Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unsure of What Modified the Computer


  • This topic is locked This topic is locked
20 replies to this topic

#1 thaiguy

thaiguy

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:09:58 AM

Posted 12 March 2012 - 03:00 AM

Computer did its own restart when I was away for an hour or so... not sure why, but got the “The system has recovered from a serious error” message.

Two things are really weird suddenly:

1) All of my files are underlined in their titles wherever they are, ie on the Desktop, in subfolders, and so on. Something went in and changed how the computer works. My Word files all used to be double-click to open, now just one is doing it. Something unknown has modified the computer !

2) But what is really bothering me is this other warning- caught by Scotty program - which appeared on the screen:

"A new autostart program has been detected. This program will run each time you login or restart your machine.

Do you approve the addition of this program startup setting ? Press YES if this program is expected and acceptable.
%systemroot%\system32\dumprep 0 –k
No description found
company name not included in this program.
"

-> I’m gonna add this. You can see that I just an issue a week ago that Gringo was so kind and adept at helping me clear up. This machine is owned by my father who doesn’t understand how these things work and didn’t want me to install another program on it, meaning NO to AVG. As soon as this is cleared up I”m going to explain in no uncertain terms that I’m installing AVG and that he has to accept and understand this. I’m embarassed to have a second problem in one week’s time ! So.... apologies.

I’m currently performing a Malwarebytes full scan as I’m sending this off. I imagine you know of a better program to scan and get a look at the system.

BC AdBot (Login to Remove)

 


#2 thaiguy

thaiguy
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:09:58 AM

Posted 12 March 2012 - 12:31 PM

Both Malwarebytes and Microsoft Security Essentials come up with no threats detected. It's strange though, as there are modifications to the system, and Windows Updates are set to notify, and then approve before they would download and change anything. So the question is what happened, and what's been modified by whom ?

#3 thaiguy

thaiguy
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:09:58 AM

Posted 13 March 2012 - 02:28 PM

AVG found and put into the virus vault something called Trojan Horse Agent.6.BC. There were 2 instances of it - one as the .dll and one as the .exe file. Am I good now that they're in the virus vault, or should I still worry my machine is compromised ?

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:58 PM

Posted 13 March 2012 - 06:15 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#5 thaiguy

thaiguy
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:09:58 AM

Posted 13 March 2012 - 08:28 PM

Hi M0le !

Yep. I'm here and real. That's why I've been posting what I've done to check out as much as I could about the recent invasion. I'm hoping it gives you a good idea where to go next.

I'm awaiting orders.....

Thanks.

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:58 PM

Posted 13 March 2012 - 08:33 PM

Okay, let's run some scans and see what we can find

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Then please run OTL

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

Posted Image
m0le is a proud member of UNITE

#7 thaiguy

thaiguy
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:09:58 AM

Posted 14 March 2012 - 05:26 AM

Here's the first thing from MBR:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-13 21:43:15
-----------------------------
21:43:15.109 OS Version: Windows 5.1.2600 Service Pack 3
21:43:15.109 Number of processors: 1 586 0x207
21:43:15.109 ComputerName: NESTOR_ESPANA UserName: MLW
21:43:19.671 Initialize success
21:48:16.890 AVAST engine defs: 12031301
21:50:56.875 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0
21:50:56.875 Disk 0 Vendor: WDC_WD12 17.0 Size: 114473MB BusType: 3
21:50:56.890 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0
21:50:56.890 Disk 1 Vendor: IC35L080 VA4O Size: 76293MB BusType: 3
21:50:56.921 Disk 0 MBR read successfully
21:50:56.921 Disk 0 MBR scan
21:50:57.109 Disk 0 Windows XP default MBR code
21:50:57.109 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 114463 MB offset 63
21:50:57.343 Disk 0 scanning sectors +234420480
21:50:57.531 Disk 0 scanning C:\WINDOWS\system32\drivers
21:53:16.625 Service scanning
21:55:34.484 Modules scanning
21:56:29.718 Disk 0 trace - called modules:
21:56:30.234 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll IdeChnDr.sys
21:56:30.265 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85f1f198]
21:56:30.265 3 CLASSPNP.SYS[f78cefd7] -> nt!IofCallDriver -> \Device\00000065[0x86f4d688]
21:56:30.281 5 ACPI.sys[f7825620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0[0x86f4c030]
21:56:39.750 AVAST engine scan C:\WINDOWS
21:57:38.109 AVAST engine scan C:\WINDOWS\system32
22:26:04.921 AVAST engine scan C:\WINDOWS\system32\drivers
22:28:17.953 AVAST engine scan C:\Documents and Settings\MLW
23:22:31.140 AVAST engine scan C:\Documents and Settings\All Users
23:30:01.203 Scan finished successfully
23:30:45.187 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\MLW\Desktop\MBR.dat"
23:30:45.203 The log file has been saved successfully to "C:\Documents and Settings\MLW\Desktop\aswMBR.txt"


