I have been following the malware cleaning guide step by step. Malwarebytes cleared up a lot of the problems, but I am still having a few problems related to malware.
Overall, internet browsing is still going really slow, much slower than usual. Browsing is much, much slower when I am using my Yahoo e-mail account. Even outside of the internet my computer seems to be running pretty slow.
Also, when I am using Internet Explorer, certain browsing tabs are crashing and then being automatically reopened. Whenever this happens I get an error message saying that Internet Explorer has encountered a problem and needs to close; then the tab closes and automatically reloads to the same page that was up when it crashed. This happens very often when I am using my Yahoo e-mail account. When the tab gets reloaded I get a message from IE saying that "an error on the webpage caused IE to close and reopen the tab". After this has occurred about 5 times for the same tab, IE stops trying to open the tab again and just gives a message saying that IE has given up on trying to load the page. Note, this is not occurring for the entire IE application, just individual browsing tabs in IE. 90% of the time it happens when I am using my Yahoo e-mail account; it happens to the tab that my Yahoo e-mail account is open on.
It is not a problem with Yahoo because I can use my Yahoo e-mail just fine at work with no crashes.
Even though I am still having problems, Windows Live OneCare (paid version), Malwarebytes, Spybot Search & Destroy, and Ad-Aware are not finding any malware infections on my computer.
I did change my Yahoo password after supposedly getting rid of the infection.
The only thing that I can think of is that maybe the infection is still in the System Restore / registry backup that I made as part of following the removal guide.
Note: The Main OTL log that I am posting here is not the full log provided by the OTL program. The full log was about 120 pages long and could not fit in a forum post (I guess the fact that a log that long was generated indicates a problem with my computer). The main OTL log looks normal at first but then gets to this:
Menu\Programs\Startup\Microsoft Broadband Networking.lnk
[2009/09/20 09:30:49 | 00,085,336 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/09/20 09:30:29 | 00,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2009/09/20 09:29:25 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/09/20 09:28:54 | 00,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2009/09/20 00:00:08 | 00,000,386 | ---- | M] () -- C:\WINDOWS\tasks\{FF658E9B-A0E5-4AC6-A568-0A6192AD8D99}_VINCE_nick.job
After this, the line
[2009/09/20 00:00:08 | 00,000,386 | ---- | M] () -- C:\WINDOWS\tasks\{FF658E9B-A0E5-4AC6-A568-0A6192AD8D99}_VINCE_nick.job
keeps getting repeated over and over with slight variations for the next 110 pages.
Below is the result of a quick scan with Malwarebytes.
Malwarebytes' Anti-Malware 1.41
Database version: 2818
Windows 5.1.2600 Service Pack 3
9/17/2009 9:19:18 PM
mbam-log-2009-09-17 (21-19-18).txt
Scan type: Quick Scan
Objects scanned: 112682
Time elapsed: 15 minute(s), 39 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\SYSTEM32\dbbin.dll (Trojan.Goldun) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dbbin (Trojan.Goldun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\dbbin (Trojan.Goldun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dbbin (Trojan.Goldun) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\CrucialSoft Ltd (Rogue.MSAntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dbbin (Trojan.Goldun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\dbbin.sys (Trojan.Goldun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Network\dbbin.sys (Trojan.Goldun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RPCHE (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\MyWay (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\HelpAssistant\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\vince rowland\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\dbbin.dll (Trojan.Goldun) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\dbbin.sys (Trojan.Goldun) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\z98a.bin (Malware.Trace) -> Quarantined and deleted successfully.
Below is the report from RootRepeal.
