Infected with Windows XP Fix


  • This topic is locked
35 replies to this topic

#1 KeriT

KeriT

  • Members
  • 64 posts
  • OFFLINE
  • Local time:03:16 AM

Posted 29 July 2011 - 08:07 PM

My daughter clicked on a popup :( and infected her computer with Windows XP Fix. I tried running the Uninstall Guide you provided on this site, but I can't complete it (it won't let me run or update Malwarebytes). I've now followed the Preparation Guide and am attaching all the reports for you. Thank you so much for your time and expertise!

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Keri at 15:18:44 on 2011-07-29
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1790.1131 [GMT -7:00]
.
AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: McAfee Host Intrusion Prevention Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Zune\ZuneBusEnum.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.facebook.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
EB: Developer Tools: {1a6fe369-f28c-4ad9-a3e6-2bcb50807cf1} - c:\program files\internet explorer\iedvtool.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [rGDEAIvvgrLJejA] c:\documents and settings\all users\application data\rGDEAIvvgrLJejA.exe
mRun: [BkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfee Host Intrusion Prevention Tray] "c:\program files\mcafee\host intrusion prevention\FireTray.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mExplorerRun: [RTHDBPL] c:\documents and settings\keri\application data\systemproc\lsass.exe
StartupFolder: c:\docume~1\keri\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\windows\installer\{0cd3bb5c-bbca-11d2-8c20-00c04fbbcff9}\A94AAB13.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nwepo.lnk - c:\program files\network associates\NWePO.exe
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
Trusted Zone: agencyanywhere.agency.ni.nwie.net
Trusted Zone: skilldialogue.com
Trusted Zone: skillport.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 68.238.64.12
TCP: Interfaces\{DC5BA499-E52C-4D91-A1E6-5ADA23BB62B4} : DhcpNameServer = 192.168.1.1 68.238.64.12
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-8-4 342672]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2009-6-8 31848]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\mcafee\host intrusion prevention\FireSvc.exe [2009-6-25 1489984]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-8-4 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2009-6-8 144704]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2009-6-8 54608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-8-4 70728]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-6 50424]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-4 131072]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2009-8-4 9817]
R3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [2009-8-4 44680]
R3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [2009-8-4 110384]
R3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [2009-8-4 38200]
R3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [2009-8-4 35584]
R3 hips;McAfee HIPSCore Service;c:\program files\mcafee\host intrusion prevention\hipscore\HIPSvc.exe [2009-9-9 35696]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-8-4 73512]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-8-4 34408]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2010-3-4 332928]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2009-8-4 117696]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\drivers\firehk.sys [2009-8-4 44680]
S3 GzOFBus;CASIO C721 USB Composite device driver;c:\windows\system32\drivers\GzOFBus.sys [2008-12-16 33408]
S3 GzOFMdm;CASIO C721 CDMA USB Modem;c:\windows\system32\drivers\GzOFMdm.sys [2008-12-16 54400]
S3 GzOFVsp;CASIO C721 USB Virtual Serial Port Driver;c:\windows\system32\drivers\GzOFVsp.sys [2008-12-16 54400]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-11-11 268528]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-07-29 21:56:56 39816 ---ha-w- c:\windows\system32\HIPIS0e011aa.dll
2011-07-10 02:44:02 -------- d--h--w- c:\windows\PIF
2011-07-10 01:08:11 606188 ---ha-w- c:\windows\system32\PerfStringBackup.TMP
2011-07-09 23:58:27 378880 ---ha-w- c:\documents and settings\all users\application data\16441124.exe
2011-07-09 06:26:52 458752 ---ha-w- c:\documents and settings\all users\application data\rGDEAIvvgrLJejA.exe
.
==================== Find3M ====================
.
2011-05-02 15:31:52 692736 ---ha-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 15:19:20.22 ===============

Attached Files
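As an added example (not part of the original thread, and not a BleepingComputer or DDS tool), here is a small Python triage script that applies the kind of checks a helper makes when reading a DDS "Pseudo HJT Report" and "Created Last 30" section by eye: autorun entries that point into user-writable profile folders, a core Windows file name such as lsass.exe living outside C:\Windows, random-looking file names, and lockout policies such as DisableTaskMgr. The sample lines are copied from the log above; the rules, thresholds, and the `triage`/`path_reasons`/`Finding` names are my own assumptions.

```python
"""Heuristic triage of DDS log lines: autoruns, policies and recently created files.

Added example for this thread, not a BleepingComputer or DDS tool. SAMPLE_LOG is
copied (and shortened) from the DDS output in the first post. The rules,
thresholds and names below are my own assumptions; they surface entries a
helper would want to look at first and are not a verdict on any file.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the first post's DDS log, lines kept verbatim.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [rGDEAIvvgrLJejA] c:\documents and settings\all users\application data\rGDEAIvvgrLJejA.exe
mRun: [BkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mExplorerRun: [RTHDBPL] c:\documents and settings\keri\application data\systemproc\lsass.exe
StartupFolder: c:\docume~1\keri\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
mPolicies-system: DisableTaskMgr = 1 (0x1)
2011-07-29 21:56:56 39816 ---ha-w- c:\windows\system32\HIPIS0e011aa.dll
2011-07-09 23:58:27 378880 ---ha-w- c:\documents and settings\all users\application data\16441124.exe
2011-07-09 06:26:52 458752 ---ha-w- c:\documents and settings\all users\application data\rGDEAIvvgrLJejA.exe
"""

# DDS line shapes, inferred from the log above (assumption, not an official grammar).
AUTORUN_RE = re.compile(r"^(?P<kind>[um](?:Explorer)?Run(?:Once)?):\s*\[(?P<label>[^\]]*)\]\s*(?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^StartupFolder:\s*(?P<lnk>.*?)\s+-\s+(?P<cmd>.*)$")
POLICY_RE = re.compile(r"^[um]Policies-\w+:\s*(?P<name>\w+)\s*=\s*(?P<value>\S+)")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+\S+\s+(?P<path>[A-Za-z]:\\.*)$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|scr|com|bat|cmd))\b', re.I)

# Folders any logged-on XP user can write to; legitimate software seldom autoruns from them.
USER_WRITABLE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")
# Core Windows binaries whose names get borrowed; the real ones live under C:\Windows
# (assumes C: is the system drive, as in this log).
SYSTEM_BINARY_NAMES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe",
                       "services.exe", "smss.exe", "explorer.exe"}
# Policies that lock the user out of the tools needed to investigate.
LOCKOUT_POLICIES = {"disabletaskmgr", "disableregistrytools", "disablecmd"}


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def case_switches(stem):
    """Count upper/lower transitions between consecutive letters (rGDEAIvvgrLJejA -> 5)."""
    letters = [c for c in stem if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def looks_random(name):
    """Assumed thresholds: 6+ digits only, or 4+ case switches, reads as generated."""
    stem = name.rsplit(".", 1)[0]
    return (stem.isdigit() and len(stem) >= 6) or case_switches(stem) >= 4


def path_reasons(path):
    """Return the list of reasons a file path deserves a second look (empty if none)."""
    low = path.lower()
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if any(d in low for d in USER_WRITABLE_DIRS):
        reasons.append("runs from a user-writable profile folder")
    if name.lower() in SYSTEM_BINARY_NAMES and not low.startswith("c:\\windows\\"):
        reasons.append(f"borrows the system file name {name} outside C:\\Windows")
    if looks_random(name):
        reasons.append(f"random-looking file name {name}")
    return reasons


def _target_path(cmd):
    """Pull the first drive-rooted executable path out of a Run-key command line."""
    m = PATH_RE.search(cmd)
    return m.group(1) if m else None


def triage(log_text):
    """Walk DDS lines and collect those matching one or more heuristics."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        m = AUTORUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            target = _target_path(m.group("cmd"))
            if target:
                reasons = path_reasons(target)
        elif (m := POLICY_RE.match(line)):
            if m.group("name").lower() in LOCKOUT_POLICIES and m.group("value") != "0":
                reasons = [f"policy {m.group('name')} set to {m.group('value')}"]
        elif (m := CREATED_RE.match(line)):
            reasons = path_reasons(m.group("path"))
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run as-is it prints the five entries a helper would ask about first: the two `rGDEAIvvgrLJejA.exe` lines, the `lsass.exe` under Application Data, `16441124.exe`, and the DisableTaskMgr policy, while leaving the vendor autoruns (BkupTray, ZuneLauncher, NvCpl) alone. The output is a reading aid, not a verdict: some legitimate updaters do run from Application Data, so each flagged file still needs its publisher and hash checked.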




#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:07:16 AM

Posted 04 August 2011 - 01:28 PM

Hi,

Welcome to Bleeping Computer.

My name is Shannon and I will be working with you to remove the malware that is on your machine.

I apologize for the delay in replying to your post, but this forum is extremely busy.

Please Track this topic - On the top right of this thread, click on the Watch Topic button, click on 'Immediate Email Notification', and then click on the Proceed button at the bottom.

Do Not make any changes on your own to the infected computer.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Now, let's look more thoroughly at the infected computer -

We need to see some information about what is happening in your machine. Please perform the following scan:
  • We need to create an OTL Report
  • Please download OTL from here:
  • Main Mirror
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Push the Run Scan button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Next, please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

Once you have the above logs, click on the Add Reply button below, copy in the contents of the two OTL logs and the RKU log. Also include any comments that you might have concerning the infection(s) and the infected computer.
Shannon

#3 KeriT

KeriT
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  • Local time:03:16 AM

Posted 04 August 2011 - 08:07 PM

Hello Shannon! Thank you for coming to our rescue :) Here are the logs you asked for. I want to mention, when I ran the OTL, I did get an error a few times with the heading Window - No Disk, exception at (numbers) module, (numbers) etc. I clicked 'Try Again' a few times, then ended up clicking 'Continue' a few times, and the window disappeared and the scan continued. Here you go:

OTL logfile created on: 8/4/2011 5:45:39 PM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Keri\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.75 Gb Total Physical Memory | 1.06 Gb Available Physical Memory | 60.72% Memory free
3.60 Gb Paging File | 2.95 Gb Available in Paging File | 81.97% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 69.40 Gb Total Space | 34.61 Gb Free Space | 49.87% Space Free | Partition Type: NTFS
Drive D: | 69.89 Gb Total Space | 69.81 Gb Free Space | 99.90% Space Free | Partition Type: NTFS

Computer Name: EMACHINE-7AF6B9 | User Name: Keri | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/08/04 17:44:40 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Keri\Desktop\OTL.exe
PRC - [2011/02/25 10:46:22 | 000,249,648 | -H-- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE
PRC - [2010/11/11 14:55:56 | 000,057,072 | -H-- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneBusEnum.exe
PRC - [2010/11/11 14:55:46 | 000,159,472 | -H-- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneLauncher.exe
PRC - [2010/10/27 20:17:52 | 000,207,424 | -H-- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
PRC - [2010/05/14 12:44:46 | 000,501,480 | -H-- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2010/03/18 12:19:26 | 000,113,152 | -H-- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2009/06/25 14:57:04 | 000,070,728 | -H-- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
PRC - [2009/06/25 14:57:04 | 000,035,696 | -H-- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
PRC - [2009/06/25 14:57:02 | 001,489,984 | -H-- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
PRC - [2009/06/25 14:57:00 | 000,979,104 | -H-- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
PRC - [2009/06/08 20:50:00 | 000,144,704 | -H-- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
PRC - [2009/06/08 20:50:00 | 000,111,952 | -H-- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
PRC - [2009/06/08 20:50:00 | 000,054,608 | -H-- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
PRC - [2009/04/30 16:01:10 | 000,154,136 | -H-- | M] (Logitech Inc.) -- C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
PRC - [2008/11/09 13:48:14 | 000,602,392 | -H-- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/09/25 16:10:00 | 000,136,512 | -H-- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
PRC - [2008/09/25 16:10:00 | 000,136,512 | -H-- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2008/09/25 16:09:00 | 000,169,280 | -H-- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
PRC - [2008/09/25 16:09:00 | 000,103,744 | -H-- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2008/09/25 16:09:00 | 000,086,016 | -H-- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\Mctray.exe
PRC - [2008/07/10 16:20:54 | 000,421,888 | -H-- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
PRC - [2008/04/14 15:00:00 | 001,033,728 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/12/10 21:15:04 | 000,012,800 | -H-- | M] (Agere Systems) -- C:\WINDOWS\system32\agrsmsvc.exe


========== Modules (SafeList) ==========

MOD - [2011/08/04 17:44:40 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Keri\Desktop\OTL.exe
MOD - [2010/08/23 09:12:02 | 001,054,208 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/02/28 18:44:14 | 000,183,560 | -H-- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011/02/25 10:46:22 | 000,249,648 | -H-- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (SeaPort)
SRV - [2010/11/11 14:57:04 | 000,268,528 | -H-- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\WMZuneComm.exe -- (WMZuneComm)
SRV - [2010/11/11 14:57:02 | 000,444,656 | -H-- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2010/11/11 14:55:56 | 006,351,600 | -H-- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2010/11/11 14:55:56 | 000,057,072 | -H-- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Zune\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2010/03/18 12:19:26 | 000,113,152 | -H-- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2009/06/25 14:57:04 | 000,070,728 | -H-- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2009/06/25 14:57:04 | 000,035,696 | -H-- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe -- (hips)
SRV - [2009/06/25 14:57:02 | 001,489,984 | -H-- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe -- (enterceptAgent)
SRV - [2009/06/08 20:50:00 | 000,144,704 | -H-- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe -- (McShield)
SRV - [2009/06/08 20:50:00 | 000,054,608 | -H-- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe -- (McTaskManager)
SRV - [2009/04/30 16:01:10 | 000,154,136 | -H-- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2008/11/09 13:48:14 | 000,602,392 | -H-- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/09/25 16:09:00 | 000,103,744 | -H-- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2008/05/05 15:25:46 | 000,165,416 | -H-- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2007/12/10 21:15:04 | 000,012,800 | -H-- | M] (Agere Systems) [Auto | Running] -- C:\WINDOWS\system32\agrsmsvc.exe -- (AgereModemAudio)


========== Driver Services (SafeList) ==========

DRV - [2009/06/25 14:57:04 | 000,342,672 | -H-- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/06/25 14:57:04 | 000,110,384 | -H-- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HIPK.sys -- (HIPK)
DRV - [2009/06/25 14:57:04 | 000,063,728 | -H-- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2009/06/25 14:57:04 | 000,038,200 | -H-- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HIPPSK.sys -- (HIPPSK)
DRV - [2009/06/25 14:57:04 | 000,035,584 | -H-- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HIPQK.sys -- (HIPQK)
DRV - [2009/06/25 14:57:02 | 000,145,616 | -H-- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\FireTDI.sys -- (FireTDI)
DRV - [2009/06/25 14:57:02 | 000,135,296 | -H-- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\Drivers\FirePM.sys -- (FirePM)
DRV - [2009/06/25 14:57:02 | 000,075,704 | -H-- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2009/06/25 14:57:02 | 000,030,728 | -H-- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\firelm01.sys -- (firelm01)
DRV - [2009/06/25 14:57:00 | 000,044,680 | -H-- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\firehk.sys -- (FirehkMP)
DRV - [2009/06/25 14:57:00 | 000,044,680 | -H-- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\firehk.sys -- (Firehk)
DRV - [2009/06/08 20:50:00 | 000,073,512 | -H-- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/06/08 20:50:00 | 000,034,408 | -H-- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/06/08 20:50:00 | 000,031,848 | -H-- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys -- (mferkdk)
DRV - [2009/04/30 23:55:58 | 002,687,512 | -H-- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LV302V32.SYS -- (PID_PEPI) Logitech QuickCam IM(PID_PEPI)
DRV - [2009/04/30 16:00:12 | 000,025,624 | -H-- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2008/12/16 02:43:48 | 000,054,400 | -H-- | M] (DEVGURU Co., LTD.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\GzOFVsp.sys -- (GzOFVsp)
DRV - [2008/12/16 02:43:48 | 000,054,400 | -H-- | M] (DEVGURU Co., LTD.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\GzOFMdm.sys -- (GzOFMdm)
DRV - [2008/12/16 02:43:48 | 000,033,408 | -H-- | M] (DEVGURU Co., LTD.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\GzOFBus.sys -- (GzOFBus)
DRV - [2008/08/21 23:49:58 | 000,008,320 | -H-- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgpfl.sys -- (motccgpfl)
DRV - [2008/08/21 23:49:22 | 000,018,688 | -H-- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgp.sys -- (motccgp)
DRV - [2008/06/26 18:39:42 | 000,332,928 | RH-- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8187.sys -- (RTLWUSB)
DRV - [2008/05/20 03:53:00 | 004,800,000 | -H-- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/01/28 22:37:48 | 000,022,016 | -H-- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2008/01/28 22:37:46 | 000,054,016 | -H-- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2008/01/07 02:54:50 | 001,202,560 | -H-- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2007/06/18 20:18:26 | 000,023,680 | -H-- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motport.sys -- (motport)
DRV - [2007/06/18 20:18:26 | 000,023,680 | -H-- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2006/11/02 08:00:08 | 000,039,368 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2005/01/13 14:46:16 | 000,069,632 | -H-- | M] () [Kernel | On_Demand | Running] -- C:\Acer\Empowering Technology\eRecovery\int15.sys -- (int15.sys)
DRV - [2004/01/26 12:25:32 | 000,009,817 | -H-- | M] (Nortel Networks) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\eacfilt.sys -- (Eacfilt)
DRV - [2004/01/26 12:24:10 | 000,117,696 | -H-- | M] (Nortel Networks) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ipsecw2k.sys -- (IPSECSHM)
DRV - [2004/01/26 12:24:10 | 000,117,696 | -H-- | M] (Nortel Networks) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\ipsecw2k.sys -- (IPSECEXT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3593939918-463097049-743219799-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-3593939918-463097049-743219799-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\S-1-5-21-3593939918-463097049-743219799-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-3593939918-463097049-743219799-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-3593939918-463097049-743219799-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.google.com/ [binary data]
IE - HKU\S-1-5-21-3593939918-463097049-743219799-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
IE - HKU\S-1-5-21-3593939918-463097049-743219799-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.pandora.com/#/paused
IE - HKU\S-1-5-21-3593939918-463097049-743219799-1006\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-3593939918-463097049-743219799-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-3593939918-463097049-743219799-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKCU\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.3: C:\Documents and Settings\Keri\Application Data\Facebook\npfbplugin_1_0_3.dll ( )


[2010/11/14 23:48:45 | 000,000,000 | -H-D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/14 23:48:45 | 000,000,000 | -H-D | M] (Firefox security) -- C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}

O1 HOSTS File: ([2008/04/14 15:00:00 | 000,000,734 | -H-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe (Acer Inc.)
O4 - HKLM..\Run: [McAfee Host Intrusion Prevention Tray] C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe (McAfee, Inc.)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [Zune Launcher] C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-3593939918-463097049-743219799-1006..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKU\S-1-5-21-3593939918-463097049-743219799-1006..\Run: [rGDEAIvvgrLJejA] C:\Documents and Settings\All Users\Application Data\rGDEAIvvgrLJejA.exe (CACE Technologies, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk = C:\WINDOWS\Installer\{0CD3BB5C-BBCA-11D2-8C20-00C04FBBCFF9}\A94AAB13.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NWepo.lnk = C:\Program Files\Network Associates\NWePO.exe ()
O4 - Startup: C:\Documents and Settings\Keri\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowLegacyWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowUnhashedWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: RTHDBPL = C:\Documents and Settings\Keri\Application Data\SystemProc\lsass.exe
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3593939918-463097049-743219799-1006\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-3593939918-463097049-743219799-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3593939918-463097049-743219799-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O15 - HKU\S-1-5-21-3593939918-463097049-743219799-1006\..Trusted Domains: agencyanywhere.agency.ni.nwie.net ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3593939918-463097049-743219799-1006\..Trusted Domains: agencyanywhere.agency.ni.nwie.net ([]https in Trusted sites)
O15 - HKU\S-1-5-21-3593939918-463097049-743219799-1006\..Trusted Domains: skilldialogue.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3593939918-463097049-743219799-1006\..Trusted Domains: skilldialogue.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-3593939918-463097049-743219799-1006\..Trusted Domains: skillport.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3593939918-463097049-743219799-1006\..Trusted Domains: skillport.com ([]https in Trusted sites)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 68.238.64.12
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Keri\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Keri\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/28 17:52:04 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{98b211ae-60cd-11de-8c68-001d72af437a}\Shell\AutoRun\command - "" = G:\AllTool.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/08/04 17:44:39 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Keri\Desktop\OTL.exe
[2011/07/29 15:24:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Keri\Desktop\gmer
[2011/07/29 15:18:07 | 000,607,017 | R--- | C] (Swearware) -- C:\Documents and Settings\Keri\Desktop\dds.scr
[2011/07/29 15:16:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Keri\Start Menu\Programs\Administrative Tools
[2011/07/29 14:58:14 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Keri\Recent
[2011/07/29 14:56:56 | 000,039,816 | -H-- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\HIPIS0e011aa.dll
[2011/07/09 19:44:02 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2011/07/09 16:59:14 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Keri\Start Menu\Programs\Windows XP Fix
[2011/07/09 16:58:27 | 000,378,880 | -H-- | C] (CACE Technologies, Inc.) -- C:\Documents and Settings\All Users\Application Data\16441124.exe
[2011/07/08 23:26:52 | 000,458,752 | -H-- | C] (CACE Technologies, Inc.) -- C:\Documents and Settings\All Users\Application Data\rGDEAIvvgrLJejA.exe
[2009/06/24 07:46:28 | 000,016,384 | -H-- | C] ( ) -- C:\WINDOWS\System32\ClearEvent.exe
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/08/04 17:44:40 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Keri\Desktop\OTL.exe
[2011/07/29 15:24:19 | 000,294,216 | ---- | M] () -- C:\Documents and Settings\Keri\Desktop\gmer.zip
[2011/07/29 15:17:32 | 000,000,419 | -H-- | M] () -- C:\WINDOWS\BRWMARK.INI
[2011/07/29 15:17:32 | 000,000,027 | -H-- | M] () -- C:\WINDOWS\BRPP2KA.INI
[2011/07/29 15:16:08 | 000,607,017 | R--- | M] (Swearware) -- C:\Documents and Settings\Keri\Desktop\dds.scr
[2011/07/29 14:56:56 | 000,000,113 | -H-- | M] () -- C:\WINDOWS\System32\api_hook_list.dat
[2011/07/29 14:55:01 | 000,001,158 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/07/29 14:55:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/07/29 14:54:58 | 1877,463,040 | -HS- | M] () -- C:\hiberfil.sys
[2011/07/09 20:26:03 | 000,000,040 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~16441124
[2011/07/09 20:24:47 | 000,002,565 | -H-- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
[2011/07/09 20:14:55 | 001,008,041 | -H-- | M] () -- C:\Documents and Settings\Keri\Desktop\rkill.scr
[2011/07/09 20:08:04 | 001,008,041 | -H-- | M] () -- C:\Documents and Settings\Keri\Desktop\iExplore.exe
[2011/07/09 17:01:10 | 000,504,014 | -H-- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/07/09 17:01:10 | 000,088,868 | -H-- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/07/09 16:59:17 | 000,000,811 | -H-- | M] () -- C:\Documents and Settings\Keri\Desktop\Windows XP Fix.lnk
[2011/07/09 16:58:28 | 000,378,880 | -H-- | M] (CACE Technologies, Inc.) -- C:\Documents and Settings\All Users\Application Data\16441124.exe
[2011/07/08 23:26:41 | 000,458,752 | -H-- | M] (CACE Technologies, Inc.) -- C:\Documents and Settings\All Users\Application Data\rGDEAIvvgrLJejA.exe
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/07/29 15:24:18 | 000,294,216 | ---- | C] () -- C:\Documents and Settings\Keri\Desktop\gmer.zip
[2011/07/29 14:56:56 | 000,000,113 | -H-- | C] () -- C:\WINDOWS\System32\api_hook_list.dat
[2011/07/29 14:54:58 | 1877,463,040 | -HS- | C] () -- C:\hiberfil.sys
[2011/07/09 20:14:53 | 001,008,041 | -H-- | C] () -- C:\Documents and Settings\Keri\Desktop\rkill.scr
[2011/07/09 20:10:23 | 001,008,041 | -H-- | C] () -- C:\Documents and Settings\Keri\Desktop\iExplore.exe
[2011/07/09 20:05:30 | 000,002,006 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\NTI Media Maker 8.lnk
[2011/07/09 20:05:30 | 000,001,863 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\eMachines Games.lnk
[2011/07/09 20:05:30 | 000,001,852 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\Logitech Webcam Software.lnk
[2011/07/09 20:05:30 | 000,001,819 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\Kodak EasyShare.lnk
[2011/07/09 20:05:30 | 000,001,806 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Office 60 Day Trial - Online.lnk
[2011/07/09 20:05:30 | 000,001,731 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 8.lnk
[2011/07/09 20:05:30 | 000,001,707 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Math 3.0.lnk
[2011/07/09 20:05:30 | 000,001,666 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\P-touch Editor 4.2.lnk
[2011/07/09 20:05:30 | 000,001,629 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\eMachines Recovery Management.lnk
[2011/07/09 20:05:30 | 000,001,623 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Home Publishing 2000.lnk
[2011/07/09 20:05:30 | 000,001,548 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\Nationwide VPN.lnk
[2011/07/09 20:05:30 | 000,001,519 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\eBay.lnk
[2011/07/09 20:05:30 | 000,001,104 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\TI Connect.lnk
[2011/07/09 20:05:30 | 000,000,962 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\Play Nancy Drew Games.lnk
[2011/07/09 20:05:30 | 000,000,916 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\Play Ransom of the Seven Ships.lnk
[2011/07/09 20:05:30 | 000,000,885 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\OpenOffice.org 3.2.lnk
[2011/07/09 20:05:30 | 000,000,884 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Works.lnk
[2011/07/09 20:05:30 | 000,000,876 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare.lnk
[2011/07/09 20:05:30 | 000,000,820 | -H-- | C] () -- C:\Documents and Settings\Keri\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
[2011/07/09 20:05:30 | 000,000,802 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2011/07/09 20:05:30 | 000,000,761 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\Picasa 3.lnk
[2011/07/09 20:05:30 | 000,000,630 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\Zune.lnk
[2011/07/09 20:05:30 | 000,000,222 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\Forgotten Password Reset.url
[2011/07/09 20:05:29 | 000,002,491 | -H-- | C] () -- C:\Documents and Settings\Keri\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Word.lnk
[2011/07/09 20:05:29 | 000,000,817 | -H-- | C] () -- C:\Documents and Settings\Keri\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/07/09 20:05:29 | 000,000,814 | -H-- | C] () -- C:\Documents and Settings\Keri\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger (2).lnk
[2011/07/09 20:05:29 | 000,000,802 | -H-- | C] () -- C:\Documents and Settings\Keri\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/07/09 20:05:29 | 000,000,104 | -H-- | C] () -- C:\Documents and Settings\Keri\Application Data\Microsoft\Internet Explorer\Quick Launch\E-mail.lnk
[2011/07/09 20:05:29 | 000,000,079 | -H-- | C] () -- C:\Documents and Settings\Keri\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2011/07/09 20:05:28 | 000,002,565 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
[2011/07/09 20:05:28 | 000,001,839 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
[2011/07/09 20:05:28 | 000,001,727 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
[2011/07/09 20:05:28 | 000,000,675 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NWepo.lnk
[2011/07/09 20:05:24 | 000,002,479 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Word.lnk
[2011/07/09 20:05:24 | 000,002,391 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office PowerPoint Viewer 2007.lnk
[2011/07/09 20:05:24 | 000,002,046 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Outlook.lnk
[2011/07/09 20:05:24 | 000,002,030 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Excel.lnk
[2011/07/09 20:05:24 | 000,001,990 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\MSN.lnk
[2011/07/09 20:05:24 | 000,001,830 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Apple Software Update.lnk
[2011/07/09 20:05:24 | 000,001,804 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 8.lnk
[2011/07/09 20:05:24 | 000,001,745 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\NetZero Internet.lnk
[2011/07/09 20:05:24 | 000,001,629 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Home Publishing 2000.lnk
[2011/07/09 20:05:24 | 000,001,079 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Live ID.lnk
[2011/07/09 20:05:24 | 000,001,079 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Default Manager.lnk
[2011/07/09 20:05:24 | 000,000,890 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Works Task Launcher.lnk
[2011/07/09 20:05:24 | 000,000,790 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Movie Maker.lnk
[2011/07/09 20:05:24 | 000,000,609 | -H-- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Messenger.lnk
[2011/07/09 16:59:28 | 000,000,040 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~16441124
[2011/07/09 16:59:17 | 000,000,811 | -H-- | C] () -- C:\Documents and Settings\Keri\Desktop\Windows XP Fix.lnk
[2011/02/09 00:00:14 | 000,400,050 | -H-- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2011/02/04 16:57:00 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Keri\Application Data\wklnhst.dat
[2010/12/23 16:21:12 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\Ransom.INI
[2010/01/31 19:21:49 | 000,000,376 | -H-- | C] () -- C:\WINDOWS\ODBC.INI
[2010/01/16 17:30:18 | 000,000,008 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2009/12/07 17:20:01 | 000,061,440 | -H-- | C] () -- C:\WINDOWS\System32\PTQL5F.DLL
[2009/12/07 17:20:01 | 000,001,235 | -H-- | C] () -- C:\WINDOWS\System32\PTQL5L.INI
[2009/08/04 08:52:58 | 000,087,552 | -H-- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2009/08/04 08:48:15 | 000,000,419 | -H-- | C] () -- C:\WINDOWS\BRWMARK.INI
[2009/08/04 08:48:15 | 000,000,027 | -H-- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2009/08/04 08:38:31 | 000,000,280 | -H-- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig
[2009/08/04 08:26:18 | 000,430,608 | -H-- | C] () -- C:\WINDOWS\Status.exe
[2009/08/03 13:48:31 | 000,028,160 | -H-- | C] () -- C:\Documents and Settings\Keri\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/01 02:50:04 | 000,000,016 | -H-- | C] () -- C:\WINDOWS\popcinfo.dat
[2009/06/24 06:37:35 | 000,009,728 | -H-- | C] () -- C:\WINDOWS\HWID_detect.exe
[2009/06/24 06:37:35 | 000,000,030 | -H-- | C] () -- C:\WINDOWS\1440X900.INI
[2009/05/08 10:13:04 | 000,013,584 | -H-- | C] () -- C:\WINDOWS\System32\drivers\iKeyLFT2.dll
[2009/04/30 22:39:36 | 000,082,289 | -H-- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2009/04/30 16:00:12 | 000,025,624 | -H-- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2009/04/07 05:32:10 | 000,022,723 | -H-- | C] () -- C:\WINDOWS\System32\cl31cl3.dll
[2008/10/29 08:55:48 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/10/29 08:55:34 | 000,000,061 | -H-- | C] () -- C:\WINDOWS\smscfg.ini
[2008/10/28 18:34:08 | 000,504,014 | -H-- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/10/28 18:34:08 | 000,088,868 | -H-- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/10/28 18:24:18 | 000,403,920 | -H-- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/10/28 18:05:12 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIOFM4.dll
[2008/10/28 18:05:12 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIBUN5.dll
[2008/10/28 18:04:30 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMPEG2.dll
[2008/10/28 18:04:30 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMP3.dll
[2008/10/28 17:51:54 | 000,004,161 | -H-- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/10/28 17:50:50 | 000,021,640 | -H-- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/08/25 01:17:58 | 000,023,634 | -H-- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2008/07/09 23:06:32 | 000,524,288 | -H-- | C] () -- C:\WINDOWS\Alaunch.exe
[2008/04/14 15:00:00 | 000,673,088 | -H-- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/14 15:00:00 | 000,272,128 | -H-- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/14 15:00:00 | 000,218,003 | -H-- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/14 15:00:00 | 000,046,258 | -H-- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/14 15:00:00 | 000,028,626 | -H-- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/14 15:00:00 | 000,004,569 | -H-- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/14 15:00:00 | 000,001,804 | -H-- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/14 15:00:00 | 000,001,793 | -H-- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2008/04/14 15:00:00 | 000,000,741 | -H-- | C] () -- C:\WINDOWS\System32\noise.dat
[2008/02/24 22:29:00 | 001,703,936 | -H-- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/02/24 22:29:00 | 001,626,112 | -H-- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2008/02/24 22:29:00 | 001,482,752 | -H-- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/02/24 22:29:00 | 001,339,392 | -H-- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2008/02/24 22:29:00 | 001,019,904 | -H-- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/02/24 22:29:00 | 000,466,944 | -H-- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/02/24 22:29:00 | 000,442,368 | -H-- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2008/02/24 22:29:00 | 000,425,984 | -H-- | C] () -- C:\WINDOWS\System32\keystone.exe
[2008/02/24 22:29:00 | 000,286,720 | -H-- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2008/01/16 16:17:56 | 000,003,948 | -H-- | C] () -- C:\WINDOWS\System32\drivers\nvphy.bin
[2006/08/01 01:02:32 | 000,049,152 | -H-- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2005/03/28 00:45:26 | 000,000,097 | -H-- | C] () -- C:\WINDOWS\ALaunch.ini
[2002/05/30 23:24:48 | 000,013,312 | -H-- | C] () -- C:\WINDOWS\APanel.exe
[2002/05/24 01:34:46 | 000,032,768 | -H-- | C] () -- C:\WINDOWS\AMove.exe
[2001/12/26 17:12:30 | 000,065,536 | -H-- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll
[2001/09/04 00:46:38 | 000,110,592 | -H-- | C] () -- C:\WINDOWS\System32\Hmpg12.dll
[2001/08/26 02:04:08 | 013,107,200 | -H-- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/26 02:02:42 | 000,004,524 | -H-- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/07/30 17:33:56 | 000,118,784 | -H-- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll
[2001/07/23 23:04:36 | 000,118,784 | -H-- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll

< End of report >


OTL Extras logfile created on: 8/4/2011 5:45:39 PM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Keri\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.75 Gb Total Physical Memory | 1.06 Gb Available Physical Memory | 60.72% Memory free
3.60 Gb Paging File | 2.95 Gb Available in Paging File | 81.97% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 69.40 Gb Total Space | 34.61 Gb Free Space | 49.87% Space Free | Partition Type: NTFS
Drive D: | 69.89 Gb Total Space | 69.81 Gb Free Space | 99.90% Space Free | Partition Type: NTFS

Computer Name: EMACHINE-7AF6B9 | User Name: Keri | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 1
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"8910:TCP" = 8910:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"8221:TCP" = 8221:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"8910:TCP" = 8910:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"8221:TCP" = 8221:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 0
"DisableNotifications" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\WINDOWS\system32\usmt\migwiz.exe" = C:\WINDOWS\system32\usmt\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard -- (Microsoft Corporation)
"C:\Program Files\Nationwide VPN\Extranet.exe" = C:\Program Files\Nationwide VPN\Extranet.exe:*:Enabled:Contivity VPN Client -- (Nortel Networks NA, Inc.)
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)
"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe" = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare -- (Eastman Kodak Company)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00030409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Small Business
"{003447F5-0058-4B77-9C1E-50488F77C4A7}" = Brother P-touch Editor 4.2
"{007B37D9-0C45-4202-834B-DD5FAAE99D63}" = ArcSoft Print Creations - Slimline Card
"{07043840-8EBE-4287-85D8-8EC76D88B906}" = Microsoft Math 3.0
"{07EEE598-5F21-4B57-B40B-46592625B3D9}" = Zune Language Pack (PTB)
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{0CD3BB5C-BBCA-11D2-8C20-00C04FBBCFF9}" = Microsoft Home Publishing 2000
"{1088F929-91D9-4FD5-8AE8-E9593CD47CD7}" = Nancy Drew: Ransom of the Seven Ships
"{12EFA1A4-AC3B-443C-8143-237EDE760403}" = NTI Backup Now Standard
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2413930C-8309-47A6-BC61-5EF27A4222BC}" = NTI Media Maker 8
"{2656D0AB-9EA4-4C58-A117-635F3CED8B93}" = Microsoft UI Engine
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java™ 6 Update 22
"{26A24AE4-039D-4CA4-87B4-2F83216020F0}" = Java™ 6 Update 20
"{2C4E2E4E-A7C9-4CCB-BF03-FE6EBD5D4AB7}" = Windows Mobile Device Updater Component
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35C03C04-3F1F-42C2-A989-A757EE691F65}" = McAfee VirusScan Enterprise
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
"{42938595-0D83-404D-9F73-F8177FDD531A}" = ESScore
"{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5316DFC9-CE99-4458-9AB3-E8726EDE0210}" = skin0001
"{56589DFE-0C29-4DFE-8E42-887B771ECD23}" = ArcSoft Print Creations - Photo Book
"{59B88BC0-460B-457B-842D-F75A31C4DD5A}" = Citrix XenApp Plugin for Hosted Apps
"{5A13987D-55F4-4271-A40E-76AC9B1B38FD}" = OpenOffice.org 3.2
"{5C93E291-A1CC-4E51-85C6-E194209FCDB4}" = Zune Language Pack (PTG)
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{61BEA823-ECAF-49F1-8378-A59B3B8AD247}" = Microsoft Default Manager
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{6740BCB0-5863-47F4-80F4-44F394DE4FE2}" = Zune Language Pack (NLD)
"{67E03279-F703-408F-B4BF-46B5FC8D70CD}" = Microsoft Works
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = CyberLink PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6B33492E-FBBC-4EC3-8738-09E16E395A10}" = Zune Language Pack (ESP)
"{7006ED29-58F2-40C3-AE87-039287AD20B6}" = Zune
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77F8A71E-3515-4832-B8B2-2F1EDBD2E0F1}" = Bing Bar
"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{935B40F5-6994-4868-9155-F9FB77A5048F}" = Microsoft Expression Encoder 4
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{952DCCD8-4039-46C8-BC8B-5C1EB6C8E130}" = Microsoft Expression Encoder 4 Screen Capture Codec
"{9591C049-5CAE-4E89-A8D9-191F1899628B}" = ArcSoft Print Creations - Funhouse
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A8B94669-8654-4126-BD28-D0D2412CDED6}" = TI Connect 1.6
"{A93762E6-8EA6-4E7F-9557-64E51AA3AB84}" = CASIO USB Driver V1.0.8003.1229
"{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.0
"{AC96671C-2001-432C-9826-5266D84EF1DC}" = Logitech Webcam Software
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B0D83FCD-9D42-43ED-8315-250326AADA02}" = ArcSoft Print Creations - Scrapbook
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
"{B332732A-4958-41DD-B439-DDA2D32753C5}" = McAfee Host Intrusion Prevention
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{BE236D9A-52EC-4A17-82DA-84B5EAD31E3E}" = Zune Language Pack (DEU)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C5D37FFA-7483-410B-982B-91E93FD3B7DA}" = Zune Language Pack (ITA)
"{C68D33B1-0204-4EBE-BC45-A6E432B1D13A}" = Zune Language Pack (FRA)
"{CA9ED5E4-1548-485B-A293-417840060158}" = ArcSoft Print Creations - Photo Calendar
"{CAE8A0F1-B498-4C23-95FA-55047E730C8F}" = ArcSoft Print Creations
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE386A4E-D0DA-4208-8235-BCE43275C694}" = LightScribe 1.4.142.1
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{E6B4117F-AC59-4B13-9274-EB136E8897EE}" = ArcSoft Print Creations - Album Page
"{EF964A78-078C-11D1-B7A7-0000C0134CE6}" = Nationwide VPN
"{F04F9557-81A9-4293-BC49-2C216FA325A7}" = ArcSoft Print Creations - Greeting Card
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Advanced SystemCare 3_is1" = Advanced SystemCare 3
"Agere Systems Soft Modem" = Agere Systems PCI-SV92EX Soft Modem
"Any Video Converter_is1" = Any Video Converter 3.0.1
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"CutePDF Writer Installation" = CutePDF Writer 2.7
"Encoder_4.0.1651.0" = Microsoft Expression Encoder 4
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{003447F5-0058-4B77-9C1E-50488F77C4A7}" = Brother P-touch Editor 4.2
"InstallShield_{12EFA1A4-AC3B-443C-8143-237EDE760403}" = NTI Backup Now 5
"InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"InstallShield_{2413930C-8309-47A6-BC61-5EF27A4222BC}" = NTI Media Maker 8
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Anti-Spyware Enterprise Module" = McAfee AntiSpyware Enterprise Module
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Picasa 3" = Picasa 3
"Search Toolbar" = Search Toolbar
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"WildTangent emachines Master Uninstall" = eMachines Games
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"winusb0100" = Microsoft WinUsb 1.0
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01009" = Microsoft User-Mode Driver Framework Feature Pack 1.9
"Xilisoft Video Converter Ultimate" = Xilisoft Video Converter Ultimate
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update
"Zune" = Zune

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3593939918-463097049-743219799-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Facebook Plug-In" = Facebook Plug-In
"Smilebox" = Smilebox

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xB8C9B000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 6868992 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 164.01 )
0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 5787648 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 164.01 )
0xB5FC7000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4968448 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2154496 bytes
0x804D7000 RAW 2154496 bytes
0x804D7000 WMIxWDM 2154496 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB9328000 C:\WINDOWS\system32\DRIVERS\AGRSM.sys 1204224 bytes (Agere Systems, SoftModem Device Driver)
0xB9471000 C:\WINDOWS\system32\DRIVERS\NVNRM.SYS 950272 bytes (NVIDIA Corporation, NVIDIA Network Resource Manager.)
0xB9E24000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB8AD4000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0xB5D68000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB8BE5000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB5EBD000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB4E85000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xB9D8B000 mfehidk.sys 335872 bytes (McAfee, Inc., McAfee Link Driver)
0xB5C76000 C:\WINDOWS\system32\DRIVERS\RTL8187.sys 335872 bytes (Realtek Semiconductor Corporation , Realtek RTL8187 NDIS Driver)
0xBF597000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB39B6000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB5288000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9DF7000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB3560000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xB5DD8000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB9559000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xB5E25000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB5E75000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB38CA000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xB5FA3000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB9581000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB944E000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB4848000 C:\WINDOWS\System32\Drivers\RDPWD.SYS 143360 bytes (Microsoft Corporation, RDP Terminal Stack Driver (US/Canada Only, Not for Export))
0xB5E03000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xB5E9B000 C:\WINDOWS\system32\Drivers\FireTDI.sys 139264 bytes (McAfee, Inc., McAfee HIP Application Firewall Driver)
0x806E5000 ACPI_HAL 134400 bytes
0x806E5000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9EB1000 FirePM.sys 131072 bytes (McAfee, Inc., McAfee HIP Policy Manager)
0xB9F11000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB8C43000 C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys 114688 bytes (Nortel Networks, Contivity VPN Client Adapter)
0xB3720000 C:\WINDOWS\system32\drivers\HIPK.sys 106496 bytes (McAfee, Inc., HIPS Content Driver)
0xB9DDD000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB358B000 C:\DOCUME~1\Keri\LOCALS~1\Temp\pwacqaog.sys 102400 bytes
0xB9F31000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB9EE8000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB8C70000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB9ED1000 WudfPf.sys 94208 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xB5093000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB8C87000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB5F16000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB9EFF000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB370F000 C:\Acer\Empowering Technology\eRecovery\int15.sys 69632 bytes
0xB453F000 C:\WINDOWS\system32\drivers\mfeapfk.sys 69632 bytes (McAfee, Inc., Access Protection Filter Driver)
0xB452E000 C:\WINDOWS\system32\drivers\mfeavfk.sys 69632 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB8C5F000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB8B55000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA2D8000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA1B8000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA2E8000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xBA288000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA188000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA1D8000 C:\WINDOWS\system32\drivers\mfetdik.sys 57344 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
0xBA1A8000 C:\WINDOWS\system32\DRIVERS\NVENETFD.sys 57344 bytes (NVIDIA Corporation, NVIDIA Networking Function Driver.)
0xBA158000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
0xBA0E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA2A8000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xBA308000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA118000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA1F8000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA2C8000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA318000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA148000 C:\WINDOWS\system32\DRIVERS\zumbus.sys 45056 bytes (Microsoft Corporation, Zune User-Mode Bus Enumerator)
0xBA2F8000 C:\WINDOWS\system32\DRIVERS\firehk.sys 40960 bytes (McAfee, Inc., McAfee HIP Firewall NDIS Driver)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA168000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA2B8000 C:\WINDOWS\system32\DRIVERS\nvnetbus.sys 40960 bytes (NVIDIA Corporation, NVIDIA Networking Bus Driver.)
0xBA138000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xB36CF000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA128000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA1E8000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xBA298000 C:\WINDOWS\system32\DRIVERS\processr.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBA208000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA4A8000 C:\WINDOWS\system32\drivers\HIPPSK.sys 32768 bytes (McAfee, Inc., Process Start Monitor Driver)
0xBA420000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xBA478000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA418000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA460000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA380000 C:\WINDOWS\system32\drivers\HIPQK.sys 28672 bytes (McAfee, Inc., HipsCore Query interface)
0xBA3D8000 C:\DOCUME~1\Keri\LOCALS~1\Temp\mbr.sys 28672 bytes
0xBA390000 C:\WINDOWS\system32\drivers\mfebopk.sys 28672 bytes (McAfee, Inc., Buffer Overflow Protection Driver)
0xBA480000 C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys 28672 bytes (McAfee, Inc., VSCore Code Analysis Driver)
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA488000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xBA3B8000 C:\WINDOWS\system32\drivers\firelm01.sys 24576 bytes (McAfee, Inc., McAfee HIP Firewall Content Driver)
0xBA408000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA400000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA3B0000 C:\WINDOWS\System32\Drivers\TDTCP.SYS 24576 bytes (Microsoft Corporation, TCP Transport Driver)
0xBA468000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBA490000 C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys 20480 bytes (-, -)
0xBA470000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA430000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA438000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xBA428000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA410000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xBA3C0000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB9D63000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB55C1000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB64D1000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB9D67000 C:\WINDOWS\system32\DRIVERS\eacfilt.sys 12288 bytes (Nortel Networks, NDIS Filter Intermediate Driver)
0xBA590000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA554000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBA57C000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xBA5D8000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5D6000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA5DA000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA5C8000 C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys 8192 bytes (NewTech Infosystems, Inc., NTI CD-ROM Filter Driver)
0xBA5DC000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5D0000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5AC000 UBHelper.sys 8192 bytes (NewTech Infosystems Corporation, NTI CDROM Filter Driver)
0xBA5CA000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA7D1000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA720000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA79B000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================

Wow...sure looks like a lot of junk!
Thanks again!

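Two parts of the OTL/RkU logs above are worth a second look before any fixing starts: the Windows Firewall exception list (several "Services" entries on unregistered high ports, open to any source) and the loaded-driver listing (a kernel driver running from the user's Temp directory, and a few drivers with no vendor or description). The Python below is an added example, not part of the thread or of either tool: it parses excerpts copied from the posted logs and flags those two classes of entry. The "user-writable path" pattern, the thresholds and the severities are my own heuristics. One caveat a practitioner would want: anti-rootkit tools load their own, sometimes randomly named, drivers from Temp while they run (the RkU driver is labelled as such in the listing itself), so a Temp hit is a "verify the file" item, not a verdict.

```python
"""Offline triage of an OTL firewall-exception dump and an RkU driver listing.

Sample input is excerpted from the logs posted in this thread; the flagging
rules and the USER_WRITABLE pattern are the author's own heuristics.
"""
import re

FIREWALL_LOG = r"""
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"8221:TCP" = 8221:TCP:*:Enabled:Services
"""

DRIVER_LOG = r"""
0xB8AD4000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0xB358B000 C:\DOCUME~1\Keri\LOCALS~1\Temp\pwacqaog.sys 102400 bytes
0xBA3D8000 C:\DOCUME~1\Keri\LOCALS~1\Temp\mbr.sys 28672 bytes
0xB36CF000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xBA490000 C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys 20480 bytes (-, -)
0xB370F000 C:\Acer\Empowering Technology\eRecovery\int15.sys 69632 bytes
"""

# "<port>:<proto>" = <port>:<proto>:<scope>:<state>:<description>
FIREWALL_RE = re.compile(
    r'^"[^"]+"\s*=\s*(?P<port>\d+):(?P<proto>TCP|UDP):'
    r'(?P<scope>[^:]+):(?P<state>[^:]+):(?P<desc>.*)$'
)
# <base address> <path> <size> bytes (<vendor, description>)   -- the parenthesised part is optional
DRIVER_RE = re.compile(
    r'^0x[0-9A-Fa-f]+\s+(?P<path>.+?)\s+(?P<size>\d+) bytes(?:\s+\((?P<info>.*)\))?\s*$'
)
# Directories an unprivileged XP user can write to (8.3 and long forms). Heuristic.
USER_WRITABLE = re.compile(r'\\(DOCUME~1|Documents and Settings|Temp)\\', re.I)


def review_firewall_exceptions(text):
    """Return enabled exceptions that admit traffic from any source ('*' scope)."""
    findings = []
    for line in text.splitlines():
        m = FIREWALL_RE.match(line.strip())
        if not m or m["state"] != "Enabled" or m["scope"] != "*":
            continue                      # disabled, or limited to LocalSubNet / an address list
        port, desc = int(m["port"]), m["desc"]
        if desc.startswith("@"):
            continue                      # resource-string names are the stock XP SP2 exceptions
        if desc == "Services" and port >= 1024:
            reason = "generic 'Services' label on an unregistered high port"
        else:
            reason = "open to any source; confirm which program needs it"
        findings.append({"port": port, "proto": m["proto"], "desc": desc, "reason": reason})
    return findings


def review_drivers(text):
    """Flag loaded kernel drivers by load path and by missing vendor/description."""
    findings = []
    for line in text.splitlines():
        m = DRIVER_RE.match(line.strip())
        if not m:
            continue
        path, info = m["path"], m["info"]
        name = path.rsplit("\\", 1)[-1]
        if info == "RKU Driver":
            continue                      # the scanner that produced this listing
        if USER_WRITABLE.search(path):
            findings.append({"driver": name, "path": path, "severity": "high",
                             "reason": "kernel driver loaded from a user-writable directory"})
        elif not info or not info.strip("-, "):
            findings.append({"driver": name, "path": path, "severity": "low",
                             "reason": "no vendor/description in the image; check signature and hash"})
    return findings


if __name__ == "__main__":
    for f in review_firewall_exceptions(FIREWALL_LOG):
        print(f"firewall  {f['port']}/{f['proto']:<4} {f['desc']!r}: {f['reason']}")
    for f in review_drivers(DRIVER_LOG):
        print(f"driver    [{f['severity']}] {f['path']}: {f['reason']}")
```

Run against the full OTL and RkU output rather than the excerpt; the regexes are written for those tools' exact line formats, so a line that does not match is silently skipped rather than misread.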
#4 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 05 August 2011 - 02:10 PM

Hi-

Thank you for all the logs - interesting reading.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • If the AV Scan window appears, select (none).
  • Click Scan (if asked to update the Avast anti-virus definitions, click on No).
  • When you get the "Scan finished successfully" message, click the save log button, save it to your desktop (MBR.txt) and post it in your next reply.
  • It will also copy the MBR (Master Boot Record) into a file on your desktop as MBR.dat.

In your reply, please copy in the MBR.txt file.
Shannon

#5 KeriT

  • Topic Starter
  • Members
  • 64 posts

Posted 05 August 2011 - 04:32 PM

I hope 'interesting' doesn't mean 'terrible' :)...here is the log you requested:

aswMBR version 0.9.8.978 Copyright© 2011 AVAST Software
Run date: 2011-08-05 14:27:45
-----------------------------
14:27:45.052 OS Version: Windows 5.1.2600 Service Pack 3
14:27:45.052 Number of processors: 1 586 0x7F02
14:27:45.052 ComputerName: EMACHINE-7AF6B9 UserName: Keri
14:27:45.927 Initialize success
14:28:20.723 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-7
14:28:20.723 Disk 0 Vendor: Hitachi_HDP725016GLA380 GMBOA52A Size: 152627MB BusType: 3
14:28:22.817 Disk 0 MBR read successfully
14:28:22.817 Disk 0 MBR scan
14:28:22.817 Disk 0 unknown MBR code
14:28:22.864 Disk 0 scanning sectors +312576705
14:28:22.973 Disk 0 malicious Win32:MBRoot code @ sector 312576708 !
14:28:23.020 Disk 0 PE file @ sector 312576730 !
14:28:23.239 Disk 0 scanning C:\WINDOWS\system32\drivers
14:29:13.255 Service scanning
14:29:14.536 Modules scanning
14:30:29.786 Disk 0 trace - called modules:
14:30:29.848 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
14:30:29.895 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a2b7ab8]
14:30:29.895 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000007b[0x8a3ccca8]
14:30:29.942 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-7[0x8a3b6940]
14:30:29.942 Scan finished successfully
14:31:12.645 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Keri\Desktop\MBR.dat"
14:31:12.708 The log file has been saved successfully to "C:\Documents and Settings\Keri\Desktop\aswMBR.txt"

#6 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 05 August 2011 - 05:27 PM

Hi-

The 'interesting' was more in response to your 'Wow...sure looks like a lot of junk!'.

Re-Run aswMBR

  • In the AV Scan window, select (none).
  • Click Scan (if asked to update the Avast anti-virus definitions, click on No.)
  • When you get the "Scan finished successfully" message, click the FIX or the FixMBR button, whichever is lit.
  • There is a slight pause after clicking either the 'Fix' or 'FixMBR' button.
  • Wait for the tool to report 'Infection fixed successfully', now reboot the machine.
  • Rebooting the machine prematurely, before seeing above message will result in an incomplete fix.

    Note: After the 'Infection fixed successfully' message appears, the machine may become unresponsive. You may have to do a hard boot of your machine. That may be a side effect from the fix. All will be well after the reboot.
  • Save the log as before and post in your next reply.

Shannon

#7 KeriT

  • Topic Starter
  • Members
  • 64 posts

Posted 05 August 2011 - 06:23 PM

:) Thanks...quick question, when I reboot the machine, will I need to also re-run the utility that shuts down all processes, and also re-do the procedure to show the hidden files before I do anything else? Since this whole thing started, I've left the machine running because if I restart or reboot, the malware just starts running the fake scan all over again and my desktop icons all disappear again...or is it that the fix you want me to run will stop it from there? Thanks!

#8 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 05 August 2011 - 07:20 PM

I don't know for sure - every infection can be different, but I think you will be ok. We are not finished though. There is more to do after this step.
Shannon

#9 KeriT

  • Topic Starter
  • Members
  • 64 posts

Posted 05 August 2011 - 07:23 PM

OK, thanks...thought I'd ask...here we go :)

#10 KeriT

  • Topic Starter
  • Members
  • 64 posts

Posted 05 August 2011 - 07:45 PM

OK, Shannon...after reboot, the malware started running again, just like before, so I ran RKill, and followed your instructions for unhiding everything (I hope that was all I needed to do?). Here is the log:

aswMBR version 0.9.8.978 Copyright© 2011 AVAST Software
Run date: 2011-08-05 17:27:02
-----------------------------
17:27:02.411 OS Version: Windows 5.1.2600 Service Pack 3
17:27:02.411 Number of processors: 1 586 0x7F02
17:27:02.411 ComputerName: EMACHINE-7AF6B9 UserName: Keri
17:27:02.583 Initialize success
17:27:23.598 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-7
17:27:23.598 Disk 0 Vendor: Hitachi_HDP725016GLA380 GMBOA52A Size: 152627MB BusType: 3
17:27:25.661 Disk 0 MBR read successfully
17:27:25.661 Disk 0 MBR scan
17:27:25.661 Disk 0 unknown MBR code
17:27:25.708 Disk 0 scanning sectors +312576705
17:27:25.802 Disk 0 malicious Win32:MBRoot code @ sector 312576708 !
17:27:25.817 Disk 0 PE file @ sector 312576730 !
17:27:25.973 Disk 0 scanning C:\WINDOWS\system32\drivers
17:28:10.302 Service scanning
17:28:11.567 Modules scanning
17:29:28.255 Disk 0 trace - called modules:
17:29:28.317 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
17:29:28.317 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a2b7ab8]
17:29:28.333 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000007b[0x8a3ccca8]
17:29:28.333 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-7[0x8a3b6940]
17:29:28.348 Scan finished successfully
17:29:37.989 Disk 0 MBR read successfully
17:29:38.036 Disk 0 scanning sectors +312576705
17:29:38.145 Disk 0 malicious Win32:MBRoot code @ sector 312576708 !
17:29:38.192 Disk 0 PE file @ sector 312576730 !
17:29:38.255 Disk 0 sector 312576708 cleaned
17:29:38.270 Disk 0 sector 312576730 cleaned
17:29:38.270 Verifying disinfection
17:29:50.411 Infection fixed successfully - please reboot ASAP
17:29:57.411 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Keri\Desktop\MBR.dat"
17:29:57.427 The log file has been saved successfully to "C:\Documents and Settings\Keri\Desktop\aswMBR2.txt"

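The two aswMBR logs above (posts #5 and #10) give raw sector numbers, and two checks turn those numbers into something a practitioner can act on: where on the disk the flagged sectors sit (MBR bootkits of this type typically park their code in the last few megabytes of the drive, past the partitions), and whether the fix log actually accounts for every sector the scan flagged before "Infection fixed successfully" is taken at face value. The Python below is an added example, not part of the thread or of aswMBR: it parses excerpts copied from both posted logs, derives the disk's sector count from the Size figure, and compares findings against the cleaned list. It assumes 512-byte logical sectors and that aswMBR's "MB" is MiB (both labelled in the code); the 64 MiB "end of disk" window is my own threshold.

```python
"""Sanity-check aswMBR scan and fix logs: locate findings on the disk and verify the fix.

Log excerpts are copied from the two logs posted in this thread. SECTOR_BYTES,
the MiB interpretation of aswMBR's size figure and END_REGION_SECTORS are
the author's assumptions, not values reported by the tool.
"""
import re

SCAN_LOG = r"""
14:28:20.723 Disk 0 Vendor: Hitachi_HDP725016GLA380 GMBOA52A Size: 152627MB BusType: 3
14:28:22.817 Disk 0 MBR read successfully
14:28:22.817 Disk 0 unknown MBR code
14:28:22.864 Disk 0 scanning sectors +312576705
14:28:22.973 Disk 0 malicious Win32:MBRoot code @ sector 312576708 !
14:28:23.020 Disk 0 PE file @ sector 312576730 !
14:30:29.942 Scan finished successfully
"""

FIX_LOG = r"""
17:27:23.598 Disk 0 Vendor: Hitachi_HDP725016GLA380 GMBOA52A Size: 152627MB BusType: 3
17:27:25.661 Disk 0 unknown MBR code
17:27:25.802 Disk 0 malicious Win32:MBRoot code @ sector 312576708 !
17:27:25.817 Disk 0 PE file @ sector 312576730 !
17:29:28.348 Scan finished successfully
17:29:38.145 Disk 0 malicious Win32:MBRoot code @ sector 312576708 !
17:29:38.192 Disk 0 PE file @ sector 312576730 !
17:29:38.255 Disk 0 sector 312576708 cleaned
17:29:38.270 Disk 0 sector 312576730 cleaned
17:29:38.270 Verifying disinfection
17:29:50.411 Infection fixed successfully - please reboot ASAP
"""

SECTOR_BYTES = 512                 # assumption: 512-byte logical sectors
END_REGION_SECTORS = 64 * 2048     # assumption: treat the last 64 MiB as the "end of disk" area

SIZE_RE = re.compile(r"Disk \d+ Vendor: .* Size: (\d+)MB")
FINDING_RE = re.compile(r"Disk \d+ (malicious [^@]+|PE file) @ sector (\d+) !")
CLEANED_RE = re.compile(r"Disk \d+ sector (\d+) cleaned")


def parse_aswmbr(text):
    """Reduce an aswMBR log to disk size, MBR status, flagged sectors and cleanup results."""
    report = {"size_mb": None, "total_sectors": None, "unknown_mbr": False,
              "findings": [], "cleaned": [], "fixed": False}
    for line in text.splitlines():
        if m := SIZE_RE.search(line):
            report["size_mb"] = int(m.group(1))
            # aswMBR's "MB" taken as MiB (assumption); 1 MiB = 2048 sectors of 512 bytes
            report["total_sectors"] = report["size_mb"] * 1024 * 1024 // SECTOR_BYTES
        elif "unknown MBR code" in line:
            report["unknown_mbr"] = True
        elif m := FINDING_RE.search(line):
            entry = (m.group(1).strip(), int(m.group(2)))
            if entry not in report["findings"]:      # the fix log repeats the scan findings
                report["findings"].append(entry)
        elif m := CLEANED_RE.search(line):
            report["cleaned"].append(int(m.group(1)))
        elif "Infection fixed successfully" in line:
            report["fixed"] = True
    return report


def sectors_from_end(report, sector):
    return report["total_sectors"] - sector


def in_end_of_disk_region(report, sector):
    """True if the sector lies within the last END_REGION_SECTORS of the disk."""
    return 0 < sectors_from_end(report, sector) <= END_REGION_SECTORS


def remediation_complete(report):
    """True only if the tool confirmed the fix AND every flagged sector was reported cleaned."""
    flagged = {s for _, s in report["findings"]}
    return bool(report["fixed"] and flagged and flagged <= set(report["cleaned"]))


if __name__ == "__main__":
    for label, log in (("scan", SCAN_LOG), ("fix", FIX_LOG)):
        r = parse_aswmbr(log)
        print(f"[{label}] {r['size_mb']} MB = {r['total_sectors']} sectors; unknown MBR code: {r['unknown_mbr']}")
        for kind, sector in r["findings"]:
            where = "end-of-disk area" if in_end_of_disk_region(r, sector) else "elsewhere"
            print(f"  {kind} @ {sector}: {sectors_from_end(r, sector)} sectors before end ({where})")
        print(f"  remediation complete: {remediation_complete(r)}")
```

For the posted logs this puts both flagged sectors about 3,400 sectors (roughly 1.7 MiB) before the end of the drive, and reports the first log as not remediated and the second as remediated, which is the comparison worth making before moving on to the next tool.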
#11 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 05 August 2011 - 08:11 PM

Hi-

Looks good!


Download Combofix from either of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: how-to-use-combofix

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable your Anti-virus


Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please copy the "C:\ComboFix.txt" into your reply.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

Shannon

#12 KeriT

  • Topic Starter
  • Members
  • 64 posts

Posted 05 August 2011 - 10:00 PM

Shannon,
Since I am unable to disable my antivirus program (it is administered by my employer and I don't have permissions), do I run combofix in safe mode?
Thanks!

#13 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 06 August 2011 - 05:03 AM

Hi-

I thought this was your daughter's computer. I didn't know that this was a company computer. I don't normally work on company computers.

For now, ignore the warning to disable and run ComboFix in normal mode.
Shannon

#14 KeriT

  • Topic Starter
  • Members
  • 64 posts

Posted 06 August 2011 - 09:33 AM

Hi Shannon,

Well, it is my daughter's computer. It is not and was never owned by my company, but it used to be the one I used for work. Since we have no other anti-virus program, I left McAfee on the system when I gave it to my daughter for whatever protection it offers (which I think probably isn't much), but regardless that it isn't really a company computer per se, I still don't have access to disable the program. I could remove it completely, I suppose. Do you think it would make more sense to remove the program, then run combofix, or to just run combofix as it is now? I know you said it was OK to run it as is, but if you think it would be better to run it after removing McAfee, just let me know and I'm happy to do that. I can always download the program again afterward from my work website.

#15 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 06 August 2011 - 09:14 PM

It would be better if you would delete it. Rather than reinstall McAfee, you might want to look at one of the free ones which are just as good - AVG or Avast. I can give you their links.
Shannon