Here's the OTL.Txt


OTL logfile created on: 3/14/2012 1:29:31 AM - Run 1
OTL by OldTimer - Version 3.2.36.3 Folder = C:\Documents and Settings\MLW\Desktop\Aaron's Stuff 0112\8 Aaron's Prog's\22 Computer Fixes\Fix II
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.49 Mb Total Physical Memory | 753.48 Mb Available Physical Memory | 73.62% Memory free
1.65 Gb Paging File | 1.24 Gb Available in Paging File | 74.84% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 59.55 Gb Free Space | 53.27% Space Free | Partition Type: NTFS
Drive E: | 74.49 Gb Total Space | 70.20 Gb Free Space | 94.25% Space Free | Partition Type: NTFS

Computer Name: NESTOR_ESPANA | User Name: MLW | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\MLW\Desktop\Aaron's Stuff 0112\8 Aaron's Prog's\22 Computer Fixes\Fix II\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe (BillP Studios)
PRC - C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
PRC - C:\WINDOWS\ltmsg.exe (Agere Systems)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\BillP Studios\WinPatrol\sqlite3.dll ()


========== Win32 Services (SafeList) ==========

SRV - (SkypeUpdate) -- C:\Program Files\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (AVGIDSAgent) -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
SRV - (avgwd) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (MsMpSvc) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (aswMBR) -- File not found
DRV - (Avgldx86) -- C:\WINDOWS\system32\drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSShim) -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys (AVG Technologies CZ, s.r.o. )
DRV - (Avgrkx86) -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgmfx86) -- C:\WINDOWS\system32\drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgtdix) -- C:\WINDOWS\system32\drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSFilter) -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys (AVG Technologies CZ, s.r.o. )
DRV - (AVGIDSEH) -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys (AVG Technologies CZ, s.r.o. )
DRV - (AVGIDSDriver) -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys (AVG Technologies CZ, s.r.o. )
DRV - (NAL) -- C:\WINDOWS\system32\drivers\iqvw32.sys (Intel Corporation )
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (FETNDISB) -- C:\WINDOWS\system32\drivers\dlkfet5b.sys (D-Link )
DRV - (ltmodem5) -- C:\WINDOWS\system32\drivers\ltmdmnt.sys (Agere Systems)
DRV - (IdeChnDr) Intel® -- C:\WINDOWS\system32\DRIVERS\IdeChnDr.sys (Intel Corporation)
DRV - (IdeBusDr) -- C:\WINDOWS\system32\DRIVERS\IdeBusDr.sys (Intel Corporation)
DRV - (ha10kx2k) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys (Creative Technology Ltd)
DRV - (ossrv) -- C:\WINDOWS\system32\drivers\ctoss2k.sys (Creative Technology Ltd.)
DRV - (ctaud2k) Creative EMU10K1/EMU10K2 Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\ctaud2k.sys (Creative Technology Ltd)
DRV - (ms_mpu401) -- C:\WINDOWS\system32\drivers\msmpu401.sys (Microsoft Corporation)
DRV - (BCMModem) -- C:\WINDOWS\system32\drivers\BCMDM.sys (BCM)
DRV - (WBHWDOCT) -- C:\WINDOWS\System32\drivers\WBHWDOCT.SYS (Winbond Electronics Corp.)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ww2.cox.com/myconnection/orangecounty/home.cox
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "about:home"

