Lethargic XP system


  • This topic is locked
51 replies to this topic

#1 TheGear

  • Members
  • 82 posts

Posted 19 February 2013 - 01:00 AM

System is Windows XP with all updates. Symptoms are:

1. It's very lethargic, sometimes nearly frozen.

2. It's unable to run MBAM.

3. For a while, Microsoft Security Essentials said it was running OK while McAfee Security Scan Plus said there was no virus protection. Now, McAfee seems to be disabled.

4. Unable to access the network in 'Safe Mode with Networking'.

5. Unable to run DDS. It gets about 90% finished and stops (hangs) there.

6. In MSCONFIG, Microsoft Antimalware Service is not labeled as being a Microsoft product (that column is empty).

7. In MSCONFIG, there is a startup item with no labels.

8. The system repeatedly displays a 0x8050800C error code. This seems to be a 2-year-old issue that should be long past. The registry items needed to fix it are present.

9. The system has been complaining for a while about c:\windows\setup1.exe.

 

Because the system wouldn't run DDS, I've run OTL. Following is the result:

 

OTL logfile created on: 2/18/2013 8:54:46 PM - Run 1
OTL by OldTimer - Version 3.2.42.2     Folder = C:\Documents and Settings\Margi\My Documents\sysadmin
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1022.92 Mb Total Physical Memory | 353.73 Mb Available Physical Memory | 34.58% Memory free
2.41 Gb Paging File | 1.87 Gb Available in Paging File | 77.86% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 36.11 Gb Total Space | 4.13 Gb Free Space | 11.44% Space Free | Partition Type: NTFS
Drive E: | 7.45 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: FAT32
 
Computer Name: ZENO | User Name: Margi | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2013/02/07 04:09:11 | 000,213,384 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\1.3.21.135\GoogleCrashHandler.exe
PRC - [2013/02/05 10:48:44 | 000,272,248 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe
PRC - [2012/12/10 14:11:50 | 007,416,320 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Margi\Local Settings\Application Data\Programs\Google\MusicManager\MusicManager.exe
PRC - [2012/12/05 23:08:54 | 004,407,808 | ---- | M] (Luis Cobian, CobianSoft) -- C:\Program Files\Cobian Backup 11\cbInterface.exe
PRC - [2012/12/05 23:08:44 | 000,720,896 | ---- | M] (Luis Cobian, CobianSoft) -- C:\Program Files\Cobian Backup 11\Cobian.exe
PRC - [2012/12/05 22:11:40 | 000,067,584 | ---- | M] (CobianSoft, Luis Cobian) -- C:\Program Files\Cobian Backup 11\cbVSCService11.exe
PRC - [2012/11/25 10:44:09 | 000,137,136 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2012/11/25 10:43:06 | 000,374,704 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
PRC - [2012/11/12 13:36:46 | 000,646,528 | ---- | M] () -- C:\Documents and Settings\Margi\Local Settings\Application Data\Amazon\Cloud Drive\AmazonCloudDrive.exe
PRC - [2012/10/23 09:25:28 | 000,149,488 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Margi\Local Settings\Application Data\Amazon\Cloud Drive\jre\bin\javaw.exe
PRC - [2012/09/12 16:25:22 | 000,280,088 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MpCmdRun.exe
PRC - [2012/09/12 16:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2012/09/12 16:19:44 | 000,947,176 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2012/05/01 18:43:50 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Margi\My Documents\sysadmin\OTL.exe
PRC - [2012/04/11 15:51:04 | 002,177,056 | ---- | M] (Fitbit, Inc.) -- C:\Program Files\Fitbit\fitbit-tray.exe
PRC - [2012/03/22 11:09:12 | 001,014,112 | ---- | M] (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041) -- C:\Program Files\Evernote\Evernote\EvernoteClipper.exe
PRC - [2011/09/16 13:10:50 | 000,390,528 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2011/09/16 13:10:50 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2011/05/10 01:41:12 | 000,049,208 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Software Update\hpwuschd2.exe
PRC - [2011/01/17 17:37:40 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2011/01/17 17:37:40 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2010/03/08 02:27:49 | 000,041,800 | ---- | M] (AOL Inc.) -- C:\Program Files\Common Files\AOL\1291485897\ee\aolsoftware.exe
PRC - [2009/11/18 03:42:52 | 000,275,072 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqtra08.exe
PRC - [2009/11/18 03:02:34 | 000,563,840 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqbam08.exe
PRC - [2009/11/18 03:02:34 | 000,173,696 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqste08.exe
PRC - [2009/11/17 19:49:08 | 000,366,720 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqgpc01.exe
