
explorer.exe not working again after recent virus cleaning


  • This topic is locked
59 replies to this topic

#1 maryba

maryba

  • Members
  • 120 posts

Posted 08 July 2012 - 10:39 PM

Within the last week, I was being helped at Bleeping with a virus event that disabled Windows Explorer. After a thorough removal process, all problems seemed to be resolved and explorer.exe seemed to be functioning properly.

But now, it happens that whenever I attempt to access Control Panel, I get the alert that "Windows can't start this program and that I should go to Folder Options to do the correct file association" or words to that effect. Hope you get my drift. It happens that before last week's recovery case was closed, this sequence happened at least once. I mentioned it but we didn't follow up on it at the time.

When I click on either the OK button or the x to close the alert box, the TaskBar and any open Windows Explorer are inoperable. And in one instance (after several tries), Task Manager was unusable as well. Can't help but think that explorer.exe gets incapacitated in some way. After a more than 30 minutes wait, whatever loop the system may be in does not recover. After a cold start, all explorer.exe-related functions are ok but I won't dare to retry Control Panel any more. A possible related event: my Avira installation has just detected a TR/Patched.Gen-infected explorer.exe.backup. This had been an existing explorer.exe that I had found in the Windows parent folder. I had renamed it when I was loading a copy of explorer.exe from another working computer. And this was before I had involved Bleeping. During the subsequent cleanup, I thought I had seen one of the cleaning programs Bleeping had me using finding and removing explorer.exe.backup. On this recent detection, I went ahead and had Avira quarantine the file.

Any help possible?


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,622 posts

Posted 13 July 2012 - 10:40 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/459844 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 maryba

maryba
  • Topic Starter

  • Members
  • 120 posts

Posted 16 July 2012 - 12:19 PM

About two weeks ago, I was being helped at Bleeping with a virus event (TR/Patched.Gen) that disabled Windows Explorer. After a thorough removal process, all problems seemed to be resolved and explorer.exe seemed to be functioning properly.

But now, it happens that whenever I attempt to access Control Panel via the Start menu, I get the alert that "This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel." It happens that before last week's recovery case was closed, this sequence happened at least once. I mentioned it then but we didn't follow up on it at the time.

When I click on either the OK button or the x to close the alert box:
1) the TaskBar and any open Windows Explorer are inoperable.
2) And in one instance (after several tries), Task Manager was unusable as well.
3) And at least twice, I got a popup saying:
"Data Execution Prevention – Microsoft Windows
To help protect your computer, Windows has closed this program.
Name: Explorer.exe
Publisher:
"
I am always able to start and use Control Panel from within a Windows Explorer session, so the problem seems to be only from the Start menu.

Can't help but think that explorer.exe gets incapacitated in some way. After a more than 30 minutes wait, whatever loop the system may be in does not recover. After a cold start, all explorer.exe-related functions (see the above-mentioned problems) are operable. A possible related event: my Avira installation has just detected a TR/Patched.Gen-infected explorer.exe.backup. This had been an existing explorer.exe that I had found in the Windows parent folder. I had renamed it when I was loading a copy of explorer.exe from another working computer. And this was before I had involved Bleeping. During the subsequent cleanup, I thought I had seen one of the cleaning programs Bleeping had me using finding and removing explorer.exe.backup. On this recent detection, I went ahead and had Avira quarantine the file.

I've included DDS.txt, Attach.txt and ark.txt.

Any help possible?

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 10.5.1
Run by ADMIN at 16:11:39 on 2012-07-15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.333 [GMT -6:00]
.
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Dexpot\dexpot.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\xampp\xampp-control.exe
C:\Program Files\Safari\Safari.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Dexpot] c:\program files\dexpot\dexpot.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\admin\application data\mozilla\firefox\profiles\qj4idqyr.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com
FF - plugin: c:\documents and settings\admin\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\admin\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\admin\local settings\application data\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_265.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-5-11 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-5-11 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-5-11 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-5-11 83392]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-1-26 50704]
S0 cerc6;cerc6; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-3-30 136176]
S3 A193_ADS;VideoXpress V2 Analog Capture;c:\windows\system32\drivers\A193_ADS.sys [2010-12-22 277888]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-6-16 250056]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-3-30 136176]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-07-04 03:54:39 3083 ----a-w- C:\resetdma.vbs
2012-07-02 04:11:19 -------- d-----w- c:\program files\ESET
2012-07-02 04:05:27 -------- d-----w- c:\program files\backups
2012-07-02 01:01:36 388608 ----a-w- c:\program files\HijackThis.exe
2012-07-02 00:03:22 -------- d-----w- c:\program files\CCleaner
2012-07-01 23:57:05 -------- d-----w- c:\program files\Oracle
2012-07-01 23:56:38 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-07-01 23:56:38 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-07-01 14:18:12 -------- d-----w- C:\virus fix 063012
2012-07-01 03:06:28 507904 -c--a-w- c:\windows\system32\dllcache\winlogon.exe
2012-07-01 03:06:28 14336 -c--a-w- c:\windows\system32\dllcache\svchost.exe
2012-07-01 03:06:28 1033728 -c--a-w- c:\windows\system32\dllcache\explorer.exe
2012-06-30 18:02:42 -------- d-sha-r- C:\cmdcons
2012-06-29 16:44:48 8 ----a-w- C:\IE.bat
2012-06-29 00:38:20 -------- d-----w- C:\nocomment062212
2012-06-28 20:07:14 -------- d-----w- c:\documents and settings\admin\temptest
2012-06-27 21:58:58 1033728 ----a-w- c:\windows\explorer.exe
2012-06-27 21:23:30 507904 ----a-w- c:\windows\system32\winlogon1.exe
2012-06-25 18:22:49 56 ----a-w- c:\documents and settings\admin\T.BAT
2012-06-24 22:13:49 8 ----a-w- c:\documents and settings\admin\IE.bat
2012-06-16 14:57:51 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
==================== Find3M ====================
.
2012-07-12 11:45:08 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-01 03:06:27 507904 ----a-w- c:\windows\system32\winlogon.exe
2012-07-01 03:06:26 14336 ----a-w- c:\windows\system32\svchost.exe
2012-05-05 01:29:16 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-25 06:32:27 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-04-17 03:18:01 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2010-01-27 05:11:08 444283 ----a-w- c:\program files\common files\WinPcapNmap.exe
.
============= FINISH: 16:11:55.64 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/22/2010 5:36:56 PM
System Uptime: 7/10/2012 7:01:10 PM (117 hours ago)
.
Motherboard: Dell Inc. | | 0PJ478
Processor: Intel® Pentium® 4 CPU 3.00GHz | Microprocessor | 2992/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 75 GiB total, 30.181 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom NetXtreme 57xx Gigabit Controller
Device ID: PCI\VEN_14E4&DEV_1677&SUBSYS_01AD1028&REV_01\4&117729E2&0&00E0
Manufacturer: Broadcom
Name: Broadcom NetXtreme 57xx Gigabit Controller
PNP Device ID: PCI\VEN_14E4&DEV_1677&SUBSYS_01AD1028&REV_01\4&117729E2&0&00E0
Service: b57w2k
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
1&1 EasyLogin
32 Bit HP CIO Components Installer
7-Zip 9.20
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.1)
ADS Tech MediaTV 3
Alarm
Amaya
AnvSoft Photo Flash Maker Free 5.31
APlus Viewer
AppGini Free Trial Edition 4.61
AppGini Professional Edition 4.51
Apple Application Support
Apple Software Update
Arachnophilia version 4.0
Audacity 1.2.6
Avidemux 2.5
Avira Free Antivirus
Barcode Creator V3.1
Blender (remove only)
Broadcom Gigabit Integrated Controller
C-Media PCI Audio Device
Canon ScanGear Starter
CCleaner
CDBurnerXP
CoffeeCup Password Wizard
CoffeeCup StyleSheet Maker
Coupon Printer for Windows
CSS3 Menu
Dexpot
DHE Editor 1.8
DJ_AIO_03_F2200_Software_Min
DKHardDrive-Light
Dynamic HTML Editor 1.9
ESET Online Scanner v3
FastStone MaxView 2.2
FuturixImager 5.8.7
GIMP 2.6.11
GOM Player
Google Chrome
Google Earth
Google Talk (remove only)
Google Talk Plugin
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB954550-v5)
HP Deskjet F2200 All-In-One Driver 10.0 Rel .3
HTML Slideshow Powertoy for Windows XP
Image Resizer for Windows
Intel® Graphics Media Accelerator Driver
IrfanView (remove only)
Java Auto Updater
Java™ 7 Update 5
JavaFX 2.1.1
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Office 2000 Professional
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Mozilla Firefox 6.0.2 (x86 en-US)
MPEG2 Codec(libmpeg2/mad)
NCS WinVisible
NetObjects Fusion Essentials
NoteTab Light 6 (Remove only)
OpenOffice.org 3.2
PageBreeze Free HTML Editor
PHP Generator for MySQL 11.12
Picasa 3
Python 2.7.1
Resource Hacker Version 3.6.0
Safari
Scan
SeaMonkey (2.0.14)
SiteMap Generator 0.97 (beta)
Skype™ 5.5
Toolbox
VDownloader 3.0.752
Visual CSS QuickMenu
Visual Site Designer (Trial Version)
WebFldrs XP
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
WinPcap 4.1.1
WOW Slider
XAMPP 1.7.4
.
==== Event Viewer Messages From Past Week ========
.
7/9/2012 10:27:02 AM, error: Service Control Manager [7024] - The Avira Realtime Protection service terminated with service-specific error 303 (0x12F).
7/8/2012 8:25:26 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/8/2012 8:20:06 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avipbb avkmgr Fips intelppm ssmdrv
7/8/2012 8:19:32 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
.
==== End Of File ===========================
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-15 22:25:10
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e HDS728080PLA380 rev.PF2OA63A
Running: gmer.exe; Driver: C:\DOCUME~1\ADMIN\LOCALS~1\Temp\pwrcrfob.sys


---- System - GMER 1.0.15 ----

SSDT F7CC3CA4 ZwClose
SSDT F7CC3C5E ZwCreateKey
SSDT F7CC3CAE ZwCreateSection
SSDT F7CC3C54 ZwCreateThread
SSDT F7CC3C63 ZwDeleteKey
SSDT F7CC3C6D ZwDeleteValueKey
SSDT F7CC3C9F ZwDuplicateObject
SSDT F7CC3C72 ZwLoadKey
SSDT F7CC3C40 ZwOpenProcess
SSDT F7CC3C45 ZwOpenThread
SSDT F7CC3CC7 ZwQueryValueKey
SSDT F7CC3C7C ZwReplaceKey
SSDT F7CC3CB8 ZwRequestWaitReplyPort
SSDT F7CC3C77 ZwRestoreKey
SSDT F7CC3CB3 ZwSetContextThread
SSDT F7CC3CBD ZwSetSecurityObject
SSDT F7CC3C68 ZwSetValueKey
SSDT F7CC3CC2 ZwSystemDebugControl
SSDT F7CC3C4F ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF6F3BF80]
? C:\DOCUME~1\ADMIN\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Safari\Safari.exe[3504] USER32.dll!BeginPaint 7E428FE9 5 Bytes JMP 0287BBB0 C:\Program Files\Common Files\Apple\Apple Application Support\WebKit.dll (WebKit.dll/Apple Inc.)
.text C:\Program Files\Safari\Safari.exe[3504] USER32.dll!EndPaint 7E428FFD 5 Bytes JMP 0287BC20 C:\Program Files\Common Files\Apple\Apple Application Support\WebKit.dll (WebKit.dll/Apple Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----



File C:\Documents and Settings\ADMIN\My Documents\wt\042812\(1).jpg 0 bytes
File C:\Documents and Settings\ADMIN\My Documents\wt\042812\(10).jpg 0 bytes


---- EOF - GMER 1.0.15 ----

#4 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts

Posted 19 July 2012 - 08:42 AM

Hi,

Welcome to Bleeping Computer. My name is oneof4 and I will be helping you with your log.
Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Watch Topic box to the right of your topic title and selecting Immediate Notification.


Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

If you would, please provide a link to the previous help thread that you mentioned. I would like to look over what's been done to your system previously.

Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

Best Regards,
oneof4.


#5 maryba

maryba
  • Topic Starter

  • Members
  • 120 posts

Posted 19 July 2012 - 11:53 AM

Previous help thread: http://www.bleepingcomputer.com/forums/topic458748.html/page__pid__2754721__st__45#entry2754721

Hope that gets you to it. This was the last exchange I had with my then guide, Gringo.

Sorry, oneof4, I don't see a "Watch Topic box" or "Immediate Notification" to the right of my topic title. I'm sure I'm just missing it - somewhere - but just can't find it. Could it be that my Safari doesn't display it? In my past experience, I've always received an email notification fairly timely so assumed I was automatically set for "Immediate Notification".

Look forward to hearing from you.


Mike

#6 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts

Posted 21 July 2012 - 10:35 PM

Hello maryba, :)

Let's get a closer look at explorer.exe...

We need to run an OTL Custom Scan

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    /MD5Start
    explorer.exe
    winlogon.exe
    svchost.exe
    /MD5Stop
    
  • Push the Run Scan button.
  • A report will open. Copy and Paste that report in your next reply.

Best Regards,
oneof4.

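The MD5 check oneof4 asks OTL to run, done by hand: an added example (not OTL's code and not from the thread) that hashes the three files named above in the places a 32-bit Windows XP keeps them and flags any file whose live copy has a different digest from the Windows File Protection copy in dllcache, which is how a patched explorer.exe usually shows up. XP_LOCATIONS lists the standard XP paths; the demo runs on a constructed temporary tree so it works on any machine.

```python
import hashlib
import os
import tempfile

# Where a 32-bit Windows XP SP3 install keeps copies of the three files
# oneof4 asked OTL to hash. dllcache holds Windows File Protection's
# pristine copy, so a live copy whose MD5 differs from it deserves a look.
XP_LOCATIONS = {
    "explorer.exe": [r"C:\WINDOWS\explorer.exe",
                     r"C:\WINDOWS\system32\dllcache\explorer.exe"],
    "winlogon.exe": [r"C:\WINDOWS\system32\winlogon.exe",
                     r"C:\WINDOWS\system32\dllcache\winlogon.exe"],
    "svchost.exe":  [r"C:\WINDOWS\system32\svchost.exe",
                     r"C:\WINDOWS\system32\dllcache\svchost.exe"],
}


def md5_file(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def hash_copies(locations):
    """Hash every listed copy. Returns {name: [(path, size, md5)]};
    a copy that is not present is recorded with size 0 and md5 None."""
    report = {}
    for name, paths in locations.items():
        entries = []
        for path in paths:
            if os.path.isfile(path):
                entries.append((path, os.path.getsize(path), md5_file(path)))
            else:
                entries.append((path, 0, None))
        report[name] = entries
    return report


def find_mismatches(report):
    """Names whose present copies do not all share a single MD5."""
    bad = set()
    for name, entries in report.items():
        digests = {md5 for _, _, md5 in entries if md5 is not None}
        if len(digests) > 1:
            bad.add(name)
    return bad


def format_report(report):
    """One line per copy, in the spirit of OTL's /MD5Start output."""
    lines = []
    for name in sorted(report):
        for path, size, md5 in report[name]:
            shown = md5 if md5 is not None else "MISSING".ljust(32)
            lines.append("%-12s %10d  %s  %s" % (name, size, shown, path))
    return "\n".join(lines)


def build_sample_tree():
    """Constructed sample (not from the thread): a temp directory laid out
    like the XP paths above. The live explorer.exe differs from the dllcache
    copy by one byte (same size, as a patched file often is), svchost.exe
    copies match, and winlogon.exe is absent from both places."""
    root = tempfile.mkdtemp()
    clean = b"MZ" + b"\x00" * 1024      # stand-in for a clean PE image
    patched = clean[:-1] + b"\x90"      # same size, one byte changed
    sys32 = os.path.join("WINDOWS", "system32")
    cache = os.path.join(sys32, "dllcache")
    layout = {
        "explorer.exe": [("WINDOWS", patched), (cache, clean)],
        "svchost.exe":  [(sys32, clean), (cache, clean)],
        "winlogon.exe": [(sys32, None), (cache, None)],
    }
    locations = {}
    for name, copies in layout.items():
        for subdir, content in copies:
            folder = os.path.join(root, subdir)
            os.makedirs(folder, exist_ok=True)
            path = os.path.join(folder, name)
            if content is not None:
                with open(path, "wb") as fh:
                    fh.write(content)
            locations.setdefault(name, []).append(path)
    return locations


if __name__ == "__main__":
    # Runs on the constructed tree; pass XP_LOCATIONS instead on a real XP box.
    report = hash_copies(build_sample_tree())
    print(format_report(report))
    print("mismatched:", sorted(find_mismatches(report)))
```

A matching pair of digests only says the two copies agree with each other; a digest also has to be checked against a known-good build of the same Windows version before a file is called clean.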

#7 maryba

maryba
  • Topic Starter

  • Members
  • 120 posts

Posted 22 July 2012 - 08:18 AM

Here ya go.

Two reports generated: OTL.txt and Extras.Txt.

OTL.txt:

OTL logfile created on: 7/21/2012 10:48:27 PM - Run 1
OTL by OldTimer - Version 3.2.54.0 Folder = C:\Documents and Settings\ADMIN\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.07 Mb Total Physical Memory | 199.63 Mb Available Physical Memory | 19.69% Memory free
2.38 Gb Paging File | 1.45 Gb Available in Paging File | 60.97% Paging File free
Paging file location(s): C:\pagefile.sys 1521 2028 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 27.57 Gb Free Space | 37.01% Space Free | Partition Type: NTFS

Computer Name: DELL_GX520 | User Name: ADMIN | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/07/11 15:57:07 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ADMIN\Desktop\OTL.exe
PRC - [2012/06/30 21:06:26 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2012/05/04 19:29:46 | 000,161,664 | ---- | M] (Oracle Corporation) -- C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
PRC - [2012/05/02 01:42:31 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2012/05/02 00:34:37 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2012/05/02 00:31:38 | 000,348,624 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2012/04/24 02:11:59 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2011/08/23 05:19:22 | 001,112,576 | ---- | M] (1&1 Internet AG) -- C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
PRC - [2011/03/21 20:10:48 | 002,388,264 | ---- | M] (Apple Inc.) -- C:\Program Files\Safari\Safari.exe
PRC - [2010/12/17 13:41:26 | 000,126,976 | ---- | M] () -- C:\xampp\xampp-control.exe
PRC - [2010/12/03 12:18:12 | 008,133,120 | ---- | M] () -- C:\xampp\mysql\bin\mysqld.exe
PRC - [2010/10/17 18:32:10 | 000,020,549 | ---- | M] (Apache Software Foundation) -- C:\xampp\apache\bin\httpd.exe
PRC - [2010/03/04 22:38:00 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
PRC - [2009/06/04 08:44:04 | 001,286,144 | ---- | M] (Dexpot GbR) -- C:\Program Files\Dexpot\dexpot.exe
PRC - [2008/04/14 06:00:00 | 000,060,416 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Outlook Express\msimn.exe


========== Modules (No Company Name) ==========

MOD - [2012/07/12 05:45:08 | 009,465,032 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_3_300_265.dll
MOD - [2012/04/16 23:11:02 | 000,398,288 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2011/11/01 23:26:32 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/11/01 23:26:12 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/07/29 02:32:58 | 000,013,824 | ---- | M] () -- C:\Program Files\1&1\1&1 EasyLogin\MasterLoginLibrary.dll
MOD - [2011/03/28 23:50:06 | 011,791,360 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\50ea744ffc3cb7f09b027fd6c5c93b2b\System.Web.ni.dll
MOD - [2011/03/28 23:47:12 | 000,970,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\cb4cb21d14767292e079366a5d3d76cd\System.Configuration.ni.dll
MOD - [2011/03/28 23:28:22 | 005,449,728 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\36f3953f24d4f0b767bf172331ad6f3e\System.Xml.ni.dll
MOD - [2011/03/28 23:28:03 | 012,428,800 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\9a254c455892c02355ab0ab0f0727c5b\System.Windows.Forms.ni.dll
MOD - [2011/03/28 23:27:39 | 001,587,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\6978f2e90f13bc720d57fa6895c911e2\System.Drawing.ni.dll
MOD - [2011/03/28 23:22:11 | 007,867,392 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\aa7926460a336408c8041330ad90929d\System.ni.dll
MOD - [2011/03/28 23:22:01 | 011,485,184 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\9adb89fa22fd5b4ce433b5aca7fb1b07\mscorlib.ni.dll
MOD - [2010/12/17 13:41:26 | 000,126,976 | ---- | M] () -- C:\xampp\xampp-control.exe
MOD - [2010/12/03 12:18:12 | 008,133,120 | ---- | M] () -- C:\xampp\mysql\bin\mysqld.exe
MOD - [2010/03/14 13:52:00 | 000,077,876 | ---- | M] () -- C:\xampp\apache\bin\zlib1.dll
MOD - [2010/03/04 22:38:00 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
MOD - [2008/04/14 06:00:00 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll


========== Win32 Services (SafeList) ==========

SRV - [2012/07/12 05:45:08 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/05/04 19:29:46 | 000,161,664 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2012/05/02 01:42:31 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012/05/02 00:34:37 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/03/04 22:38:00 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | Boot | Stopped] -- -- (cerc6)
DRV - [2012/04/27 10:20:04 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2012/04/25 00:32:27 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2012/04/16 21:18:01 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2010/06/17 15:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/01/26 20:09:02 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\npf.sys -- (npf)
DRV - [2009/11/12 13:48:56 | 000,007,168 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2008/12/03 00:32:06 | 001,519,424 | R--- | M] (C-Media Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cmudax3.sys -- (cmuda3)
DRV - [2008/05/08 15:58:58 | 000,277,888 | R--- | M] (Trident Multimedia Technologies Co.,Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\A193_ADS.sys -- (A193_ADS)
DRV - [2008/04/14 00:16:24 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MPE.sys -- (MPE)
DRV - [2008/04/14 00:15:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2006/11/10 15:05:00 | 000,018,688 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2006/07/14 12:45:20 | 000,156,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/09/17 11:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_3_300_265.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.1: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.1: C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Documents and Settings\ADMIN\Application Data\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Documents and Settings\ADMIN\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\ADMIN\Local Settings\Application Data\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\ADMIN\Local Settings\Application Data\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/22 11:12:41 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/07/01 17:56:37 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\SeaMonkey 2.0.14\extensions\\Components: C:\Program Files\SeaMonkey\components [2011/05/23 19:39:29 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\SeaMonkey 2.0.14\extensions\\Plugins: C:\Program Files\SeaMonkey\plugins [2011/12/09 17:03:32 | 000,000,000 | ---D | M]

[2011/05/23 19:39:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\ADMIN\Application Data\Mozilla\Extensions
[2011/05/23 19:39:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\ADMIN\Application Data\Mozilla\Extensions\{92650c4d-4b8e-4d2a-b7eb-24ecf4f6b63a}
[2010/12/31 15:18:56 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\ADMIN\Application Data\Mozilla\Extensions\xulapp@opencube.com
[2011/11/20 22:29:22 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\ADMIN\Application Data\Mozilla\Firefox\Profiles\qj4idqyr.default\extensions
[2011/11/20 22:29:22 | 000,000,000 | ---D | M] ("ImageHost Grabber") -- C:\Documents and Settings\ADMIN\Application Data\Mozilla\Firefox\Profiles\qj4idqyr.default\extensions\{E4091D66-127C-11DB-903A-DE80D2EFDFE8}
[2011/05/23 19:39:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\ADMIN\Application Data\Mozilla\SeaMonkey\Profiles\vag2os20.default\extensions
[2011/09/22 11:12:40 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/09/03 00:01:45 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/03/18 11:32:12 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
[2011/03/18 11:32:14 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
[2011/09/02 17:25:59 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

========== Chrome ==========

CHR - homepage: http://yahoo.com/
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage: http://yahoo.com/
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\ADMIN\Local Settings\Application Data\Google\Chrome\Application\19.0.1084.52\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Java Deployment Toolkit 6.0.230.5 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U23 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\ADMIN\Local Settings\Application Data\Google\Chrome\Application\19.0.1084.52\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\ADMIN\Local Settings\Application Data\Google\Chrome\Application\19.0.1084.52\pdf.dll
CHR - plugin: Coupons Inc., Coupon Printer Manager (Enabled) = C:\Documents and Settings\ADMIN\Local Settings\Application Data\Google\Chrome\Application\plugins\npMozCouponPrinter.dll
CHR - plugin: Coupons Inc., Coupon Printer Manager (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\ADMIN\Local Settings\Application Data\Google\Update\1.3.21.69\npGoogleUpdate3.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Picasa (Enabled) = C:\Program Files\Google\Picasa3\npPicasa3.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Entanglement = C:\Documents and Settings\ADMIN\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd\2.7.9_0\
CHR - Extension: Poppit = C:\Documents and Settings\ADMIN\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0\

O1 HOSTS File: ([2012/06/30 22:43:09 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll File not found
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKCU..\Run: [Dexpot] C:\Program Files\Dexpot\dexpot.exe (Dexpot GbR)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.15.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{74344527-37CC-4E06-AE03-95A902FE9028}: DhcpNameServer = 192.168.15.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\ADMIN\Application Data\IrfanView\IrfanView_Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\ADMIN\Application Data\IrfanView\IrfanView_Wallpaper.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/29 12:46:59 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/21 22:47:00 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\ADMIN\Desktop\OTL.exe
[2012/07/15 22:41:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ADMIN\Desktop\safari docs
[2012/07/15 22:38:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ADMIN\My Documents\safari docs
[2012/07/14 12:10:35 | 000,607,260 | ---- | C] (Swearware) -- C:\Documents and Settings\ADMIN\My Documents\dds-2.scr
[2012/07/01 22:11:19 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/07/01 22:05:27 | 000,000,000 | ---D | C] -- C:\Program Files\backups
[2012/07/01 19:01:36 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Program Files\HijackThis.exe
[2012/07/01 18:10:41 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/07/01 18:10:40 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\ADMIN\Recent
[2012/07/01 18:03:22 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/07/01 17:57:45 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/07/01 17:57:05 | 000,000,000 | ---D | C] -- C:\Program Files\Oracle
[2012/07/01 17:56:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ADMIN\Application Data\Oracle
[2012/07/01 17:56:38 | 000,772,504 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\npDeployJava1.dll
[2012/07/01 17:56:38 | 000,143,872 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2012/07/01 17:56:37 | 000,227,720 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2012/07/01 17:56:19 | 000,174,064 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2012/07/01 17:56:19 | 000,174,064 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2012/07/01 17:55:23 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2012/07/01 08:18:12 | 000,000,000 | ---D | C] -- C:\virus fix 063012
[2012/06/30 22:45:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/06/30 21:06:28 | 001,033,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\explorer.exe
[2012/06/30 21:06:28 | 000,507,904 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\winlogon.exe
[2012/06/30 21:06:28 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\svchost.exe
[2012/06/30 12:02:42 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/06/30 11:58:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2012/06/28 18:38:20 | 000,000,000 | ---D | C] -- C:\nocomment062212
[2012/06/28 14:07:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ADMIN\temptest
[2012/06/27 15:58:58 | 001,033,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
[2012/06/27 15:23:30 | 000,507,904 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\winlogon1.exe
[2012/06/26 11:50:17 | 000,000,000 | R--D | C] -- C:\Documents and Settings\ADMIN\Start Menu\Programs\Administrative Tools
[2012/06/26 11:48:47 | 000,607,260 | ---- | C] (Swearware) -- C:\Documents and Settings\ADMIN\My Documents\dds-1.scr
[2012/06/26 11:44:16 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\ADMIN\My Documents\dds.scr
[2012/06/23 12:33:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2012/06/23 11:12:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ADMIN\My Documents\pics
[2012/06/22 08:08:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ADMIN\My Documents\daddy ebay pics
[2008/07/25 11:17:10 | 001,172,472 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\ADMIN\Application Data\hlololol.exe
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/07/21 22:45:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/07/21 22:42:00 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-382435906-1983232911-3557363581-1003UA.job
[2012/07/21 22:37:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/07/21 20:54:39 | 000,090,195 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\ellison-yacht.jpg
[2012/07/21 17:07:08 | 000,176,128 | ---- | M] () -- C:\Documents and Settings\ADMIN\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/07/21 09:37:00 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/07/21 03:42:00 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-382435906-1983232911-3557363581-1003Core.job
[2012/07/21 00:44:35 | 000,003,416 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\dhruv-mysql-2012-07-16.zip
[2012/07/20 18:32:51 | 000,090,708 | ---- | M] () -- C:\user.dmp
[2012/07/20 10:26:54 | 000,279,660 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\westafrica_amo_2007282.jpg
[2012/07/20 10:26:34 | 000,263,315 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\minn_amo_2011255.jpg
[2012/07/20 10:26:20 | 000,284,352 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\centralasia_amo_2010314.jpg
[2012/07/20 10:26:03 | 000,299,641 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\glory_amo_2008141.jpg
[2012/07/20 10:25:39 | 000,275,212 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\china_amo_2007081.jpg
[2012/07/20 10:25:12 | 000,238,848 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\iceland_2010132.jpg
[2012/07/20 10:24:50 | 000,253,067 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\patagonia_amo_2010355.jpg
[2012/07/20 10:24:38 | 000,264,475 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\parmamelor_2009279.jpg
[2012/07/20 10:24:14 | 000,252,111 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\fiji_amo_2011202.jpg
[2012/07/20 10:23:56 | 000,312,476 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\janmayen_amo_2009055.jpg
[2012/07/20 10:23:34 | 000,250,491 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\gulf_amo_2010115.jpg
[2012/07/20 10:23:26 | 000,357,243 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\newzealand_amo_2011119.jpg
[2012/07/20 10:23:13 | 000,296,982 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\antarctica_amo_2009027.jpg
[2012/07/20 10:22:54 | 000,241,138 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\sicily_amo_2002301.jpg
[2012/07/20 09:53:20 | 000,777,772 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\skycrane-mars-landing-msl-curiosity-111117e-02.jpg
[2012/07/20 09:51:57 | 000,041,286 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\curiosity-rover-mars-landing-landed.jpg
[2012/07/20 09:51:49 | 000,043,270 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\curiosity-rover-mars-landing-touchdown.jpg
[2012/07/20 09:50:44 | 000,017,013 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\curiosity-rover-mars-landing-sky-crane.jpg
[2012/07/20 09:50:36 | 000,027,952 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\curiosity-rover-mars-landing-descent-stage.jpg
[2012/07/20 09:50:05 | 000,013,081 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\curiosity-rover-mars-landing-backshell.jpg
[2012/07/20 09:41:51 | 000,046,585 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\090909-htv-fairing-02.jpg
[2012/07/20 09:41:29 | 000,043,348 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\090902-htv-art-02.jpg
[2012/07/20 09:41:05 | 000,054,212 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\090910-htv-rollout-02.jpg
[2012/07/20 09:40:05 | 000,202,278 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\htv-1-astronaut-stott.jpg
[2012/07/20 09:38:49 | 000,539,880 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\kounotori2-canadarm2-iss.jpg
[2012/07/20 09:38:06 | 000,504,894 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\astronauts-kounotori-2-1.jpg
[2012/07/20 09:37:43 | 000,184,591 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\astronauts-kounotori-2.jpg
[2012/07/20 09:37:21 | 000,046,415 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\091029-htv-iss-arrive-02.jpg
[2012/07/20 09:37:06 | 000,289,923 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\h-ii-b-third-unit-jaxa.jpg
[2012/07/20 09:37:01 | 000,294,444 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\htv-1-iss-closeup.jpg
[2012/07/20 09:36:27 | 000,266,063 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\h-ii-b-third-unit-jaxa-2.jpg
[2012/07/20 09:36:14 | 000,227,246 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\h-ii-automated-transfer-vehicle.jpg
[2012/07/20 09:35:56 | 000,205,664 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\Kounotori2-EDIT.jpg
[2012/07/19 22:51:03 | 000,000,442 | ---- | M] () -- C:\test-yui.html
[2012/07/19 18:12:19 | 007,900,025 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\hy vee sale ads - v86_1.pdf
[2012/07/19 12:36:08 | 000,075,327 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\rain shaft over queens 7-18-2012.jpg1342714815.jpg
[2012/07/19 12:25:32 | 000,005,889 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\b32e33c350fd9c5d08392a757753117d_48.png
[2012/07/19 11:56:02 | 000,038,347 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\267049452873760854_wVO9cKgy_c.jpg
[2012/07/19 11:55:04 | 000,130,753 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\262405115759038211_sDwWGHvg_f.jpg
[2012/07/19 11:54:38 | 000,098,118 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\89509111314790558_EGkuGgNZ_f.jpg
[2012/07/19 11:53:59 | 000,103,719 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\89509111314805117_XZ2ZbP40_f.jpg
[2012/07/19 11:53:53 | 000,083,768 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\89509111314805121_n5jI1zIH_f.jpg
[2012/07/19 11:53:47 | 000,109,239 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\89509111314805135_0nv5oG1m_f.jpg
[2012/07/19 11:53:39 | 000,095,926 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\89509111314805142_tcyLtflI_f.jpg
[2012/07/19 11:53:30 | 000,087,389 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\89509111314805145_Z7KwJb0S_f.jpg
[2012/07/18 23:20:16 | 000,062,766 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\photo-689.gif
[2012/07/18 19:39:21 | 000,000,040 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\costco flyer vertical tabs.htm
[2012/07/18 19:37:54 | 000,107,020 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\Save On The Q-See 16-Channel Camera System - Protect And Remotely Monitor Your Property.eml
[2012/07/18 19:27:02 | 000,602,543 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\2202.jpg
[2012/07/18 15:00:01 | 000,056,978 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\manners1_uni_1342633026.jpg
[2012/07/18 09:56:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/07/17 20:32:48 | 000,051,824 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\134593849-jpg_215416.jpg
[2012/07/17 20:32:41 | 000,051,536 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\133627951-jpg_215416.jpg
[2012/07/17 20:32:31 | 000,045,284 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\114517727-jpg_215415.jpg
[2012/07/17 20:32:23 | 000,057,396 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\109687603-jpg_215413.jpg
[2012/07/17 20:32:10 | 000,032,513 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\101937342-jpg_215412.jpg
[2012/07/17 20:32:03 | 000,040,742 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\72427134-jpg_215413.jpg
[2012/07/17 20:31:55 | 000,038,371 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\75533874-jpg_215412.jpg
[2012/07/17 20:18:09 | 000,007,911 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\images-1.jpg
[2012/07/17 20:18:02 | 000,008,583 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\images.jpg
[2012/07/17 13:23:03 | 000,069,077 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\72198400246786587_ZeRVZcwx_f.jpg
[2012/07/17 13:22:45 | 000,105,606 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\206602701626095504_blVTRuyK_f.jpg
[2012/07/17 13:21:58 | 000,149,508 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\191543790372183764_GqEZLsrs_f.jpg
[2012/07/17 13:21:46 | 000,087,837 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\1 part tea tree oil to 2 parts water in a spray bottle.jpg
[2012/07/17 13:20:40 | 000,253,547 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\103160647684492815_39u6hRBw_f.jpg
[2012/07/16 16:49:29 | 000,002,308 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\A new reply has been posted to TR_Patched.Gen virus and loss of Windows Explor....eml
[2012/07/16 15:12:33 | 000,056,683 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\authclass-2012-07-16.zip
[2012/07/16 13:35:11 | 000,050,023 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\20101112mimosa-large.jpg
[2012/07/16 13:33:08 | 000,023,436 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\9426_view.jpg
[2012/07/16 13:32:17 | 000,028,452 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\kelly-stables-04.jpg
[2012/07/16 13:09:31 | 000,070,312 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\rappahan.jpg
[2012/07/16 13:08:42 | 001,099,758 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\USNS_Rappahannock_T-AO-204.jpg
[2012/07/16 10:05:46 | 000,024,122 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\221207311-1.jpg
[2012/07/16 10:05:37 | 000,028,950 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\221207311.jpg
[2012/07/16 10:03:38 | 000,031,218 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\221204329-2.jpg
[2012/07/16 10:03:32 | 000,030,943 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\221204329-1.jpg
[2012/07/16 10:03:28 | 000,032,120 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\221204329.jpg
[2012/07/16 10:02:42 | 000,029,499 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\223057209.jpg
[2012/07/16 10:01:27 | 000,014,824 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\217963643.jpg
[2012/07/16 09:43:30 | 000,046,988 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\1623.jpg
[2012/07/16 09:43:17 | 000,030,304 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\don_t_like_people_uni.jpg
[2012/07/16 07:43:17 | 000,096,574 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\Yame, Fukuoka Prefecture, Japan, Sunday, July 15, 2012.jpg
[2012/07/15 22:56:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/07/15 16:08:23 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\ADMIN\defogger_reenable
[2012/07/15 06:28:01 | 000,010,992 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\implementos-2012-07-14.zip
[2012/07/12 05:45:08 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/07/12 05:45:08 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/07/12 04:40:39 | 000,002,262 | ---- | M] () -- C:\Documents and Settings\ADMIN\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/07/12 04:40:38 | 000,002,284 | ---- | M] () -- C:\Documents and Settings\ADMIN\Desktop\Google Chrome.lnk
[2012/07/11 15:57:07 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ADMIN\Desktop\OTL.exe
[2012/07/10 21:08:54 | 001,100,143 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\You receive a Data Execution Prevention error message in Windows XP Service Pack 2 or in Windows XP Tablet PC Edition 2005.webarchive
[2012/07/10 01:23:55 | 000,249,565 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\cssone1-2012-07-01.zip
[2012/07/08 22:57:20 | 000,289,511 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\TR-Alureon.DX.9.trojan - How to remove TR-Alureon.DX.9.trojan.webarchive
[2012/07/08 20:01:25 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/07/08 18:11:30 | 004,281,721 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\Internet browser redirecting [Solved] Kioskea.net.webarchive
[2012/07/03 20:20:30 | 000,143,624 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/07/03 16:04:05 | 021,930,969 | ---- | M] () -- C:\tempdir
[2012/07/03 12:20:09 | 000,608,051 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\phpmydatagrid-2012-07-03.zip
[2012/07/01 17:55:39 | 000,174,064 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2012/07/01 17:55:38 | 000,174,064 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2012/06/30 23:07:28 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/06/30 22:43:09 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/06/30 21:39:53 | 000,608,037 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\phpmydatagrid-2012-06-30.zip
[2012/06/30 21:07:25 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/06/30 21:06:28 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\explorer.exe
[2012/06/30 21:06:28 | 000,507,904 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\winlogon.exe
[2012/06/30 21:06:28 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\svchost.exe
[2012/06/30 21:06:26 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
[2012/06/29 10:44:50 | 000,000,008 | ---- | M] () -- C:\IE.bat
[2012/06/28 21:02:26 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2012/06/28 07:09:21 | 000,004,534 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\db-array-class-2012-06-28.zip
[2012/06/26 17:10:48 | 004,324,161 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\temp
[2012/06/25 13:43:05 | 000,000,056 | ---- | M] () -- C:\Documents and Settings\ADMIN\T.BAT
[2012/06/25 12:34:38 | 000,000,070 | ---- | M] () -- C:\Documents and Settings\ADMIN\T.BAK
[2012/06/24 16:06:57 | 000,000,008 | ---- | M] () -- C:\Documents and Settings\ADMIN\IE.bat
[2012/06/24 15:48:27 | 000,000,174 | ---- | M] () -- C:\Documents and Settings\ADMIN\Desktop\Yahoo!.url
[2012/06/24 11:15:52 | 001,315,702 | ---- | M] () -- C:\Documents and Settings\ADMIN\Desktop\Windows XP Control Panel, Shortcuts and Control.exe
[2012/06/24 01:27:00 | 000,003,127 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\database-class-2012-06-23.zip
[2012/06/22 09:06:20 | 000,074,013 | ---- | M] () -- C:\Documents and Settings\ADMIN\My Documents\easy-db-work-2012-06-22.zip
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/07/21 20:54:39 | 000,090,195 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\ellison-yacht.jpg
[2012/07/21 08:02:11 | 000,003,416 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\dhruv-mysql-2012-07-16.zip
[2012/07/20 20:11:24 | 000,708,608 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\whereismydozer.pps
[2012/07/20 10:26:54 | 000,279,660 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\westafrica_amo_2007282.jpg
[2012/07/20 10:26:34 | 000,263,315 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\minn_amo_2011255.jpg
[2012/07/20 10:26:20 | 000,284,352 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\centralasia_amo_2010314.jpg
[2012/07/20 10:26:03 | 000,299,641 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\glory_amo_2008141.jpg
[2012/07/20 10:25:39 | 000,275,212 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\china_amo_2007081.jpg
[2012/07/20 10:25:12 | 000,238,848 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\iceland_2010132.jpg
[2012/07/20 10:24:50 | 000,253,067 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\patagonia_amo_2010355.jpg
[2012/07/20 10:24:38 | 000,264,475 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\parmamelor_2009279.jpg
[2012/07/20 10:24:14 | 000,252,111 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\fiji_amo_2011202.jpg
[2012/07/20 10:23:56 | 000,312,476 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\janmayen_amo_2009055.jpg
[2012/07/20 10:23:34 | 000,250,491 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\gulf_amo_2010115.jpg
[2012/07/20 10:23:26 | 000,357,243 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\newzealand_amo_2011119.jpg
[2012/07/20 10:23:13 | 000,296,982 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\antarctica_amo_2009027.jpg
[2012/07/20 10:22:54 | 000,241,138 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\sicily_amo_2002301.jpg
[2012/07/20 09:53:20 | 000,777,772 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\skycrane-mars-landing-msl-curiosity-111117e-02.jpg
[2012/07/20 09:51:57 | 000,041,286 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\curiosity-rover-mars-landing-landed.jpg
[2012/07/20 09:51:49 | 000,043,270 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\curiosity-rover-mars-landing-touchdown.jpg
[2012/07/20 09:50:44 | 000,017,013 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\curiosity-rover-mars-landing-sky-crane.jpg
[2012/07/20 09:50:36 | 000,027,952 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\curiosity-rover-mars-landing-descent-stage.jpg
[2012/07/20 09:50:05 | 000,013,081 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\curiosity-rover-mars-landing-backshell.jpg
[2012/07/20 09:41:51 | 000,046,585 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\090909-htv-fairing-02.jpg
[2012/07/20 09:41:29 | 000,043,348 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\090902-htv-art-02.jpg
[2012/07/20 09:41:05 | 000,054,212 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\090910-htv-rollout-02.jpg
[2012/07/20 09:40:05 | 000,202,278 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\htv-1-astronaut-stott.jpg
[2012/07/20 09:38:49 | 000,539,880 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\kounotori2-canadarm2-iss.jpg
[2012/07/20 09:38:06 | 000,504,894 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\astronauts-kounotori-2-1.jpg
[2012/07/20 09:37:43 | 000,184,591 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\astronauts-kounotori-2.jpg
[2012/07/20 09:37:21 | 000,046,415 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\091029-htv-iss-arrive-02.jpg
[2012/07/20 09:37:06 | 000,289,923 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\h-ii-b-third-unit-jaxa.jpg
[2012/07/20 09:37:01 | 000,294,444 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\htv-1-iss-closeup.jpg
[2012/07/20 09:36:27 | 000,266,063 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\h-ii-b-third-unit-jaxa-2.jpg
[2012/07/20 09:36:14 | 000,227,246 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\h-ii-automated-transfer-vehicle.jpg
[2012/07/20 09:35:56 | 000,205,664 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\Kounotori2-EDIT.jpg
[2012/07/19 22:51:03 | 000,000,442 | ---- | C] () -- C:\test-yui.html
[2012/07/19 18:12:19 | 007,900,025 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\hy vee sale ads - v86_1.pdf
[2012/07/19 15:13:03 | 000,035,126 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\300px-TrishaNoble.jpg
[2012/07/19 15:12:05 | 000,067,568 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\a2e1604b34ed038ad39fca9550deb74a6aa47ed0.jpg
[2012/07/19 15:11:50 | 000,009,986 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\1721.jpg
[2012/07/19 15:11:28 | 000,014,394 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\7xt9r7ez5lhahle.jpg
[2012/07/19 13:27:00 | 000,013,544 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\9lrpc5balhcs9srl.jpg
[2012/07/19 13:26:45 | 000,027,168 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\smith.jpg
[2012/07/19 13:26:16 | 000,041,835 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\9lr5icqg0s3cs0cc.jpg
[2012/07/19 13:25:21 | 000,005,927 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\images-2.jpg
[2012/07/19 13:24:32 | 000,008,731 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\50414_51093992847_628836_n.jpg
[2012/07/19 12:36:08 | 000,075,327 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\rain shaft over queens 7-18-2012.jpg1342714815.jpg
[2012/07/19 12:25:32 | 000,005,889 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\b32e33c350fd9c5d08392a757753117d_48.png
[2012/07/19 11:56:02 | 000,038,347 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\267049452873760854_wVO9cKgy_c.jpg
[2012/07/19 11:55:04 | 000,130,753 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\262405115759038211_sDwWGHvg_f.jpg
[2012/07/19 11:54:38 | 000,098,118 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\89509111314790558_EGkuGgNZ_f.jpg
[2012/07/19 11:53:59 | 000,103,719 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\89509111314805117_XZ2ZbP40_f.jpg
[2012/07/19 11:53:53 | 000,083,768 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\89509111314805121_n5jI1zIH_f.jpg
[2012/07/19 11:53:47 | 000,109,239 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\89509111314805135_0nv5oG1m_f.jpg
[2012/07/19 11:53:39 | 000,095,926 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\89509111314805142_tcyLtflI_f.jpg
[2012/07/19 11:53:30 | 000,087,389 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\89509111314805145_Z7KwJb0S_f.jpg
[2012/07/18 23:20:16 | 000,062,766 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\photo-689.gif
[2012/07/18 20:20:15 | 000,015,106 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\tails2.jpg
[2012/07/18 20:19:22 | 000,032,866 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\MommyDrinks 1.jpg
[2012/07/18 19:39:21 | 000,000,040 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\costco flyer vertical tabs.htm
[2012/07/18 19:37:54 | 000,107,020 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\Save On The Q-See 16-Channel Camera System - Protect And Remotely Monitor Your Property.eml
[2012/07/18 19:27:02 | 000,602,543 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\2202.jpg
[2012/07/18 15:00:01 | 000,056,978 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\manners1_uni_1342633026.jpg
[2012/07/17 20:32:48 | 000,051,824 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\134593849-jpg_215416.jpg
[2012/07/17 20:32:41 | 000,051,536 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\133627951-jpg_215416.jpg
[2012/07/17 20:32:31 | 000,045,284 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\114517727-jpg_215415.jpg
[2012/07/17 20:32:23 | 000,057,396 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\109687603-jpg_215413.jpg
[2012/07/17 20:32:10 | 000,032,513 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\101937342-jpg_215412.jpg
[2012/07/17 20:32:03 | 000,040,742 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\72427134-jpg_215413.jpg
[2012/07/17 20:31:55 | 000,038,371 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\75533874-jpg_215412.jpg
[2012/07/17 20:18:09 | 000,007,911 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\images-1.jpg
[2012/07/17 20:18:02 | 000,008,583 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\images.jpg
[2012/07/17 13:23:03 | 000,069,077 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\72198400246786587_ZeRVZcwx_f.jpg
[2012/07/17 13:22:45 | 000,105,606 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\206602701626095504_blVTRuyK_f.jpg
[2012/07/17 13:21:58 | 000,149,508 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\191543790372183764_GqEZLsrs_f.jpg
[2012/07/17 13:21:46 | 000,087,837 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\1 part tea tree oil to 2 parts water in a spray bottle.jpg
[2012/07/17 13:20:40 | 000,253,547 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\103160647684492815_39u6hRBw_f.jpg
[2012/07/16 16:49:09 | 000,002,308 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\A new reply has been posted to TR_Patched.Gen virus and loss of Windows Explor....eml
[2012/07/16 15:35:04 | 000,056,683 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\authclass-2012-07-16.zip
[2012/07/16 13:35:11 | 000,050,023 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\20101112mimosa-large.jpg
[2012/07/16 13:33:08 | 000,023,436 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\9426_view.jpg
[2012/07/16 13:32:17 | 000,028,452 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\kelly-stables-04.jpg
[2012/07/16 13:09:31 | 000,070,312 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\rappahan.jpg
[2012/07/16 13:08:42 | 001,099,758 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\USNS_Rappahannock_T-AO-204.jpg
[2012/07/16 10:05:46 | 000,024,122 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\221207311-1.jpg
[2012/07/16 10:05:37 | 000,028,950 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\221207311.jpg
[2012/07/16 10:03:38 | 000,031,218 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\221204329-2.jpg
[2012/07/16 10:03:32 | 000,030,943 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\221204329-1.jpg
[2012/07/16 10:03:28 | 000,032,120 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\221204329.jpg
[2012/07/16 10:02:42 | 000,029,499 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\223057209.jpg
[2012/07/16 10:01:27 | 000,014,824 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\217963643.jpg
[2012/07/16 09:43:30 | 000,046,988 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\1623.jpg
[2012/07/16 09:43:17 | 000,030,304 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\don_t_like_people_uni.jpg
[2012/07/16 07:47:13 | 001,100,143 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\You receive a Data Execution Prevention error message in Windows XP Service Pack 2 or in Windows XP Tablet PC Edition 2005.webarchive
[2012/07/16 07:43:17 | 000,096,574 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\Yame, Fukuoka Prefecture, Japan, Sunday, July 15, 2012.jpg
[2012/07/15 16:08:23 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\ADMIN\defogger_reenable
[2012/07/15 08:33:37 | 000,010,992 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\implementos-2012-07-14.zip
[2012/07/12 08:30:26 | 000,004,534 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\db-array-class-2012-06-28.zip
[2012/07/11 08:02:12 | 000,289,511 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\TR-Alureon.DX.9.trojan - How to remove TR-Alureon.DX.9.trojan.webarchive
[2012/07/10 08:20:42 | 000,249,565 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\cssone1-2012-07-01.zip
[2012/07/08 18:11:28 | 004,281,721 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\Internet browser redirecting [Solved] Kioskea.net.webarchive
[2012/07/03 21:54:39 | 000,003,083 | ---- | C] () -- C:\resetdma.vbs
[2012/07/03 15:59:10 | 021,930,969 | ---- | C] () -- C:\tempdir
[2012/07/03 13:23:51 | 000,608,051 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\phpmydatagrid-2012-07-03.zip
[2012/07/01 17:22:28 | 000,014,808 | ---- | C] () -- C:\revo uninstaller - start_freeware_download.html
[2012/07/01 09:08:50 | 000,608,037 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\phpmydatagrid-2012-06-30.zip
[2012/06/30 23:07:27 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/06/30 12:23:31 | 000,002,465 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft PowerPoint.lnk
[2012/06/30 12:23:31 | 000,002,022 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Word.lnk
[2012/06/30 12:23:31 | 000,001,986 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\MSN.lnk
[2012/06/30 12:23:31 | 000,001,854 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Safari.lnk
[2012/06/30 12:23:31 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Movie Maker.lnk
[2012/06/30 12:23:31 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2012/06/30 12:23:31 | 000,000,609 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Messenger.lnk
[2012/06/30 12:23:30 | 000,002,503 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Outlook.lnk
[2012/06/30 12:23:30 | 000,002,347 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2012/06/30 12:23:30 | 000,002,030 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Excel.lnk
[2012/06/30 12:23:30 | 000,001,990 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Access.lnk
[2012/06/30 12:23:30 | 000,001,830 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Apple Software Update.lnk
[2012/06/30 12:23:30 | 000,001,556 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\CDBurnerXP.lnk
[2012/06/30 12:23:30 | 000,000,636 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Audacity.lnk
[2012/06/30 12:23:28 | 000,001,730 | ---- | C] () -- C:\Documents and Settings\ADMIN\Application Data\Microsoft\Internet Explorer\Quick Launch\ReCycle Rules.lnk
[2012/06/30 12:23:28 | 000,001,528 | ---- | C] () -- C:\Documents and Settings\ADMIN\Application Data\Microsoft\Internet Explorer\Quick Launch\Volume Control.lnk
[2012/06/30 12:23:28 | 000,001,282 | ---- | C] () -- C:\Documents and Settings\ADMIN\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to Psp.exe.lnk
[2012/06/30 12:23:28 | 000,000,808 | ---- | C] () -- C:\Documents and Settings\ADMIN\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to ws_ftp95.exe.lnk
[2012/06/30 12:23:28 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\ADMIN\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/06/30 12:23:28 | 000,000,640 | ---- | C] () -- C:\Documents and Settings\ADMIN\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to NoteTab.exe.lnk
[2012/06/30 12:23:28 | 000,000,630 | ---- | C] () -- C:\Documents and Settings\ADMIN\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to moviemk.exe.lnk
[2012/06/30 12:23:28 | 000,000,608 | ---- | C] () -- C:\Documents and Settings\ADMIN\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to AppGini.exe.lnk
[2012/06/30 12:23:27 | 000,002,262 | ---- | C] () -- C:\Documents and Settings\ADMIN\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/06/30 12:23:27 | 000,001,878 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2012/06/30 12:23:27 | 000,001,860 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Visual CSS QuickMenu.lnk
[2012/06/30 12:23:27 | 000,001,854 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2012/06/30 12:23:27 | 000,001,854 | ---- | C] () -- C:\Documents and Settings\ADMIN\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk
[2012/06/30 12:23:27 | 000,001,564 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SeaMonkey.lnk
[2012/06/30 12:23:27 | 000,001,538 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\VDownloader.lnk
[2012/06/30 12:23:27 | 000,000,885 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\OpenOffice.org 3.2.lnk
[2012/06/30 12:23:27 | 000,000,844 | ---- | C] () -- C:\Documents and Settings\ADMIN\Application Data\Microsoft\Internet Explorer\Quick Launch\GOM Player.lnk
[2012/06/30 12:23:27 | 000,000,759 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Picasa 3.lnk
[2012/06/30 12:23:27 | 000,000,685 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SiteMap Generator.lnk
[2012/06/30 12:23:27 | 000,000,650 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PageBreeze HTML Editor.lnk
[2012/06/30 12:23:27 | 000,000,645 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\WOW Slider.lnk
[2012/06/30 12:23:27 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\ADMIN\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk
[2012/06/30 12:23:26 | 000,002,473 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\NCS WinVisible.lnk
[2012/06/30 12:23:26 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CoffeeCup Visual Site Designer.lnk
[2012/06/30 12:23:26 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2012/06/30 12:23:26 | 000,001,857 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\NetObjects Fusion Essentials.lnk
[2012/06/30 12:23:26 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2012/06/30 12:23:26 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CDBurnerXP.lnk
[2012/06/30 12:23:26 | 000,001,603 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\MediaTV 3.lnk
[2012/06/30 12:23:26 | 000,001,565 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\IrfanView Thumbnails.lnk
[2012/06/30 12:23:26 | 000,000,826 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\GOM Player.lnk
[2012/06/30 12:23:26 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\GIMP 2.lnk
[2012/06/30 12:23:26 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2012/06/30 12:23:26 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\FastStone MaxView.lnk
[2012/06/30 12:23:26 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2012/06/30 12:23:26 | 000,000,717 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avidemux 2.5.lnk
[2012/06/30 12:23:26 | 000,000,685 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\IrfanView.lnk
[2012/06/30 12:23:26 | 000,000,635 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CSS3 Menu.lnk
[2012/06/30 12:23:25 | 000,001,738 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\1&1 Control Panel.lnk
[2012/06/30 12:23:25 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2012/06/30 12:23:25 | 000,001,722 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\1&1 WebMail.lnk
[2012/06/30 12:23:25 | 000,000,806 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Amaya.lnk
[2012/06/30 12:23:25 | 000,000,802 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\1&1 EasyLogin.lnk
[2012/06/30 12:02:54 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/06/30 12:02:49 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/06/29 10:44:48 | 000,000,008 | ---- | C] () -- C:\IE.bat
[2012/06/26 17:09:25 | 004,324,161 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\temp
[2012/06/25 13:16:22 | 000,045,767 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\batchman.zip
[2012/06/25 12:22:49 | 000,000,070 | ---- | C] () -- C:\Documents and Settings\ADMIN\T.BAK
[2012/06/25 12:22:49 | 000,000,056 | ---- | C] () -- C:\Documents and Settings\ADMIN\T.BAT
[2012/06/24 16:13:49 | 000,000,008 | ---- | C] () -- C:\Documents and Settings\ADMIN\IE.bat
[2012/06/24 16:03:08 | 000,000,667 | ---- | C] () -- C:\Documents and Settings\ADMIN\IE.lnk
[2012/06/24 16:00:15 | 000,000,667 | ---- | C] () -- C:\IE.lnk
[2012/06/24 15:48:26 | 000,000,174 | ---- | C] () -- C:\Documents and Settings\ADMIN\Desktop\Yahoo!.url
[2012/06/24 11:15:52 | 001,315,702 | ---- | C] () -- C:\Documents and Settings\ADMIN\Desktop\Windows XP Control Panel, Shortcuts and Control.exe
[2012/06/24 10:46:28 | 000,003,127 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\database-class-2012-06-23.zip
[2012/06/22 11:56:47 | 000,074,013 | ---- | C] () -- C:\Documents and Settings\ADMIN\My Documents\easy-db-work-2012-06-22.zip
[2012/04/16 16:18:47 | 000,163,194 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-382435906-1983232911-3557363581-1003-0.dat
[2012/04/16 16:18:43 | 000,163,194 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2012/02/22 17:24:57 | 000,002,827 | ---- | C] () -- C:\Documents and Settings\ADMIN\x
[2012/02/22 14:25:44 | 000,000,192 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~KxQlihHr4BSvxer
[2012/02/22 14:25:43 | 000,000,312 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~KxQlihHr4BSvxe
[2012/02/22 14:25:39 | 000,000,440 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\KxQlihHr4BSvxe.xxx
[2011/12/09 18:22:25 | 000,000,913 | ---- | C] () -- C:\Documents and Settings\ADMIN\.recently-used.xbel
[2011/11/20 11:15:41 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\rWinHook.dll
[2011/11/14 16:01:36 | 000,000,002 | ---- | C] () -- C:\Documents and Settings\ADMIN\ffpw.dat
[2011/11/14 16:01:36 | 000,000,002 | ---- | C] () -- C:\Documents and Settings\ADMIN\chro.dat
[2011/11/07 17:26:07 | 002,316,371 | ---- | C] () -- C:\Documents and Settings\ADMIN\Application Data\Fr1ghten
[2011/09/22 16:15:26 | 000,000,044 | ---- | C] () -- C:\Documents and Settings\ADMIN\.gtk-bookmarks
[2011/09/02 07:42:33 | 000,000,342 | ---- | C] () -- C:\WINDOWS\pagebreeze.ini
[2011/09/02 07:42:33 | 000,000,044 | ---- | C] () -- C:\WINDOWS\formbreeze.ini
[2011/08/16 10:06:18 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2011/06/09 11:20:47 | 000,700,416 | ---- | C] () -- C:\WINDOWS\System32\FreeImage.dll
[2011/05/28 00:34:27 | 000,000,108 | -HS- | C] () -- C:\WINDOWS\WSYS049.SYS
[2011/03/28 23:20:19 | 000,314,104 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/03/28 23:09:01 | 000,444,283 | ---- | C] () -- C:\Program Files\Common Files\WinPcapNmap.exe
[2011/03/18 19:38:11 | 000,000,056 | ---- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2011/02/08 10:50:00 | 000,000,066 | ---- | C] () -- C:\WINDOWS\Cmicnfg3.ini.cfl
[2011/02/08 10:49:36 | 000,001,480 | R--- | C] () -- C:\WINDOWS\Cmicnfg3.ini.cfg
[2011/02/08 10:49:28 | 000,002,378 | R--- | C] () -- C:\WINDOWS\cmudax3.ini
[2011/02/03 16:12:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/01/15 09:45:10 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2011/01/08 09:29:08 | 000,141,025 | ---- | C] () -- C:\WINDOWS\hpoins27.dat
[2011/01/08 09:29:08 | 000,000,932 | ---- | C] () -- C:\WINDOWS\hpomdl27.dat
[2010/12/30 11:18:20 | 000,000,022 | ---- | C] () -- C:\WINDOWS\WS_FTP.INI
[2010/12/23 02:26:25 | 000,176,128 | ---- | C] () -- C:\Documents and Settings\ADMIN\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/12/22 22:49:06 | 000,025,892 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/12/22 22:20:33 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/12/22 22:08:50 | 000,118,784 | R--- | C] () -- C:\WINDOWS\System32\VendorCmdRW.dll
[2010/12/22 22:08:45 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
[2010/12/22 17:33:12 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

========== Custom Scans ==========

< MD5 for: EXPLORER.EXE >
[2012/06/30 21:06:26 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\erdnt\cache\explorer.exe
[2012/06/30 21:06:26 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2012/06/30 21:06:28 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\system32\dllcache\explorer.exe

< MD5 for: SVCHOST.EXE >
[2012/04/04 15:56:38 | 000,199,240 | ---- | M] () MD5=097D0E812D7A9A3101CE46CB2BE0474D -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
[2012/06/30 21:06:26 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\erdnt\cache\svchost.exe
[2012/06/30 21:06:28 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\dllcache\svchost.exe
[2012/06/30 21:06:26 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe

< MD5 for: WINLOGON.EXE >
[2012/04/04 15:56:38 | 000,199,240 | ---- | M] () MD5=097D0E812D7A9A3101CE46CB2BE0474D -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2012/06/30 21:06:27 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\erdnt\cache\winlogon.exe
[2012/06/30 21:06:28 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2012/06/30 21:06:27 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< End of report >

Extras.Txt:

OTL Extras logfile created on: 7/21/2012 10:48:27 PM - Run 1
OTL by OldTimer - Version 3.2.54.0 Folder = C:\Documents and Settings\ADMIN\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.07 Mb Total Physical Memory | 199.63 Mb Available Physical Memory | 19.69% Memory free
2.38 Gb Paging File | 1.45 Gb Available in Paging File | 60.97% Paging File free
Paging file location(s): C:\pagefile.sys 1521 2028 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 27.57 Gb Free Space | 37.01% Space Free | Partition Type: NTFS

Computer Name: DELL_GX520 | User Name: ADMIN | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = SafariHTML] -- C:\Program Files\Safari\Safari.exe (Apple Inc.)
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l
.jse [@ = JSEFile] -- C:\WINDOWS\System32\CScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\CScript.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = SafariHTML] -- C:\Program Files\Safari\Safari.exe (Apple Inc.)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Safari\Safari.exe" -url "%1" (Apple Inc.)
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
jsefile [open] -- %SystemRoot%\System32\CScript.exe "%1" %* (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
wsffile [open] -- %SystemRoot%\System32\CScript.exe "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- Reg Error: Value error.
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\programs - no installation needed\ws_ftp\ws_ftp95.exe" = C:\programs - no installation needed\ws_ftp\ws_ftp95.exe:*:Enabled:WS_FTP 95 -- (Ipswitch, Inc. 81 Hartwell Ave. Lexington, MA 02173)
"C:\xampp\xampp\apache\bin\httpd.exe" = C:\xampp\xampp\apache\bin\httpd.exe:*:Enabled:Apache HTTP Server -- (Apache Software Foundation)
"C:\xampp\xampp\mysql\bin\mysqld.exe" = C:\xampp\xampp\mysql\bin\mysqld.exe:*:Enabled:The MySQL Server -- (MySQL AB)
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)
"C:\xampp\mysql\bin\mysqld.exe" = C:\xampp\mysql\bin\mysqld.exe:*:Enabled:mysqld -- ()
"C:\xampp\apache\bin\httpd.exe" = C:\xampp\apache\bin\httpd.exe:*:Enabled:Apache HTTP Server -- (Apache Software Foundation)
"C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)
"C:\Documents and Settings\ADMIN\Application Data\hlololol.exe" = C:\Documents and Settings\ADMIN\Application Data\hlololol.exe:*:Enabled:Windows Messanger -- (Microsoft Corporation)
"C:\Program Files\ADS Tech\MediaTV 3\MediaTV.exe" = C:\Program Files\ADS Tech\MediaTV 3\MediaTV.exe:LocalSubNet:Enabled:ADS Tech MediaTV 3 -- (ADS Corp.)
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"C:\Documents and Settings\ADMIN\Desktop\MedArc\openmrs-standalone-1.8.3\openmrs-standalone-1.8.3\database\bin\mysqld.exe" = C:\Documents and Settings\ADMIN\Desktop\MedArc\openmrs-standalone-1.8.3\openmrs-standalone-1.8.3\database\bin\mysqld.exe:*:Enabled:mysqld -- ()
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary
"C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk -- (Google)
"C:\Documents and Settings\ADMIN\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\ADMIN\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Professional
"{0272A63A-84D1-4EBD-A5BC-39963D188ED3}_is1" = APlus Viewer
"{0f571b70-6401-48cd-945d-45e2e8b559f8}" = Image Resizer for Windows
"{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox
"{1111706F-666A-4037-7777-211328764D10}" = JavaFX 2.1.1
"{163AAB30-30A0-469E-B4CF-906D26857D7D}" = Image Resizer for Windows
"{18A5DFF2-8A95-49F3-873F-743CB5549F3D}" = Canon ScanGear Starter
"{1A5C70D5-9C3E-4BD6-9511-9185B028636E}" = Visual CSS QuickMenu
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
"{26A24AE4-039D-4CA4-87B4-2F83217005FF}" = Java™ 7 Update 5
"{32939827-d8e5-470a-b126-870db3c69fdf}" = Python 2.7.1
"{343666E2-A059-48AC-AD67-230BF74E2DB2}" = Apple Application Support
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3F15E203-BC3E-3597-84CD-EDF99546C917}" = Google Talk Plugin
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4E475FD4-4513-4B1D-8DDA-43912B068C99}" = HTML Slideshow Powertoy for Windows XP
"{4E8444C5-766E-4f4d-82F8-BB83E2FBB42A}" = HP Deskjet F2200 All-In-One Driver 10.0 Rel .3
"{5A13987D-55F4-4271-A40E-76AC9B1B38FD}" = OpenOffice.org 3.2
"{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth
"{5FA08EAD-6532-4609-9E78-DBBEBE9AE6D2}" = Visual Site Designer (Trial Version)
"{6C1E7AA1-44E9-446D-AAB2-0DE6D9EFEAB1}" = Safari
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{80533B67-C407-485D-8B5D-63BB8ED9D878}" = Scan
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A7E19604-93AF-4611-8C9F-CE509C2B286E}_is1" = VDownloader 3.0.752
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.1)
"{B7F54262-AB66-44B3-88BF-9FC69941B643}" = Broadcom Gigabit Integrated Controller
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{c6922d7f-c698-4d9e-9671-8b3de04d1511}" = DJ_AIO_03_F2200_Software_Min
"{CACE3FCE-4906-47CC-9873-BFC4E5943C12}" = ADS Tech MediaTV 3
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1FD6957-27F6-41FF-90F3-2C9AF5912719}" = NCS WinVisible
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F8E0CD5F-A8C8-44B1-B4B5-10D012E1B9D0}" = DKHardDrive-Light
"{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR
"1&1 EasyLogin" = 1&1 EasyLogin
"7-Zip" = 7-Zip 9.20
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Alarm_is1" = Alarm
"Amaya" = Amaya
"AnvSoft Photo Flash Maker Free" = AnvSoft Photo Flash Maker Free 5.31
"AppGini Free Trial_is1" = AppGini Free Trial Edition 4.61
"AppGini Professional Edition_is1" = AppGini Professional Edition 4.51
"Arachnophilia version 4.0_is1" = Arachnophilia version 4.0
"Audacity_is1" = Audacity 1.2.6
"Avidemux 2.5" = Avidemux 2.5
"Avira AntiVir Desktop" = Avira Free Antivirus
"Barcode Creator_is1" = Barcode Creator V3.1
"Blender" = Blender (remove only)
"CCleaner" = CCleaner
"C-Media PCI Sound" = C-Media PCI Audio Device
"CoffeeCup Password Wizard" = CoffeeCup Password Wizard
"CoffeeCup StyleSheet Maker" = CoffeeCup StyleSheet Maker
"Coupon Printer for Windows5.0.0.1" = Coupon Printer for Windows
"CSS3 Menu" = CSS3 Menu
"Dexpot" = Dexpot
"DHE The Fast WEB Editor_is1" = DHE Editor 1.8
"Dynamic HTML Editor_is1" = Dynamic HTML Editor 1.9
"ESET Online Scanner" = ESET Online Scanner v3
"FastStone MaxView" = FastStone MaxView 2.2
"FuturixImager" = FuturixImager 5.8.7
"GOM Player" = GOM Player
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox 6.0.2 (x86 en-US)" = Mozilla Firefox 6.0.2 (x86 en-US)
"MPEG2 Codec(libmpeg2/mad)" = MPEG2 Codec(libmpeg2/mad)
"NetObjects Fusion Essentials" = NetObjects Fusion Essentials
"NoteTab Light 6_is1" = NoteTab Light 6 (Remove only)
"PageBreeze Free HTML Editor" = PageBreeze Free HTML Editor
"PHP Generator for MySQL_is1" = PHP Generator for MySQL 11.12
"Picasa 3" = Picasa 3
"ResourceHacker_is1" = Resource Hacker Version 3.6.0
"SeaMonkey (2.0.14)" = SeaMonkey (2.0.14)
"SiteMap Generator_is1" = SiteMap Generator 0.97 (beta)
"WinGimp-2.0_is1" = GIMP 2.6.11
"WinPcapInst" = WinPcap 4.1.1
"WOW Slider" = WOW Slider
"xampp" = XAMPP 1.7.4

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 7/10/2012 8:43:19 PM | Computer Name = DELL_GX520 | Source = Application Error | ID = 1000
Description = Faulting application Safari.exe, version 5.33.21.1, faulting module
unknown, version 0.0.0.0, fault address 0x7fd7c574.

Error - 7/10/2012 8:46:05 PM | Computer Name = DELL_GX520 | Source = Application Hang | ID = 1002
Description = Hanging application Safari.exe, version 5.33.21.1, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 7/10/2012 8:46:14 PM | Computer Name = DELL_GX520 | Source = Application Hang | ID = 1002
Description = Hanging application rundll32.exe, version 5.1.2600.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/10/2012 8:46:20 PM | Computer Name = DELL_GX520 | Source = Application Hang | ID = 1002
Description = Hanging application rundll32.exe, version 5.1.2600.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/11/2012 2:17:51 PM | Computer Name = DELL_GX520 | Source = Application Error | ID = 1000
Description = Faulting application mediatv.exe, version 3.0.18.122, faulting module
asvid.ax, version 1.7.3.5, fault address 0x0000a7fe.

Error - 7/12/2012 9:11:09 PM | Computer Name = DELL_GX520 | Source = Application Error | ID = 1000
Description = Faulting application safari.exe, version 5.33.21.1, faulting module
webkit.dll, version 7534.52.7.3, fault address 0x000ccac3.

Error - 7/14/2012 11:38:21 AM | Computer Name = DELL_GX520 | Source = Application Error | ID = 1000
Description = Faulting application msimn.exe, version 6.0.2900.5512, faulting module
ntdll.dll, version 5.1.2600.5512, fault address 0x0000100b.

Error - 7/16/2012 12:51:09 AM | Computer Name = DELL_GX520 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 7/16/2012 12:52:09 AM | Computer Name = DELL_GX520 | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.

Error - 7/20/2012 8:32:37 PM | Computer Name = DELL_GX520 | Source = Application Error | ID = 1000
Description = Faulting application safari.exe, version 5.33.21.1, faulting module
webkit.dll, version 7534.52.7.3, fault address 0x000ccac3.

[ System Events ]
Error - 7/15/2012 6:20:12 PM | Computer Name = DELL_GX520 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 7/15/2012 9:46:11 PM | Computer Name = DELL_GX520 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 7/15/2012 9:46:43 PM | Computer Name = DELL_GX520 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 7/15/2012 9:52:57 PM | Computer Name = DELL_GX520 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 7/15/2012 10:09:29 PM | Computer Name = DELL_GX520 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 7/15/2012 10:11:57 PM | Computer Name = DELL_GX520 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 7/15/2012 10:41:13 PM | Computer Name = DELL_GX520 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 7/15/2012 10:43:34 PM | Computer Name = DELL_GX520 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 7/15/2012 10:45:38 PM | Computer Name = DELL_GX520 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 7/16/2012 12:56:59 AM | Computer Name = DELL_GX520 | Source = Service Control Manager | ID = 7024
Description = The Avira Realtime Protection service terminated with service-specific
error 303 (0x12F).


< End of report >

#8 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective

Posted 23 July 2012 - 10:27 AM

Hello maryba, :)

We need to run the SFC /SCANNOW Command

The sfc /scannow command (System File Checker) scans the integrity of all protected Windows system files and replaces incorrect, corrupted, changed/modified, or damaged versions with the correct versions if possible.

Note: Be aware that if you have modified your system files as in theming explorer/system files, running sfc /scannow will revert the system files such as explorer.exe back to its default state.

Note: Make the appropriate backups of your system files that you have modified for theming if you wish to save them before running sfc /scannow.


  • Click the Start button.
  • Click Run.
  • Type cmd.

Next:

  • Copy the following line of text and paste it into the black box.
    (right-click in the black box and choose paste)

    sfc /scannow
  • Press Enter to run the command.
    Note: This may take a while to finish.
  • If SFC could not fix something, then run the command again to see if it may be able to the next time. Sometimes it may take running the sfc /scannow command 3 or more times to completely fix everything that it's able to.


Retrieving SFC /scannow log

  • Click the Start button
  • Click Run
  • Type cmd
  • Press enter

Next:

  • Copy the following line of text and paste it into the black box.
    (right-click in the black box and choose paste)

    findstr /c:"[SR]" %windir%\logs\cbs\cbs.log >> "%userprofile%\desktop\sfcdetails.txt"
  • Press Enter to run the command.
  • A text file sfcdetails.txt should appear on your desktop. Post the content of the file in your next reply.

Best Regards,
oneof4.


#9 maryba

maryba
  • Topic Starter

  • Members
  • 120 posts

Posted 23 July 2012 - 11:33 AM

Re the sfc /scannow process: how does it replace system files (if/when needed)? Where does it get a replacement file? I'm wondering if I'll need an install CD. I've got a new install CD (SP3) and a reinstallation CD (SP2).

Also, on a past occasion, it seems like I ran a scannow with no results. I appreciate that has nothing to do with my current condition but thought I'd mention it just in case.

Waiting to hear from you before I proceed with scannow.


Mike

#10 maryba

maryba
  • Topic Starter

  • Members
  • 120 posts

Posted 23 July 2012 - 12:41 PM

Now that I think about it, when running sfc /scannow in the past, it prompted for a SP3 CD. And an XP (SP3) install CD didn't do the trick. Is that what I might encounter this time around?


Mike

#11 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective

Posted 24 July 2012 - 10:29 AM

Hello maryba, :)

Yeah, that's a common issue when using sfc.exe, so let's try this:


Extracting File from WinXPSP3

Please follow these instructions:

(If you already have 7-zip installed on your computer, skip to step 3)

  • Download the 7zip file extractor/compressor from here. Save it to your Desktop.
  • Install 7zip on your computer.
  • Download Windows XP Service Pack 3 Network Installation Package for IT Professionals and Developers from here. Save it to your Desktop.
  • Right-Click on the downloaded SP3 install package
  • In the secondary menu that opens, move the mouse pointer down to 7zip, then choose Extract to (The folder name will be the same name as the SP3 install package)
  • Once the extraction completes, you should have the new folder on your Desktop. Inside that folder should be another folder titled i386.
  • Right-Click on the i386 folder, and click Copy
  • Now Paste the i386 folder into your root directory C:\ (This may take a few minutes)

NOTE: Carrying out this operation may entail altering the registry, so you should "Back it up" first.

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Open Erunt.exe (use the shortcut on your desktop if you used the installer). Follow the prompts leaving the values at default.


Editing Registry to point SFC to C:\i386

  • From the Start Menu select "Run..." type "regedit" (without the " " quotes)
  • Now you will need to tell your computer you now have the files on your PC.
    We do this in the registry by navigating to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup

    You will now see various entries here on the right hand side.
    The one we want is called: "SourcePath"

    It probably has an entry pointing to your CD-ROM drive, and that is why it's asking for the XP CD.
    All we need to do is change it to: C:\
  • Simply double click the SourcePath setting and a new box will pop up allowing you to make the change.
  • Now restart your computer and try "sfc /scannow" again!

A more comprehensive and detailed explanation can be found here:
http://www.updatexp.com/scannow-sfc.html

Best Regards,
oneof4.
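
As an added example (not the thread's own steps), here is the SourcePath change from post #11, the ServicePackSourcePath value the reporter later had to change as well, and the sfc /scannow run from post #8 as one PowerShell script, with a check that C:\i386 is really there and a targeted registry backup before anything is changed. It assumes an administrative PowerShell 2.0 or later prompt on the XP machine, that the SP3 package was already extracted so that C:\i386 exists, and the backup file name is my own choice.

```powershell
# Added example, not the thread's own steps: point Windows File Protection at a
# local C:\i386 (post #11, plus the ServicePackSourcePath value from post #12)
# and then run sfc /scannow (post #8), with a sanity check and a backup first.
# Assumes an administrative PowerShell (2.0+) prompt on the XP machine and that
# the SP3 package was already extracted so that C:\i386 exists.

$setupKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup'
$setupKeyCli = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup'   # same key, reg.exe syntax
$sourceRoot  = 'C:\'          # SFC appends "i386" to this path itself
$i386        = Join-Path $sourceRoot 'i386'
$stamp       = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup      = Join-Path $env:USERPROFILE "Desktop\Setup-key-$stamp.reg"  # my own file name

# 1. Do not touch the registry unless the extracted folder is really there and
#    looks like an XP source tree (layout.inf is present in every i386 folder).
if (-not (Test-Path (Join-Path $i386 'layout.inf'))) {
    throw "No usable i386 folder at $i386 - extract the SP3 package there first."
}

# 2. Targeted backup of just the Setup key (ERUNT, as in the post, backs up the
#    whole hive; this .reg export is the small equivalent for these two values).
& reg.exe export $setupKeyCli $backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup to $backup failed; not continuing." }

# 3. Record the current values, then set both to the local root. The post
#    changes SourcePath; the reporter found ServicePackSourcePath needed the
#    same change, so both are set here.
$before = Get-ItemProperty -Path $setupKey
"SourcePath was            : $($before.SourcePath)"
"ServicePackSourcePath was : $($before.ServicePackSourcePath)"
Set-ItemProperty -Path $setupKey -Name 'SourcePath'            -Value $sourceRoot
Set-ItemProperty -Path $setupKey -Name 'ServicePackSourcePath' -Value $sourceRoot

# 4. Run the scan (the post suggests a reboot first; do that and rerun this step
#    if WFP still asks for the CD). Windows File Protection on XP also writes its
#    results to the System event log, so list the newest entries from that source.
& sfc.exe /scannow
Get-EventLog -LogName System -Source 'Windows File Protection' -Newest 20 |
    Select-Object TimeGenerated, EntryType, EventID, Message |
    Format-Table -AutoSize -Wrap
```

If the scan still prompts for the wrong CD, compare the two values the script printed with the path of the extracted folder before trying anything else.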


#12 maryba

maryba
  • Topic Starter

  • Members
  • 120 posts

Posted 24 July 2012 - 01:04 PM

No joy with sfc /scannow. I am now getting the following Windows File Protection message:
The CD you provided is the wrong CD.
Please insert the Windows XP Professional CD-ROM into your CD-ROM.
OK (button)

As you can see in the attached screencap, the registry was changed and the i386 folder placed per your instructions. Note that I had first changed "SourcePath" to c:\. After an sfc failure and a DUH! moment, I additionally changed "ServicePackSourcePath" to c:\ also.

The subsequent sfc rerun and failure is where I'm at now.


Mike


#13 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective

Posted 26 July 2012 - 03:59 PM

Hey Mike,

Just a quick note to let you know I am working on your issue. It's a stubborn little cuss, but hopefully we'll get there before too much longer. :wink:

Best Regards,
oneof4.


#14 maryba

maryba
  • Topic Starter

  • Members
  • 120 posts

Posted 26 July 2012 - 09:03 PM

Appreciate your effort(s), but it's low priority so don't sacrifice anything - or anyone else. Go at your most convenient pace.


Mike

#15 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective

Posted 26 July 2012 - 09:23 PM

:thumbup2:

Best Regards,
oneof4.

