System Check virus


This topic is locked
34 replies to this topic

#1 faedra (Members, 18 posts)

Posted 02 January 2012 - 09:05 PM

Seems my computer has picked up the System Check virus. I cannot update my virus check programs databases, so I gather I have the rootkit as well and therefore need one-on-one help to remove. I have followed the Preparation Guide before seeking help and get as far as running dds.scr. It runs but then hangs before creating any log files (about 54 "#" symbols appear at the bottom of the black box as this runs). There is the phrase "disable any script blockers ..." in the instructions for running this program, but after such detailed instructions up to this point it is surprising that there is no explanation of what these are, nor where I can find if I have any of these running, nor how to disable them if I do. Could this be why dds is not completing the log files? If so, how do I correct this issue?
Thanks for your help.

#2 RPMcMurphy, "Bleeping *^#@%~" (Malware Response Team, 3,970 posts)

Posted 07 January 2012 - 08:34 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Any underlined text in my posts indicates a clickable link.
  • If you have any questions at all, please stop and ask before proceeding.
Please download DDS by sUBs from one of the following links and save it to your desktop.

DDS.scr
DDS.com
DDS.pif
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.




  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


If you have trouble running GMER:
  • Make sure that your security software is disabled
  • Uncheck the box next to "Files" this time also
  • If you still can't run it, try in the Safe Mode
Please include the following in your next post:
  • DDS.txt and Attach.txt logs
  • GMER log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 RPMcMurphy (Malware Response Team)

Posted 12 January 2012 - 09:02 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



#4 RPMcMurphy (Malware Response Team)

Posted 15 January 2012 - 11:27 AM

This topic has been re-opened at the request of the person who originally posted.



#5 faedra (Topic Starter)

Posted 16 January 2012 - 02:33 PM

Thanks for re-opening.

Still no luck with dds. Runs for about 1 min then hangs the computer (clock in systray stops updating). Have left it for over 5 min before finally holding the on/off button to restart (Ctrl-Alt-Del and any other keyboard entry does nothing). Downloaded both .pif and .scr but neither work. I have ESET NOD32 and disabled real-time file system protection (and HIPS?). Also disabled the screensaver.

Before running the above, I had reformatted and reinstalled windows XP. Windows malware detection tool noted a Trojan partially removed.

GMER ran ok, log below.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-16 14:17:47
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9160310AS rev.0303
Running: su13onrz.exe; Driver: C:\DOCUME~1\Frank\LOCALS~1\Temp\pwryapod.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1712] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

---- EOF - GMER 1.0.15 ----

#6 faedra (Topic Starter)

Posted 16 January 2012 - 10:03 PM

Thought I should also mention that the Windows name for the Trojan it found is Trojan:DOS/Alureon.E

#7 RPMcMurphy (Malware Response Team)

Posted 16 January 2012 - 10:37 PM

OK, run these instead:

Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and paste them into your next post.
Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A small window should open on your desktop
  • If an unknown bootcode is found you will have further options available to you; at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.
Please include the following in your next post:
  • OTL.txt and Extras.txt logs
  • MBRCheck log


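The MBRCheck step requested above compares the disk's master boot record against known-good Windows bootcode; Trojan:DOS/Alureon.E, the name reported in post #6, is Microsoft's detection for an infected master boot record, which is why the helper goes straight to an MBR check after the GMER log came back clean. The following is an added example, not MBRCheck itself and not code from this thread, that shows the underlying check in Python on a constructed 512-byte MBR image: it validates the 0x55AA boot signature, decodes the partition table, hashes the 440-byte bootstrap area and compares the hash against a known-good set. KNOWN_GOOD here is derived from the constructed clean image and is an assumption; a real tool would populate it with hashes of the stock Windows loaders and would read sector 0 of the physical disk rather than a byte string.

```python
"""Parse a 512-byte MBR and compare its bootcode against a known-good set.

Added example, not the MBRCheck tool from the thread.  It shows the check
MBRCheck performs: hash the bootstrap code and flag anything not on the
known-good list.  All images here are constructed test data.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 440        # bytes 0..439: bootstrap code (what gets hashed)
DISK_SIG_OFFSET = 440     # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFFSET = 446   # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"    # bytes 510..511
ENTRY_FMT = "<BBBBBBBBII"  # status, CHS start(3), type, CHS end(3), LBA start, sector count


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR image into bootcode hash, disk signature, partitions and signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        fields = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        status, ptype, lba_start, sectors = fields[0], fields[4], fields[8], fields[9]
        if ptype == 0:  # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "bootcode_sha256": hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFFSET)[0],
        "partitions": partitions,
        "valid_signature": mbr[510:512] == BOOT_SIG,
    }


def assess_mbr(mbr: bytes, known_good: set) -> list:
    """Return a list of findings; an empty list means the MBR looks stock."""
    info = parse_mbr(mbr)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootcode_sha256"] not in known_good:
        # MBR infectors such as Alureon/TDL4 replace this code so their loader runs before Windows
        findings.append("bootcode hash not in known-good set: " + info["bootcode_sha256"])
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    return findings


def build_mbr(bootcode: bytes, partitions, disk_sig: int = 0x12345678) -> bytes:
    """Assemble a test MBR (constructed data): bootcode, disk signature, table, 0x55AA."""
    code = bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN]
    table = b"".join(struct.pack(ENTRY_FMT, status, 0, 0, 0, ptype, 0, 0, 0, lba, count)
                     for status, ptype, lba, count in partitions).ljust(64, b"\x00")
    return code + struct.pack("<IH", disk_sig, 0) + table + BOOT_SIG


# Constructed stand-ins: neither is real Windows bootcode nor real rootkit code.
CLEAN_BOOTCODE = b"\xfa\x33\xc0" + b"clean-loader-stand-in"
ROGUE_BOOTCODE = b"\xeb\x58\x90" + b"rogue-loader-stand-in"
ONE_NTFS_PARTITION = [(0x80, 0x07, 63, 204_796_620)]  # one active NTFS volume, XP-style layout

# Assumption: a real list holds hashes of the stock Windows MBR loaders; here it is
# derived from the constructed clean image so the example runs offline.
KNOWN_GOOD = {hashlib.sha256(CLEAN_BOOTCODE.ljust(BOOTCODE_LEN, b"\x00")).hexdigest()}

CLEAN_MBR = build_mbr(CLEAN_BOOTCODE, ONE_NTFS_PARTITION)
ROGUE_MBR = build_mbr(ROGUE_BOOTCODE, ONE_NTFS_PARTITION)

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("rogue", ROGUE_MBR)):
        print(name, assess_mbr(image, KNOWN_GOOD) or ["no findings"])
```

Hashing only the first 440 bytes is what makes a fixed known-good list workable: the loader code is identical across installs of the same Windows version, while the disk signature and partition table that follow it differ on every machine and so are excluded from the hash. A hash miss is a cue to inspect the sector, not proof of infection; OEM recovery loaders and third-party boot managers also miss.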

#8 faedra (Topic Starter)

Posted 16 January 2012 - 11:15 PM

Logs requested:

OTL:

OTL logfile created on: 1/16/2012 10:54:17 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Frank\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.20 Mb Total Physical Memory | 411.11 Mb Available Physical Memory | 40.54% Memory free
2.38 Gb Paging File | 1.93 Gb Available in Paging File | 81.03% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 97.66 Gb Total Space | 85.90 Gb Free Space | 87.96% Space Free | Partition Type: NTFS

Computer Name: FRANK-MOBILE | User Name: Frank | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/16 22:47:37 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Frank\Desktop\OTL.exe
PRC - [2012/01/10 10:48:28 | 008,498,600 | ---- | M] (Innovative Solutions) -- C:\Program Files\Innovative Solutions\DriverMax\drivermax.exe
PRC - [2011/09/22 12:03:30 | 000,974,944 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PRC - [2011/09/22 12:03:02 | 003,080,264 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
PRC - [2009/04/30 22:13:34 | 000,092,696 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\PersistenceThread.exe
PRC - [2009/02/19 20:52:20 | 000,817,672 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\LManager.exe
PRC - [2009/02/11 17:46:28 | 000,565,248 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer VCM\AcerVCM.exe
PRC - [2009/02/05 10:14:56 | 000,237,568 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer VCM\RS_Service.exe
PRC - [2008/10/17 10:44:58 | 000,091,432 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2012/01/10 10:48:42 | 000,008,624 | ---- | M] () -- C:\Program Files\Innovative Solutions\DriverMax\sync.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/09/22 12:03:30 | 000,974,944 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2009/02/05 10:14:56 | 000,237,568 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files\Acer\Acer VCM\RS_Service.exe -- (RS_Service)


========== Driver Services (SafeList) ==========

DRV - [2011/08/09 14:24:52 | 000,154,136 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
DRV - [2011/08/04 09:20:38 | 000,103,112 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdir.sys -- (epfwtdir)
DRV - [2011/08/04 09:20:36 | 000,118,104 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2009/04/15 22:10:06 | 000,132,480 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2009/03/24 06:35:00 | 005,056,000 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/12/30 06:02:32 | 001,346,464 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
DRV - [2008/08/05 07:10:12 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2006/01/04 02:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0112&m=ao751h
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0112&m=ao751h

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0112&m=ao751h
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0112&m=ao751h
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2012/01/12 12:03:51 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2008/04/14 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O4 - HKLM..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\Drivers\AzMixerSel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [PDVD8LanguageShortcut] C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe ()
O4 - HKLM..\Run: [PersistenceThread] C:\WINDOWS\system32\PersistenceThread.exe (Intel Corporation)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PLFSetI] C:\WINDOWS\PLFSetI.exe File not found
O4 - HKLM..\Run: [RemoteControl8] C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe (CyberLink Corp.)
O4 - HKCU..\Run: [DriverMax_RESTART] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acer VCM.lnk = C:\Program Files\Acer\Acer VCM\AcerVCM.exe (Acer Incorporated)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://akamaicdn.webex.com/client/WBXclient-T27L10NSP31-13320/support/ieatgpc.cab (GpcContainer Class)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Acer\Acer VCM\Skype4COM.dll (Skype Technologies)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) -C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igdlogin: DllName - (igdlogin.dll) - C:\WINDOWS\System32\igdlogin.dll ()
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Acer.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Acer.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/15 07:46:19 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/16 22:47:37 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Frank\Desktop\OTL.exe
[2012/01/16 17:29:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\My Documents\My Downloads
[2012/01/16 15:51:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\My Documents\My Drivers
[2012/01/16 15:48:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\Local Settings\Application Data\Innovative Solutions
[2012/01/16 15:48:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\DriverMax
[2012/01/16 15:48:07 | 000,000,000 | ---D | C] -- C:\Program Files\Innovative Solutions
[2012/01/16 15:47:10 | 009,096,520 | ---- | C] (Innovative Solutions ) -- C:\Documents and Settings\Frank\Desktop\drivermax.exe
[2012/01/16 15:45:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\Start Menu\Programs\CyberLink PowerDVD 8
[2012/01/16 13:06:38 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Frank\Desktop\dds.scr
[2012/01/16 12:21:00 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Frank\My Documents\My Videos
[2012/01/16 12:21:00 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2012/01/16 12:21:00 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Frank\Start Menu\Programs\Administrative Tools
[2012/01/16 12:06:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\Application Data\Template
[2012/01/16 11:45:35 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Frank\Desktop\dds.pif
[2012/01/13 17:13:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\ServicePackFiles
[2012/01/13 17:12:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie7updates
[2012/01/13 14:01:50 | 000,348,704 | ---- | C] (ESET spol. s r.o.) -- C:\Documents and Settings\Frank\Desktop\EOlmarikRemover.exe
[2012/01/12 17:08:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\PreInstall
[2012/01/12 16:49:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\Local Settings\Application Data\Temp
[2012/01/12 16:49:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2012/01/12 16:44:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2012/01/12 16:26:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\Local Settings\Application Data\Identities
[2012/01/12 12:56:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\Application Data\Google
[2012/01/12 12:55:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\SoftwareDistribution
[2012/01/12 12:42:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2012/01/12 12:41:23 | 000,000,000 | ---D | C] -- C:\Program Files\ACER PATCH LTV2016
[2012/01/12 12:40:23 | 000,319,488 | ---- | C] (SuYin) -- C:\WINDOWS\Acer Crystal Eye webcam.exe
[2012/01/12 12:40:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Acer Crystal Eye webcam
[2012/01/12 12:37:38 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\CyberLink
[2012/01/12 12:36:13 | 000,000,000 | ---D | C] -- C:\Program Files\CyberLink
[2012/01/12 12:31:06 | 000,056,080 | ---- | C] (Dritek System Inc.) -- C:\WINDOWS\System32\QtBtLib.dll
[2012/01/12 12:31:06 | 000,005,120 | ---- | C] (Dritek System Inc.) -- C:\WINDOWS\System32\FILTRCOI.DLL
[2012/01/12 12:31:02 | 000,207,368 | ---- | C] (Dritek System Inc.) -- C:\WINDOWS\UNINST32.EXE
[2012/01/12 12:31:01 | 000,000,000 | ---D | C] -- C:\Program Files\Launch Manager
[2012/01/12 12:30:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\BTW
[2012/01/12 12:27:59 | 000,000,000 | ---D | C] -- C:\Program Files\Synaptics
[2012/01/12 12:22:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\Dev1
[2012/01/12 12:21:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\Application Data\Macromedia
[2012/01/12 12:21:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\Application Data\InstallShield
[2012/01/12 12:21:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\Application Data\Identities
[2012/01/12 12:21:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\Application Data\Adobe
[2012/01/12 12:21:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\Application Data\Acer GameZone Console
[2012/01/12 12:21:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\Application Data\Acer
[2012/01/12 12:21:48 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Frank\Application Data\Microsoft
[2012/01/12 12:21:48 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Frank\Application Data
[2012/01/12 12:21:48 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Frank\Favorites
[2012/01/12 12:21:48 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Frank\Cookies
[2012/01/12 12:21:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\Local Settings\Application Data\Microsoft Help
[2012/01/12 12:21:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\Local Settings\Application Data\Microsoft
[2012/01/12 12:21:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\Local Settings\Application Data\Google
[2012/01/12 12:21:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\Desktop
[2012/01/12 12:21:47 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Frank\SendTo
[2012/01/12 12:21:47 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Frank\Recent
[2012/01/12 12:21:47 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Frank\My Documents\My Pictures
[2012/01/12 12:21:47 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Frank\My Documents\My Music
[2012/01/12 12:21:47 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Frank\My Documents
[2012/01/12 12:21:47 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Frank\Start Menu\Programs\Accessories
[2012/01/12 12:21:47 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Frank\PrintHood
[2012/01/12 12:21:47 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Frank\NetHood
[2012/01/12 12:21:47 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Frank\Local Settings
[2012/01/12 12:21:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\My Documents\My Google Gadgets
[2012/01/12 12:21:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Frank\Start Menu\Programs\Acer GameZone
[2012/01/12 12:21:46 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Frank\Start Menu\Programs\Startup
[2012/01/12 12:21:46 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Frank\Start Menu
[2012/01/12 12:21:46 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Frank\Templates
[2012/01/12 12:16:45 | 000,000,000 | -HSD | C] -- C:\System Volume Information
[2012/01/12 12:03:48 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/01/12 12:03:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ESET
[2012/01/12 12:03:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ESET
[2009/04/15 08:23:42 | 000,049,152 | ---- | C] ( ) -- C:\WINDOWS\Interop.IWshRuntimeLibrary.dll
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/16 22:54:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/01/16 22:47:52 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Frank\Desktop\MBRCheck.exe
[2012/01/16 22:47:37 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Frank\Desktop\OTL.exe
[2012/01/16 16:54:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/01/16 15:49:57 | 000,394,206 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/01/16 15:49:57 | 000,059,670 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/01/16 15:45:35 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/16 15:45:32 | 1063,538,688 | -HS- | M] () -- C:\hiberfil.sys
[2012/01/16 13:06:38 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Frank\Desktop\dds.scr
[2012/01/16 12:09:18 | 000,000,048 | ---- | M] () -- C:\Documents and Settings\Frank\Application Data\wklnhst.dat
[2012/01/16 12:04:29 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Frank\Desktop\su13onrz.exe
[2012/01/16 11:45:42 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Frank\Desktop\dds.pif
[2012/01/16 10:39:20 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/16 10:39:10 | 000,243,128 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/01/15 23:46:54 | 009,096,520 | ---- | M] (Innovative Solutions ) -- C:\Documents and Settings\Frank\Desktop\drivermax.exe
[2012/01/13 17:14:43 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/01/13 14:02:02 | 000,348,704 | ---- | M] (ESET spol. s r.o.) -- C:\Documents and Settings\Frank\Desktop\EOlmarikRemover.exe
[2012/01/12 16:22:48 | 000,181,939 | ---- | M] () -- C:\Documents and Settings\Frank\Desktop\SysInspector-FRANK-MOBILE-120112-1619.zip
[2012/01/12 12:37:47 | 000,001,704 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CyberLink PowerDVD 8.lnk
[2012/01/12 12:31:07 | 000,000,083 | ---- | M] () -- C:\WINDOWS\LManager.UNI
[2012/01/12 12:30:45 | 000,000,627 | ---- | M] () -- C:\WINDOWS\CLEANUP.CMD
[2012/01/12 12:28:43 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_SynTP_01007.Wdf
[2012/01/12 12:28:36 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
[2012/01/12 12:22:33 | 000,000,819 | ---- | M] () -- C:\Documents and Settings\Frank\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/01/12 12:22:24 | 000,000,790 | ---- | M] () -- C:\Documents and Settings\Frank\Desktop\Windows Media Player.lnk
[2012/01/12 12:20:56 | 000,037,761 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2012/01/12 12:20:50 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2012/01/12 12:19:01 | 000,005,208 | ---- | M] () -- C:\WINDOWS\System32\pid.PNF
[2012/01/12 12:17:24 | 000,008,192 | ---- | M] () -- C:\WINDOWS\REGLOCS.OLD
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/01/16 22:47:52 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Frank\Desktop\MBRCheck.exe
[2012/01/16 15:45:32 | 1063,538,688 | -HS- | C] () -- C:\hiberfil.sys
[2012/01/16 12:06:30 | 000,000,048 | ---- | C] () -- C:\Documents and Settings\Frank\Application Data\wklnhst.dat
[2012/01/16 12:04:29 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Frank\Desktop\su13onrz.exe
[2012/01/12 16:44:07 | 000,000,886 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/01/12 16:44:06 | 000,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/01/12 16:41:15 | 000,181,939 | ---- | C] () -- C:\Documents and Settings\Frank\Desktop\SysInspector-FRANK-MOBILE-120112-1619.zip
[2012/01/12 12:40:24 | 000,004,838 | ---- | C] () -- C:\WINDOWS\Suyin.reg
[2012/01/12 12:40:23 | 000,626,688 | ---- | C] () -- C:\WINDOWS\Image.dll
[2012/01/12 12:37:47 | 000,001,704 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CyberLink PowerDVD 8.lnk
[2012/01/12 12:31:07 | 000,000,083 | ---- | C] () -- C:\WINDOWS\LManager.UNI
[2012/01/12 12:28:43 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_SynTP_01007.Wdf
[2012/01/12 12:28:36 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
[2012/01/12 12:22:33 | 000,000,807 | ---- | C] () -- C:\Documents and Settings\Frank\Start Menu\Programs\Internet Explorer.lnk
[2012/01/12 12:22:24 | 000,000,790 | ---- | C] () -- C:\Documents and Settings\Frank\Desktop\Windows Media Player.lnk
[2012/01/12 12:21:53 | 000,000,819 | ---- | C] () -- C:\Documents and Settings\Frank\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/01/12 12:21:53 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\Frank\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2012/01/12 12:21:49 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\Frank\Start Menu\Programs\Remote Assistance.lnk
[2012/01/12 12:21:49 | 000,000,796 | ---- | C] () -- C:\Documents and Settings\Frank\Start Menu\Programs\Windows Media Player.lnk
[2012/01/12 12:21:49 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\Frank\Start Menu\Programs\Outlook Express.lnk
[2012/01/12 12:17:24 | 000,008,192 | ---- | C] () -- C:\WINDOWS\REGLOCS.OLD
[2009/04/15 10:27:37 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/04/15 08:52:14 | 000,090,772 | ---- | C] () -- C:\WINDOWS\System32\drivers\RtConvEQ.DAT
[2009/04/15 08:52:14 | 000,000,672 | ---- | C] () -- C:\WINDOWS\System32\drivers\SamSfPa.dat
[2009/04/15 08:52:14 | 000,000,536 | ---- | C] () -- C:\WINDOWS\System32\drivers\RtHdatEx.dat
[2009/04/15 08:52:14 | 000,000,520 | ---- | C] () -- C:\WINDOWS\System32\drivers\RTEQEX2.dat
[2009/04/15 08:52:14 | 000,000,520 | ---- | C] () -- C:\WINDOWS\System32\drivers\RTEQEX1.dat
[2009/04/15 08:52:14 | 000,000,520 | ---- | C] () -- C:\WINDOWS\System32\drivers\RTEQEX0.dat
[2009/04/15 08:52:14 | 000,000,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\rtkhdaud.dat
[2009/04/15 08:50:25 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2009/04/15 08:48:51 | 000,004,343 | ---- | C] () -- C:\WINDOWS\System32\lpgun.ini
[2009/04/15 08:48:41 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\igdlogin.dll
[2009/04/15 08:23:18 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2009/04/15 08:23:16 | 000,394,206 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/15 08:23:16 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2009/04/15 08:23:16 | 000,059,670 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/15 08:23:16 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2009/04/15 08:23:15 | 000,004,524 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2009/04/15 08:23:14 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2009/04/15 08:23:13 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2009/04/15 08:23:10 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2009/04/15 08:23:10 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2009/04/15 08:23:03 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2009/04/15 08:23:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2009/04/15 07:50:09 | 000,006,782 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2009/04/15 07:50:08 | 000,032,768 | ---- | C] () -- C:\WINDOWS\AMove.exe
[2009/04/15 07:49:04 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/04/15 07:43:41 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/04/15 07:42:14 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2009/04/15 00:37:47 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/04/15 00:36:47 | 000,243,128 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/02/24 21:20:23 | 000,020,480 | ---- | C] () -- C:\WINDOWS\LauncheRyDiscCalc.exe

========== LOP Check ==========

[2009/04/15 09:05:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acer GameZone Console
[2012/01/12 12:03:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2009/04/15 09:58:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\eSobi
[2009/04/15 09:42:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sandlot Games
[2009/04/15 09:06:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Temp
[2009/04/15 09:59:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\Acer
[2009/04/15 09:05:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\Acer GameZone Console
[2012/01/16 12:06:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Frank\Application Data\Template

========== Purity Check ==========



< End of report >

Extras:

OTL Extras logfile created on: 1/16/2012 10:54:17 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Frank\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.20 Mb Total Physical Memory | 411.11 Mb Available Physical Memory | 40.54% Memory free
2.38 Gb Paging File | 1.93 Gb Available in Paging File | 81.03% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 97.66 Gb Total Space | 85.90 Gb Free Space | 87.96% Space Free | Partition Type: NTFS

Computer Name: FRANK-MOBILE | User Name: Frank | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{020D8396-D6D9-4B53-A9A1-83C47E2E27AA}" = Windows Live Call
"{047F790A-7A2A-4B6A-AD02-38092BA63DAC}" = Acer VCM
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Driver Installation Program
"{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}" = CyberLink PowerDVD 8
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4AB8B41B-3AF1-46BE-99B0-0ACD3B300C0A}" = Junk Mail filter update
"{505DF7A3-88D5-4DD6-9AD5-C98C2ED0CEC4}" = Windows Live Sign-in Assistant
"{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail
"{67E03279-F703-408F-B4BF-46B5FC8D70CD}" = Microsoft Works
"{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}" = Windows Live Writer
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{71C2828F-2678-4675-BDEC-895424861262}_is1" = C:\Program Files\Acer GameZone\GameConsole
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7F811A54-5A09-4579-90E1-C93498E230D9}" = Acer eRecovery Management
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110111700}" = Zuma Deluxe
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110186437}" = Air Strike 2
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110265407}" = Bejeweled 2 Deluxe
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11037623}" = Tradewinds 2
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111125700}" = Rainbow Web
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111205743}" = Tri-Peaks Solitaire To Go
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111252743}" = Mahjong Escape Ancient China
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111307457}" = Galapago
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111771833}" = Jewel Quest Solitaire
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-112270203}" = Dream Day Wedding
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11231247}" = Peggle
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113297350}" = Cake Mania 2
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113784233}" = Home Sweet Home
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113832110}" = Dream Day First Home
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11386547}" = Farm Frenzy
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-114803710}" = Star Defender 4
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-115443300}" = Cooking Dash
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11551977}" = Parking Dash
"{8537ABE9-DCE4-4149-A0B4-9926E449AD01}" = ESET NOD32 Antivirus
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{96AE7E41-E34E-47D0-AC07-1091A8127911}" = USB2.0 Card Reader Software
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A77255C4-AFCB-44A3-BF0F-2091A71FFD9E}" = Acer Crystal Eye webcam 2.2.0.2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{D9D754A1-EAC5-406C-A28B-C49B1E846711}" = Windows Live Essentials
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F69E83CF-B440-43F8-89E6-6EA80712109B}" = Windows Live Communications Platform
"{F73A5B18-EB75-4B2C-B32D-9457576E2417}" = Windows Live Photo Gallery
"{FDD810CA-D5E3-40E9-AB7B-36440B0D41EF}" = Windows Live Sync
"Acer Screensaver" = Acer ScreenSaver
"ActiveTouchMeetingClient" = WebEx
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"DMX5_is1" = DriverMax 6
"ESET Online Scanner" = ESET Online Scanner v3
"Google Desktop" = Google Desktop
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}" = CyberLink PowerDVD 8
"LManager" = Launch Manager
"LPCO" = Intel® Graphics Media Accelerator 500
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"WinLiveSuite_Wave3" = Windows Live Essentials

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/12/2012 1:46:02 PM | Computer Name = FRANK-MOBILE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 1/12/2012 1:46:04 PM | Computer Name = FRANK-MOBILE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 1/12/2012 3:01:25 PM | Computer Name = FRANK-MOBILE | Source = MsiInstaller | ID = 1008
Description = The installation of E:\eav_nt32_enu.msi is not permitted due to an
error in software restriction policy processing. The object cannot be trusted.

Error - 1/12/2012 5:17:20 PM | Computer Name = FRANK-MOBILE | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007043C from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

[ System Events ]
Error - 1/16/2012 1:09:22 PM | Computer Name = FRANK-MOBILE | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\D.

Error - 1/16/2012 1:09:36 PM | Computer Name = FRANK-MOBILE | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\D.

Error - 1/16/2012 2:20:44 PM | Computer Name = FRANK-MOBILE | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 1/16/2012 2:21:30 PM | Computer Name = FRANK-MOBILE | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 1/16/2012 2:25:05 PM | Computer Name = FRANK-MOBILE | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 1/16/2012 4:36:39 PM | Computer Name = FRANK-MOBILE | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 1/16/2012 4:37:36 PM | Computer Name = FRANK-MOBILE | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
ehdrv Fips intelppm

Error - 1/16/2012 4:46:26 PM | Computer Name = FRANK-MOBILE | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\D.

Error - 1/16/2012 4:46:27 PM | Computer Name = FRANK-MOBILE | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\D.

Error - 1/16/2012 4:46:28 PM | Computer Name = FRANK-MOBILE | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\D.


< End of report >

MBR:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 153):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xF7ABD000 \WINDOWS\system32\KDCOM.DLL
0xF79CD000 \WINDOWS\system32\BOOTVID.dll
0xF748E000 ACPI.sys
0xF7ABF000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF747D000 pci.sys
0xF75BD000 isapnp.sys
0xF79D1000 compbatt.sys
0xF79D5000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7B85000 pciide.sys
0xF783D000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7AC1000 aliide.sys
0xF7AC3000 cmdide.sys
0xF7AC5000 toside.sys
0xF7AC7000 viaide.sys
0xF7AC9000 intelide.sys
0xF75CD000 MountMgr.sys
0xF745E000 ftdisk.sys
0xF79D9000 ACPIEC.sys
0xF7B86000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF7845000 PartMgr.sys
0xF75DD000 VolSnap.sys
0xF79DD000 cpqarray.sys
0xF7446000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF742E000 atapi.sys
0xF79E1000 aha154x.sys
0xF784D000 sparrow.sys
0xF79E5000 symc810.sys
0xF75ED000 aic78xx.sys
0xF79E9000 dac960nt.sys
0xF75FD000 ql10wnt.sys
0xF79ED000 amsint.sys
0xF7855000 asc.sys
0xF79F1000 asc3550.sys
0xF785D000 mraid35x.sys
0xF7865000 i2omp.sys
0xF79F5000 ini910u.sys
0xF760D000 ql1240.sys
0xF761D000 aic78u2.sys
0xF786D000 symc8xx.sys
0xF7875000 sym_hi.sys
0xF787D000 sym_u3.sys
0xF7885000 ABP480N5.SYS
0xF788D000 asc3350p.sys
0xF7ACB000 cd20xrnt.sys
0xF762D000 ultra.sys
0xF7415000 adpu160m.sys
0xF7895000 dpti2o.sys
0xF763D000 ql1080.sys
0xF764D000 ql1280.sys
0xF765D000 ql12160.sys
0xF789D000 perc2.sys
0xF7ACD000 perc2hib.sys
0xF78A5000 hpn.sys
0xF79F9000 cbidf2k.sys
0xF73E9000 dac2w2k.sys
0xF766D000 disk.sys
0xF767D000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF73C9000 fltMgr.sys
0xF73B7000 sr.sys
0xF73A0000 KSecDD.sys
0xF7313000 Ntfs.sys
0xF72E6000 NDIS.sys
0xF768D000 sisagp.sys
0xF769D000 viaagp.sys
0xF72CC000 Mup.sys
0xF76AD000 alim1541.sys
0xF76BD000 amdagp.sys
0xF76CD000 agp440.sys
0xF76DD000 agpCPQ.sys
0xF7AAD000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF7AB1000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF77ED000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF6CCE000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xF6CBA000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF6C92000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF6C71000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
0xF6B28000 \SystemRoot\system32\DRIVERS\athw.sys
0xF7955000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6B04000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF795D000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF77FD000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7965000 \SystemRoot\system32\DRIVERS\DKbFltr.sys
0xF796D000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF6AD3000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF7AF1000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF780D000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xF6A57000 \SystemRoot\System32\Drivers\wdf01000.sys
0xF7975000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7C09000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF781D000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7AB5000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6A40000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF782D000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF723B000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF797D000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6A2F000 \SystemRoot\system32\DRIVERS\psched.sys
0xF722B000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7985000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF798D000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF721B000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7AF3000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6A0C000 \SystemRoot\system32\DRIVERS\ks.sys
0xF6816000 \SystemRoot\system32\DRIVERS\update.sys
0xF729C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF720B000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF6258000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xF6234000 \SystemRoot\system32\drivers\portcls.sys
0xF71FB000 \SystemRoot\system32\drivers\drmk.sys
0xF71DB000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7A9D000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF7AF7000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7CD2000 \SystemRoot\System32\Drivers\Null.SYS
0xF7AF9000 \SystemRoot\System32\Drivers\Beep.SYS
0xF6124000 \SystemRoot\system32\DRIVERS\ehdrv.sys
0xF79AD000 \SystemRoot\System32\drivers\vga.sys
0xF7AFD000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7AFF000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF79B5000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF79BD000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7AA9000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF60F1000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF6098000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF6048000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF6022000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF6008000 \SystemRoot\system32\DRIVERS\epfwtdir.sys
0xF5FE6000 \SystemRoot\System32\drivers\afd.sys
0xF71BB000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF5FBB000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF5F4B000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF770D000 \SystemRoot\System32\Drivers\Fips.SYS
0xF772D000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF5F15000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7B01000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF6220000 \SystemRoot\System32\drivers\Dxapi.sys
0xF78B5000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7BCF000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF01E000 \SystemRoot\System32\igxpdd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xEC8A9000 \SystemRoot\system32\DRIVERS\eamon.sys
0xEC89D000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xEC64C000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xEC547000 \SystemRoot\system32\drivers\wdmaud.sys
0xEC749000 \SystemRoot\system32\drivers\sysaudio.sys
0xEC2E1000 \SystemRoot\system32\DRIVERS\srv.sys
0xEBC55000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xEBBC4000 \SystemRoot\System32\Drivers\HTTP.sys
0xF794D000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xEB043000 \SystemRoot\System32\Drivers\usbvideo.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 40):
0 System Idle Process
4 System
664 C:\WINDOWS\system32\smss.exe
712 csrss.exe
744 C:\WINDOWS\system32\winlogon.exe
788 C:\WINDOWS\system32\services.exe
800 C:\WINDOWS\system32\lsass.exe
964 C:\WINDOWS\system32\svchost.exe
1012 svchost.exe
1092 C:\WINDOWS\system32\svchost.exe
1180 svchost.exe
1252 svchost.exe
1440 C:\WINDOWS\system32\spoolsv.exe
1520 svchost.exe
1560 C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
1780 C:\WINDOWS\explorer.exe
1900 C:\Program Files\Acer\Acer VCM\RS_Service.exe
1976 C:\WINDOWS\system32\svchost.exe
580 C:\WINDOWS\RTHDCPL.EXE
600 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
660 C:\WINDOWS\system32\igfxtray.exe
1328 C:\WINDOWS\system32\hkcmd.exe
1344 C:\WINDOWS\system32\PersistenceThread.exe
1384 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
1556 C:\Program Files\Launch Manager\LManager.exe
132 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
1276 C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
1648 C:\WINDOWS\system32\igfxsrvc.exe
1716 C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
924 C:\WINDOWS\system32\ctfmon.exe
1908 C:\Program Files\Messenger\msmsgs.exe
2056 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
2164 C:\Program Files\Acer\Acer VCM\AcerVCM.exe
2304 C:\WINDOWS\system32\igfxext.exe
2820 alg.exe
3640 C:\WINDOWS\system32\wuauclt.exe
208 C:\Program Files\Innovative Solutions\DriverMax\drivermax.exe
2876 C:\WINDOWS\system32\wscntfy.exe
3616 C:\WINDOWS\NOTEPAD.EXE
3664 C:\Documents and Settings\Frank\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`00100000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000001a`6a394200

PhysicalDrive0 Model Number: ST9160310AS, Rev: 0303

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
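The OTL Extras log above ends with a "Last 10 Event Log Errors" block. As an added example, not part of this thread and not code from OTL or any other tool the posts use, here is a small Python parser that turns those entries into records, converts OTL's raw 32-bit event IDs to the low-16-bit numbers Event Viewer displays (131080 becomes crypt32 event 8, 262155 becomes Disk event 11), tallies them by source, and lists installers that Software Restriction Policy refused (MsiInstaller 1008), such as the ESET installer on E: in the log. The sample text is constructed from entries posted above; the function names are this example's own.

```python
"""Parse the 'Last 10 Event Log Errors' block of an OTL Extras log.

Added example for this thread; not part of OTL or of any tool the posts
use. SAMPLE_LOG is constructed from entries posted in the thread.
"""
import re
from collections import Counter

# Constructed sample, shaped like the OTL block in the log above.
SAMPLE_LOG = r"""
========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/12/2012 1:46:02 PM | Computer Name = FRANK-MOBILE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 1/12/2012 3:01:25 PM | Computer Name = FRANK-MOBILE | Source = MsiInstaller | ID = 1008
Description = The installation of E:\eav_nt32_enu.msi is not permitted due to an
error in software restriction policy processing. The object cannot be trusted.

[ System Events ]
Error - 1/16/2012 4:37:36 PM | Computer Name = FRANK-MOBILE | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
ehdrv Fips intelppm

Error - 1/16/2012 4:46:26 PM | Computer Name = FRANK-MOBILE | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\D.

Error - 1/16/2012 4:46:27 PM | Computer Name = FRANK-MOBILE | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\D.

< End of report >
"""

SECTION_RE = re.compile(r"^\[ (?P<log>.+?) \]$")
HEADER_RE = re.compile(
    r"^Error - (?P<when>.+?) \| Computer Name = (?P<host>.+?)"
    r" \| Source = (?P<source>.+?) \| ID = (?P<raw_id>\d+)$"
)
DESC_PREFIX = "Description = "


def parse_otl_errors(text):
    """Return one dict per error entry.

    OTL prints the raw 32-bit event ID; Event Viewer shows only its low
    16 bits, so both forms are kept. Continuation lines are folded into
    the description until a blank line or the report trailer.
    """
    records, log, current = [], None, None
    for line in text.splitlines():
        line = line.rstrip()
        sec = SECTION_RE.match(line)
        if sec:
            log, current = sec.group("log"), None
            continue
        hdr = HEADER_RE.match(line)
        if hdr:
            raw_id = int(hdr.group("raw_id"))
            current = {
                "log": log, "when": hdr.group("when"), "host": hdr.group("host"),
                "source": hdr.group("source"), "raw_id": raw_id,
                "event_id": raw_id & 0xFFFF, "description": "",
            }
            records.append(current)
            continue
        if current is None or not line or line.startswith("< End"):
            current = None  # blank line or trailer closes the entry
            continue
        if line.startswith(DESC_PREFIX):
            line = line[len(DESC_PREFIX):]
        current["description"] = (current["description"] + " " + line).strip()
    return records


def summarize(records):
    """Count entries per (log, source, event_id), most frequent first."""
    counts = Counter((r["log"], r["source"], r["event_id"]) for r in records)
    return counts.most_common()


def srp_blocked_installs(records):
    """Installer paths that Software Restriction Policy refused (MsiInstaller 1008).

    Worth checking by hand on a machine under cleanup: SRP is rarely set
    up on a home PC, so a policy blocking an antivirus installer deserves
    a look at the policy itself, not just a retry of the install.
    """
    found = []
    for r in records:
        if r["source"] == "MsiInstaller" and r["event_id"] == 1008:
            m = re.search(r"installation of (\S+) is not permitted", r["description"])
            found.append(m.group(1) if m else r["description"])
    return found


if __name__ == "__main__":
    recs = parse_otl_errors(SAMPLE_LOG)
    for (log, src, eid), n in summarize(recs):
        print(f"{n:2d}x  {log:<18} {src:<24} event {eid}")
    print("SRP-blocked installers:", srp_blocked_installs(recs))
```

Run it as a script to see the tally; to use it on a real OTL Extras log, read the file and pass its text to `parse_otl_errors` instead of `SAMPLE_LOG`.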

#9 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:04:32 AM

Posted 17 January 2012 - 05:29 PM

Please do this next:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#10 faedra
  • Topic Starter

  • Members
  • 18 posts
  • Local time:03:32 AM

Posted 17 January 2012 - 09:51 PM

Arghh...

Downloaded combofix. Disconnected Internet and disabled ESET NOD32 by right clicking icon and selecting temporary disable and setting disable time to 4 hours.

Ran combofix and it detected need for Recovery Console. Reconnected to Internet and clicked Yes. Download successful. Disabled internet connection again. At next message screen clicked Yes to continue scanning. After about 1 minute of disk activity computer froze (system tray time no longer updating) left it for 20-30 minutes, no activity. Had to hold on/off button to get computer to restart. Showed black screen on startup with option to select operating system. Tried to rerun combofix. Same computer freeze problem again.

How should I proceed?

Thanks

#11 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:04:32 AM

Posted 17 January 2012 - 10:19 PM

Hello,

Try it again, this time from the Safe Mode



#12 faedra
  • Topic Starter

  • Members
  • 18 posts
  • Local time:03:32 AM

Posted 17 January 2012 - 11:47 PM

Thought you might ask that so I did already. First time I could not find a way to disable ESET NOD32 so ran combofix anyway and it still froze computer after about 1 min. Went back in to normal mode and changed parameters in ESET so that it would not operate automatically. Went back into safe mode, did not get message from combofix that ESET was running, but it still froze the computer after about 1 min.
Any other suggestions?

#13 faedra
  • Topic Starter

  • Members
  • 18 posts
  • Local time:03:32 AM

Posted 17 January 2012 - 11:57 PM

Don't know if it is relevant, but on one of the shutdown/restarts Windows installed a 1 of 1 update that took several minutes to install before the computer shut down. Don't know what this update was.

#14 faedra
  • Topic Starter

  • Members
  • 18 posts
  • Local time:03:32 AM

Posted 18 January 2012 - 05:25 PM

Hi RPMcMurphy

I am away in England for the next 10 days. I have taken my laptop with me, Trojan and all. However, I may not have internet access while I am away (except for email on my Android phone).

Can I contact you upon my return and continue with this Trojan removal? If this is possible, should I contact you by private message, or by bumping this topic by submitting another post?

Thanks for your help.

#15 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:04:32 AM

Posted 18 January 2012 - 05:36 PM

Thanks for letting me know. I will leave the thread open. When you are able to continue working on it just post in the topic and I'll get an email notification. Have a safe trip!