PRC - [2009/10/19 19:45:32 | 000,216,552 | ---- | M] () -- C:\Prey\cron.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/03 17:28:08 | 001,392,640 | R--- | M] (PalmSource, Inc) -- C:\Program Files\Palm\Hotsync.exe
PRC - [2003/08/07 18:57:52 | 000,094,208 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
PRC - [2003/07/31 18:25:34 | 000,110,592 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2003/06/23 10:34:18 | 000,077,824 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
PRC - [2003/03/27 05:06:02 | 000,053,248 | ---- | M] () -- C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
PRC - [2003/01/07 17:52:16 | 000,495,616 | ---- | M] (IBM) -- C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
PRC - [2002/11/08 18:50:32 | 000,098,304 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
PRC - [2002/10/23 13:15:08 | 000,086,016 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
PRC - [2002/09/20 18:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
PRC - [2002/01/10 18:01:34 | 000,065,536 | ---- | M] (IBM Corporation) -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
PRC - [1999/07/23 00:11:00 | 000,042,496 | ---- | M] () -- C:\apps\SJ6200C\PrecisionScanPro\HPLamp.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2013/02/14 03:39:06 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\d7ee03714420b252415b952d40ef59e4\System.ServiceProcess.ni.dll
MOD - [2013/01/13 19:44:23 | 000,541,696 | ---- | M] () -- C:\Documents and Settings\Margi\Local Settings\Temp\sqlite-3.7.2-sqlitejdbc.dll
MOD - [2013/01/10 03:46:36 | 002,295,296 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Core\edbf4e4a55e63b9fbf0b0b40cba13063\System.Core.ni.dll
MOD - [2013/01/10 03:43:47 | 007,977,984 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\aeac298c43c77d8860db8e7634d9f2eb\System.ni.dll
MOD - [2013/01/10 03:43:14 | 011,492,352 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\eab2340ead8e1a84bdf1a87868659979\mscorlib.ni.dll
MOD - [2012/12/10 14:00:40 | 000,344,064 | ---- | M] () -- C:\Documents and Settings\Margi\Local Settings\Application Data\Programs\Google\MusicManager\libaudioenc.dll
MOD - [2012/12/10 14:00:28 | 000,231,936 | ---- | M] () -- C:\Documents and Settings\Margi\Local Settings\Application Data\Programs\Google\MusicManager\libmpgdec.dll
MOD - [2012/12/10 13:59:52 | 000,117,248 | ---- | M] () -- C:\Documents and Settings\Margi\Local Settings\Application Data\Programs\Google\MusicManager\libaacdec.dll
MOD - [2012/12/10 13:59:50 | 000,253,440 | ---- | M] () -- C:\Documents and Settings\Margi\Local Settings\Application Data\Programs\Google\MusicManager\libid3tag.dll
MOD - [2012/11/12 13:36:46 | 000,646,528 | ---- | M] () -- C:\Documents and Settings\Margi\Local Settings\Application Data\Amazon\Cloud Drive\AmazonCloudDrive.exe
MOD - [2012/09/25 10:53:12 | 000,026,624 | ---- | M] () -- C:\Documents and Settings\Margi\Local Settings\Application Data\Programs\Google\MusicManager\imageformats\qgif4.dll
MOD - [2012/09/25 10:53:02 | 010,683,392 | ---- | M] () -- C:\Documents and Settings\Margi\Local Settings\Application Data\Programs\Google\MusicManager\QtWebKit4.dll
MOD - [2012/09/25 10:53:02 | 001,681,408 | ---- | M] () -- C:\Documents and Settings\Margi\Local Settings\Application Data\Programs\Google\MusicManager\QtNetwork4.dll
MOD - [2012/09/25 10:53:00 | 007,741,952 | ---- | M] () -- C:\Documents and Settings\Margi\Local Settings\Application Data\Programs\Google\MusicManager\QtGui4.dll
MOD - [2012/09/25 10:52:58 | 002,248,192 | ---- | M] () -- C:\Documents and Settings\Margi\Local Settings\Application Data\Programs\Google\MusicManager\QtCore4.dll
MOD - [2012/03/29 17:13:39 | 000,985,088 | ---- | M] () -- C:\Program Files\OpenOffice.org 3\program\libxml2.dll
MOD - [2012/03/16 14:42:58 | 000,315,392 | ---- | M] () -- C:\Program Files\Evernote\Evernote\libtidy.dll
MOD - [2012/03/16 14:42:56 | 000,433,664 | ---- | M] () -- C:\Program Files\Evernote\Evernote\libxml2.dll
MOD - [2009/11/05 07:39:40 | 000,087,552 | ---- | M] () -- C:\WINDOWS\system32\cpwmon2k.dll
MOD - [2009/10/19 19:45:32 | 000,216,552 | ---- | M] () -- C:\Prey\cron.exe
MOD - [2003/08/07 18:57:52 | 000,094,208 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
MOD - [2003/07/04 02:49:30 | 000,024,576 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY_2\tphk_2k.dll
MOD - [2003/06/23 10:34:18 | 000,077,824 | ---- | M] () -- C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
MOD - [2003/03/27 05:06:02 | 000,561,152 | ---- | M] () -- C:\Program Files\ThinkPad\ConnectUtilities\QCON.DLL
MOD - [2003/03/27 05:06:02 | 000,053,248 | ---- | M] () -- C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
MOD - [2002/11/15 04:14:28 | 000,143,360 | ---- | M] () -- C:\WINDOWS\system32\AIBMRUNL.dll
MOD - [1999/07/23 00:11:00 | 000,042,496 | ---- | M] () -- C:\apps\SJ6200C\PrecisionScanPro\HPLamp.exe
 
