E
malicious code @ sector 0x04A7D581 !
PE file found in sector at 0x04A7D597 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
80:TCP=80:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

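The HAMeb_check log in post #9 and the status checks in post #13 share one layout: a HelpAssistant account line, then "~~ ... ~~" sections for the profile list, the MBR detector, termsrv32.dll and the XP firewall GloballyOpenPorts lists. The following is an added example, not code from this thread or from the HAMeb_check/HelpAsst tools, that parses that layout into indicators and turns them into review alerts. The regular expressions, the `EXPECTED_PORTS` allowlist and the alert wording are this example's own assumptions; the two embedded logs are constructed, abbreviated copies of the ones posted above.

```python
"""Triage helper for HAMeb_check-style logs (added example, not the tool's own code)."""
import re

# Section headers look like "~~ Checking mbr ~~"; port entries are XP firewall
# GloballyOpenPorts values; sector hits are the embedded MBR detector's lines.
SECTION_RE = re.compile(r"^~~ (.+?) ~~$")
KEY_RE = re.compile(r"firewallpolicy\\(\w+)\\GloballyOpenPorts\\List\]$", re.I)
PORT_RE = re.compile(r'^"?(\d+):(TCP|UDP)"?=\d+:(?:TCP|UDP):\*:Enabled:(.*)$')
SECTOR_RE = re.compile(r"^(?:malicious code @ sector|PE file found in sector at) (0x[0-9A-Fa-f]+)")

# Assumption: ports the analyst expects to be open; anything else is reported.
EXPECTED_PORTS = {(80, "TCP"), (3389, "TCP")}

# Constructed, abbreviated copies of the before-fix (post #9) and after-fix
# (post #13 status check) logs from this thread.
BEFORE_LOG = r"""Account active Yes
Local Group Memberships *Administrators
~~ Checking profile list ~~
S-1-5-21-1802421826-2456566677-1406560120-1006
%SystemDrive%\Documents and Settings\HelpAssistant
~~ Checking mbr ~~
malicious code @ sector 0x04A7D581 !
PE file found in sector at 0x04A7D597 !
~~ Checking for termsrv32.dll ~~
termsrv32.dll present!
~~ Checking firewall ports ~~
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"3246:TCP"=3246:TCP:*:Enabled:Services
80:TCP=80:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
~~ EOF ~~
"""
AFTER_LOG = r"""Account active No
Local Group Memberships
~~ Checking mbr ~~
malicious code @ sector 0x04A7D581 !
PE file found in sector at 0x04A7D597 !
~~ Checking for termsrv32.dll ~~
termsrv32.dll not found
~~ Checking profile list ~~
No HelpAssistant profile in registry
~~ Checking firewall ports ~~
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
80:TCP=80:TCP:*:Enabled:Services
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
~~ EOF ~~
"""

def parse_log(text):
    """Walk the log section by section and collect the indicators it reports."""
    f = {"account_active": False, "account_admin": False, "profile_in_registry": False,
         "termsrv32_present": False, "mbr_sectors": [], "open_ports": {}}
    section, profile = "account", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1).lower()
        elif section == "account":
            if line.startswith("Account active"):
                f["account_active"] = line.endswith("Yes")
            elif line.startswith("Local Group Memberships"):
                f["account_admin"] = "*Administrators" in line
        elif section == "checking profile list" and line.startswith("S-1-5-21-"):
            f["profile_in_registry"] = True
        elif section == "checking mbr" and (m := SECTOR_RE.match(line)):
            f["mbr_sectors"].append(m.group(1))
        elif section == "checking for termsrv32.dll" and line.startswith("termsrv32.dll present"):
            f["termsrv32_present"] = True
        elif section == "checking firewall ports":
            if m := KEY_RE.search(line):
                profile = m.group(1).lower()   # DomainProfile / StandardProfile
                f["open_ports"].setdefault(profile, [])
            elif (m := PORT_RE.match(line)) and profile is not None:
                f["open_ports"][profile].append((int(m.group(1)), m.group(2), m.group(3)))
    return f

def assess(f):
    """Turn parsed indicators into review alerts; an empty list means nothing to report."""
    alerts = []
    if f["account_active"]:
        alerts.append("HelpAssistant account is active")
    if f["account_admin"]:
        alerts.append("HelpAssistant is a member of local Administrators")
    if f["profile_in_registry"]:
        alerts.append("HelpAssistant profile is registered in ProfileList")
    if f["termsrv32_present"]:
        alerts.append("termsrv32.dll present (ServiceDll should be termsrv.dll)")
    alerts += [f"MBR detector flagged sector {s}" for s in f["mbr_sectors"]]
    for profile, ports in f["open_ports"].items():
        alerts += [f"{profile}: unexpected open port {p}/{proto} ({label})"
                   for p, proto, label in ports if (p, proto) not in EXPECTED_PORTS]
    return alerts

if __name__ == "__main__":
    for name, log in (("before fix", BEFORE_LOG), ("after fix", AFTER_LOG)):
        print(name, assess(parse_log(log)))
```

Run against the before-fix copy it reports the active, administrative HelpAssistant account, the registered profile, the extra Terminal Services DLL, the two flagged sectors and the two high-numbered "Services" ports. Against the after-fix copy only the two sector lines remain, which matches the status checks above: the account, profile, DLL and rogue ports are gone while the MBR detector still prints the same sector hits.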
#14 etavares


Posted 01 July 2011 - 05:04 PM

Hello, Silverbak.

OK, much better. We'll do some updates to close security holes and an online scan. How is it running?



Step 1

You are using an outdated version of Adobe Reader. It has since been updated, and the update closes many security holes and provides new features.

First, uninstall earlier versions of Adobe Reader.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all versions of Adobe Reader.
  • Check (highlight) any item with Adobe Reader in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Adobe Reader version.

Please download the latest version from:
http://get.adobe.com/reader/download/

And install it. Once installed, launch it, select Help --> Check for Updates and install any updates.


You may also try the free Foxit PDF reader if you prefer:
http://www.foxitsoftware.com/pdf/reader/



Step 2

Next, we need to update Java.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 25.
  • Save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) or Java™ in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each of the Java versions shown below:
    Java 6 Update 20
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u25-windows-i586-s.exe to install the newest version.




Step 3

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]

etavares




#15 Silverbak


Posted 02 July 2011 - 07:59 PM

Hello Etavares,

1. Re "How is it running?" I see no difference in the responsiveness :( . Shutting down and restarting into BleepingComputer.com takes about 3-5 minutes.

2. Changes made as requested to Adobe and Java.

3. Scan made with ESET. For some reason the text file was not saved (could having the Caps Lock on been the problem?). However, I got a screen shot of the quarantine file that has all the infected files (11), and it is attached.

Best,
Robert

Attached Files