
Google Redirect

11 replies to this topic

#1 Max K

  • Members
  • 14 posts

Posted 30 June 2011 - 12:22 AM

I am running Windows XP on an eMachines notebook. When I open Internet Explorer the search screen opens. I enter a topic, hit Search, and all of my choices appear. Whenever I click on a choice the browser redirects to some random site. If I click the back button and reclick the Google search choice I am taken to my desired site. I have been working with Blade since 6/16/11. He advised me to go to the advanced team http://www.bleepingcomputer.com/forums/topic404129.html/page__p__2294580__fromsearch__1#entry2294580



Max





.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Max Keller at 0:13:46 on 2011-06-30
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.538 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Launch Manager\dsiwmis.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Documents and Settings\Max Keller\Local Settings\Application Data\ulu.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\PLFSetI.exe
C:\WINDOWS\PLFSetL.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Documents and Settings\Max Keller\Application Data\Microsoft\conhost.exe
C:\DOCUME~1\MAXKEL~1\LOCALS~1\Temp\csrss.exe
C:\Documents and Settings\Max Keller\Application Data\dwm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Max Keller\Desktop\Defogger.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=em250&r=0xph06103345l0444wuj5r4482623q
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=em250&r=0xph06103345l0444wuj5r4482623q
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=em250&r=0xph06103345l0444wuj5r4482623q
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:60545
uWinlogon: Shell=explorer.exe,c:\documents and settings\max keller\application data\dwm.exe
uWindows: Load=c:\docume~1\maxkel~1\locals~1\temp\csrss.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {043C5167-00BB-4324-AF7E-62013FAEDACF} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Google Update] "c:\documents and settings\max keller\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Hpibuqob] rundll32.exe "c:\windows\asrbcwdl.dll",Startup
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [LManager] c:\program files\launch manager\LManager.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NortonOnlineBackupReminder] "c:\program files\symantec\norton online backup\activation\NobuActivation.exe" UNATTENDED
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [snp2uvc] rundll32.exe c:\windows\system32\csnp2uvc.dll,ResetCIDS
mRun: [PLFSetI] c:\windows\PLFSetI.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
mRun: [Lwadelozug] rundll32.exe "c:\windows\orinolifetah.dll",Startup
mRun: [conhost] c:\documents and settings\max keller\application data\microsoft\conhost.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{9D1AC5E4-C1E7-4920-9E0E-CB2C084143A4} : DhcpNameServer = 192.168.1.254
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
============= SERVICES / DRIVERS ===============
.
R2 DsiWMIService;Dritek WMI Service;c:\program files\launch manager\dsiwmis.exe [2009-11-6 107016]
R2 Updater Service;Updater Service;c:\program files\emachines\emachines updater\UpdaterService.exe [2009-11-6 240160]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-11-6 38912]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-24 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-11-6 1684736]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-24 135664]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2009-11-6 14336]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-11-6 162816]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
S3 VCam_WDM;e2eSoft VCam;c:\windows\system32\drivers\VCam_WDM.sys [2010-8-28 95840]
.
=============== Created Last 30 ================
.
2011-06-29 21:52:21 180736 ----a-w- c:\documents and settings\max keller\application data\dwm.exe
2011-06-29 21:51:36 169472 ----a-w- c:\documents and settings\max keller\application data\microsoft\conhost.exe
2011-06-16 06:15:31 81920 ----a-w- c:\windows\eSellerateControl350.dll
2011-06-16 06:15:31 356352 ----a-w- c:\windows\eSellerateEngine.dll
2011-06-16 06:15:22 -------- d-----w- c:\program files\Adware . Rax Search Removal Tool
2011-06-16 05:54:33 388096 ----a-r- c:\documents and settings\max keller\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-06-16 05:54:32 -------- d-----w- c:\program files\Trend Micro
2011-06-16 03:21:16 401 ----a-w- c:\windows\ecujojulowuni.dll
.
==================== Find3M ====================
.
2011-06-29 06:29:32 0 ----a-w- c:\windows\Rdafin.bin
2011-05-18 05:00:22 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 0:14:47.37 ===============



#2 sempai

  • Malware Response Team
  • 5,288 posts

Posted 03 July 2011 - 08:57 AM

Hello Max K and welcome to BC. :)

Sorry about the delay, do you still need help?

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 Max K
  • Topic Starter
  • Members
  • 14 posts

Posted 03 July 2011 - 02:12 PM

Yes I still need help.

#4 sempai

  • Malware Response Team
  • 5,288 posts

Posted 04 July 2011 - 07:35 AM

Hi,

2011-06-29 21:52:21 180736 ----a-w- c:\documents and settings\max keller\application data\dwm.exe
2011-06-29 21:51:36 169472 ----a-w- c:\documents and settings\max keller\application data\microsoft\conhost.exe

These infections are backdoor trojans; please refer to this Trend Micro Threat Encyclopedia.


One or more of the identified infections is a backdoor trojan/rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterward. Let me know what you decide to do.


======================================


Please follow these instructions ONLY IF you do not wish to reformat and want to proceed with the cleaning process.


Step 1: Download GMER Rootkit Scanner from here.
  • Extract the contents of the zipped file to the desktop.
  • Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
  • Post the contents of that report when you reply.


Step 2: Download OTL by OldTimer from one of the links below:

Link 1
Link 2

  • Save it to your desktop.
  • Close all open windows on the Task Bar.
  • Double click the OTL icon to run the program (run as Administrator for Windows Vista/7).
  • Put a check mark on Scan All Users.
  • Click the Run Scan button and let it run uninterrupted.
  • It will create two reports namely OTL.txt (will be opened) and Extras.txt (will be minimized).
  • Post the contents of both reports when you reply.
  • Exit OTL.

~Semp

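A small triage script, added here as an example (it is not from the thread, from sempai, or from the DDS tool), that runs over lines of the DDS log from the first post and flags the patterns sempai pointed at: core Windows binary names running from user-writable folders, the extra Winlogon Shell and Windows Load entries, the IE ProxyServer pointed at 127.0.0.1 (a proxy that sits between the browser and the network and can rewrite every request), and rundll32 startup entries loading DLLs dropped straight into C:\WINDOWS. The sample excerpt is constructed from lines that appear in the log above; the section names and the "legitimate location" baseline are assumptions about DDS output, not something the tool documents.

```python
"""Triage helper for DDS-style logs.

Added example, not code from the BleepingComputer thread or from the DDS
tool. It walks the "Running Processes" and "Pseudo HJT Report" sections and
flags:
  * core Windows binary names (csrss.exe, conhost.exe, dwm.exe, ...) running
    from anywhere other than %SystemRoot%\\system32
  * a Winlogon Shell value with anything besides explorer.exe
  * a non-empty Windows "Load" value
  * an IE ProxyServer that points at the local machine
  * rundll32 startup entries loading a DLL dropped straight into C:\\WINDOWS
The section names and the location baseline are assumptions about DDS
output, not something the tool documents.
"""
import re

# Binaries that, on a stock Windows XP install, live only under system32
# (assumption: a deliberately small baseline; extend it for your environment).
SYSTEM_BINARIES = {"csrss.exe", "conhost.exe", "dwm.exe", "svchost.exe",
                   "lsass.exe", "winlogon.exe", "services.exe"}
LEGIT_DIRS = ("c:/windows/system32/", "c:/windows/syswow64/")
WINDOWS_ROOT = "c:/windows/"

PROXY_LOOPBACK = re.compile(r"proxyserver\s*=.*?(127\.\d+\.\d+\.\d+|localhost)", re.I)
RUNDLL_DLL = re.compile(r'rundll32\.exe\s+"?([^",]+\.dll)', re.I)


def norm(path):
    """Lower-case, unquote and forward-slash a Windows path for comparison."""
    return path.strip().strip('"').lower().replace("\\", "/")


def check_process(line):
    """Running-Processes line: a system-binary name outside system32."""
    p = norm(line)
    if "/" not in p:                      # DDS prints a bare name when it
        return None                       # could not resolve the path
    name = p.rsplit("/", 1)[-1].split(" ")[0]   # drop "-k netsvcs" style args
    if name in SYSTEM_BINARIES and not p.startswith(LEGIT_DIRS):
        return f"system-binary name outside system32: {p}"
    return None


def check_hjt(line):
    """Pseudo-HJT line: persistence and proxy settings worth a second look."""
    text = line.strip()
    key = text.lower()
    if key.startswith(("uwinlogon: shell=", "mwinlogon: shell=")):
        entries = [norm(e) for e in text.split("=", 1)[1].split(",")]
        extra = [e for e in entries if e != "explorer.exe"]
        return f"extra Winlogon Shell entry: {', '.join(extra)}" if extra else None
    if key.startswith(("uwindows: load=", "mwindows: load=")):
        value = text.split("=", 1)[1].strip()
        return f"Windows Load value set (normally empty): {norm(value)}" if value else None
    if PROXY_LOOPBACK.search(text):
        return f"IE proxy points at the local machine: {text}"
    m = RUNDLL_DLL.search(text)
    if m:
        dll = norm(m.group(1))
        if dll.rsplit("/", 1)[0] + "/" == WINDOWS_ROOT:
            return f"rundll32 startup entry loads a DLL from the Windows root: {dll}"
    return None


def triage(log_text):
    """Return a list of finding strings for a DDS log given as one string."""
    findings, section = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("="):          # section header, e.g. "=== Pseudo HJT Report ==="
            section = ("proc" if "Running Processes" in line
                       else "hjt" if "Pseudo HJT" in line else None)
            continue
        hit = (check_process(line) if section == "proc"
               else check_hjt(line) if section == "hjt" else None)
        if hit:
            findings.append(hit)
    return findings


# Excerpt constructed from lines that appear in the DDS log posted in the thread.
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Max Keller\Application Data\Microsoft\conhost.exe
C:\DOCUME~1\MAXKEL~1\LOCALS~1\Temp\csrss.exe
C:\Documents and Settings\Max Keller\Application Data\dwm.exe
C:\Program Files\Internet Explorer\iexplore.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:60545
uWinlogon: Shell=explorer.exe,c:\documents and settings\max keller\application data\dwm.exe
uWindows: Load=c:\docume~1\maxkel~1\locals~1\temp\csrss.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Hpibuqob] rundll32.exe "c:\windows\asrbcwdl.dll",Startup
mRun: [snp2uvc] rundll32.exe c:\windows\system32\csnp2uvc.dll,ResetCIDS
mRun: [Lwadelozug] rundll32.exe "c:\windows\orinolifetah.dll",Startup
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS):
        print(finding)
```

On the excerpt above the script reports eight findings and stays quiet on the legitimate system32 entries (ctfmon, csnp2uvc, svchost).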


#5 Max K
  • Topic Starter
  • Members
  • 14 posts

Posted 06 July 2011 - 06:00 PM

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-06 17:47:17
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD16 rev.11.0
Running: gmer.exe; Driver: C:\DOCUME~1\MAXKEL~1\LOCALS~1\Temp\kgxcqkoc.sys


---- User code sections - GMER 1.0.15 ----

? C:\DOCUME~1\MAXKEL~1\LOCALS~1\Temp\csrss.exe[1992] number of sections mismatch; time/date stamp mismatch; unknown module: conhost.exeunknown module: OLEAUT32.dllunknown module: RASAPI32.dllunknown module: WINHTTP.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2420] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2420] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9B01 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2420] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2420] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2420] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2420] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2420] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2420] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2420] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2420] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2420] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2420] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2420] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2420] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E547F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2956] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2956] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2956] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2956] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2956] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2956] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2956] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2956] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2956] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9040211900063D11C8EF10054038389C\Usage@ProductFiles 1055195734
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9040211900063D11C8EF10054038389C\Usage@EXCELFiles 1055196818
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9040211900063D11C8EF10054038389C\Usage@VBAFiles 1055195216
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\HP Deskjet D1400 series@ChangeID 9342593
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\HP Deskjet D1400 series@Attributes 3584

---- EOF - GMER 1.0.15 ----


----------------------------------------------------------------------------------------------------------------

OTL logfile created on: 7/6/2011 5:48:40 PM - Run 1
OTL by OldTimer - Version 3.2.26.0 Folder = C:\Documents and Settings\Max Keller\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.87 Mb Total Physical Memory | 406.22 Mb Available Physical Memory | 40.07% Memory free
2.38 Gb Paging File | 1.88 Gb Available in Paging File | 78.70% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 139.04 Gb Total Space | 105.15 Gb Free Space | 75.63% Space Free | Partition Type: NTFS

Computer Name: EMACHINE-97610C | User Name: Max Keller | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/07/06 17:47:26 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Max Keller\Desktop\OTL.exe
PRC - [2011/07/05 14:22:40 | 000,168,960 | ---- | M] () -- C:\Documents and Settings\Max Keller\Application Data\Microsoft\conhost.exe
PRC - [2011/07/05 14:22:16 | 000,187,392 | ---- | M] () -- C:\Documents and Settings\Max Keller\Local Settings\Temp\csrss.exe
PRC - [2011/07/05 14:21:15 | 000,180,224 | ---- | M] () -- C:\Documents and Settings\Max Keller\Application Data\dwm.exe
PRC - [2011/05/07 20:53:25 | 001,679,360 | -HS- | M] (Microsoft Corporation) -- C:\Documents and Settings\Max Keller\Local Settings\Application Data\ulu.exe
PRC - [2011/03/01 23:14:08 | 000,190,808 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
PRC - [2010/01/15 07:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
PRC - [2009/10/07 02:49:50 | 001,157,640 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\LManager.exe
PRC - [2009/08/23 21:30:12 | 000,107,016 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\dsiwmis.exe
PRC - [2009/08/12 19:20:00 | 000,200,704 | ---- | M] () -- C:\WINDOWS\PLFSetI.exe
PRC - [2009/07/03 21:47:12 | 000,240,160 | ---- | M] (Acer) -- C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/07/03 18:58:22 | 000,094,208 | ---- | M] (sonix) -- C:\WINDOWS\PLFSetL.exe
PRC - [2008/06/24 17:06:06 | 001,840,424 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
PRC - [2008/04/18 00:54:02 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2008/04/18 00:53:58 | 000,178,712 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/07/06 17:47:26 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Max Keller\Desktop\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/04/14 07:00:00 | 000,270,336 | ---- | M] () -- C:\WINDOWS\orinolifetah.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (nosGetPlusHelper) getPlus®
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2010/01/15 07:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2009/08/23 21:30:12 | 000,107,016 | ---- | M] (Dritek System Inc.) [Auto | Running] -- C:\Program Files\Launch Manager\dsiwmis.exe -- (DsiWMIService)
SRV - [2009/07/03 21:47:12 | 000,240,160 | ---- | M] (Acer) [Auto | Running] -- C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe -- (Updater Service)
SRV - [2009/05/22 13:02:20 | 000,250,616 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/04/18 00:54:02 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®


========== Driver Services (SafeList) ==========

DRV - [2011/03/03 20:30:26 | 004,333,024 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC) Logitech Webcam 300(UVC)
DRV - [2011/03/03 20:29:00 | 000,291,424 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)
DRV - [2010/06/30 22:57:42 | 000,095,840 | ---- | M] (e2eSoft) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VCam_WDM.sys -- (VCam_WDM)
DRV - [2009/08/31 05:18:16 | 005,891,584 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009/05/06 21:15:38 | 001,759,744 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\snp2uvc.sys -- (SNP2UVC) USB2.0 PC Camera (SNP2UVC)
DRV - [2009/03/02 00:03:48 | 000,038,912 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l1c51x86.sys -- (L1c)
DRV - [2009/02/20 03:53:18 | 001,952,512 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2009/02/03 01:42:30 | 000,162,816 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV - [2008/08/05 07:10:12 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2007/02/21 07:53:22 | 000,192,512 | ---- | M] (MorningSound Co., Ltd.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\VirtualCam.sys -- (VirtualCam)
DRV - [2006/01/04 02:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=em250&r=0xph06103345l0444wuj5r4482623q
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=em250&r=0xph06103345l0444wuj5r4482623q


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-270800707-460486182-3293823761-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=em250&r=0xph06103345l0444wuj5r4482623q
IE - HKU\S-1-5-21-270800707-460486182-3293823761-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-270800707-460486182-3293823761-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-270800707-460486182-3293823761-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\S-1-5-21-270800707-460486182-3293823761-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:60545

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60310.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@photodex.com/PhotodexPresenter: C:\Program Files\Photodex Presenter\npPxPlay.dll ( )
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1: C:\Program Files\Yahoo!\Common\npyaxmpb.dll File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Max Keller\Local Settings\Application Data\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=8: C:\Documents and Settings\Max Keller\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Max Keller\Local Settings\Application Data\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\software\mozilla\Firefox\Extensions\\{3FD26EA0-FABA-4E96-BC98-7F92BC0A1A57}: C:\Documents and Settings\Max Keller\Local Settings\Application Data\{3FD26EA0-FABA-4E96-BC98-7F92BC0A1A57} [2011/04/30 00:05:52 | 000,000,000 | ---D | M]
FF - HKCU\software\mozilla\Firefox\Extensions\\{3FD26EA0-FABA-4E96-BC98-7F92BC0A1A57}: C:\Documents and Settings\Max Keller\Local Settings\Application Data\{3FD26EA0-FABA-4E96-BC98-7F92BC0A1A57} [2011/04/30 00:05:52 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2008/04/14 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-270800707-460486182-3293823761-1006\..\Toolbar\WebBrowser: (no name) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - No CLSID value found.
O3 - HKU\S-1-5-21-270800707-460486182-3293823761-1006\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O4 - HKLM..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\Drivers\AzMixerSel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [conhost] C:\Documents and Settings\Max Keller\Application Data\Microsoft\conhost.exe ()
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [Lwadelozug] C:\WINDOWS\orinolifetah.dll ()
O4 - HKLM..\Run: [LWS] C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe (Logitech Inc.)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NortonOnlineBackupReminder] C:\Program Files\Symantec\Norton Online Backup\Activation\NobuActivation.exe (Symantec Corporation)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PLFSetI] C:\WINDOWS\PLFSetI.exe ()
O4 - HKLM..\Run: [PLFSetL] C:\WINDOWS\PLFSetL.exe (sonix)
O4 - HKLM..\Run: [snp2uvc] C:\WINDOWS\System32\csnp2uvc.dll ( )
O4 - HKU\S-1-5-21-270800707-460486182-3293823761-1006..\Run: [Hpibuqob] C:\WINDOWS\asrbcwdl.dll (madshi.net)
O4 - HKU\S-1-5-21-270800707-460486182-3293823761-1006..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe (Nero AG)
O4 - HKU\S-1-5-21-270800707-460486182-3293823761-1006..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
F3 - HKU\S-1-5-21-270800707-460486182-3293823761-1006 WinNT: Load - (C:\DOCUME~1\MAXKEL~1\LOCALS~1\Temp\csrss.exe) - C:\Documents and Settings\Max Keller\Local Settings\Temp\csrss.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-270800707-460486182-3293823761-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} http://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab (Device Detection)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} http://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab (Photo Upload Plugin Class)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} http://www.photodex.com/pxplay.cab (Photodex Presenter AX control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-270800707-460486182-3293823761-1006 Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-270800707-460486182-3293823761-1006 Winlogon: Shell - (C:\Documents and Settings\Max Keller\Application Data\dwm.exe) - C:\Documents and Settings\Max Keller\Application Data\dwm.exe ()
O24 - Desktop WallPaper: C:\Documents and Settings\Max Keller\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Max Keller\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/11/06 11:46:44 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{ff5f7346-21d4-11e0-9f94-705ab61b3631}\Shell\Open\command - "" = C:\Program Files\VideoLAN\VLC\vlc.exe -- [2011/04/11 19:45:30 | 000,107,520 | ---- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-270800707-460486182-3293823761-1006..exefile [open] -- "C:\Documents and Settings\Max Keller\Local Settings\Application Data\ulu.exe" -a "%1" %* (Microsoft Corporation)
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-270800707-460486182-3293823761-1006\...exe [@ = exefile] -- "C:\Documents and Settings\Max Keller\Local Settings\Application Data\ulu.exe" -a "%1" %* (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2011/07/06 12:24:41 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Max Keller\Desktop\OTL.exe
[2011/07/05 10:59:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\McAfee
[2011/07/05 10:59:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee Security Scan Plus
[2011/07/02 01:27:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee Security Scan
[2011/07/02 01:27:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2011/07/02 01:27:45 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee Security Scan
[2011/07/02 01:21:42 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/07/02 01:21:08 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/07/02 01:21:08 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/07/02 01:21:08 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/06/30 00:13:46 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Max Keller\Start Menu\Programs\Administrative Tools
[2011/06/30 00:13:34 | 000,607,017 | R--- | C] (Swearware) -- C:\Documents and Settings\Max Keller\Desktop\dds.scr
[2011/06/16 01:15:31 | 000,356,352 | ---- | C] (eSellerate Inc.) -- C:\WINDOWS\eSellerateEngine.dll
[2011/06/16 01:15:31 | 000,081,920 | ---- | C] (eSellerate Inc.) -- C:\WINDOWS\eSellerateControl350.dll
[2011/06/16 01:15:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Adware . Rax Search Removal Tool
[2011/06/16 01:15:22 | 000,000,000 | ---D | C] -- C:\Program Files\Adware . Rax Search Removal Tool
[2011/06/16 01:14:53 | 021,138,402 | ---- | C] (Security Stronghold ) -- C:\Documents and Settings\Max Keller\Desktop\Adware.RaxSearchRemovalTool.exe
[2011/06/16 01:07:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Max Keller\Desktop\tdsskiller
[2011/06/16 00:54:32 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/06/16 00:54:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Max Keller\Start Menu\Programs\HiJackThis
[2011/06/16 00:46:15 | 001,441,584 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Max Keller\Desktop\tdsskiller.exe
[2011/05/07 20:53:25 | 001,679,360 | -HS- | C] (Microsoft Corporation) -- C:\Documents and Settings\Max Keller\Local Settings\Application Data\ulu.exe
[2010/01/08 23:48:05 | 000,196,608 | ---- | C] ( ) -- C:\WINDOWS\System32\csnp2uvc.dll
[2010/01/08 23:47:59 | 000,225,280 | ---- | C] ( ) -- C:\WINDOWS\System32\rsnp2uvc.dll
[24 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/07/06 17:47:26 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Max Keller\Desktop\OTL.exe
[2011/07/06 17:27:00 | 000,000,998 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-270800707-460486182-3293823761-1006UA.job
[2011/07/06 17:25:35 | 000,014,112 | -HS- | M] () -- C:\Documents and Settings\Max Keller\Local Settings\Application Data\124m11kv487y04u456u06gavfn5303746288g8m2f7
[2011/07/06 17:25:35 | 000,014,112 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\124m11kv487y04u456u06gavfn5303746288g8m2f7
[2011/07/06 17:22:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/07/06 17:01:00 | 000,000,244 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2011/07/06 12:18:47 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Max Keller\Desktop\gmer.exe
[2011/07/06 11:40:54 | 000,085,302 | ---- | M] () -- C:\Documents and Settings\Max Keller\Application Data\292A.5D1
[2011/07/06 11:25:56 | 000,002,001 | ---- | M] () -- C:\WINDOWS\Pzesabobit.dat
[2011/07/06 08:37:31 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Rdafin.bin
[2011/07/06 08:35:54 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/07/06 08:35:49 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/07/06 08:35:47 | 1063,194,624 | -HS- | M] () -- C:\hiberfil.sys
[2011/07/05 20:33:36 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/07/05 14:21:15 | 000,180,224 | ---- | M] () -- C:\Documents and Settings\Max Keller\Application Data\dwm.exe
[2011/07/05 13:23:02 | 000,152,064 | ---- | M] () -- C:\Documents and Settings\Max Keller\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/07/05 10:59:28 | 000,001,619 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Scan Plus.lnk
[2011/07/05 10:59:28 | 000,001,611 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
[2011/07/03 21:53:57 | 000,003,422 | ---- | M] () -- C:\WINDOWS\oleqikodadodexa.dll
[2011/07/01 09:27:01 | 000,000,946 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-270800707-460486182-3293823761-1006Core.job
[2011/06/30 22:43:42 | 000,456,548 | ---- | M] () -- C:\Documents and Settings\Max Keller\Desktop\hpqscan0001.jpg
[2011/06/30 10:18:22 | 000,002,303 | ---- | M] () -- C:\Documents and Settings\Max Keller\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/06/30 10:18:21 | 000,002,325 | ---- | M] () -- C:\Documents and Settings\Max Keller\Desktop\Google Chrome.lnk
[2011/06/30 00:26:10 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/06/30 00:13:45 | 000,607,017 | R--- | M] (Swearware) -- C:\Documents and Settings\Max Keller\Desktop\dds.scr
[2011/06/30 00:11:27 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Max Keller\defogger_reenable
[2011/06/30 00:11:07 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Max Keller\Desktop\Defogger.exe
[2011/06/20 21:14:38 | 001,441,584 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Max Keller\Desktop\tdsskiller.exe
[2011/06/16 01:15:32 | 000,001,903 | ---- | M] () -- C:\Documents and Settings\Max Keller\Desktop\Adware . Rax Search Removal Tool.lnk
[2011/06/16 01:15:07 | 021,138,402 | ---- | M] (Security Stronghold ) -- C:\Documents and Settings\Max Keller\Desktop\Adware.RaxSearchRemovalTool.exe
[2011/06/16 01:07:00 | 001,305,136 | ---- | M] () -- C:\Documents and Settings\Max Keller\Desktop\tdsskiller.zip
[2011/06/16 00:54:32 | 000,001,994 | ---- | M] () -- C:\Documents and Settings\Max Keller\Desktop\HiJackThis.lnk
[2011/06/15 22:21:16 | 000,000,401 | ---- | M] () -- C:\WINDOWS\ecujojulowuni.dll
[24 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/07/03 21:53:57 | 000,003,422 | ---- | C] () -- C:\WINDOWS\oleqikodadodexa.dll
[2011/07/02 01:27:47 | 000,001,619 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Scan Plus.lnk
[2011/07/02 01:27:47 | 000,001,611 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
[2011/06/30 22:43:42 | 000,456,548 | ---- | C] () -- C:\Documents and Settings\Max Keller\Desktop\hpqscan0001.jpg
[2011/06/30 00:11:27 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Max Keller\defogger_reenable
[2011/06/30 00:11:07 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Max Keller\Desktop\Defogger.exe
[2011/06/29 16:52:21 | 000,180,224 | ---- | C] () -- C:\Documents and Settings\Max Keller\Application Data\dwm.exe
[2011/06/16 01:15:32 | 000,001,903 | ---- | C] () -- C:\Documents and Settings\Max Keller\Desktop\Adware . Rax Search Removal Tool.lnk
[2011/06/16 01:06:57 | 001,305,136 | ---- | C] () -- C:\Documents and Settings\Max Keller\Desktop\tdsskiller.zip
[2011/06/16 00:54:32 | 000,001,994 | ---- | C] () -- C:\Documents and Settings\Max Keller\Desktop\HiJackThis.lnk
[2011/06/15 22:21:16 | 000,000,401 | ---- | C] () -- C:\WINDOWS\ecujojulowuni.dll
[2011/06/11 14:40:44 | 000,085,302 | ---- | C] () -- C:\Documents and Settings\Max Keller\Application Data\292A.5D1
[2011/05/07 20:53:51 | 000,014,112 | -HS- | C] () -- C:\Documents and Settings\Max Keller\Local Settings\Application Data\124m11kv487y04u456u06gavfn5303746288g8m2f7
[2011/05/07 20:53:51 | 000,014,112 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\124m11kv487y04u456u06gavfn5303746288g8m2f7
[2011/05/07 20:38:03 | 000,014,200 | -HS- | C] () -- C:\Documents and Settings\Max Keller\Local Settings\Application Data\gr8v2p81pd5c1
[2011/05/07 20:38:03 | 000,014,200 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\gr8v2p81pd5c1
[2011/04/30 00:05:53 | 000,002,001 | ---- | C] () -- C:\WINDOWS\Pzesabobit.dat
[2011/04/30 00:05:53 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Rdafin.bin
[2011/04/26 23:36:19 | 000,221,696 | ---- | C] () -- C:\WINDOWS\System32\vid_conv2.dll
[2011/04/26 23:36:19 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\vid_core2.dll
[2011/04/26 23:36:18 | 006,088,192 | ---- | C] () -- C:\WINDOWS\System32\vid_trans2.dll
[2011/04/26 23:36:18 | 000,731,136 | ---- | C] () -- C:\WINDOWS\System32\vid_format2.dll
[2011/04/26 23:36:18 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\viscomgifenc.dll
[2011/04/26 23:36:18 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\viscomtran.dll
[2011/04/26 23:36:18 | 000,069,560 | ---- | C] () -- C:\WINDOWS\System32\vid_multi2.dll
[2011/04/26 23:36:17 | 006,963,712 | ---- | C] () -- C:\WINDOWS\System32\videotrans.dll
[2011/04/26 23:36:17 | 000,452,608 | ---- | C] () -- C:\WINDOWS\System32\videoformat.dll
[2011/04/26 23:36:17 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2011/04/26 23:36:17 | 000,154,624 | ---- | C] () -- C:\WINDOWS\System32\imgscaler.dll
[2011/04/26 23:36:17 | 000,028,160 | ---- | C] () -- C:\WINDOWS\System32\img_utils.dll
[2011/04/26 23:36:17 | 000,019,456 | ---- | C] () -- C:\WINDOWS\System32\videocore.dll
[2011/03/22 23:58:22 | 000,014,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\iKeyLFT2.dll
[2011/03/03 20:26:22 | 010,877,272 | ---- | C] () -- C:\WINDOWS\System32\LogiDPP.dll
[2011/03/03 20:26:22 | 000,102,744 | ---- | C] () -- C:\WINDOWS\System32\LogiDPPApp.exe
[2011/03/03 20:26:16 | 000,331,608 | ---- | C] () -- C:\WINDOWS\System32\DevManagerCore.dll
[2011/03/03 20:14:50 | 000,027,362 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2011/01/16 20:24:11 | 000,000,141 | ---- | C] () -- C:\Documents and Settings\Max Keller\Application Data\default.pls
[2011/01/16 20:23:07 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2011/01/12 19:02:19 | 000,056,308 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/09/25 20:51:29 | 000,121,278 | ---- | C] () -- C:\WINDOWS\HPHins15.dat
[2010/09/25 20:51:29 | 000,002,885 | ---- | C] () -- C:\WINDOWS\hphmdl15.dat
[2010/07/20 16:04:53 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/07/19 10:32:16 | 001,053,056 | ---- | C] () -- C:\WINDOWS\System32\drivers\V2WCDRV.sys
[2010/07/11 17:14:57 | 000,152,064 | ---- | C] () -- C:\Documents and Settings\Max Keller\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/05 12:48:15 | 000,433,032 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/07/04 13:31:41 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/01/08 23:48:27 | 000,626,688 | ---- | C] () -- C:\WINDOWS\Image.dll
[2010/01/08 23:48:27 | 000,200,704 | ---- | C] () -- C:\WINDOWS\PLFSetI.exe
[2010/01/08 23:48:27 | 000,020,480 | ---- | C] () -- C:\WINDOWS\USB_VIDEO_REG.exe
[2010/01/08 23:48:05 | 000,028,544 | ---- | C] () -- C:\WINDOWS\System32\drivers\sncduvc.sys
[2010/01/08 23:48:04 | 001,759,744 | ---- | C] () -- C:\WINDOWS\System32\drivers\snp2uvc.sys
[2010/01/08 23:48:04 | 000,000,323 | ---- | C] () -- C:\WINDOWS\PidList.ini
[2009/11/06 15:16:36 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/11/06 14:15:58 | 000,000,168 | ---- | C] () -- C:\WINDOWS\ZH.INI
[2009/11/06 14:15:58 | 000,000,168 | ---- | C] () -- C:\WINDOWS\S3.INI
[2009/11/06 14:15:58 | 000,000,168 | ---- | C] () -- C:\WINDOWS\FR-CA.INI
[2009/11/06 14:15:58 | 000,000,168 | ---- | C] () -- C:\WINDOWS\EN-GB.INI
[2009/11/06 14:15:58 | 000,000,168 | ---- | C] () -- C:\WINDOWS\EN-CA.INI
[2009/11/06 14:14:47 | 000,189,796 | ---- | C] () -- C:\WINDOWS\System32\drivers\RTConvEQ.dat
[2009/11/06 14:14:47 | 000,001,112 | ---- | C] () -- C:\WINDOWS\System32\drivers\RtHdatEx.dat
[2009/11/06 14:14:47 | 000,000,712 | ---- | C] () -- C:\WINDOWS\System32\drivers\SamSfPa.dat
[2009/11/06 14:14:47 | 000,000,520 | ---- | C] () -- C:\WINDOWS\System32\drivers\RTEQEX2.dat
[2009/11/06 14:14:47 | 000,000,520 | ---- | C] () -- C:\WINDOWS\System32\drivers\RTEQEX1.dat
[2009/11/06 14:14:47 | 000,000,520 | ---- | C] () -- C:\WINDOWS\System32\drivers\RTEQEX0.dat
[2009/11/06 14:14:47 | 000,000,176 | ---- | C] () -- C:\WINDOWS\System32\drivers\RTHDAEQ0.dat
[2009/11/06 14:14:47 | 000,000,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\rtkhdaud.dat
[2009/11/06 14:14:03 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2009/11/06 11:49:54 | 000,032,768 | ---- | C] () -- C:\WINDOWS\AMove.exe
[2009/11/06 11:49:54 | 000,024,264 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2009/11/06 11:48:58 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/11/06 11:44:53 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/11/06 11:44:07 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2009/11/06 11:26:24 | 000,270,336 | ---- | C] () -- C:\WINDOWS\orinolifetah.dll
[2009/11/06 11:26:20 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2009/11/06 11:26:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2009/11/06 11:26:17 | 000,443,034 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/06 11:26:17 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2009/11/06 11:26:17 | 000,072,134 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2009/11/06 11:26:17 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2009/11/06 11:26:17 | 000,004,524 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2009/11/06 11:26:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2009/11/06 11:26:13 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2009/11/06 11:26:13 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2009/11/06 11:26:06 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2009/11/06 11:26:04 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2009/11/06 03:41:51 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/11/06 03:41:06 | 000,255,064 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Max Keller\Desktop\BBQ Guide.pdf:Roxio EMC Stream
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BA9BD0C2

< End of report >

-----------------------------------------------------------------------------------------------------------------

OTL Extras logfile created on: 7/6/2011 5:48:40 PM - Run 1
OTL by OldTimer - Version 3.2.26.0 Folder = C:\Documents and Settings\Max Keller\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.87 Mb Total Physical Memory | 406.22 Mb Available Physical Memory | 40.07% Memory free
2.38 Gb Paging File | 1.88 Gb Available in Paging File | 78.70% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 139.04 Gb Total Space | 105.15 Gb Free Space | 75.63% Space Free | Partition Type: NTFS

Computer Name: EMACHINE-97610C | User Name: Max Keller | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-270800707-460486182-3293823761-1006\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- C:\Documents and Settings\Max Keller\Local Settings\Application Data\ulu.exe (Microsoft Corporation)
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe" = C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:*:Enabled:Microsoft Office Live Meeting 2007 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe" = C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:*:Enabled:Microsoft Office Live Meeting 2007 -- (Microsoft Corporation)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{08234a0d-cf39-4dca-99f0-0c5cb496da81}" = Bing Bar
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{08610298-29AE-445B-B37D-EFBE05802967}" = LWS Pictures And Video
"{0A2B20E9-C2DF-4A56-9560-F158102ECE2F}" = CourseSmart Bookshelf
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ4803" = CanoScan 4400F
"{138A4072-9E64-46BD-B5F9-DB2BB395391F}" = LWS VideoEffects
"{15634701-BACE-4449-8B25-1567DA8C9FD3}" = CameraHelperMsi
"{1651216E-E7AD-4250-92A1-FB8ED61391C9}" = LWS Help_main
"{174A3B31-4C43-43DD-866F-73C9DB887B48}" = LWS Twitter
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{21DF0294-6B9D-4741-AB6F-B2ABFBD2387E}" = LWS YouTube Plugin
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java™ 6 Update 26
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
"{33F42836-EDFF-44E2-99ED-525CCE864C90}" = Adobe Flash Media Live Encoder 3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{399C37FB-08AF-493B-BFED-20FBD85EDF7F}" = WebCam
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = erLT
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{67E03279-F703-408F-B4BF-46B5FC8D70CD}" = Microsoft Works
"{6F76EC3C-34B1-436E-97FB-48C58D7BEDCD}" = LWS Gallery
"{71E66D3F-A009-44AB-8784-75E2819BA4BA}" = LWS Motion Detection
"{75C22B40-6D12-4439-80DC-CAB3313EADA5}" = dj_sf_software_req
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7760D94E-B1B5-40A0-9AA0-ABF942108755}" = Video Web Camera
"{7F811A54-5A09-4579-90E1-C93498E230D9}" = eMachines Recovery Management
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{82EF29B1-9B60-4142-A155-0599216DD053}" = LightScribe System Software
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83C8FA3C-F4EA-46C4-8392-D3CE353738D6}" = LWS Launcher
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{853A4763-6643-4604-8D64-28BDD8925F4C}" = Apple Application Support
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{881F5DE8-9367-4B81-A325-E91BBC6472F9}" = iTunes
"{8937D274-C281-42E4-8CDB-A0B2DF979189}" = LWS Webcam Software
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{96AE7E41-E34E-47D0-AC07-1091A8127911}" = USB2.0 Card Reader Software
"{9DAEA76B-E50F-4272-A595-0124E826553D}" = LWS WLM Plugin
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC0232B4-2B5B-4C2A-8ED4-E66064161033}" = Nero 8 Essentials
"{AC76BA86-7AD7-FFFF-7B44-A91000000001}" = Adobe Reader 9.1 MUI
"{BCC7E198-1D10-4B55-956E-550A196F8056}" = Microsoft Office Live Meeting 2007
"{BD01E97F-2A6A-495E-BE38-22C7B80F3CD7}" = Cheetah DVD Burner
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C57BCDE1-7CB9-467D-B3BA-7E119916CDC1}" = Norton Online Backup
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D40EB009-0499-459c-A8AF-C9C110766215}" = Logitech Webcam Software
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{E0B19DF7-B1C7-4937-82C4-0E4B1E346965}" = eBay Worldwide
"{E0C18BB0-32CA-4679-B422-9B9FA825378F}" = HP Deskjet Printer Driver Software 9.0
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox
"{EE171732-BEB4-4576-887D-CB62727F01CA}" = eMachines Updater
"{EED027B7-0DB6-404B-8F45-6DFEE34A0441}" = LWS Video Mask Maker
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FF167195-9EE4-46C0-8CD7-FBA3457E88AB}" = LWS Facebook
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Adware . Rax Search Removal Tool_is1" = Adware . Rax Search Removal Tool
"Amazon Kindle For PC" = Amazon Kindle For PC v1.1
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.12 (Unicode)
"CanoScan Toolbox 5.0" = Canon CanoScan Toolbox 5.0
"eMachines Screensaver" = eMachines ScreenSaver
"HDMI" = Intel® Graphics Media Accelerator Driver
"Identity Card" = Identity Card
"ie8" = Windows Internet Explorer 8
"LManager" = Launch Manager
"ManyCam" = ManyCam 2.6.1 (remove only)
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Photodex Presenter" = Photodex Presenter
"Plagiarism-Detector" = Plagiarism-Detector
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Viper" = Viper 1.5.00
"VLC media player" = VLC media player 1.1.9
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"WildTangent emachines Master Uninstall" = eMachines Games
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update
"YInstHelper" = Yahoo! Install Manager

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-270800707-460486182-3293823761-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/2/2011 4:38:14 PM | Computer Name = EMACHINE-97610C | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 15656

Error - 7/5/2011 1:36:16 PM | Computer Name = EMACHINE-97610C | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 7/5/2011 1:36:29 PM | Computer Name = EMACHINE-97610C | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module urlmon.dll, version 8.0.6001.19048, fault address 0x00007157.

Error - 7/5/2011 1:58:42 PM | Computer Name = EMACHINE-97610C | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 7/5/2011 1:58:42 PM | Computer Name = EMACHINE-97610C | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 62094

Error - 7/5/2011 1:58:42 PM | Computer Name = EMACHINE-97610C | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 62094

Error - 7/6/2011 12:05:08 AM | Computer Name = EMACHINE-97610C | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module mshtml.dll, version 8.0.6001.19046, fault address 0x000ec585.

Error - 7/6/2011 12:05:37 AM | Computer Name = EMACHINE-97610C | Source = Application Error | ID = 1001
Description = Fault bucket -1899440295.

Error - 7/6/2011 12:06:59 AM | Computer Name = EMACHINE-97610C | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module mshtml.dll, version 8.0.6001.19046, fault address 0x000ec585.

Error - 7/6/2011 12:07:11 AM | Computer Name = EMACHINE-97610C | Source = Application Error | ID = 1001
Description = Fault bucket -1899440295.

[ System Events ]
Error - 7/3/2011 6:15:35 PM | Computer Name = EMACHINE-97610C | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address C417FE2B40EB. The following
error occurred: %%1223. Your computer will continue to try and obtain an address
on its own from the network address (DHCP) server.

Error - 7/3/2011 8:19:10 PM | Computer Name = EMACHINE-97610C | Source = Service Control Manager | ID = 7000
Description = The VirtualCamera service failed to start due to the following error:
%%1058

Error - 7/3/2011 10:51:49 PM | Computer Name = EMACHINE-97610C | Source = Service Control Manager | ID = 7000
Description = The VirtualCamera service failed to start due to the following error:
%%1058

Error - 7/3/2011 11:50:37 PM | Computer Name = EMACHINE-97610C | Source = Service Control Manager | ID = 7000
Description = The VirtualCamera service failed to start due to the following error:
%%1058

Error - 7/4/2011 10:29:01 AM | Computer Name = EMACHINE-97610C | Source = Service Control Manager | ID = 7000
Description = The VirtualCamera service failed to start due to the following error:
%%1058

Error - 7/4/2011 11:20:02 AM | Computer Name = EMACHINE-97610C | Source = Service Control Manager | ID = 7000
Description = The VirtualCamera service failed to start due to the following error:
%%1058

Error - 7/4/2011 4:45:27 PM | Computer Name = EMACHINE-97610C | Source = Service Control Manager | ID = 7000
Description = The VirtualCamera service failed to start due to the following error:
%%1058

Error - 7/5/2011 1:20:14 AM | Computer Name = EMACHINE-97610C | Source = Service Control Manager | ID = 7000
Description = The VirtualCamera service failed to start due to the following error:
%%1058

Error - 7/5/2011 11:23:30 AM | Computer Name = EMACHINE-97610C | Source = Service Control Manager | ID = 7000
Description = The VirtualCamera service failed to start due to the following error:
%%1058

Error - 7/6/2011 9:35:57 AM | Computer Name = EMACHINE-97610C | Source = Service Control Manager | ID = 7000
Description = The VirtualCamera service failed to start due to the following error:
%%1058


< End of report >

#6 sempai
  • Malware Response Team
  • 5,288 posts

Posted 07 July 2011 - 09:04 AM

Hi,

The computer is heavily infected. Do not make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.



:step1: Backup Your Registry with ERUNT
  • Please download ERUNT.
  • Follow the detailed instructions HERE on how to install and run ERUNT.
  • Make sure that you have successfully installed and ran ERUNT before proceeding with the next instruction.



:step2: Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scan/Fixes text box.

    :OTL
    PRC - [2011/07/05 14:22:40 | 000,168,960 | ---- | M] () -- C:\Documents and Settings\Max Keller\Application Data\Microsoft\conhost.exe
    PRC - [2011/07/05 14:22:16 | 000,187,392 | ---- | M] () -- C:\Documents and Settings\Max Keller\Local Settings\Temp\csrss.exe
    PRC - [2011/07/05 14:21:15 | 000,180,224 | ---- | M] () -- C:\Documents and Settings\Max Keller\Application Data\dwm.exe
    PRC - [2011/05/07 20:53:25 | 001,679,360 | -HS- | M] (Microsoft Corporation) -- C:\Documents and Settings\Max Keller\Local Settings\Application Data\ulu.exe
    IE - HKU\S-1-5-21-270800707-460486182-3293823761-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\S-1-5-21-270800707-460486182-3293823761-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
    IE - HKU\S-1-5-21-270800707-460486182-3293823761-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:60545
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1: C:\Program Files\Yahoo!\Common\npyaxmpb.dll File not found
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=8: C:\Documents and Settings\Max Keller\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll File not found
    FF - HKLM\software\mozilla\Firefox\Extensions\\{3FD26EA0-FABA-4E96-BC98-7F92BC0A1A57}: C:\Documents and Settings\Max Keller\Local Settings\Application Data\{3FD26EA0-FABA-4E96-BC98-7F92BC0A1A57} [2011/04/30 00:05:52 | 000,000,000 | ---D | M]
    FF - HKCU\software\mozilla\Firefox\Extensions\\{3FD26EA0-FABA-4E96-BC98-7F92BC0A1A57}: C:\Documents and Settings\Max Keller\Local Settings\Application Data\{3FD26EA0-FABA-4E96-BC98-7F92BC0A1A57} [2011/04/30 00:05:52 | 000,000,000 | ---D | M]
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O3 - HKU\S-1-5-21-270800707-460486182-3293823761-1006\..\Toolbar\WebBrowser: (no name) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - No CLSID value found.
    O4 - HKLM..\Run: [conhost] C:\Documents and Settings\Max Keller\Application Data\Microsoft\conhost.exe ()
    O4 - HKLM..\Run: [Lwadelozug] C:\WINDOWS\orinolifetah.dll ()
    O4 - HKU\S-1-5-21-270800707-460486182-3293823761-1006..\Run: [Hpibuqob] C:\WINDOWS\asrbcwdl.dll (madshi.net)
    F3 - HKU\S-1-5-21-270800707-460486182-3293823761-1006 WinNT: Load - (C:\DOCUME~1\MAXKEL~1\LOCALS~1\Temp\csrss.exe) - C:\Documents and Settings\Max Keller\Local Settings\Temp\csrss.exe ()
    O20 - HKU\S-1-5-21-270800707-460486182-3293823761-1006 Winlogon: Shell - (C:\Documents and Settings\Max Keller\Application Data\dwm.exe) - C:\Documents and Settings\Max Keller\Application Data\dwm.exe ()
    O35 - HKU\S-1-5-21-270800707-460486182-3293823761-1006..exefile [open] -- "C:\Documents and Settings\Max Keller\Local Settings\Application Data\ulu.exe" -a "%1" %* (Microsoft Corporation)
    O37 - HKU\S-1-5-21-270800707-460486182-3293823761-1006\...exe [@ = exefile] -- "C:\Documents and Settings\Max Keller\Local Settings\Application Data\ulu.exe" -a "%1" %* (Microsoft Corporation
    [2011/07/06 17:25:35 | 000,014,112 | -HS- | M] () -- C:\Documents and Settings\Max Keller\Local Settings\Application Data\124m11kv487y04u456u06gavfn5303746288g8m2f7
    [2011/07/06 17:25:35 | 000,014,112 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\124m11kv487y04u456u06gavfn5303746288g8m2f7
    [2011/07/06 11:40:54 | 000,085,302 | ---- | M] () -- C:\Documents and Settings\Max Keller\Application Data\292A.5D1
    [2011/07/06 11:25:56 | 000,002,001 | ---- | M] () -- C:\WINDOWS\Pzesabobit.dat
    [2011/07/06 08:37:31 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Rdafin.bin
    [2011/07/03 21:53:57 | 000,003,422 | ---- | M] () -- C:\WINDOWS\oleqikodadodexa.dll
    [2011/06/15 22:21:16 | 000,000,401 | ---- | M] () -- C:\WINDOWS\ecujojulowuni.dll
    [2011/05/07 20:38:03 | 000,014,200 | -HS- | C] () -- C:\Documents and Settings\Max Keller\Local Settings\Application Data\gr8v2p81pd5c1
    [2011/05/07 20:38:03 | 000,014,200 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\gr8v2p81pd5c1
    
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "AntiVirusDisableNotify"=-
    "FirewallDisableNotify"=-
    "UpdatesDisableNotify"=-
    "AntiVirusOverride"=-
    "FirewallOverride"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications"=dword:00000000
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [REBOOT] 
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • A message box "Fix complete! Click OK to open the fix log." will pop-up.
  • Click the OK button and a report will open.
  • Copy and Paste that report in your next reply.

~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#7 Max K
  • Topic Starter
  • Members
  • 14 posts

Posted 07 July 2011 - 11:51 AM

When I enter the code in OTL and hit Run Fix, I get a blue screen and then the system reboots.

#8 sempai
  • Malware Response Team
  • 5,288 posts

Posted 08 July 2011 - 04:30 AM

Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.



  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Please do not mouseclick ComboFix's window while it's running because it may cause it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp



#9 Max K
  • Topic Starter
  • Members
  • 14 posts

Posted 09 July 2011 - 04:51 PM

ComboFix 11-07-08.03 - Max Keller 07/09/2011 9:03.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.592 [GMT -5:00]
Running from: c:\documents and settings\Max Keller\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Max Keller\Application Data\dwm.exe
c:\documents and settings\Max Keller\Application Data\Microsoft\conhost.exe
c:\documents and settings\Max Keller\Local Settings\Application Data\{3FD26EA0-FABA-4E96-BC98-7F92BC0A1A57}
c:\documents and settings\Max Keller\Local Settings\Application Data\{3FD26EA0-FABA-4E96-BC98-7F92BC0A1A57}\chrome.manifest
c:\documents and settings\Max Keller\Local Settings\Application Data\{3FD26EA0-FABA-4E96-BC98-7F92BC0A1A57}\chrome\content\_cfg.js
c:\documents and settings\Max Keller\Local Settings\Application Data\{3FD26EA0-FABA-4E96-BC98-7F92BC0A1A57}\chrome\content\overlay.xul
c:\documents and settings\Max Keller\Local Settings\Application Data\{3FD26EA0-FABA-4E96-BC98-7F92BC0A1A57}\install.rdf
c:\windows\asrbcwdl.dll
c:\windows\ecujojulowuni.dll
c:\windows\oleqikodadodexa.dll
c:\windows\orinolifetah.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000010_.tmp.dll
c:\windows\system32\_000023_.tmp.dll
c:\windows\system32\_000024_.tmp.dll
c:\windows\system32\_000025_.tmp.dll
c:\windows\system32\_000026_.tmp.dll
c:\windows\system32\AutoRun.inf
c:\windows\system32\vid_conv2.dll
c:\windows\system32\vid_core2.dll
c:\windows\system32\vid_format2.dll
c:\windows\system32\vid_multi2.dll
c:\windows\vb.ini
.
.
((((((((((((((((((((((((( Files Created from 2011-06-09 to 2011-07-09 )))))))))))))))))))))))))))))))
.
.
2011-07-07 15:43 . 2011-07-07 15:43 -------- d-----w- C:\_OTL
2011-07-07 15:39 . 2011-07-07 15:39 -------- d-----w- c:\program files\ERUNT
2011-07-05 15:59 . 2011-07-05 15:59 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2011-07-02 06:27 . 2011-07-02 06:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-07-02 06:27 . 2011-07-02 06:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2011-07-02 06:27 . 2011-07-05 15:59 -------- d-----w- c:\program files\McAfee Security Scan
2011-07-02 06:21 . 2011-07-02 06:21 -------- d-----w- c:\program files\Common Files\Java
2011-06-16 06:15 . 2010-10-13 14:38 81920 ----a-w- c:\windows\eSellerateControl350.dll
2011-06-16 06:15 . 2010-10-13 14:38 356352 ----a-w- c:\windows\eSellerateEngine.dll
2011-06-16 06:15 . 2011-06-16 06:17 -------- d-----w- c:\program files\Adware . Rax Search Removal Tool
2011-06-16 05:54 . 2011-06-16 05:54 388096 ----a-r- c:\documents and settings\Max Keller\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-16 05:54 . 2011-06-16 05:54 -------- d-----w- c:\program files\Trend Micro
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-30 05:26 . 2011-05-18 05:00 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-08 01:53 . 2011-05-08 01:53 1679360 --sha-w- c:\documents and settings\Max Keller\Local Settings\Application Data\ulu.exe
2011-05-04 09:52 . 2010-09-23 01:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 07:25 . 2010-09-23 01:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-20 05:18 . 2011-04-20 05:18 53248 ----a-r- c:\documents and settings\Max Keller\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-26 20:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-06 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-18 178712]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-10-07 1157640]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-24 18702336]
"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2006-07-17 53248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"NortonOnlineBackupReminder"="c:\program files\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-07-25 588648]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PLFSetL"="c:\windows\PLFSetL.exe" [2008-07-03 94208]
"snp2uvc"="c:\windows\system32\csnp2uvc.dll" [2009-02-17 196608]
"PLFSetI"="c:\windows\PLFSetI.exe" [2009-08-13 200704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-09-03 1557800]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-03-02 190808]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\Max Keller\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
.
R2 DsiWMIService;Dritek WMI Service;c:\program files\Launch Manager\dsiwmis.exe [11/6/2009 11:27 AM 107016]
R2 Updater Service;Updater Service;c:\program files\eMachines\eMachines Updater\UpdaterService.exe [11/6/2009 2:36 PM 240160]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [11/6/2009 11:27 AM 38912]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/24/2010 7:37 PM 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [11/6/2009 2:14 PM 1684736]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/24/2010 7:37 PM 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [11/6/2009 11:26 AM 14336]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [11/6/2009 2:09 PM 162816]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
S3 VCam_WDM;e2eSoft VCam;c:\windows\system32\drivers\VCam_WDM.sys [8/28/2010 2:49 PM 95840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 18:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-25 00:37]
.
2011-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-25 00:37]
.
2011-07-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-270800707-460486182-3293823761-1006Core.job
- c:\documents and settings\Max Keller\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 14:17]
.
2011-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-270800707-460486182-3293823761-1006UA.job
- c:\documents and settings\Max Keller\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 14:17]
.
2011-07-08 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 20:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=em250&r=0xph06103345l0444wuj5r4482623q
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:60545
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Hpibuqob - c:\windows\asrbcwdl.dll
HKLM-Run-Lwadelozug - c:\windows\orinolifetah.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-09 09:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-07-09 09:13:52
ComboFix-quarantined-files.txt 2011-07-09 14:13
.
Pre-Run: 112,570,449,920 bytes free
Post-Run: 113,390,784,512 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 81B09B72B7DDE3BB0AC90392B2AF75B3

#10 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:03:40 PM

Posted 10 July 2011 - 09:00 AM

Asksbar/Ask Toolbar warning:
I strongly suggest that you uninstall Asksbar/Ask Toolbar. Some of the bad practices of this toolbar are:
  • Promoting its toolbars on sites targeted to kids. Details.
  • Promoting its toolbars through ads that appear to be part of other companies' sites. Details.
  • Promoting its toolbars through other companies' spyware. Details.
  • Installing without any disclosure whatsoever and without any consent whatsoever. Details.
  • Soliciting installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link. Details.
  • Making confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit. Details.
Please read the full details HERE.



We need to execute a ComboFix script.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy-paste the text in the code box below into it:

File::
c:\documents and settings\Max Keller\Local Settings\Application Data\ulu.exe

DDS::
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:60545

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=dword:00000000

4. Save this as CFScript.txt, in the same location as ComboFix.exe



5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 
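As an added example that is not part of the original thread or of ComboFix: a PowerShell audit of the settings the CFScript above resets, namely a loopback proxy in the IE Internet Settings (the log shows http=127.0.0.1:60545, which funnels every browser request through a local process) and the Security Center / firewall notification override values. Run it as an administrator; without -Remediate it only reports.

```powershell
# Added example, not from the thread: check for the redirect-related settings
# that the CFScript above resets, and optionally restore the defaults.
param([switch]$Remediate)

$ieKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$findings = @()

# 1. A proxy pointing at the local machine (127.0.0.1:60545 in this log)
#    means the browser is talking to a local process instead of the network.
$ie = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue
if ($ie.ProxyServer -match '(127\.0\.0\.1|localhost):\d+') {
    $findings += "Loopback proxy configured: $($ie.ProxyServer) (ProxyEnable=$($ie.ProxyEnable))"
    if ($Remediate) {
        Remove-ItemProperty -Path $ieKey -Name ProxyServer -ErrorAction SilentlyContinue
        Set-ItemProperty -Path $ieKey -Name ProxyEnable -Value 0 -Type DWord
    }
}

# 2. These values, when set to 1, silence Security Center and firewall
#    warnings about disabled protection; the CFScript sets all three to 0.
$overrides = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusOverride' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallOverride' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
       Name = 'DisableNotifications' }
)
foreach ($o in $overrides) {
    $value = (Get-ItemProperty -Path $o.Key -Name $o.Name -ErrorAction SilentlyContinue).($o.Name)
    if ($value -eq 1) {
        $findings += "$($o.Name) is 1 under $($o.Key) (warnings suppressed)"
        if ($Remediate) {
            Set-ItemProperty -Path $o.Key -Name $o.Name -Value 0 -Type DWord
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No loopback proxy or suppressed security warnings found.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    if ($Remediate) { Write-Output 'Settings reset; restart the browser to apply.' }
}
```

A loopback proxy is not always malicious (local filtering tools use one too), so confirm which process listens on the port before removing it.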


#11 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:03:40 PM

Posted 14 July 2011 - 06:54 AM

Do you still need help?

~Semp



#12 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:03:40 PM

Posted 16 July 2011 - 08:15 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

~Semp