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2010/12/21 20:10:46 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2012/03/02 16:16:31 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/03/12 19:16:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/02/17 15:52:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2012/01/25 01:23:23 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\MLW\Application Data\Mozilla\Extensions
[2012/03/02 16:16:51 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/02/17 15:52:21 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2012/03/02 16:16:51 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
[2012/02/17 15:52:20 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/02/13 02:51:37 | 000,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2012/02/13 02:51:37 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/02/13 02:51:37 | 000,001,131 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2012/02/13 02:51:37 | 000,002,364 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2012/02/13 02:51:37 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml
[2012/02/13 02:51:37 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2012/02/13 02:51:37 | 000,001,096 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: ([2012/02/28 01:38:51 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 10\SnagitBHO.dll (TechSmith Corporation)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Snagit) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 10\SnagitIEAddin.dll (TechSmith Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [LTMSG] C:\WINDOWS\ltmsg.exe (Agere Systems)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1255984811046 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256004963406 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{13E50CE5-435C-4C6D-85B9-C46B2E975B75}: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{AC34C92C-EDA1-431D-9344-03A877F1AA11}: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\crypt32chain: DllName - (crypt32.dll) - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - (cryptnet.dll) - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - (cscdll.dll) - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - (%SystemRoot%\System32\dimsntfy.dll) - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - (sclgntfy.dll) - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - (WlNotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - (WgaLogon.dll) - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - (wlnotify.dll) - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/08 15:37:38 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/13 21:29:48 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\MLW\Recent
[2012/03/12 20:48:45 | 000,000,000 | -H-D | C] -- C:\$AVG
[2012/03/12 19:18:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MLW\Application Data\AVG2012
[2012/03/12 19:17:10 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2012/03/12 19:16:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG 2012
[2012/03/12 19:15:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2012/03/12 19:15:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\AVG
[2012/03/12 19:14:48 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2012/03/12 19:11:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2012/03/08 20:21:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MLW\Local Settings\Application Data\Temp
[2012/03/03 02:55:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/03/03 02:54:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBlaster
[2012/03/03 02:54:23 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2012/03/03 02:47:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MLW\Application Data\WinPatrol
[2012/03/03 02:46:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinPatrol
[2012/03/03 02:46:34 | 000,000,000 | ---D | C] -- C:\Program Files\BillP Studios
[2012/03/03 02:46:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\InstallMate
[2012/03/02 21:49:36 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/03/02 17:00:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MLW\Start Menu\Programs\HiJackThis
[2012/03/02 17:00:10 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2012/03/02 16:39:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/03/02 16:39:17 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/03/02 16:39:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/03/02 16:17:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2012/03/02 16:17:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/03/02 16:16:48 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2012/03/02 16:16:47 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2012/03/02 16:16:47 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2012/03/02 16:16:47 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2012/03/02 14:51:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MLW\Start Menu\Programs\Revo Uninstaller
[2012/03/02 14:51:53 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2012/02/28 02:43:13 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/02/28 00:25:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/02/28 00:25:07 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/02/27 21:37:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2012/02/27 17:19:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MLW\Application Data\Malwarebytes
[2012/02/27 17:18:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/02/27 01:39:31 | 000,000,000 | R--D | C] -- C:\Documents and Settings\MLW\Start Menu\Programs\Administrative Tools
[2012/02/26 16:05:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/02/26 16:05:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/02/25 21:32:44 | 000,041,680 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\dmuzhdia.sys
[2012/02/25 21:30:23 | 000,050,704 | ---- | C] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\drivers\npf.sys

========== Files - Modified Within 30 Days ==========

[2012/03/13 21:28:25 | 000,012,598 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/03/13 21:28:00 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2012/03/13 21:22:42 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/13 21:22:41 | 1073,274,880 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/13 18:32:27 | 091,711,551 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2012/03/13 18:31:29 | 000,023,287 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2012/03/08 20:59:07 | 000,021,504 | ---- | M] () -- C:\Documents and Settings\MLW\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/03/03 01:47:18 | 000,321,928 | -H-- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/02 16:16:25 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2012/03/02 16:16:24 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2012/03/02 16:16:24 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2012/03/02 16:16:24 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2012/03/02 16:16:23 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2012/03/01 14:39:19 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/29 12:24:58 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/02/28 19:48:38 | 000,045,764 | ---- | M] () -- E:\Drugs that Incr Falls List.pdf
[2012/02/28 01:38:51 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/02/25 21:32:45 | 000,041,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\dmuzhdia.sys
[2012/02/25 21:30:23 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\drivers\npf.sys
[2012/02/23 10:18:36 | 000,237,072 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2012/02/13 23:05:44 | 000,000,283 | ---- | M] () -- C:\Documents and Settings\MLW\Desktop\Shortcut to Elements (G).lnk

