Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Boot Loop and trojans


  • This topic is locked This topic is locked
41 replies to this topic

#1 Cyhex

Cyhex

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:26 AM

Posted 01 July 2011 - 03:29 AM

Running Vista, getting a boot loop error with normal boot. However Safemode boots just fine. One of the services/start ups seems to be crashing it and starting the boot over and over again from what i've read.

Problem is I can't save any changes in msconfig to narrow it down. I've ran malwarebytes quite a few times always finding registry errors and this cleanddm.exe file I can't seem to get rid of. Its even in msconfig>startups

The original virus I saw on this computer was Vista Anti-virus Software 2012. Typical fake anti program that takes over normal funtions. Malware took care of most of it, but i'm stumped with this boot loop and can't alter msconfig. I can already tell someone put limewire on this computer, but i'm stuck in safe mode and having problems uninstalling programs because I can't get windows installer to start up.

These logs are all pulled while in safemode being I can't get in normal mode. And half the time restarting in safemode it doesn't properly shutdown. Hopin a massive wipe of viruses will let me have access back to normal mode so I can continue fixing this thing.

ps. I've already ran a check disk on this drive from a bootable cd, everything came back ok.


.
DDS (Ver_2011-06-23.01) - NTFSx86 NETWORK
Internet Explorer: 7.0.6001.18000
Run by coleman1 at 1:46:06 on 2011-07-01
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1978.1537 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\coleman1\Downloads\Defogger.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [cleanddm] c:\windows\system32\config\systemprofile\appdata\local\cleanddm.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [765705838] c:\windows\system32\config\systemprofile\appdata\local\bon.exe
StartupFolder: c:\users\coleman1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~1.0_0\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8541DE38-3B81-42A4-A42F-9707DA19894D} : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{F2AFB4E5-A1E8-415B-A7B3-A433B3227715} : DhcpNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2008-10-23 365952]
S2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [2008-1-20 21504]
S3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-10-23 193840]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-29 112128]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-3-16 39984]
.
=============== File Associations ===============
.
exefile="c:\windows\system32\config\systemprofile\appdata\local\bon.exe" -a "%1" %*
.
=============== Created Last 30 ================
.
2011-07-01 06:11:58 54016 ----a-w- c:\windows\system32\drivers\mbakq.sys
2011-07-01 03:17:54 54016 ----a-w- c:\windows\system32\drivers\ieluj.sys
2011-07-01 02:59:28 -------- d-----w- c:\windows\pss
2011-06-30 17:55:17 54016 ----a-w- c:\windows\system32\drivers\tutnksbk.sys
2011-06-29 12:32:30 54016 ----a-w- c:\windows\system32\drivers\paqcwib.sys
2011-06-27 01:22:21 7074640 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{4a9f3282-6580-435c-a893-ec6b3ebcbdb5}\mpengine.dll
2011-06-18 00:40:32 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-18 00:40:32 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-18 00:40:02 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-06-17 00:06:08 563200 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-17 00:06:06 738816 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-17 00:06:04 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-17 00:06:04 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-17 00:06:04 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-03 02:55:01 -------- d-----w- c:\users\coleman1\appdata\roaming\Kodak
2011-06-03 02:47:22 -------- d-----w- c:\program files\Kodak
2011-06-03 02:47:22 -------- d-----w- c:\program files\common files\Kodak
2011-06-03 02:46:27 -------- d-----w- c:\programdata\{A2A58654-12AA-408A-B411-58A76959BE7F}
2011-06-02 02:23:06 -------- d-----w- c:\windows\system32\EventProviders
.
==================== Find3M ====================
.
2011-06-01 03:21:47 101897 ----a-w- c:\users\coleman1\utorrent.exe
2011-05-29 14:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 14:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-25 00:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-21 15:00:34 833024 ----a-w- c:\windows\system32\wininet.dll
2011-04-21 14:57:48 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-04-21 13:28:42 389632 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:16:42 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-04-21 13:08:37 1383424 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 1:48:46.46 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:26 AM

Posted 02 July 2011 - 05:26 PM

Hi Cyhex,

Welcome to BC. I wounder if you still have not resolved the issue and need assistance.

#3 Cyhex

Cyhex
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:26 AM

Posted 02 July 2011 - 06:01 PM

Still haven't fixed it.

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:26 AM

Posted 02 July 2011 - 06:32 PM

Besides other thing the log shows a hijacked exe file association. Are you able to run the programs or exe files without trouble?

#5 Cyhex

Cyhex
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:26 AM

Posted 02 July 2011 - 08:38 PM

every function i've done in safemode is normal other than msconfig not saving. Exe's work just fine.

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:26 AM

Posted 03 July 2011 - 05:27 AM

Your log(s) show that you are using so called peer-to-peer or file-sharing programs. These programs allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  • Please download TDSSKiller.zip and and extract it.
    • Run TDSSKiller.exe.
    • Click Start scan.
    • When it is finished the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Let the options as it is and click Continue
    • Let reboot if needed and tell me if the tool needed a reboot.
    • Click on Report and post the contents of the text file that will open.

      Note: By default, the utility outputs the log into system disk (it is usually the disk with installed operating system, C:\) root folder. The Log have a name like: TDSSKiller.Version_Date_Time_log.txt.
  • Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Click Run Scan button.
    • Two reports will open, copy and paste OTL.txt and attacht Extra.txt to your reply:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


#7 Cyhex

Cyhex
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:26 AM

Posted 03 July 2011 - 11:00 AM

TDS kill found nothing wrong. text report attached.