 
========== Win32 Services (SafeList) ==========
 
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus®
SRV - [2013/02/07 16:49:42 | 000,251,248 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/02/05 23:56:33 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013/02/05 10:48:00 | 000,235,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\3.0.318\McCHSvc.exe -- (McComponentHostService)
SRV - [2012/12/14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) [Disabled | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/12/14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) [Disabled | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2012/12/05 22:11:40 | 000,067,584 | ---- | M] (CobianSoft, Luis Cobian) [Auto | Running] -- C:\Program Files\Cobian Backup 11\cbVSCService11.exe -- (cbVSCService11)
SRV - [2012/11/25 10:44:09 | 000,137,136 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\ramaint.exe -- (LMIMaint)
SRV - [2012/11/25 10:43:06 | 000,374,704 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2012/10/11 05:02:00 | 000,998,336 | ---- | M] (Support.com, Inc.) [Disabled | Stopped] -- C:\Program Files\Office Depot PC Support Agent – Home\esService.exe -- (Office Depot PC Support Agent – Home)
SRV - [2012/09/12 16:25:22 | 000,020,472 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012/04/11 15:51:12 | 000,770,080 | ---- | M] (Fitbit, Inc.) [Disabled | Stopped] -- C:\Program Files\Fitbit\fitbit.exe -- (Fitbit)
SRV - [2011/09/16 13:10:50 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2011/04/22 07:21:10 | 000,092,592 | ---- | M] (TomTom) [Disabled | Stopped] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2010/06/25 12:07:20 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [Disabled | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2010/01/29 22:40:52 | 000,700,032 | ---- | M] (Hewlett-Packard Co.) [Auto | Running] -- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\HPSLPSVC32.DLL -- (HPSLPSVC)
SRV - [2009/11/18 03:42:52 | 000,253,568 | ---- | M] (Hewlett-Packard Co.) [On_Demand | Running] -- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqcxs08.dll -- (hpqcxs08)
SRV - [2009/11/18 03:16:42 | 000,137,344 | ---- | M] (Hewlett-Packard Co.) [Auto | Running] -- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqddsvc.dll -- (hpqddsvc)
SRV - [2008/11/22 00:25:46 | 000,094,208 | ---- | M] (Sony Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\IcdSptSv.exe -- (ICDSPTSV)
SRV - [2008/10/16 18:22:20 | 000,464,264 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\AskBarDis\bar\bin\AskService.exe -- (ASKService)
SRV - [2008/04/27 23:17:56 | 000,599,344 | ---- | M] (Validity Sensors, Inc.) [Disabled | Stopped] -- C:\WINDOWS\system32\vfsFPService.exe -- (vfsFPService)
SRV - [2006/10/23 07:50:35 | 000,046,640 | R--- | M] (AOL LLC) [Disabled | Stopped] -- C:\Program Files\Common Files\AOL\acs\AOLacsd.exe -- (AOL ACS)
SRV - [2005/01/31 08:45:20 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2003/07/11 21:19:22 | 000,032,768 | ---- | M] () [Disabled | Stopped] -- C:\WINDOWS\system32\TpKmpSvc.exe -- (TpKmpSVC)
SRV - [2003/03/27 05:06:02 | 000,049,152 | ---- | M] () [Disabled | Stopped] -- C:\WINDOWS\system32\QCONSVC.EXE -- (QCONSVC)
SRV - [2002/09/27 14:56:20 | 000,139,264 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)
SRV - [2002/09/20 18:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
DRV - File not found [Kernel | Auto | Stopped] -- C:\C:\WINDOWS\system32\drivers\pmemnt.sys -- (PMEM)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys -- (PCDRDRV)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - File not found [Kernel | Auto | Stopped] --  -- (MCSTRM)
DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
DRV - File not found [Kernel | Auto | Stopped] --  -- (Aspi32)
DRV - [2012/12/14 16:49:28 | 000,021,104 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012/11/25 10:43:10 | 000,083,912 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2012/04/02 13:47:26 | 000,021,992 | ---- | M] (Silicon Laboratories) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SiUSBXp.sys -- (SIUSBXP)
DRV - [2012/03/29 17:33:08 | 000,231,760 | ---- | M] (TrueCrypt Foundation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\truecrypt.sys -- (truecrypt)
DRV - [2011/09/16 13:10:50 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2011/09/16 13:10:50 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2010/12/15 00:20:30 | 000,012,928 | ---- | M] (silex technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\FPSENS2U.SYS -- (FPSENS2U)
DRV - [2010/06/25 12:07:14 | 000,035,088 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2009/12/18 09:58:52 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv)
DRV - [2009/11/11 07:26:02 | 002,216,064 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2009/06/30 19:46:58 | 000,149,123 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2009/06/30 19:46:58 | 000,067,960 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2009/06/30 19:46:58 | 000,055,352 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwhid.sys -- (btwhid)
DRV - [2009/06/30 19:46:57 | 000,876,384 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2009/06/30 19:46:57 | 000,037,424 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2009/06/30 19:46:55 | 000,539,072 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2009/06/28 07:25:08 | 000,003,026 | ---- | M] (Logix4u) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\hwinterface.sys -- (hwinterface)
DRV - [2009/03/16 11:37:04 | 000,031,232 | ---- | M] (SIEMENS AG) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s7opcsrtx.sys -- (S7opcsrtx) PROFINET IO RT-Protocol (LLDP)
DRV - [2009/02/24 16:39:58 | 000,073,088 | ---- | M] (SIEMENS AG) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s7snsrtx.sys -- (s7snsrtx)
DRV - [2008/10/27 16:03:22 | 000,311,040 | ---- | M] (SIEMENS AG) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\SNTIE.SYS -- (SNTIE) SIMATIC Industrial Ethernet (ISO)
DRV - [2008/02/27 12:49:00 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\BANTExt.sys -- (BANTExt)
DRV - [2007/05/02 12:54:08 | 000,472,224 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2006/12/12 14:34:48 | 000,025,088 | ---- | M] (Samson) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SWAudWDM.sys -- (SWWDM_multi) Samson Audio (WDM)
DRV - [2006/12/12 14:34:44 | 000,056,832 | ---- | M] (Samson) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SamsonLLDriver.sys -- (SamsonLLDriver)
DRV - [2006/08/29 02:12:00 | 000,990,592 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/08/29 02:11:00 | 000,247,808 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2006/08/29 02:10:00 | 000,728,576 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/03/22 20:00:58 | 001,034,752 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/10/07 20:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2003/10/01 16:44:00 | 000,031,744 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ICDSX.sys -- (ICDSX) Sony IC Recorder (SX)
DRV - [2003/03/27 05:06:02 | 000,002,295 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\IBMBLDID.SYS -- (IBMTPCHK)
DRV - [2003/01/17 04:32:00 | 000,015,360 | ---- | M] (IBM Corp.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPPWR.SYS -- (TPPWR)
DRV - [2003/01/10 16:13:04 | 000,033,588 | R--- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2002/12/26 04:32:00 | 000,014,848 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SMAPINT.SYS -- (Smapint)
DRV - [2002/12/26 04:32:00 | 000,008,830 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TDSMAPI.SYS -- (TDSMAPI)
DRV - [2002/10/18 14:07:34 | 001,156,672 | ---- | M] (Agere Systems) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2002/10/16 03:11:22 | 000,019,968 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iqvw32.sys -- (NAL)
DRV - [2000/03/23 00:42:24 | 000,044,192 | ---- | M] (PC-Doctor Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PcdrNt.sys -- (PcdrNt)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ADSA_enUS392
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
========== FireFox ==========
 