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/18 00:15
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF38F2000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B45000 Size: 8192 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB896A000 Size: 49152 File Visible: No Signed: -
Status: -
Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x83991020]
Process: System Address: 0x833df150 Size: 2246
Object: Hidden Code [ETHREAD: 0x82fccaa0]
Process: System Address: 0x833c9f4f Size: 178
Object: Hidden Code [ETHREAD: 0x8383f8e8]
Process: System Address: 0x833fd4c7 Size: 2873
Object: Hidden Code [ETHREAD: 0x83989228]
Process: System Address: 0x833ccbc1 Size: 1087
Object: Hidden Code [ETHREAD: 0x829abbe8]
Process: System Address: 0x833df150 Size: 2246
Object: Hidden Code [ETHREAD: 0x82a68b38]
Process: System Address: 0x833c9f4f Size: 178
Object: Hidden Code [ETHREAD: 0x82868638]
Process: System Address: 0x833fd4c7 Size: 2873
Object: Hidden Code [ETHREAD: 0x828954b0]
Process: System Address: 0x833ccbc1 Size: 1087
Object: Hidden Code [Driver: ACPI, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x833a91c0 Size: 3652
==EOF==
Below is the Extras OTL Report.
OTL Extras logfile created on: 9/20/2009 10:26:25 AM - Run 1
OTL by OldTimer - Version 3.0.14.0 Folder = C:\Documents and Settings\vince rowland\Desktop\recent downloads\malware removal
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
766.48 Mb Total Physical Memory | 200.89 Mb Available Physical Memory | 26.21% Memory free
1.83 Gb Paging File | 1.19 Gb Available in Paging File | 65.03% Paging File free
Paging file location(s): C:\pagefile.sys 2 1150 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.84 Gb Total Space | 9.85 Gb Free Space | 17.64% Space Free | Partition Type: NTFS
Drive D: | 637.02 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: VINCE
Current User Name: vince rowland
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Broadband Networking\MSBNUpdate.exe" = C:\Program Files\Microsoft Broadband Networking\MSBNUpdate.exe:*:Enabled:Microsoft Broadband Networking Update Utility -- (Microsoft Corporation)
"C:\Program Files\Microsoft Broadband Networking\MSBNUtil.exe" = C:\Program Files\Microsoft Broadband Networking\MSBNUtil.exe:*:Enabled:Microsoft Broadband Network Utility -- (Microsoft Corporation)
"C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe" = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe:*:Enabled:Microsoft Broadband Networking Tray -- (Microsoft Corporation)
"C:\Program Files\Microsoft Broadband Networking\MSBNCfg.exe" = C:\Program Files\Microsoft Broadband Networking\MSBNCfg.exe:*:Enabled:Microsoft Broadband Networking Setup -- (Microsoft Corporation)
"C:\Program Files\Yahoo!\Messenger\YPager.exe" = C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger -- File not found
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- File not found
"C:\Program Files\Starcraft\starcraft.exe" = C:\Program Files\Starcraft\starcraft.exe:*:Enabled:Starcraft -- File not found
"C:\Program Files\K-litePro\k-litepro.exe" = C:\Program Files\K-litePro\k-litepro.exe:*:Enabled:K-litePro Ultimate File Sharing -- File not found
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Common Files\aol\Loader\aolload.exe" = C:\Program Files\Common Files\aol\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\DNA\btdna.exe" = C:\Program Files\DNA\btdna.exe:*:Enabled:DNA -- (BitTorrent, Inc.)