OTL Extras logfile created on: 7/3/2011 10:53:16 AM - Run 1
OTL by OldTimer - Version 3.2.25.0 Folder = C:\Users\coleman1\Downloads
Windows Vista Home Basic Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.93 Gb Total Physical Memory | 1.47 Gb Available Physical Memory | 76.33% Memory free
2.11 Gb Paging File | 1.81 Gb Available in Paging File | 85.91% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 138.70 Gb Total Space | 107.00 Gb Free Space | 77.15% Space Free | Partition Type: NTFS
Drive D: | 10.34 Gb Total Space | 1.78 Gb Free Space | 17.17% Space Free | Partition Type: NTFS

Computer Name: COLEMAN1-PC | User Name: coleman1 | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\bon.exe" -a "%1" %*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\bon.exe" -a "%1" %*

[HKEY_USERS\S-1-5-18\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\bon.exe" -a "%1" %*

[HKEY_USERS\S-1-5-21-3455773754-680829388-558989387-1000\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "C:\Windows\system32\config\systemprofile\AppData\Local\bon.exe" -a "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{28ADEDE1-A4D5-42D8-9B05-BF7C283C4061}" = lport=10725 | protocol=6 | dir=in | name=spport |
"{28ADEDE1-A4D5-42D8-9B05-BF7C283C4062}" = lport=10725 | protocol=6 | dir=out | name=spport |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00F1A93B-502C-449E-AA33-4161A25D37DF}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{04D038ED-5A9E-45B5-99F5-63B3F46AEFBA}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{28ADEDE1-A4D5-42D8-9B05-BF7C283C4059}" = protocol=6 | dir=in | app=c:\windows\system32\svchost.exe |
"{28ADEDE1-A4D5-42D8-9B05-BF7C283C4060}" = protocol=6 | dir=out | app=c:\windows\system32\svchost.exe |
"{9ED681DE-0FCB-4862-934C-E7A6B010BA82}" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"{A85E7FA2-D7DE-4E94-8F8D-59BF3812FF78}" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"{AD53FB05-39B5-48E3-B342-77B5BDC6EAC7}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{B5039AFF-9D80-4F9C-83D8-84BC709EFBD6}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{BCFB0516-15EC-4FD6-A30A-83E98F368413}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{D53B8B7E-D3B8-4479-B152-393894654F29}" = dir=in | app=c:\program files\cyberlink\powerdirector\pdr.exe |
"{E6F24DE9-A58D-4E0E-BEE7-AC097A96C666}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{E96EDA60-46EA-4A10-A40C-30DBB39DFA3C}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{E990DB64-E82A-490C-9BFC-58A0A9DBB922}" = dir=in | app=c:\program files\hp\quickplay\qp.exe |
"{F3B215A1-F050-4DEE-932D-30EA7D61BEBD}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{F6AB66A4-FAEA-4269-8E9C-6A93387E142F}" = dir=in | app=c:\program files\hp\quickplay\qpservice.exe |
"TCP Query User{F1160241-D469-4183-97B8-C66729F3C1FA}C:\program files\limewire\limewire.exe" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"UDP Query User{034A953E-B8C5-4B54-A92D-F51561CEDD8E}C:\program files\limewire\limewire.exe" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{0054A0F6-00C9-4498-B821-B5C9578F433E}" = HP Help and Support
"{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{1E5E2F9A-17D3-45CA-8FF0-B0C2927D4B03}" = MobileMe Control Panel
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"{2A697B53-0DE3-42DA-B41D-C3F804B1C538}" = iTunes
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{2DC94AFD-A6E2-4AB4-9132-4A3F8E07B386}" = Apple Application Support
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.40 H2
"{352310C3-E46B-42D3-8F32-54721FDD72D9}" = NetZero Preloader
"{3877C901-7B90-4727-A639-B6ED2DD59D43}" = ESU for Microsoft Vista
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"{415B2719-AD3A-4944-B404-C472DB6085B3}" = Cisco EAP-FAST Module
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP DVD Play 3.7
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{57A5AEC1-97FC-474D-92C4-908FCC2253D4}" = HP Customer Experience Enhancements
"{6423EF83-6E1D-4D22-A36F-689CD19FD4D2}" = Juno Preloader
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{669C7BD8-DAA2-49B6-966C-F1E2AAE6B17E}" = Cisco PEAP Module
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{83770D14-21B9-44B3-8689-F7B523F94560}" = Cisco LEAP Module
"{846DDADA-0239-4B67-A6B1-33658863793B}" = HPTCSSetup
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{96384578-C6A2-4EC6-92CD-B62A60713040}" = Microsoft Live Search Toolbar
"{9A5909B3-8CF3-4E06-92A8-F3CB7C97EF20}" = KODAK Share Button App
"{9ADABDDE-9644-461B-9E73-83FA3EFCAB50}" = HP Wireless Assistant
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A67BB21E-D419-45BB-AB86-7D87D14BBCE2}" = Safari
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AD72CFB4-C2BF-424E-9DF0-C7BAD1F30A11}" = Adobe Shockwave Player
"{B6D0B141-B2BE-4DD0-B08F-B9186F3E36B3}" = HP User Guides 0118
"{C3A32068-8AB1-4327-BB16-BED9C6219DC7}" = Atheros Driver Installation Program
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}" = HP Update
"{CACAEB5F-174D-4C7C-AC56-A33289A807CA}" = Apple Mobile Device Support
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DD35C328-F115-BEDA-6EEE-E00C5AACCCBC}" = muvee Reveal
"{E503B4BF-F7BB-3D5F-8BC8-F694B1CFF942}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
"{FB26A501-6BA6-459B-89AA-9736730752FB}" = VoiceOver Kit
"3D970B9F930E7AAE23C06D39A1AC98548C90B442" = Windows Driver Package - Eastman Kodak KODAK Digital Camera (01/29/2010 1.4.1.0)
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ATX Kleinrock 2007 Tax Products" = ATX / Kleinrock Tax Products 2007 (Remove Only)
"CNXT_AUDIO_HDA" = Conexant HD Audio
"CNXT_MODEM_HDAUDIO_HERMOSA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"HDMI" = Intel® Graphics Media Accelerator Driver
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"LimeWire" = LimeWire 5.3.6
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.0.1200
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"WildTangent hp Master Uninstall" = My HP Games