FF - prefs.js..browser.search.useDBForOrder: true
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_149.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw_1168638.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.10.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/McAfeeMssPlugin: C:\Program Files\McAfee Security Scan\3.0.318\npMcAfeeMss.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/DownloadManager,version=1.1: C:\WINDOWS\ [2013/02/18 15:52:00 | 000,000,000 | ---D | M]
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/VirtualEarth3D,version=4.0: C:\Program Files\Virtual Earth 3D\ [2009/06/07 15:59:41 | 000,000,000 | ---D | M]
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=13: C:\Program Files\Google\Google Updater\2.4.1591.6512\npCIDetect13.dll (Google)
FF - HKLM\Software\MozillaPlugins\@palmsource.com/installer,version=1.0: C:\PROGRA~1\Palm\PACKAG~1\NPInstal.dll ()
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.4: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Margi\Local Settings\Application Data\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Margi\Local Settings\Application Data\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\amazon.com/AmazonMP3DownloaderPlugin: C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin10171.dll (Amazon.com, Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\smartwebprinting@hp.com: C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/08/02 18:41:42 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/02/05 23:56:37 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/02/05 23:54:24 | 000,000,000 | ---D | M]
 
[2010/08/09 21:33:06 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Margi\Application Data\Mozilla\Extensions
[2013/02/14 01:41:52 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\g74sw7cr.default\extensions
[2012/10/10 08:35:47 | 000,000,000 | ---D | M] (Forecastfox) -- C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\g74sw7cr.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
[2013/01/11 23:18:52 | 000,000,000 | ---D | M] (Evernote Web Clipper) -- C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\g74sw7cr.default\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}
[2012/12/20 22:10:32 | 000,000,000 | ---D | M] ("SimilarSites") -- C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\g74sw7cr.default\extensions\{E71B541F-5E72-5555-A47C-E47863195841}
[2013/01/10 22:13:50 | 000,000,000 | ---D | M] (Ghostery) -- C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\g74sw7cr.default\extensions\firefox@ghostery.com
[2012/07/06 09:08:38 | 000,000,000 | ---D | M] (SearchGBY) -- C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\g74sw7cr.default\extensions\plugin@searchgby.com
[2012/07/07 14:02:18 | 000,002,438 | ---- | M] () -- C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\g74sw7cr.default\searchplugins\album-cover-artorg.xml
[2012/07/07 14:08:24 | 000,002,479 | ---- | M] () -- C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\g74sw7cr.default\searchplugins\askcom.xml
[2012/07/07 14:20:23 | 000,001,146 | ---- | M] () -- C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\g74sw7cr.default\searchplugins\bbc-news.xml
[2012/07/07 14:13:35 | 000,002,638 | ---- | M] () -- C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\g74sw7cr.default\searchplugins\craigslist-search.xml
[2012/07/07 14:22:20 | 000,001,703 | ---- | M] () -- C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\g74sw7cr.default\searchplugins\eccellio-movies.xml
[2012/07/07 14:14:36 | 000,001,754 | ---- | M] () -- C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\g74sw7cr.default\searchplugins\etsy.xml
[2012/07/07 14:13:18 | 000,001,245 | ---- | M] () -- C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\g74sw7cr.default\searchplugins\google-play.xml
[2012/07/07 14:07:50 | 000,001,504 | ---- | M] () -- C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\g74sw7cr.default\searchplugins\imdb.xml
[2012/07/07 14:04:24 | 000,003,899 | ---- | M] () -- C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\g74sw7cr.default\searchplugins\lyric-pickercom.xml
[2012/07/07 14:17:14 | 000,000,990 | ---- | M] () -- C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\g74sw7cr.default\searchplugins\netflixcom.xml
[2012/07/07 14:21:46 | 000,002,123 | ---- | M] () -- C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\g74sw7cr.default\searchplugins\qrobeit.xml
[2012/07/07 14:09:05 | 000,001,618 | ---- | M] () -- C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\g74sw7cr.default\searchplugins\scroogle-ssl.xml
[2012/07/07 14:16:50 | 000,002,160 | ---- | M] () -- C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\g74sw7cr.default\searchplugins\startpage-https.xml
[2012/07/14 15:16:37 | 000,002,057 | ---- | M] () -- C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\g74sw7cr.default\searchplugins\youtube-video-search.xml
[2012/07/07 14:16:21 | 000,004,140 | ---- | M] () -- C:\Documents and Settings\Margi\Application Data\Mozilla\Firefox\Profiles\g74sw7cr.default\searchplugins\youtube.xml
[2013/02/05 23:53:52 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
() (No name found) -- C:\DOCUMENTS AND SETTINGS\MARGI\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\G74SW7CR.DEFAULT\EXTENSIONS\{5C46D283-ABDE-4DCE-B83C-08881401921C}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\MARGI\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\G74SW7CR.DEFAULT\EXTENSIONS\{AE93811A-5C9A-4D34-8462-F7B864FC4696}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\MARGI\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\G74SW7CR.DEFAULT\EXTENSIONS\{B0E1B4A6-2C6F-4E99-94F2-8E625D7AE255}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\MARGI\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\G74SW7CR.DEFAULT\EXTENSIONS\{CE6E6E3B-84DD-4CAC-9F63-8D2AE4F30A4B}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\MARGI\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\G74SW7CR.DEFAULT\EXTENSIONS\GMAILTHIS@LAZYRUSSIAN.COM.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\MARGI\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\G74SW7CR.DEFAULT\EXTENSIONS\ISREADITLATER@IDEASHOWER.COM.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\MARGI\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\G74SW7CR.DEFAULT\EXTENSIONS\SHOPPINGASSIST@OOKONG.COM.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\MARGI\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\G74SW7CR.DEFAULT\EXTENSIONS\YOUTUBE2MP3@MONDAYX.DE.XPI
[2009/09/02 08:34:51 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2013/02/05 23:56:37 | 000,262,552 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2008/08/29 16:50:04 | 000,027,976 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
[2008/08/29 16:50:10 | 000,125,848 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\atgpcext.dll
[2008/08/29 16:52:32 | 000,046,408 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\atmccli.dll
[2009/04/01 09:42:07 | 000,098,712 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\ieatgpc.dll
[2008/08/29 16:50:28 | 000,060,824 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\npatgpc.dll
[2009/11/06 10:37:19 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
[2009/11/06 10:37:20 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
[2010/03/31 10:09:22 | 010,437,264 | ---- | M] (PDFTron Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\PDFNetC.dll
[2010/04/08 12:36:02 | 000,107,760 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\ScorchPDFWrapper.dll
[2012/08/28 18:08:05 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/10/11 22:07:26 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml
 