========== Files Created - No Company Name ==========

[2012/03/13 18:32:27 | 091,711,551 | ---- | C] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2012/03/13 18:31:29 | 000,023,287 | ---- | C] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2012/03/02 16:10:24 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2012/02/28 19:48:38 | 000,045,764 | ---- | C] () -- E:\Drugs that Incr Falls List.pdf
[2012/02/26 16:09:48 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/13 23:05:44 | 000,000,283 | ---- | C] () -- C:\Documents and Settings\MLW\Desktop\Shortcut to Elements (G).lnk
[2012/02/07 17:22:37 | 000,033,540 | ---- | C] () -- C:\WINDOWS\System32\CoreFLACDecoder-uninstall.exe
[2012/02/07 16:50:04 | 000,000,040 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2012/01/26 00:29:47 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2012/01/26 00:29:37 | 000,021,504 | ---- | C] () -- C:\Documents and Settings\MLW\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/01/09 13:00:48 | 004,346,880 | ---- | C] () -- C:\WINDOWS\System32\ffmpeg.dll
[2012/01/07 15:22:00 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\libbluray.dll
[2012/01/07 15:21:50 | 006,366,094 | ---- | C] () -- C:\WINDOWS\System32\avcodec-lav-53.dll
[2012/01/07 15:21:50 | 001,007,151 | ---- | C] () -- C:\WINDOWS\System32\avformat-lav-53.dll
[2012/01/07 15:21:50 | 000,354,979 | ---- | C] () -- C:\WINDOWS\System32\swscale-lav-2.dll
[2012/01/07 15:21:50 | 000,203,306 | ---- | C] () -- C:\WINDOWS\System32\avutil-lav-51.dll
[2012/01/07 15:21:50 | 000,138,727 | ---- | C] () -- C:\WINDOWS\System32\avfilter-lav-2.dll
[2011/12/20 11:50:04 | 000,079,360 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2011/12/20 11:49:56 | 000,099,328 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2011/12/20 11:49:54 | 000,158,720 | ---- | C] () -- C:\WINDOWS\System32\ff_unrar.dll
[2011/12/20 11:49:54 | 000,146,944 | ---- | C] () -- C:\WINDOWS\System32\ff_libmad.dll
[2011/12/20 11:49:52 | 001,525,248 | ---- | C] () -- C:\WINDOWS\System32\ff_samplerate.dll
[2011/12/20 11:49:52 | 000,212,480 | ---- | C] () -- C:\WINDOWS\System32\ff_libdts.dll
[2011/12/20 11:49:52 | 000,115,200 | ---- | C] () -- C:\WINDOWS\System32\ff_liba52.dll
[2011/12/20 11:49:50 | 000,328,704 | ---- | C] () -- C:\WINDOWS\System32\ff_libfaad2.dll
[2011/12/20 11:49:50 | 000,260,608 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2011/12/20 11:49:50 | 000,137,728 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2011/12/07 12:32:24 | 000,216,064 | ---- | C] ( ) -- C:\WINDOWS\System32\Lagarith.dll
[2011/09/08 07:00:52 | 000,150,528 | ---- | C] () -- C:\WINDOWS\System32\mkx.dll
[2011/09/08 07:00:48 | 000,142,336 | ---- | C] () -- C:\WINDOWS\System32\mp4.dll
[2011/09/08 07:00:42 | 000,123,392 | ---- | C] () -- C:\WINDOWS\System32\ogm.dll
[2011/09/08 07:00:38 | 000,249,856 | ---- | C] () -- C:\WINDOWS\System32\dxr.dll
[2011/09/08 07:00:34 | 000,113,152 | ---- | C] () -- C:\WINDOWS\System32\dsmux.exe
[2011/09/08 07:00:24 | 000,154,624 | ---- | C] () -- C:\WINDOWS\System32\ts.dll
[2011/09/08 07:00:10 | 000,137,728 | ---- | C] () -- C:\WINDOWS\System32\mkv2vfr.exe
[2011/09/08 07:00:06 | 000,358,400 | ---- | C] () -- C:\WINDOWS\System32\gdsmux.exe
[2011/09/08 06:59:54 | 000,080,384 | ---- | C] () -- C:\WINDOWS\System32\mkzlib.dll
[2011/09/08 06:59:52 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\mkunicode.dll
[2011/05/30 06:42:50 | 000,240,640 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2011/05/23 00:46:30 | 000,645,632 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2011/03/03 04:39:56 | 000,109,568 | ---- | C] () -- C:\WINDOWS\System32\avi.dll
[2011/03/03 04:38:10 | 000,097,792 | ---- | C] () -- C:\WINDOWS\System32\avs.dll
[2011/03/03 04:37:50 | 000,093,184 | ---- | C] () -- C:\WINDOWS\System32\avss.dll
[2010/12/21 21:05:12 | 000,000,047 | ---- | C] () -- C:\WINDOWS\winhlp32.ini
[2010/12/21 21:05:12 | 000,000,047 | ---- | C] () -- C:\WINDOWS\winhelp.ini
[2010/12/21 21:02:35 | 000,150,016 | ---- | C] () -- C:\WINDOWS\CRLASP95.DLL
[2010/12/21 21:01:40 | 000,017,552 | ---- | C] () -- C:\WINDOWS\System32\TTYTWIN.DRV
[2010/12/21 21:01:07 | 000,117,760 | ---- | C] () -- C:\WINDOWS\System32\NCSPI8EN.DLL
[2010/12/21 21:00:40 | 000,022,480 | ---- | C] () -- C:\WINDOWS\System32\PFMAPI16.DLL
[2010/12/21 21:00:40 | 000,020,992 | ---- | C] () -- C:\WINDOWS\System32\PFMAPI32.DLL
[2010/12/21 20:41:02 | 000,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2010/12/16 22:34:49 | 000,000,072 | ---- | C] () -- C:\WINDOWS\System32\epDPE.ini
[2010/08/18 12:56:38 | 000,000,151 | ---- | C] () -- C:\WINDOWS\System32\Registration.ini