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >








OTL logfile created on: 7/3/2011 10:53:16 AM - Run 1
OTL by OldTimer - Version 3.2.25.0 Folder = C:\Users\coleman1\Downloads
Windows Vista Home Basic Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.93 Gb Total Physical Memory | 1.47 Gb Available Physical Memory | 76.33% Memory free
2.11 Gb Paging File | 1.81 Gb Available in Paging File | 85.91% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 138.70 Gb Total Space | 107.00 Gb Free Space | 77.15% Space Free | Partition Type: NTFS
Drive D: | 10.34 Gb Total Space | 1.78 Gb Free Space | 17.17% Space Free | Partition Type: NTFS

Computer Name: COLEMAN1-PC | User Name: coleman1 | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/07/03 10:53:00 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\coleman1\Downloads\OTL.exe
PRC - [2008/10/29 01:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/07/03 10:53:00 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\coleman1\Downloads\OTL.exe
MOD - [2010/08/31 10:39:57 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18523_none_5cdd65e20837faf2\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (SPService)
SRV - [2008/10/06 11:54:52 | 000,365,952 | ---- | M] () [Auto | Stopped] -- C:\Program Files\SMINST\BLService.exe -- (Recovery Service for Windows)


========== Driver Services (SafeList) ==========

DRV - [2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2008/06/29 09:52:26 | 000,112,128 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel®
DRV - [2008/06/10 13:54:36 | 000,123,904 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008/06/05 11:58:42 | 000,222,208 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CHDRT32.sys -- (CnxtHdAudService)
DRV - [2008/04/27 14:07:44 | 000,909,824 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2008/01/20 21:32:45 | 002,225,664 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel®
DRV - [2007/10/17 18:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/06/18 19:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2007/02/22 17:26:46 | 000,071,168 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\swmx00.sys -- (SWMX00) Sierra Wireless USB MUX Driver (#00)
DRV - [2007/01/12 14:26:42 | 000,102,144 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\SWNC5E00.sys -- (SWNC5E00) Sierra Wireless MUX NDIS Driver (#00)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3455773754-680829388-558989387-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
IE - HKU\S-1-5-21-3455773754-680829388-558989387-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.google.com/ [binary data]
IE - HKU\S-1-5-21-3455773754-680829388-558989387-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
IE - HKU\S-1-5-21-3455773754-680829388-558989387-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-3455773754-680829388-558989387-1000\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-3455773754-680829388-558989387-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3455773754-680829388-558989387-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


[2009/06/01 23:33:56 | 000,000,000 | ---D | M] (No name found) -- C:\Users\coleman1\AppData\Roaming\Mozilla\Extensions
[2009/06/01 23:33:56 | 000,000,000 | ---D | M] (No name found) -- C:\Users\coleman1\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org

Hosts file not found
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Microsoft Live Search Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (Microsoft Live Search Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
O3 - HKU\S-1-5-21-3455773754-680829388-558989387-1000\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O3 - HKU\S-1-5-21-3455773754-680829388-558989387-1000\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [cleanddm] File not found
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UpdateLBPShortCut] C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePDIRShortCut] C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePSTShortCut] C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [765705838] File not found
O4 - HKU\S-1-5-18..\Run: [765705838] File not found
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKU\.DEFAULT Winlogon: Shell - (C:\Windows\System32\config\systemprofile\AppData\Roaming\gog.exe) - File not found
O20 - HKU\S-1-5-18 Winlogon: Shell - (C:\Windows\System32\config\systemprofile\AppData\Roaming\gog.exe) - File not found
O24 - Desktop WallPaper: C:\Users\coleman1\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\coleman1\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{6ed95809-103a-11e0-b9a2-001f166c78e0}\Shell\AutoRun\command - "" = F:\setup.exe
O33 - MountPoints2\{d24a5a6f-8180-11e0-bd11-001f166c78e0}\Shell - "" = AutoRun
O33 - MountPoints2\{d24a5a6f-8180-11e0-bd11-001f166c78e0}\Shell\AutoRun\command - "" = G:\DTVP_Launcher.exe
O33 - MountPoints2\{f372fe64-1726-11df-8836-001f166c78e0}\Shell - "" = AutoRun
O33 - MountPoints2\{f372fe64-1726-11df-8836-001f166c78e0}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "C:\Windows\system32\config\systemprofile\AppData\Local\bon.exe" -a "%1" %*
O35 - HKU\S-1-5-21-3455773754-680829388-558989387-1000..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\bon.exe" -a "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\bon.exe" -a "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\bon.exe" -a "%1" %*
O37 - HKU\S-1-5-21-3455773754-680829388-558989387-1000\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/30 21:59:28 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2011/06/17 19:39:37 | 000,380,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll
[2011/06/17 19:39:36 | 000,467,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2011/06/17 19:39:34 | 000,389,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2011/06/17 19:39:33 | 000,389,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2011/06/17 19:39:33 | 000,230,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll
[2011/06/17 19:39:33 | 000,193,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2011/06/17 19:39:32 | 000,671,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2011/06/17 19:39:31 | 000,028,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2011/06/17 19:39:30 | 000,078,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieencode.dll
[2011/06/17 19:39:28 | 001,383,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/06/04 22:12:48 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2011/06/04 16:56:35 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/08/25 18:59:08 | 000,004,096 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll

========== Files - Modified Within 30 Days ==========

[2011/07/03 10:43:00 | 000,594,698 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/07/03 10:43:00 | 000,100,766 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/07/03 10:38:47 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/07/03 10:38:38 | 268,435,456 | -HS- | M] () -- C:\Windows\System32\temppf.sys
[2011/07/03 00:21:42 | 000,054,016 | ---- | M] () -- C:\Windows\System32\drivers\ubjgcvlc.sys
[2011/07/03 00:21:42 | 000,000,214 | ---- | M] () -- C:\Windows\tasks\aexevwvv
[2011/07/01 07:09:21 | 000,054,016 | ---- | M] () -- C:\Windows\System32\drivers\tguhgi.sys
[2011/07/01 01:43:56 | 000,000,000 | ---- | M] () -- C:\Users\coleman1\defogger_reenable
[2011/07/01 01:11:58 | 000,054,016 | ---- | M] () -- C:\Windows\System32\drivers\mbakq.sys
[2011/07/01 00:54:10 | 000,000,284 | ---- | M] () -- C:\ProgramData\hpqp.ini
[2011/06/30 22:17:54 | 000,054,016 | ---- | M] () -- C:\Windows\System32\drivers\ieluj.sys
[2011/06/30 13:01:27 | 000,001,356 | ---- | M] () -- C:\Users\coleman1\AppData\Local\d3d9caps.dat
[2011/06/30 12:55:17 | 000,054,016 | ---- | M] () -- C:\Windows\System32\drivers\tutnksbk.sys
[2011/06/29 07:32:30 | 000,054,016 | ---- | M] () -- C:\Windows\System32\drivers\paqcwib.sys
[2011/06/29 07:21:38 | 000,010,976 | -HS- | M] () -- C:\Users\coleman1\AppData\Local\448fqp1244v2itbh10ux24jwrf07
[2011/06/29 07:21:38 | 000,010,976 | -HS- | M] () -- C:\ProgramData\448fqp1244v2itbh10ux24jwrf07
[2011/06/26 20:46:50 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/06/26 20:46:50 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/06/21 20:11:42 | 219,846,714 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/06/17 19:40:40 | 000,000,127 | ---- | M] () -- C:\Windows\System32\MRT.INI
[2011/06/17 19:33:14 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2011/06/17 19:33:14 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2011/06/05 19:49:32 | 000,005,632 | ---- | M] () -- C:\Users\coleman1\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== Files Created - No Company Name ==========

[2011/07/03 00:21:42 | 000,054,016 | ---- | C] () -- C:\Windows\System32\drivers\ubjgcvlc.sys
[2011/07/03 00:21:42 | 000,000,214 | ---- | C] () -- C:\Windows\tasks\aexevwvv
[2011/07/01 07:09:21 | 000,054,016 | ---- | C] () -- C:\Windows\System32\drivers\tguhgi.sys
[2011/07/01 01:43:56 | 000,000,000 | ---- | C] () -- C:\Users\coleman1\defogger_reenable
[2011/07/01 01:11:58 | 000,054,016 | ---- | C] () -- C:\Windows\System32\drivers\mbakq.sys
[2011/06/30 22:17:54 | 000,054,016 | ---- | C] () -- C:\Windows\System32\drivers\ieluj.sys
[2011/06/30 12:55:17 | 000,054,016 | ---- | C] () -- C:\Windows\System32\drivers\tutnksbk.sys
[2011/06/29 07:32:30 | 000,054,016 | ---- | C] () -- C:\Windows\System32\drivers\paqcwib.sys
[2011/06/29 07:19:12 | 000,010,976 | -HS- | C] () -- C:\Users\coleman1\AppData\Local\448fqp1244v2itbh10ux24jwrf07
[2011/06/29 07:17:09 | 268,435,456 | -HS- | C] () -- C:\Windows\System32\temppf.sys
[2011/06/26 20:36:36 | 000,010,976 | -HS- | C] () -- C:\ProgramData\448fqp1244v2itbh10ux24jwrf07
[2011/06/17 19:40:40 | 000,000,127 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2011/06/17 19:33:14 | 000,000,000 | RHS- | C] () -- C:\MSDOS.SYS
[2011/06/17 19:33:14 | 000,000,000 | RHS- | C] () -- C:\IO.SYS
[2011/06/04 16:55:51 | 219,846,714 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2011/04/04 11:03:34 | 004,447,574 | ---- | C] () -- C:\Users\coleman1\AppData\Roaming\Wiz Khalifa - No Sleep.zip
[2010/08/25 19:30:02 | 000,439,308 | ---- | C] () -- C:\Windows\System32\igcompkrng500.bin
[2010/08/25 19:30:00 | 000,982,240 | ---- | C] () -- C:\Windows\System32\igkrng500.bin
[2010/08/25 19:30:00 | 000,092,356 | ---- | C] () -- C:\Windows\System32\igfcg500m.bin
[2010/08/25 18:57:00 | 000,000,151 | ---- | C] () -- C:\Windows\System32\GfxUI.exe.config
[2010/08/25 18:52:00 | 000,208,896 | ---- | C] () -- C:\Windows\System32\iglhsip32.dll
[2010/08/25 18:52:00 | 000,143,360 | ---- | C] () -- C:\Windows\System32\iglhcp32.dll
[2010/05/19 06:18:06 | 000,016,384 | ---- | C] () -- C:\Users\coleman1\AppData\Roaming\nn8.exe
[2009/05/03 21:39:49 | 000,000,214 | ---- | C] () -- C:\Users\coleman1\AppData\Roaming\wklnhst.dat
[2009/04/25 19:21:25 | 000,001,356 | ---- | C] () -- C:\Users\coleman1\AppData\Local\d3d9caps.dat
[2009/04/03 21:44:55 | 000,005,632 | ---- | C] () -- C:\Users\coleman1\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/16 12:53:28 | 000,000,284 | ---- | C] () -- C:\ProgramData\hpqp.ini
[2008/10/23 00:43:24 | 000,106,605 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2008/10/23 00:43:24 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/07/06 15:29:46 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1518.dll
[2008/07/06 15:14:06 | 000,147,172 | ---- | C] () -- C:\Windows\System32\igfcg550.bin
[2008/06/29 09:52:14 | 000,004,608 | ---- | C] () -- C:\Windows\System32\HdmiCoin.dll
[2006/11/02 07:53:49 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:44:53 | 000,317,688 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 05:33:01 | 000,594,698 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,100,766 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/03/09 04:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll

< End of report >

Attached Files



#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:26 AM

Posted 03 July 2011 - 12:44 PM

  • Please download ExeFix.reg and save it to a flashdrive or on the root of the system drive (usually C:).
    • Double-click it and confirm the prompt to allow it to merge.
  • Please open OTL.
    • Copy the text in code box and paste it to Custom Scans/Fixes section:
      :Services
      SPService
      :otl
      O4 - HKLM..\Run: [cleanddm] File not found
      O4 - HKU\.DEFAULT..\Run: [765705838] File not found
      O4 - HKU\S-1-5-18..\Run: [765705838] File not found
      O20 - HKU\.DEFAULT Winlogon: Shell - (C:\Windows\System32\config\systemprofile\AppData\Roaming\gog.exe) - File not found
      O20 - HKU\S-1-5-18 Winlogon: Shell - (C:\Windows\System32\config\systemprofile\AppData\Roaming\gog.exe) - File not found
      O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\bon.exe" -a "%1" %*
      O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\bon.exe" -a "%1" %*
      [2011/07/03 00:21:42 | 000,054,016 | ---- | C] () -- C:\Windows\System32\drivers\ubjgcvlc.sys
      [2011/07/03 00:21:42 | 000,000,214 | ---- | C] () -- C:\Windows\tasks\aexevwvv
      [2011/07/01 07:09:21 | 000,054,016 | ---- | C] () -- C:\Windows\System32\drivers\tguhgi.sys
      [2011/07/01 01:11:58 | 000,054,016 | ---- | C] () -- C:\Windows\System32\drivers\mbakq.sys
      [2011/06/30 22:17:54 | 000,054,016 | ---- | C] () -- C:\Windows\System32\drivers\ieluj.sys
      [2011/06/30 12:55:17 | 000,054,016 | ---- | C] () -- C:\Windows\System32\drivers\tutnksbk.sys
      [2011/06/29 07:32:30 | 000,054,016 | ---- | C] () -- C:\Windows\System32\drivers\paqcwib.sys
      [2011/06/29 07:19:12 | 000,010,976 | -HS- | C] () -- C:\Users\coleman1\AppData\Local\448fqp1244v2itbh10ux24jwrf07
      
    • Click Run Fix button.
    • If the fix needed a reboot please do it.
    • After finished a log will open. Copy and paste the log to your reply.
  • Disable automatic restart, to do that:
    • Use F8 key to enter Windows Advance Options Menu.
    • Use the up and down arrow keys to select Disable automatic restart on system failure and then press the Enter key.
    • Press the Enter key.
    • Windows should start. This time when you get a BSOD it will not restart. What we need is the information of the type of error, the error code and more important the description of error and any file is mentioned.


#9 Cyhex

Cyhex
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:26 AM

Posted 03 July 2011 - 02:30 PM

OTL did not open a log when I clicked "OK" to open a log when the code was complete. Do you want me to run a scan again with it and repost in my reply?

the BSOD error is:


Technical information:
0x0000008e (0xC0000005, 0x82056759, 0xA6CCE91C, 0x 00000000)

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:26 AM

Posted 03 July 2011 - 03:02 PM

Yes please run a scan again, I would like to confirm that the fix has been done.

The code doesn't give us much info.

Please download MiniToolBox and save it to your desktop and run it.

Checkmark following checkboxes:
  • List last 10 Event Viewer log
  • List Minidump Files.
Click Go and post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.

#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:26 AM

Posted 03 July 2011 - 03:04 PM

Please don't miss my previous post.

We need only otl.txt no need for Extras.txt

#12 Cyhex

Cyhex
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:26 AM

Posted 03 July 2011 - 05:09 PM

Here's the 2 logs from OTL scan and log from Minitoolbox. A new problem seems to be accuring now, having a hard time opening internet explorer, it asks which program I want to open it, only option is Internet Explorer, and loops like that a couple times then opens just fine. Thanks for your help so far!




OTL logfile created on: 7/3/2011 5:02:55 PM - Run 1
OTL by OldTimer - Version 3.2.25.0 Folder = C:\Users\coleman1\Downloads
Windows Vista Home Basic Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.93 Gb Total Physical Memory | 1.59 Gb Available Physical Memory | 82.14% Memory free
2.11 Gb Paging File | 1.91 Gb Available in Paging File | 90.87% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 138.70 Gb Total Space | 107.00 Gb Free Space | 77.14% Space Free | Partition Type: NTFS
Drive D: | 10.34 Gb Total Space | 1.78 Gb Free Space | 17.17% Space Free | Partition Type: NTFS

Computer Name: COLEMAN1-PC | User Name: coleman1 | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/07/03 10:53:00 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\coleman1\Downloads\OTL.exe
PRC - [2008/10/29 01:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/07/03 10:53:00 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\coleman1\Downloads\OTL.exe
MOD - [2010/08/31 10:39:57 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18523_none_5cdd65e20837faf2\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (SPService)
SRV - [2008/10/06 11:54:52 | 000,365,952 | ---- | M] () [Auto | Stopped] -- C:\Program Files\SMINST\BLService.exe -- (Recovery Service for Windows)


========== Driver Services (SafeList) ==========

DRV - [2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2008/06/29 09:52:26 | 000,112,128 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel®
DRV - [2008/06/10 13:54:36 | 000,123,904 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008/06/05 11:58:42 | 000,222,208 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CHDRT32.sys -- (CnxtHdAudService)
DRV - [2008/04/27 14:07:44 | 000,909,824 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2008/01/20 21:32:45 | 002,225,664 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel®
DRV - [2007/10/17 18:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/06/18 19:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2007/02/22 17:26:46 | 000,071,168 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\swmx00.sys -- (SWMX00) Sierra Wireless USB MUX Driver (#00)
DRV - [2007/01/12 14:26:42 | 000,102,144 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\SWNC5E00.sys -- (SWNC5E00) Sierra Wireless MUX NDIS Driver (#00)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3455773754-680829388-558989387-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
IE - HKU\S-1-5-21-3455773754-680829388-558989387-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.google.com/ [binary data]
IE - HKU\S-1-5-21-3455773754-680829388-558989387-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
IE - HKU\S-1-5-21-3455773754-680829388-558989387-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-3455773754-680829388-558989387-1000\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-3455773754-680829388-558989387-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3455773754-680829388-558989387-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