O1 HOSTS File: ([2004/08/12 03:19:40 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\Hewlett-Packard\Digital Imaging\smart web printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (MSS+ Identifier) - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll (McAfee, Inc.)
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\Hewlett-Packard\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O3 - HKLM\..\Toolbar: (ZoneAlarm Spy Blocker Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Spy Blocker Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE ()
O4 - HKLM..\Run: [Cobian Backup 11] C:\Program Files\Cobian Backup 11\Cobian.exe (Luis Cobian, CobianSoft)
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1291485897\ee\aolsoftware.exe (AOL Inc.)
O4 - HKLM..\Run: [HP Lamp] C:\apps\SJ6200C\PrecisionScanPro\HPLamp.exe ()
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\hpwuschd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe (IBM)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Prey Laptop Tracker] c:\Prey\cron.exe ()
O4 - HKLM..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe (Intel® Corporation)
O4 - HKLM..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE ()
O4 - HKLM..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe ()
O4 - HKLM..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe (IBM Corp.)
O4 - HKCU..\Run: [Amazon Cloud Drive] C:\Documents and Settings\Margi\Local Settings\Application Data\Amazon\Cloud Drive\AmazonCloudDrive.exe ()
O4 - HKCU..\Run: [Fitbit Service Monitor] C:\Program Files\Fitbit\fitbit-tray.exe (Fitbit, Inc.)
O4 - HKCU..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe (IBM)
O4 - HKCU..\Run: [MusicManager] C:\Documents and Settings\Margi\Local Settings\Application Data\Programs\Google\MusicManager\MusicManager.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe (PalmSource, Inc)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqtra08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\Margi\Start Menu\Programs\Startup\EvernoteClipper.lnk = C:\Program Files\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
O4 - Startup: C:\Documents and Settings\Margi\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra Button: @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
O9 - Extra 'Tools' menuitem : @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\Hewlett-Packard\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range -  5)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {B479199A-1242-4E3C-AD81-7F0DF801B4AE} http://download.microsoft.com/download/C/9/C/C9C3D86D-84AC-4AF0-8584-842756A66467/MicrosoftDownloadManager.cab (Microsoft Download Manager ActiveX control)
O16 - DPF: {CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab (SysInfo Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 172.16.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0248F1D7-5333-4CEC-B7C1-42BC0518253D}: DhcpNameServer = 10.10.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BB6384D6-844A-4C16-842D-82492865B0FA}: DhcpNameServer = 172.16.2.1
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\LMIinit: DllName - (LMIinit.dll) - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Margi\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Margi\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/12/26 19:29:14 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/02/18 19:11:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Margi\My Documents\sysadmin
[2013/02/18 19:10:41 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Margi\My Documents\My Videos
[2013/02/18 19:10:40 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Margi\Start Menu\Programs\Administrative Tools
[2013/02/13 02:10:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee Security Scan Plus
[2013/02/05 23:53:49 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[2 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013/02/18 21:11:00 | 000,000,440 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{844BF187-F3CF-412F-8BC3-9C92430C9099}.job
[2013/02/18 20:56:32 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/02/18 20:48:27 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/02/18 20:47:56 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/02/18 20:47:55 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/02/18 20:46:53 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2013/02/18 20:46:01 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/02/18 19:34:00 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1118267221-1324920912-1533145803-1008UA.job
[2013/02/18 18:23:56 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2013/02/18 18:15:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/02/18 17:34:00 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1118267221-1324920912-1533145803-1008Core.job
[2013/02/18 05:01:00 | 000,000,374 | ---- | M] () -- C:\WINDOWS\tasks\MyDefrag v4.3.1 Daily.job
[2013/02/14 21:37:55 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\Margi\Desktop\HiJackThis.lnk
[2013/02/14 04:44:05 | 000,182,632 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/02/14 03:50:31 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/02/14 03:20:56 | 000,502,826 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/02/14 03:20:56 | 000,087,126 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/02/13 02:10:39 | 000,001,771 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Scan Plus.lnk
[2013/02/13 02:10:39 | 000,001,765 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
[2013/02/12 15:13:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2013/02/07 16:49:42 | 000,697,712 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/02/07 16:49:41 | 000,074,096 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013/02/01 18:20:13 | 000,000,378 | ---- | M] () -- C:\WINDOWS\tasks\MyDefrag v4.3.1 Monthly.job
[2013/01/30 05:53:21 | 000,232,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2013/01/25 22:55:44 | 000,552,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\oleaut32.dll
[9 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[2 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013/02/13 23:49:53 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Margi\Desktop\qdmjvrj2.exe
[2013/02/13 02:10:39 | 000,001,771 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Scan Plus.lnk
[2013/02/13 02:10:21 | 000,001,765 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
[2012/11/09 20:36:43 | 000,171,658 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1118267221-1324920912-1533145803-1008-0.dat
[2012/11/09 20:36:31 | 000,171,658 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2012/08/19 20:29:54 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2012/07/15 11:56:51 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Margi\Application Data\$_hpcst$.hpc
[2012/05/03 17:04:39 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/04/30 16:36:38 | 000,036,700 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2012/03/26 09:13:40 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/08/02 18:11:24 | 000,205,982 | ---- | C] () -- C:\WINDOWS\hpoins46.dat
[2011/08/02 18:11:24 | 000,000,532 | ---- | C] () -- C:\WINDOWS\hpomdl46.dat
[2011/07/28 22:09:57 | 000,207,540 | ---- | C] () -- C:\WINDOWS\hpwins28.dat
[2011/07/28 22:09:56 | 000,000,418 | ---- | C] () -- C:\WINDOWS\hpwmdl28.dat

< End of report >


#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,713 posts
  • Gender:Male
  • Location:California

Posted 19 February 2013 - 10:52 PM

Greetings TheGear and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:

  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Start New Topic button but use the Add Reply button instead.
  • In the upper right hand corner of the topic you will see the Watch Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started

 

===================================================



Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please allow me some time to review the information you have provided and I will reply as soon as possible.


Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 TheGear

TheGear
  • Topic Starter
  • Members
  • 82 posts

Posted 20 February 2013 - 02:56 AM

Great, thanks. My name is Bill.



#4 Oh My!

Oh My!
  • Malware Response Instructor

Posted 20 February 2013 - 11:31 AM

Hi Bill,

Thank you for your continued patience.

One of the constraints on your computer is the lack of available hard drive space. (Drive C: | 36.11 Gb Total Space | 4.13 Gb Free Space | 11.44% Space Free | Partition Type: NTFS) This limitation can cause system issues because there is not enough elbow room for your operating system to move around as it tries to accomplish what you ask it to do. We need to follow up on the symptoms but there may be some things we will be unable to overcome.

Here is what I would like to start with. Please do this for me.


===================================================


ComboFix Windows XP

--------------------

For a more detailed explanation on running Combofix and the prompts you will be following please see here.

  • Please download ComboFix from one of these locations and save it to your desktop:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista/Windows 7, ComboFix will skip the below Recovery Console pop ups and continue its malware removal procedure.

 

[image: Query_RC.gif]



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



[image: RC_successful.gif]



Click on Yes, to continue scanning for malware.

Note #1: Oftentimes it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If, based on the below, you have concluded ComboFix has stopped running please stop and advise me.

  • Check your computer clock. If it is still running then so is ComboFix
  • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
  • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running

Note #2: If you receive the following error "Illegal operation attempted on a registry key that has been marked for deletion" please just restart your computer to resolve this issue

If Combofix fails to run properly using the above instructions please attempt the following:

  • Right click on the Combofix icon on your desktop and select Delete
  • Download a new copy but rename it to freshcopy.exe first, then save it to your desktop
  • Now download RKill.exe (or RKill renamed as iExplore.exe if the first one doesn't work properly) and save it to your desktop
  • Restart your computer in Safe Mode
  • Right click on RKill (or iExplore) and select Run as Administrator. If you are using Windows XP simply double click the icon
  • A black DOS screen should flash and disappear. If not, try to launch the program with the second file. If neither works please stop and let me know
  • When RKill is finished running you will be presented with a text file and a copy will be saved on your desktop. Copy and paste the contents of this report in your reply
  • Do not reboot your computer
  • Double click the freshcopy.exe icon (renamed Combofix file)
  • When finished, it will produce a log. Please copy and paste the C:\Combofix.txt log information in your next reply
  • If you disabled your antivirus please enable it again. If you uninstalled it please wait for instructions to reinstall it

 

===================================================

 

AdwCleaner by Xplode - Delete Adware

-------------------

  • Close all open programs and internet browsers
  • Double click on adwcleaner.exe
  • Click on Delete
  • Confirm each time with OK
  • Your computer will be rebooted automatically. A text file will open after the restart
  • Copy and paste the contents in your reply
  • You can find the logfile at C:\AdwCleaner[S1].txt

 

===================================================

 

Junkware Removal Tool by thisisu

-------------------

  • Please download Junkware Removal Tool and save it to your desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-mouse click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply

 

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Combofix log
  • AdwCleaner log
  • Junkware log
  • How is your computer running?

Edited by Oh My, 20 February 2013 - 03:53 PM.

Gary
 

#5 TheGear

TheGear
  • Topic Starter
  • Members
  • 82 posts

Posted 20 February 2013 - 03:48 PM

I attempted to run ComboFix. It started correctly and prompted me to install the recovery console. That went well. Then, when it started to do its work, it (or something else) pegged the CPU, as viewed in the task manager icon; and the mouse cursor disappeared. After a couple of hours, still no mouse available, and ComboFix had not changed in appearance, so I crowbarred the system down with the power button. Should I restart ComboFix under an alias, or do another OTL for you to find out where we are?
Thanks.

#6 Oh My!

Oh My!
  • Malware Response Instructor

Posted 20 February 2013 - 03:52 PM

Please try the instructions under Note #2.


Gary
 

#7 TheGear

TheGear
  • Topic Starter
  • Members
  • 82 posts

Posted 21 February 2013 - 09:56 AM

Quick update: I've followed Note 2, and ComboFix seemed to hang. I let it continue for something like 5 hours with no completion. But it occurred to me that in the past there was a warning not to mouseclick while ComboFix was running. (I didn't see such a warning in the current docs.) So I'm re-running it, making sure not to mouseclick. If it doesn't run to completion in 2 or 3 hours, I plan to crowbar it again; I'll keep you posted.

#8 Oh My!

Oh My!
  • Malware Response Instructor

Posted 21 February 2013 - 10:02 AM

Sounds good. If it doesn't run successfully please run this.


===================================================


RogueKiller by Tigzy

--------------------

  • Download RogueKiller and save it to your desktop
  • Close all running programs
  • For Vista/7 users right click on the icon and select Run as Administrator
  • For Windows XP simply double click on the icon
  • When prompted, Click Scan
  • A report should open and a copy of the report will be placed on your desktop
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it winlogon.exe (or winlogon.com) and try again
  • Copy and paste the contents of the report in your reply

Gary
 

#9 TheGear

TheGear
  • Topic Starter
  • Members
  • 82 posts

Posted 21 February 2013 - 11:58 AM

I couldn't get ComboFix to run, with or without an alias. RogueKiller ran OK, however. I am pasting the first rkill output, followed by the RogueKiller output.