========== LOP Check ==========

[2012/01/26 16:32:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ACD Systems
[2012/03/12 19:24:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2012/03/12 19:17:10 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2012/03/03 02:46:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallMate
[2012/02/03 00:39:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2012/03/13 18:33:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2012/01/26 16:20:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TechSmith
[2012/03/03 02:55:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/01/26 16:34:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\MLW\Application Data\ACD Systems
[2010/12/08 01:03:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\MLW\Application Data\Auslogics
[2012/03/12 19:18:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\MLW\Application Data\AVG2012
[2012/02/03 00:41:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\MLW\Application Data\GetRightToGo
[2009/10/19 12:55:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\MLW\Application Data\MSNInstaller
[2010/12/13 22:52:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\MLW\Application Data\Windows Desktop Search
[2012/02/09 00:11:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\MLW\Application Data\Windows Search
[2012/03/03 02:47:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\MLW\Application Data\WinPatrol
[2012/03/13 21:28:00 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 514 bytes -> C:\WINDOWS\System32\drivers\dmuzhdia.sys:changelist

< End of report >


Here's the record from Extras.Txt


OTL Extras logfile created on: 3/14/2012 1:29:31 AM - Run 1
OTL by OldTimer - Version 3.2.36.3 Folder = C:\Documents and Settings\MLW\Desktop\Aaron's Stuff 0112\8 Aaron's Prog's\22 Computer Fixes\Fix II
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.49 Mb Total Physical Memory | 753.48 Mb Available Physical Memory | 73.62% Memory free
1.65 Gb Paging File | 1.24 Gb Available in Paging File | 74.84% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 59.55 Gb Free Space | 53.27% Space Free | Partition Type: NTFS
Drive E: | 74.49 Gb Total Space | 70.20 Gb Free Space | 94.25% Space Free | Partition Type: NTFS

Computer Name: NESTOR_ESPANA | User Name: MLW | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [ACDSee Photo Manager 12.Manage] -- "C:\Program Files\ACD Systems\ACDSee\12.0\ACDSeeQV12.exe" "%1" (ACD Systems International Inc.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)
"C:\Program Files\AVG\AVG2012\avgnsx.exe" = C:\Program Files\AVG\AVG2012\avgnsx.exe:*:Enabled:Online Shield -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2012\avgdiagex.exe" = C:\Program Files\AVG\AVG2012\avgdiagex.exe:*:Enabled:AVG Diagnostics 2012 -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2012\avgmfapx.exe" = C:\Program Files\AVG\AVG2012\avgmfapx.exe:*:Enabled:AVG Installer -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2012\avgemcx.exe" = C:\Program Files\AVG\AVG2012\avgemcx.exe:*:Enabled:Personal E-mail Scanner -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{015C5B35-B678-451C-9AEE-821E8D69621C}_is1" = PeerBlock 1.0+ (r484)
"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java™ 6 Update 31
"{302A1E2E-DD58-4673-BC99-9CC10EC2637A}" = WinPatrol
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{38E0C491-5230-4373-B62E-F1A6E94B1033}" = Nero 7 Ultra Edition
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4EFC72DA-2314-4E5D-AC8E-1C954CDB8BBF}" = AVG 2012
"{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{888019C0-54D4-40C2-9274-27B9DAB17017}" = Intel® Network Connections 14.0.40.0
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{92D194E7-AEF9-4A9E-8620-8F3AE712E3F7}" = Snagit 10.0.2
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9984DF60-1C5B-11D3-ACA1-908A4FC10801}" = Intel Application Accelerator
"{9A3EABC0-CA06-11D4-BF77-00104B130C19}" = EPSON TWAIN 5
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5CBD7C5-CF16-443F-A4F2-3503C9DE311B}" = ACDSee Photo Manager 12
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCF6F57B-F6B4-4508-BF45-63AAC9DE416A}" = Quicken 2010
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics Disk Defrag
"{E7E84E23-C5C0-4B15-B13A-C63149E59C98}" = AVG 2012
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.8
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"AVG" = AVG 2012
"CCleaner" = CCleaner
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"CoreFLAC Audio Decoder+Source Filter" = CoreFLAC Audio Decoder+Source Filter (remove only)
"Corel WordPerfect Suite 8" = Corel WordPerfect Suite 8
"ENTERPRISE" = Microsoft Office Enterprise 2007
"EPSON Photo Print" = EPSON Photo Print
"ESET Online Scanner" = ESET Online Scanner v3
"FLAC" = FLAC 1.2.1b (remove only)
"GOM Player" = GOM Player
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
"Media Player - Codec Pack" = Media Player Codec Pack 4.1.4
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox 10.0.2 (x86 en-US)" = Mozilla Firefox 10.0.2 (x86 en-US)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Revo Uninstaller" = Revo Uninstaller 1.93
"SpywareBlaster_is1" = SpywareBlaster 4.6
"VN_VUIns_Rhine_D-Link" = D-Link PCI Fast Ethernet Adapter
"VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast-Ethernet Adapter
"Winbond HWDoctor" = Winbond HWDoctor
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/31/2012 5:59:44 AM | Computer Name = NESTOR_ESPANA | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\MLW\DESKTOP\AARON'S STUFF 0112\ZZ
BLAH BLAHZ\HOLDIT\395313_227373047345837_214401528642989_516513_754143411_N.JPG>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 1/31/2012 5:59:44 AM | Computer Name = NESTOR_ESPANA | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\MLW\DESKTOP\AARON'S STUFF 0112\ZZ
BLAH BLAHZ\HOLDIT\396570_10150619408406565_591706564_11107311_2139147714_N.JPG>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 1/31/2012 5:59:44 AM | Computer Name = NESTOR_ESPANA | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\MLW\DESKTOP\AARON'S STUFF 0112\ZZ
BLAH BLAHZ\HOLDIT\397312_224685994281209_214401528642989_510930_681911811_N.JPG>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 1/31/2012 5:59:44 AM | Computer Name = NESTOR_ESPANA | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\MLW\DESKTOP\AARON'S STUFF 0112\ZZ
BLAH BLAHZ\HOLDIT\397367_331997933499820_291294.JPG> in the hash map cannot be
updated. Context: Application, SystemIndex Catalog Details: A device attached to
the system is not functioning. (0x8007001f)