[2009/06/01 23:33:56 | 000,000,000 | ---D | M] (No name found) -- C:\Users\coleman1\AppData\Roaming\Mozilla\Extensions
[2009/06/01 23:33:56 | 000,000,000 | ---D | M] (No name found) -- C:\Users\coleman1\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org

Hosts file not found
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Microsoft Live Search Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (Microsoft Live Search Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
O3 - HKU\S-1-5-21-3455773754-680829388-558989387-1000\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O3 - HKU\S-1-5-21-3455773754-680829388-558989387-1000\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [cleanddm] File not found
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UpdateLBPShortCut] C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePDIRShortCut] C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePSTShortCut] C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [765705838] File not found
O4 - HKU\S-1-5-18..\Run: [765705838] File not found
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-3455773754-680829388-558989387-1000..\RunOnce: [FlashPlayerUpdate] C:\Windows\System32\Macromed\Flash\FlashUtil10n_ActiveX.exe (Adobe Systems, Inc.)
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKU\.DEFAULT Winlogon: Shell - (C:\Windows\System32\config\systemprofile\AppData\Roaming\gog.exe) - File not found
O20 - HKU\S-1-5-18 Winlogon: Shell - (C:\Windows\System32\config\systemprofile\AppData\Roaming\gog.exe) - File not found
O24 - Desktop WallPaper: C:\Users\coleman1\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\coleman1\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{6ed95809-103a-11e0-b9a2-001f166c78e0}\Shell\AutoRun\command - "" = F:\setup.exe
O33 - MountPoints2\{d24a5a6f-8180-11e0-bd11-001f166c78e0}\Shell - "" = AutoRun
O33 - MountPoints2\{d24a5a6f-8180-11e0-bd11-001f166c78e0}\Shell\AutoRun\command - "" = G:\DTVP_Launcher.exe
O33 - MountPoints2\{f372fe64-1726-11df-8836-001f166c78e0}\Shell - "" = AutoRun
O33 - MountPoints2\{f372fe64-1726-11df-8836-001f166c78e0}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\bon.exe" -a "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\bon.exe" -a "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/07/03 14:24:47 | 000,634,648 | ---- | C] (Microsoft Corporation) -- C:\iexplore.exe
[2011/07/03 14:17:24 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/06/30 21:59:28 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2011/06/17 19:39:37 | 000,380,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll
[2011/06/17 19:39:36 | 000,467,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2011/06/17 19:39:34 | 000,389,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2011/06/17 19:39:33 | 000,389,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2011/06/17 19:39:33 | 000,230,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll
[2011/06/17 19:39:33 | 000,193,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2011/06/17 19:39:32 | 000,671,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2011/06/17 19:39:31 | 000,028,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2011/06/17 19:39:30 | 000,078,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieencode.dll
[2011/06/17 19:39:28 | 001,383,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/06/04 22:12:48 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2011/06/04 16:56:35 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/08/25 18:59:08 | 000,004,096 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll

========== Files - Modified Within 30 Days ==========

[2011/07/03 17:01:13 | 000,594,698 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/07/03 17:01:13 | 000,100,766 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/07/03 17:01:11 | 000,369,085 | ---- | M] () -- C:\Users\coleman1\Desktop\MiniToolBox.exe
[2011/07/03 16:56:41 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/07/03 16:56:31 | 268,435,456 | -HS- | M] () -- C:\Windows\System32\temppf.sys
[2011/07/03 14:15:43 | 000,003,014 | ---- | M] () -- C:\ExeFix.reg
[2011/07/01 01:43:56 | 000,000,000 | ---- | M] () -- C:\Users\coleman1\defogger_reenable
[2011/07/01 00:54:10 | 000,000,284 | ---- | M] () -- C:\ProgramData\hpqp.ini
[2011/06/30 13:01:27 | 000,001,356 | ---- | M] () -- C:\Users\coleman1\AppData\Local\d3d9caps.dat
[2011/06/29 07:21:38 | 000,010,976 | -HS- | M] () -- C:\ProgramData\448fqp1244v2itbh10ux24jwrf07
[2011/06/26 20:46:50 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/06/26 20:46:50 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/06/21 20:11:42 | 219,846,714 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/06/17 19:40:40 | 000,000,127 | ---- | M] () -- C:\Windows\System32\MRT.INI
[2011/06/17 19:33:14 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2011/06/17 19:33:14 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2011/06/05 19:49:32 | 000,005,632 | ---- | M] () -- C:\Users\coleman1\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== Files Created - No Company Name ==========