======================================================================================================================

Rkill 2.4.7 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 02/20/2013 04:23:41 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* AFD (AFD) is not Running.
Startup Type set to: System

* DHCP Client (Dhcp) is not Running.
Startup Type set to: Automatic

* DNS Client (Dnscache) is not Running.
Startup Type set to: Automatic

* COM+ Event System (EventSystem) is not Running.
Startup Type set to: Manual

* Network Connections (Netman) is not Running.
Startup Type set to: Manual

* Security Center (wscsvc) is not Running.
Startup Type set to: Automatic

* Automatic Updates (wuauserv) is not Running.
Startup Type set to: Automatic

* AFD (AFD) is not Running.
Startup Type set to: System

* IPSEC driver (IPSec) is not Running.
Startup Type set to: System

* NetBios over Tcpip (NetBT) is not Running.
Startup Type set to: System

* TCP/IP Protocol Driver (Tcpip) is not Running.
Startup Type set to: System

* RpcSs => %SystemRoot%\system32\svchost.exe -k rpcss [Incorrect ImagePath]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 02/20/2013 04:24:50 PM
Execution time: 0 hours(s), 1 minute(s), and 8 seconds(s)

=======================================================================================================

RogueKiller V8.5.1 [Feb 21 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Margi [Admin rights]
Mode : Scan -- Date : 02/21/2013 11:51:41
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] MusicManager.exe -- C:\Documents and Settings\Margi\Local Settings\Application Data\Programs\Google\MusicManager\MusicManager.exe [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : MusicManager ("C:\Documents and Settings\Margi\Local Settings\Application Data\Programs\Google\MusicManager\MusicManager.exe") [-] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1118267221-1324920912-1533145803-1008[...]\Run : MusicManager ("C:\Documents and Settings\Margi\Local Settings\Application Data\Programs\Google\MusicManager\MusicManager.exe") [-] -> FOUND
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[SERVICES][HIDDEN KEY] HKLM\[...]\ControlSet001\Services\O () -> FOUND
[SERVICES][HIDDEN KEY] HKLM\[...]\ControlSet002\Services\O () -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: FUJITSU MHT2040AH +++++
--- User ---
[MBR] c6dc6d702616fa75173be1bbb2abf6fd
[BSP] dcb1c83ffc07de0e4173b5b151660d7f : Legit3 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 36980 Mo
3 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 75736080 | Size: 1173 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: Lexar USB Flash Drive USB Device +++++
--- User ---
[MBR] 8d7b8913b82283ed667db0ead78f1a45
[BSP] ec038f3ca5091360f60d743d6f1c7fdb : Standard MBR Code
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 10968 | Size: 7500 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_02212013_02d1151.txt >>
RKreport[1]_S_02212013_02d1151.txt

#10 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,713 posts
  • Gender:Male
  • Location:California
  • Local time:05:19 AM

Posted 21 February 2013 - 01:07 PM

Hi Bill,

We are going to delete those entries and run a program to identify the file your computer was complaining about.

Please do this for me.


===================================================


RogueKiller Deletions

--------------------

  • Launch RogueKiller
  • Close any open programs
  • Please disconnect any USB or external drives from the computer before you run the scan
  • For Vista/7 users right click on the icon and select Run as Administrator
  • For Windows XP simply double click on the icon
  • Allow the Prescan to finish
  • Click Scan
  • When the Status box shows Scan Finished click Delete
  • Click Report
  • Copy and paste the contents of the report in your reply

 

===================================================


SystemLook by jpshortstuff

--------------------

  • Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2
Download Mirror #3 For 64-bit users

  • Double-click SystemLook.exe to run it.
  • Vista\Windows 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following codebox into the main textfield:
:filefind
setup1.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • RogueKiller log
  • SystemLook log
  • How is your computer running?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#11 TheGear

TheGear
  • Topic Starter

  • Members
  • 82 posts
  • Local time:07:19 AM

Posted 21 February 2013 - 06:32 PM

I should point out two things: First, at this time there is no anti-virus software on this system. I removed it when ComboFix complained. Second, the "complaint" about setup1.exe was coming from Microsoft Security Essentials, not the system itself. I hope my poor explanation of that fact did not waste your time.

The system performance seems good again. I can browse easily and bring up multiple windows. About the time I was struggling with ComboFix, I couldn't even bring up the Task Manager.

I need to ask you straight out: did this system have malware, or was the problem simply bad system administration? (I'm the sysadmin.) I hold Bleeping Computer in high regard and don't want to present you or your colleagues with problems that an eighth-grader could fix.

==============================================================================================

RogueKiller V8.5.1 [Feb 21 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Margi [Admin rights]
Mode : Remove -- Date : 02/21/2013 18:03:09
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : MusicManager ("C:\Documents and Settings\Margi\Local Settings\Application Data\Programs\Google\MusicManager\MusicManager.exe") [-] -> DELETED
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[SERVICES][HIDDEN KEY] HKLM\[...]\ControlSet001\Services\O\Start ((unknown)) -> ERROR [0x1]
[SERVICES][HIDDEN KEY] HKLM\[...]\ControlSet002\Services\O\Start ((unknown)) -> ERROR [0x1]

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: FUJITSU MHT2040AH +++++
--- User ---
[MBR] c6dc6d702616fa75173be1bbb2abf6fd
[BSP] dcb1c83ffc07de0e4173b5b151660d7f : Legit3 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 36980 Mo
3 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 75736080 | Size: 1173 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: Lexar USB Flash Drive USB Device +++++
--- User ---
[MBR] 8d7b8913b82283ed667db0ead78f1a45
[BSP] ec038f3ca5091360f60d743d6f1c7fdb : Standard MBR Code
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 10968 | Size: 7500 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[3]_D_02212013_02d1803.txt >>
RKreport[1]_S_02212013_02d1151.txt ; RKreport[2]_S_02212013_02d1800.txt ; RKreport[3]_D_02212013_02d1803.txt

===============================================================================

(Note: I had to type this SystemLook message by hand because Paste doesn't work with it. The file looked OK in the program but in wordpad there are spaces between all letters.)

SystemLook 30.07.11 by jpshortstuff

Log created at 18:06 on 21/02/2013 by Margi

Administrator - Elevation successful

========== filefind ==========

Searching for "setup1.exe"

C:\WINDOWS\Setup1.exe -------
197120 bytes [02:45 05/10/2009]
[02:49 05/10/2009]
75EABD98ED83BCE1267241ACCDBA50C0


-= EOF =-

#12 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,713 posts
  • Gender:Male
  • Location:California
  • Local time:05:19 AM

Posted 21 February 2013 - 07:23 PM

Hi Bill,

Thank you for the precision with which you provide detailed information. It didn't really matter "who" was complaining about setup1.exe, it needed to be investigated, and rightly so. It appears to be an infected file and needs to go.