Error - 1/31/2012 5:59:44 AM | Computer Name = NESTOR_ESPANA | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\MLW\DESKTOP\AARON'S STUFF 0112\ZZ
BLAH BLAHZ\HOLDIT\398140_228957867187355_214401528642989_520259_92272849_N.JPG>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 1/31/2012 5:59:44 AM | Computer Name = NESTOR_ESPANA | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\MLW\DESKTOP\AARON'S STUFF 0112\ZZ
BLAH BLAHZ\HOLDIT\398426_228948633854945_214401528642989_520240_1084751353_N.JPG>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 1/31/2012 5:59:44 AM | Computer Name = NESTOR_ESPANA | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\MLW\DESKTOP\AARON'S STUFF 0112\ZZ
BLAH BLAHZ\HOLDIT\398494_230440110372464_214401528642989_522884_368872272_N.JPG>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 1/31/2012 5:59:44 AM | Computer Name = NESTOR_ESPANA | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\MLW\DESKTOP\AARON'S STUFF 0112\ZZ
BLAH BLAHZ\HOLDIT\398657_233024566780685_214401528642989_528427_49868204_N.JPG>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 1/31/2012 5:59:44 AM | Computer Name = NESTOR_ESPANA | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\MLW\DESKTOP\AARON'S STUFF 0112\ZZ
BLAH BLAHZ\HOLDIT\399559_229889247094217_1753873379_N.JPG> in the hash map cannot
be updated. Context: Application, SystemIndex Catalog Details: A device attached
to the system is not functioning. (0x8007001f)

Error - 1/31/2012 5:59:44 AM | Computer Name = NESTOR_ESPANA | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\MLW\DESKTOP\AARON'S STUFF 0112\ZZ
BLAH BLAHZ\HOLDIT\400956_229760440440431_214401528642989_521637_1949799742_N.JPG>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

[ Application Events ]
Error - 1/31/2012 5:59:44 AM | Computer Name = NESTOR_ESPANA | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\MLW\DESKTOP\AARON'S STUFF 0112\ZZ
BLAH BLAHZ\HOLDIT\395313_227373047345837_214401528642989_516513_754143411_N.JPG>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 1/31/2012 5:59:44 AM | Computer Name = NESTOR_ESPANA | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\MLW\DESKTOP\AARON'S STUFF 0112\ZZ
BLAH BLAHZ\HOLDIT\396570_10150619408406565_591706564_11107311_2139147714_N.JPG>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 1/31/2012 5:59:44 AM | Computer Name = NESTOR_ESPANA | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\MLW\DESKTOP\AARON'S STUFF 0112\ZZ
BLAH BLAHZ\HOLDIT\397312_224685994281209_214401528642989_510930_681911811_N.JPG>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 1/31/2012 5:59:44 AM | Computer Name = NESTOR_ESPANA | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\MLW\DESKTOP\AARON'S STUFF 0112\ZZ
BLAH BLAHZ\HOLDIT\397367_331997933499820_291294.JPG> in the hash map cannot be
updated. Context: Application, SystemIndex Catalog Details: A device attached to
the system is not functioning. (0x8007001f)

Error - 1/31/2012 5:59:44 AM | Computer Name = NESTOR_ESPANA | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\MLW\DESKTOP\AARON'S STUFF 0112\ZZ
BLAH BLAHZ\HOLDIT\398140_228957867187355_214401528642989_520259_92272849_N.JPG>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 1/31/2012 5:59:44 AM | Computer Name = NESTOR_ESPANA | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\MLW\DESKTOP\AARON'S STUFF 0112\ZZ
BLAH BLAHZ\HOLDIT\398426_228948633854945_214401528642989_520240_1084751353_N.JPG>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 1/31/2012 5:59:44 AM | Computer Name = NESTOR_ESPANA | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\MLW\DESKTOP\AARON'S STUFF 0112\ZZ
BLAH BLAHZ\HOLDIT\398494_230440110372464_214401528642989_522884_368872272_N.JPG>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 1/31/2012 5:59:44 AM | Computer Name = NESTOR_ESPANA | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\MLW\DESKTOP\AARON'S STUFF 0112\ZZ
BLAH BLAHZ\HOLDIT\398657_233024566780685_214401528642989_528427_49868204_N.JPG>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