[2011/07/03 17:01:06 | 000,369,085 | ---- | C] () -- C:\Users\coleman1\Desktop\MiniToolBox.exe
[2011/07/03 14:15:30 | 000,003,014 | ---- | C] () -- C:\ExeFix.reg
[2011/07/01 01:43:56 | 000,000,000 | ---- | C] () -- C:\Users\coleman1\defogger_reenable
[2011/06/29 07:17:09 | 268,435,456 | -HS- | C] () -- C:\Windows\System32\temppf.sys
[2011/06/26 20:36:36 | 000,010,976 | -HS- | C] () -- C:\ProgramData\448fqp1244v2itbh10ux24jwrf07
[2011/06/17 19:40:40 | 000,000,127 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2011/06/17 19:33:14 | 000,000,000 | RHS- | C] () -- C:\MSDOS.SYS
[2011/06/17 19:33:14 | 000,000,000 | RHS- | C] () -- C:\IO.SYS
[2011/06/04 16:55:51 | 219,846,714 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2011/04/04 11:03:34 | 004,447,574 | ---- | C] () -- C:\Users\coleman1\AppData\Roaming\Wiz Khalifa - No Sleep.zip
[2010/08/25 19:30:02 | 000,439,308 | ---- | C] () -- C:\Windows\System32\igcompkrng500.bin
[2010/08/25 19:30:00 | 000,982,240 | ---- | C] () -- C:\Windows\System32\igkrng500.bin
[2010/08/25 19:30:00 | 000,092,356 | ---- | C] () -- C:\Windows\System32\igfcg500m.bin
[2010/08/25 18:57:00 | 000,000,151 | ---- | C] () -- C:\Windows\System32\GfxUI.exe.config
[2010/08/25 18:52:00 | 000,208,896 | ---- | C] () -- C:\Windows\System32\iglhsip32.dll
[2010/08/25 18:52:00 | 000,143,360 | ---- | C] () -- C:\Windows\System32\iglhcp32.dll
[2010/05/19 06:18:06 | 000,016,384 | ---- | C] () -- C:\Users\coleman1\AppData\Roaming\nn8.exe
[2009/05/03 21:39:49 | 000,000,214 | ---- | C] () -- C:\Users\coleman1\AppData\Roaming\wklnhst.dat
[2009/04/25 19:21:25 | 000,001,356 | ---- | C] () -- C:\Users\coleman1\AppData\Local\d3d9caps.dat
[2009/04/03 21:44:55 | 000,005,632 | ---- | C] () -- C:\Users\coleman1\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/16 12:53:28 | 000,000,284 | ---- | C] () -- C:\ProgramData\hpqp.ini
[2008/10/23 00:43:24 | 000,106,605 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2008/10/23 00:43:24 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/07/06 15:29:46 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1518.dll
[2008/07/06 15:14:06 | 000,147,172 | ---- | C] () -- C:\Windows\System32\igfcg550.bin
[2008/06/29 09:52:14 | 000,004,608 | ---- | C] () -- C:\Windows\System32\HdmiCoin.dll
[2006/11/02 07:53:49 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:44:53 | 000,317,688 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 05:33:01 | 000,594,698 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,100,766 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/03/09 04:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll

< End of report >











OTL Extras logfile created on: 7/3/2011 5:02:55 PM - Run 1
OTL by OldTimer - Version 3.2.25.0 Folder = C:\Users\coleman1\Downloads
Windows Vista Home Basic Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.93 Gb Total Physical Memory | 1.59 Gb Available Physical Memory | 82.14% Memory free
2.11 Gb Paging File | 1.91 Gb Available in Paging File | 90.87% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 138.70 Gb Total Space | 107.00 Gb Free Space | 77.14% Space Free | Partition Type: NTFS
Drive D: | 10.34 Gb Total Space | 1.78 Gb Free Space | 17.17% Space Free | Partition Type: NTFS

Computer Name: COLEMAN1-PC | User Name: coleman1 | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\bon.exe" -a "%1" %*

[HKEY_USERS\S-1-5-18\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- "C:\Windows\system32\config\systemprofile\AppData\Local\bon.exe" -a "%1" %*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{28ADEDE1-A4D5-42D8-9B05-BF7C283C4061}" = lport=10725 | protocol=6 | dir=in | name=spport |
"{28ADEDE1-A4D5-42D8-9B05-BF7C283C4062}" = lport=10725 | protocol=6 | dir=out | name=spport |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00F1A93B-502C-449E-AA33-4161A25D37DF}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{04D038ED-5A9E-45B5-99F5-63B3F46AEFBA}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{28ADEDE1-A4D5-42D8-9B05-BF7C283C4059}" = protocol=6 | dir=in | app=c:\windows\system32\svchost.exe |
"{28ADEDE1-A4D5-42D8-9B05-BF7C283C4060}" = protocol=6 | dir=out | app=c:\windows\system32\svchost.exe |
"{9ED681DE-0FCB-4862-934C-E7A6B010BA82}" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"{A85E7FA2-D7DE-4E94-8F8D-59BF3812FF78}" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"{AD53FB05-39B5-48E3-B342-77B5BDC6EAC7}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{B5039AFF-9D80-4F9C-83D8-84BC709EFBD6}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{BCFB0516-15EC-4FD6-A30A-83E98F368413}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{D53B8B7E-D3B8-4479-B152-393894654F29}" = dir=in | app=c:\program files\cyberlink\powerdirector\pdr.exe |
"{E6F24DE9-A58D-4E0E-BEE7-AC097A96C666}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{E96EDA60-46EA-4A10-A40C-30DBB39DFA3C}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{E990DB64-E82A-490C-9BFC-58A0A9DBB922}" = dir=in | app=c:\program files\hp\quickplay\qp.exe |
"{F3B215A1-F050-4DEE-932D-30EA7D61BEBD}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{F6AB66A4-FAEA-4269-8E9C-6A93387E142F}" = dir=in | app=c:\program files\hp\quickplay\qpservice.exe |
"TCP Query User{F1160241-D469-4183-97B8-C66729F3C1FA}C:\program files\limewire\limewire.exe" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"UDP Query User{034A953E-B8C5-4B54-A92D-F51561CEDD8E}C:\program files\limewire\limewire.exe" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{0054A0F6-00C9-4498-B821-B5C9578F433E}" = HP Help and Support
"{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{1E5E2F9A-17D3-45CA-8FF0-B0C2927D4B03}" = MobileMe Control Panel
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"{2A697B53-0DE3-42DA-B41D-C3F804B1C538}" = iTunes
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{2DC94AFD-A6E2-4AB4-9132-4A3F8E07B386}" = Apple Application Support
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.40 H2
"{352310C3-E46B-42D3-8F32-54721FDD72D9}" = NetZero Preloader
"{3877C901-7B90-4727-A639-B6ED2DD59D43}" = ESU for Microsoft Vista
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"{415B2719-AD3A-4944-B404-C472DB6085B3}" = Cisco EAP-FAST Module
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP DVD Play 3.7
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{57A5AEC1-97FC-474D-92C4-908FCC2253D4}" = HP Customer Experience Enhancements
"{6423EF83-6E1D-4D22-A36F-689CD19FD4D2}" = Juno Preloader
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{669C7BD8-DAA2-49B6-966C-F1E2AAE6B17E}" = Cisco PEAP Module
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{83770D14-21B9-44B3-8689-F7B523F94560}" = Cisco LEAP Module
"{846DDADA-0239-4B67-A6B1-33658863793B}" = HPTCSSetup
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{96384578-C6A2-4EC6-92CD-B62A60713040}" = Microsoft Live Search Toolbar
"{9A5909B3-8CF3-4E06-92A8-F3CB7C97EF20}" = KODAK Share Button App
"{9ADABDDE-9644-461B-9E73-83FA3EFCAB50}" = HP Wireless Assistant
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A67BB21E-D419-45BB-AB86-7D87D14BBCE2}" = Safari
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AD72CFB4-C2BF-424E-9DF0-C7BAD1F30A11}" = Adobe Shockwave Player
"{B6D0B141-B2BE-4DD0-B08F-B9186F3E36B3}" = HP User Guides 0118
"{C3A32068-8AB1-4327-BB16-BED9C6219DC7}" = Atheros Driver Installation Program
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}" = HP Update
"{CACAEB5F-174D-4C7C-AC56-A33289A807CA}" = Apple Mobile Device Support
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DD35C328-F115-BEDA-6EEE-E00C5AACCCBC}" = muvee Reveal
"{E503B4BF-F7BB-3D5F-8BC8-F694B1CFF942}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
"{FB26A501-6BA6-459B-89AA-9736730752FB}" = VoiceOver Kit
"3D970B9F930E7AAE23C06D39A1AC98548C90B442" = Windows Driver Package - Eastman Kodak KODAK Digital Camera (01/29/2010 1.4.1.0)
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ATX Kleinrock 2007 Tax Products" = ATX / Kleinrock Tax Products 2007 (Remove Only)
"CNXT_AUDIO_HDA" = Conexant HD Audio
"CNXT_MODEM_HDAUDIO_HERMOSA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"HDMI" = Intel® Graphics Media Accelerator Driver
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"LimeWire" = LimeWire 5.3.6
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.0.1200
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"WildTangent hp Master Uninstall" = My HP Games