It was not you and you would never waste our time, although I do appreciate the consideration. In addition to the above, your computer was infected. However, I am unable to tell you exactly what the infection was:

 

[SERVICES][HIDDEN KEY] HKLM\[...]\ControlSet001\Services\O\Start ((unknown)) -> ERROR [0x1]
[SERVICES][HIDDEN KEY] HKLM\[...]\ControlSet002\Services\O\Start ((unknown)) -> ERROR [0x1]

 

Please do the following for me.


===================================================

 

Blitzblank

--------------------

Blitzblank is a powerful tool and care must be taken to follow the steps carefully. Please note the warning you will receive when the program is launched.

  • Download Blitzblank and save it to your Desktop <<< Important
  • Double click the icon
  • Click OK on the warning screen
  • Click the Script tab
  • Copy and paste the following inside the script window
DeleteFile:
C:\WINDOWS\Setup1.exe
  • Click Execute Now
  • Click OK on the warning window
  • Click OK on the System reboot window
  • You will see a black screen with writing on it indicating the actions being taken
  • Locate C:\blitzblank.txt and copy and paste the contents of that document in your reply

 

===================================================

 

screen317's Security Check

--------------------

  • Please download screen317's Security Check to your desktop
  • Double-click the icon to run the program
  • Click OK
  • Select Run
  • Press any key to start the program
  • Allow the program to run
  • A Notepad document will open on your desktop. Please copy and paste the contents in your reply

 

===================================================


Please attempt to run Combofix in Normal Mode again.


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Blitzblank log
  • Security Check log
  • Combofix log
  • How is your computer running? What symptoms remain?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#13 TheGear

TheGear
  • Topic Starter

  • Members
  • 82 posts
  • Local time:07:19 AM

Posted 22 February 2013 - 11:06 AM

After performing the blitzblank and security check steps, I ran a fresh copy of combofix. It "paused" the same way as before. This time I let it run all night, being careful not to mouseclick. This morning, still no results. The CPU was pegged (per Task Manager icon), and I couldn't get explorer to respond to any actions. So I had to force the system down.

After rebooting, though, it seems to be acting almost normally. I installed MBAM and Microsoft Security Essentials and let them each do a scan -- no problems found. (Then uninstalled MBAM.) I reran blitzblank to see if setup1.exe was there again, and it wasn't. It's still not configuring the network interface in safe mode with networking, but I'll take that as a to-do.

Just for fun, I tried to run DDS again. It hung the system hard enough that Explorer was not responding, so I had to power down.

In MSCONFIG, Microsoft Antimalware Service now has a label of "Unknown" instead of a blank. The startup item with no labels is still there. (It's a SOFTWARE\Microsoft\Windows\CurrentVersion\Run, but it's unchecked for startup.)

====================================================================================

BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
MoveFileOnReboot: sourceFile = "\??\c:\windows\setup1.exe", destinationFile = "(null)", replaceWithDummy = 0

=====================================================================================

Results of screen317's Security Check version 0.99.59
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
ZoneAlarm Spy Blocker Toolbar
Malwarebytes Anti-Malware version 1.70.0.1100
CCleaner
Adobe Flash Player 11.5.502.149
Adobe Reader XI
Mozilla Firefox (Firefox,. Firefox out of Date!
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 10%
````````````````````End of Log``````````````````````

=======================================================================================

#14 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,713 posts
  • Gender:Male
  • Location:California
  • Local time:05:19 AM

Posted 22 February 2013 - 12:46 PM

Hi Bill,

Can you try to repost the Security Check results?

Please do this.

===================================================


Exporting a Registry Key From the Run Box


--------------------

  • Press the Windows key + r on your keyboard at the same time
  • Copy and paste the following into the Run box and press Enter

regedit /e "%userprofile%\desktop\look.txt" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

  • A look.txt document will be placed on your desktop
  • Copy and paste the contents in your reply

 

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Repost of Security Check
  • Registry key information

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#15 TheGear

TheGear
  • Topic Starter

  • Members
  • 82 posts
  • Local time:07:19 AM

Posted 22 February 2013 - 04:47 PM

Results of screen317's Security Check version 0.99.59
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
ZoneAlarm Spy Blocker Toolbar
CCleaner
Adobe Flash Player 11.5.502.149
Adobe Reader XI
Mozilla Firefox (Firefox,. Firefox out of Date!
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 11% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

===============================================================================

BINGO!!!! A hex entry.

==================================================================================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\\Program Files\\Intel\\NCS\\PROSet\\PRONoMgr.exe"
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"
"BMMLREF"="C:\\Program Files\\ThinkPad\\Utilities\\BMMLREF.EXE"
"QCWLICON"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\QCWLICON.EXE"
"EZEJMNAP"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\EzEjMnAp.Exe"
"TPHOTKEY"="C:\\PROGRA~1\\ThinkPad\\PkgMgr\\HOTKEY\\TPHKMGR.exe"
"TPKMAPHELPER"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapAp.exe -helper"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"=hex(2):25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,\
6c,00,65,00,73,00,25,00,5c,00,53,00,79,00,6e,00,61,00,70,00,74,00,69,00,63,\
00,73,00,5c,00,53,00,79,00,6e,00,54,00,50,00,5c,00,53,00,79,00,6e,00,54,00,\
50,00,45,00,6e,00,68,00,2e,00,65,00,78,00,65,00,00,00
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ibmmessages"="C:\\Program Files\\IBM\\Messages By IBM\\ibmmessages.exe"
"LogMeIn GUI"="\"C:\\Program Files\\LogMeIn\\x86\\LogMeInSystray.exe\""
"Prey Laptop Tracker"="c:\\Prey\\cron.exe --log"
"HP Lamp"="C:\\APPS\\SJ6200C\\PrecisionScanPro\\HPLamp.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1291485897\\ee\\AOLSoftware.exe"
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
"APSDaemon"="\"C:\\Program Files\\Common Files\\Apple\\Apple Application Support\\APSDaemon.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Cobian Backup 11"="\"C:\\Program Files\\Cobian Backup 11\\Cobian.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Adobe ARM"="\"C:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe\""
"MSC"="\"c:\\Program Files\\Microsoft Security Client\\msseces.exe\" -hide -runkey"