Error - 1/31/2012 5:59:44 AM | Computer Name = NESTOR_ESPANA | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\MLW\DESKTOP\AARON'S STUFF 0112\ZZ
BLAH BLAHZ\HOLDIT\399559_229889247094217_1753873379_N.JPG> in the hash map cannot
be updated. Context: Application, SystemIndex Catalog Details: A device attached
to the system is not functioning. (0x8007001f)

Error - 1/31/2012 5:59:44 AM | Computer Name = NESTOR_ESPANA | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\MLW\DESKTOP\AARON'S STUFF 0112\ZZ
BLAH BLAHZ\HOLDIT\400956_229760440440431_214401528642989_521637_1949799742_N.JPG>
in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details:
A
device attached to the system is not functioning. (0x8007001f)

[ System Events ]
Error - 3/14/2012 12:23:10 AM | Computer Name = NESTOR_ESPANA | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 3/14/2012 12:34:59 AM | Computer Name = NESTOR_ESPANA | Source = Microsoft Antimalware | ID = 1014
Description = %%860 has encountered an error trying to remove history of malware
and other potentially unwanted software. Time: 2/12/2012 9:34:28 PM User: NT AUTHORITY\SYSTEM

Error
Code: 0x80070005 Error description: Access is denied.

Error - 3/14/2012 12:35:22 AM | Computer Name = NESTOR_ESPANA | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.121.1131.0 Update Source: %%859 Update Stage:
%%852 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803

User:
NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8101.0 Error
code: 0x80070005 Error description: Access is denied.

Error - 3/14/2012 12:43:40 AM | Computer Name = NESTOR_ESPANA | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 3/14/2012 2:09:32 AM | Computer Name = NESTOR_ESPANA | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 3/14/2012 3:11:47 AM | Computer Name = NESTOR_ESPANA | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 3/14/2012 4:00:03 AM | Computer Name = NESTOR_ESPANA | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 3/14/2012 4:00:03 AM | Computer Name = NESTOR_ESPANA | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 3/14/2012 4:29:31 AM | Computer Name = NESTOR_ESPANA | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 3/14/2012 4:31:03 AM | Computer Name = NESTOR_ESPANA | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.


< End of report >

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:58 PM

Posted 14 March 2012 - 06:13 PM

Open OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
@Alternate Data Stream - 514 bytes -> C:\WINDOWS\System32\drivers\dmuzhdia.sys:changelist
:files
C:\WINDOWS\System32\drivers\dmuzhdia.sys
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
""=""%1" %*"


Then click the Run Fix button at the top

Let the program run unhindered.

When done it will say "Fix Complete press ok to open the log"
Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Now please run MBAM


Please download Posted Image Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
Posted Image
m0le is a proud member of UNITE

#9 thaiguy

thaiguy
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:09:58 AM

Posted 14 March 2012 - 10:02 PM

Here's the latest......

OTL Log

========== OTL ==========
ADS C:\WINDOWS\System32\drivers\dmuzhdia.sys:changelist deleted successfully.
========== FILES ==========
C:\WINDOWS\System32\drivers\dmuzhdia.sys moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\\""|""%1" %*" /E : value set successfully!

OTL by OldTimer - Version 3.2.36.3 log created on 03142012_172200



Malwarebytes Anti-Malware Log

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.14.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
MLW :: NESTOR_ESPANA [administrator]

3/14/2012 5:47:18 PM
mbam-log-2012-03-14 (17-47-18).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 272401
Time elapsed: 1 hour(s), 20 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\MLW\Local Settings\temp\FM+qKoXP.exe.part (Trojan.Dropper.PGen) -> Quarantined and deleted successfully.

(end)

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:58 PM

Posted 15 March 2012 - 07:13 PM

Can you now run an ESET online scan

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply
If no log is generated that means nothing was found. Please let me know if this happens.

If you think a log should have been generated then go to C:\Program Files\ESET\ESET Online Scanner\log.txt to find it.
Posted Image
m0le is a proud member of UNITE

#11 thaiguy

thaiguy
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:09:58 AM

Posted 16 March 2012 - 06:35 PM

I know eset found one thing already, but while scan was in progress, Dad came to computer while I was away doing other things, closed windows n programs he didn't recognize without asking, and I'm not sure if the program finished and didn't make a log, or wasn't able to complete and was closed, and so I found no log. I do believe it said there was a Win 32 trojan tooolbar something, but I can only be vague as I didn't think I'd have to remember it. I'm going to run the complete scan again as instructed before, and then go into C/program files and find any and all log.txts and send them for you to look at. So... a slight delay.