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >






MiniToolBox by Farbar
Ran by coleman1 (administrator) on 03-07-2011 at 17:07:08
Windows Vista ™ Home Basic Service Pack 1 (X86)

***************************************************************************


========================= Event log errors: ===============================

Application errors:
==================

System errors:
=============

Microsoft Office Sessions:
=========================

========================= End of Event log errors =========================

=========================== Minidump Files ====================

C:\Windows\Minidump\Mini060411-01.dmp
C:\Windows\Minidump\Mini060911-01.dmp
C:\Windows\Minidump\Mini061711-01.dmp
C:\Windows\Minidump\Mini061811-01.dmp
C:\Windows\Minidump\Mini061811-02.dmp
C:\Windows\Minidump\Mini062111-01.dmp

=========================== End oF Minidump Files =============

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:26 AM

Posted 04 July 2011 - 05:41 AM

I see a copy of Internet Explorer on C drive, do you have any idea about it?

Please go to start => Run, copy/paste the following line in the run box and click OK.

C:\Windows\Minidump

We need the following files to be uploaded:

  • C:\Windows\Minidump\Mini060411-01.dmp
    C:\Windows\Minidump\Mini060911-01.dmp
    C:\Windows\Minidump\Mini061711-01.dmp
    C:\Windows\Minidump\Mini061811-01.dmp
    C:\Windows\Minidump\Mini061811-02.dmp
    C:\Windows\Minidump\Mini062111-01.dmp

  • Zip them first, to do that:
    • Hold down the Ctrl key and select the files one by one until you have selected all of them.
    • Right-click one of the selected file and select Send To from the Context menu => select Compressed (zip) Folder
    • Click Yes to any prompt. A zip file will be created in the same directory.
  • Click on this link: http://www.bleepingcomputer.com/submit-malware.php?channel=66
  • Click Browse... and navigate to: C:\Windows\Minidump
  • Highlight the zipped file and click Open.
  • Click Send File.


#14 Cyhex

Cyhex
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:26 AM

Posted 04 July 2011 - 10:41 AM

Minidump files have been zipped and uploaded.

the iexplorer got there when I was trying to get iexplore to open up, it was giving me the run/save/cancel option. Looks that error has now stopped though and iexplore is working fine again. I removed the filed from the root C: and i'm using the correct one in program files.

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:26 AM

Posted 04 July 2011 - 12:33 PM

Thanks for the upload. All those crash dumps point to ntkrpamp.exe. That could be many things, driver issues leading to memory problems. I see also Windows has made a temporary page file. That is why the changes to the system configuration don't hold.

  • Please download MiniRegTool.zip and unzip it.
    • Run the tool.
    • Copy and paste the content of code box into the edit box:

      HKLM\SYSTEM\CurrentControlSet\Control\Lsa
      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
    • Check the List Permissions radio button.
    • Press Go button, a log will be made (Result.txt) on the same directory the tool is run. Name it result1.txt before it get overwritten by the next run of the tool.
  • Run the tool again, this time copy and paste the following:

    HKLM\SOFTWARE\Classes\CLSID\{3F4DACA4-160D-11D2-A8E9-00104B365C9F}
    HKLM\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8} 
    HKLM\SOFTWARE\Classes\CLSID\{B54F3742-5B07-11cf-A4B0-00AA004A55E8}
    HKLM\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}
    HKLM\SOFTWARE\Classes\TypeLib\{3F4DACA7-160D-11D2-A8E9-00104B365C9F}
    HKLM\SOFTWARE\Classes\TypeLib\{3F4DACA7-160D-11D2-A8E9-00104B365C9F}
    HKLM\SYSTEM\CurrentControlSet\Control\Lsa
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

    Check the List Only Null-embedded radio button.
    Please rename the Result.txt to result2.txt.
  • Run the tool again, copy and paste the following:


    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SPService

    Check the Delete Key(s)/Value(s) including Locked/Null embedded radio button.

    Now please post the content of result1.txt, result2.txt and the last log (Result.txt).





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users