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:58 PM

Posted 16 March 2012 - 08:31 PM

Check for it here: C:\Program Files\ESET\ESET Online Scanner\log.txt :thumbup2:
Posted Image
m0le is a proud member of UNITE

#13 thaiguy

thaiguy
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:09:58 AM

Posted 16 March 2012 - 08:52 PM

So... at the end, there was no log file made. Again, I didn't see one from before, but pretty sure dad exited the online scan, and lost info about detected virus somewhere. I see from the finished screen, that when I press "Manage Quarantine" I get shown some things. I can't copy n paste them, though apparently. So hopefull it's all here in the following log for you. I believe I see it in the text already....

Here's what the log says:


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=e80ee13bc3f14e4ba29812741e1a0d71
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-03-03 06:40:48
# local_time=2012-03-02 10:40:48 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5891 16776869 42 87 0 27502944 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=66283
# found=1
# cleaned=0
# scan_time=5974
C:\Documents and Settings\MLW\Desktop\Aaron's Stuff 0112\8 Aaron's Prog's\media.player.codec.pack.v4.1.4.setup.exe probably a variant of Win32/Toolbar.Widgi application (unable to clean) 00000000000000000000000000000000 I
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=e80ee13bc3f14e4ba29812741e1a0d71
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-03-03 12:35:16
# local_time=2012-03-03 04:35:16 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5891 16776869 42 87 0 27522692 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=248929
# found=6
# cleaned=0
# scan_time=7492
G:\Works To Assimilate 0112\Media Holder\media.player.codec.pack.v4.1.1.setup.exe probably a variant of Win32/Toolbar.Widgi application (unable to clean) 00000000000000000000000000000000 I
G:\Works To Assimilate 0112\Media Holder\Advanced.SystemCare.5.0.0.158.Final{Incl Serial}\setup.exe a variant of Win32/Toolbar.Widgi application (unable to clean) 00000000000000000000000000000000 I
G:\Works To Assimilate 0112\Media Holder\Progs Exec\Divx Pro Codec v6.8.3.9zxc.rar a variant of Win32/Keygen.AJ application (unable to clean) 00000000000000000000000000000000 I
G:\Works To Assimilate 0112\Media Holder\Progs Exec\media.player.codec.pack.v3.9.7.setup.exe multiple threats (unable to clean) 00000000000000000000000000000000 I
G:\Works To Assimilate 0112\Media Holder\Progs Exec\winamp561_full_emusic-7plus_en-us.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
G:\Works To Assimilate 0112\Media Holder\WinRAR 3.93 Final 86\keygen\Keygen.exe a variant of Win32/Keygen.AI application (unable to clean) 00000000000000000000000000000000 I
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=e80ee13bc3f14e4ba29812741e1a0d71
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-03-16 07:36:23
# local_time=2012-03-16 12:36:23 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 1104842 1104842 0 0
# compatibility_mode=1024 16777175 100 0 0 0 0 0
# compatibility_mode=5891 16776869 42 87 0 28672522 0 0
# compatibility_mode=8192 67108863 100 0 252276 252276 0 0
# scanned=70077
# found=2
# cleaned=2
# scan_time=6131
C:\Documents and Settings\MLW\Desktop\Aaron's Stuff 0112\8 Aaron's Prog's\media.player.codec.pack.v4.1.4.setup.exe probably a variant of Win32/Toolbar.Widgi application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{771D1F76-86D5-4E7A-AA2F-52A491CAC9E9}\RP171\A0062644.exe probably a variant of Win32/Toolbar.Widgi application (deleted - quarantined) 00000000000000000000000000000000 C
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=e80ee13bc3f14e4ba29812741e1a0d71
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-03-17 01:20:22
# local_time=2012-03-16 06:20:22 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 1125105 1125105 0 0
# compatibility_mode=1024 16777175 100 0 0 0 0 0
# compatibility_mode=5891 16776869 42 87 0 28692785 0 0
# compatibility_mode=8192 67108863 100 0 272539 272539 0 0
# scanned=71340
# found=0
# cleaned=0
# scan_time=6505

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:58 PM

Posted 16 March 2012 - 09:32 PM

Just a couple of toolbar files.

There doesn't look to be anything else sinister in the logs but how is the machine running now?
Posted Image
m0le is a proud member of UNITE

#15 thaiguy

thaiguy
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:09:58 AM

Posted 16 March 2012 - 10:04 PM

Everything's running pretty good. THanks for your help getting that cleaned up ! But now I have a question which isn't that big a deal, but I'd like to take care of.

IN the scans I saw that besides system, there keeps being a user name MLW. And MLW was a name that first showed up when the computer got infected a couple weeks ago. THere's another one where it says the computer's owner is Nestor something. I want to change things so that Task Manager only shows me words/names like 'system' and 'user,' not MLW or Nestor. Where do I go to do that ? This is only a small thing, and if you prefer I Google it myself, I'll go do it.

Otherwise you can feel good that my machine n I are good n protected. THanks again !




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users