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}" = OpenOffice.org Installer 1.0
"{11F1920A-56A2-4642-B6E0-3B31A12C9288}" = Dell Solution Center
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1D46A3A0-B37D-423A-91C2-101A49E2FF80}" = Ventrilo Server
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java 6 Update 15
"{2B6EC03E-6FA0-4D7C-9CCE-1B03819AB613}" = PerfectDisk 2008 Professional
"{2B7E4354-0492-460A-BDB1-1F59EE141025}" = AirPlus G
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35A3A4F4-B792-11D6-A78A-00B0D0142040}" = Java 2 SDK, SE v1.4.2_04
"{3851147E-5A91-4469-BA4D-13FFFCC8A920}" = Microsoft Windows OneCare Live v2.5.2900.20 Idcrl Install
"{43DCF766-6838-4F9A-8C91-D92DA586DFA7}" = Microsoft Windows Journal Viewer
"{468190DA-FB4C-45BA-8E40-4B165FF1A939}" = BACS
"{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}" = Banctec Service Agreement
"{4C590030-7469-453E-8589-D15DA9D03F52}" = ANIWZCS2 Service
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{5660022E-F3F2-4126-8CC5-9726C47150EB}" = Microsoft Windows Live OneCare Resources v2.5.2900.28
"{64116298-93C5-401D-B06C-39D8E3338508}" = DAO
"{6513E869-647F-40FD-A55D-CFC92579B9BA}" = PX Engine
"{7148F0A8-6813-11D6-A77B-00B0D0142040}" = Java 2 Runtime Environment, SE v1.4.2_04
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}" = ANIO Service
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{85CFDC2D-710E-49D5-B799-F3743CA506BA}" = Microsoft Protection Service
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{8B21B9EF-6DBF-4F63-8CC7-9F6A56D1EE8E}" = GTOneCare
"{8CC15633-2327-43F4-BA85-B83FDB4B59BE}" = Microsoft Broadband Networking
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{90D55A3F-1D99-4C94-A77E-46DC14F0BF08}" = Help and Support Customization
"{91710409-8000-11D3-8CFE-0150048383C9}" = Microsoft Application Error Reporting
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{98177940-C048-4831-A279-F3888B1E2C7F}" = InstallMgr
"{9D98F245-3010-43C6-B3B0-67A464DA298E}" = ELNKInst
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A8AC89BA-D8CB-4372-9743-1C54D23286B0}" = MSN Toolbar
"{AC76BA86-7AD7-1033-7B44-A70900000002}" = Adobe Reader 7.0.9
"{AD88355B-A4E0-4DA1-BAC3-EA4FEA930691}" = Ipswitch WS_FTP Pro
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B26B00DA-2E5D-4CF2-83C5-911198C0F009}" = GoodSync
"{B43357AA-3A6D-4D94-B56E-43C44D09E548}" = Microsoft .NET Framework (English)
"{B6EF6DCE-078E-4952-A7FA-352A9C349EB0}" = MSN Toolbar
"{B7148D71-0A8F-4501-96B4-4E1CC67F874E}" = Microsoft Default Manager
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C917BA70-28A3-4C74-B163-41FD8C8E1A5A}" = Stronghold
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D07A8E7E-D324-4945-BA8C-E532AD008FF3}" = Microsoft Windows OneCare Live v2.5.2900.28
"{E26B83D1-C0BB-41BC-8F44-31D5354DD6AF}" = Microsoft Windows OneCare Live AntiSpyware and AntiVirus
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
"{E6969419-A1E8-4DF0-B145-858F8C0F29A1}" = TextPad 4.6
"{EC8923CA-D7F5-46E4-98BB-E083E6E1C40D}" = Kazaa 3.2.7
"7-Zip" = 7-Zip 4.65
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player
"AIM_6" = AIM 6
"BCM V.92 56K Modem" = BCM V.92 56K Modem
"CleanUp!" = CleanUp!
"DivX Codec" = DivX Pro Codec
"DivX Player" = DivX Player 2.1
"ERUNT_is1" = ERUNT 1.1j
"FitDay_is1" = FitDay PC version 1.0
"Gtk+ Runtime Environment" = Gtk+ Runtime Environment 2.6.10-rc1
"HijackThis" = HijackThis 1.99.1
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Instafinder" = Instafinder
"InstallShield_{2B7E4354-0492-460A-BDB1-1F59EE141025}" = AirPlus G
"InstallShield_{468190DA-FB4C-45BA-8E40-4B165FF1A939}" = Broadcom Advanced Control Suite
"InstallShield_{9D98F245-3010-43C6-B3B0-67A464DA298E}" = Earthlink Installer - uninstall 'Earthlink 5.0' entry first if present
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework Full v1.0.3705 (1033)" = Microsoft .NET Framework (English) v1.0.3705
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSTTS" = Microsoft Text-to-Speech Engine 4.0 (English)
"MultiRes (remove only)" = MultiRes (remove only)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Pharaoh" = Pharaoh
"Quicken 2002 New User Edition" = Quicken 2002 New User Edition
"QuickTime" = QuickTime
"SeeMePlayMe" = SeeMePlayMe Client
"Shockwave" = Shockwave
"TiLP_is1" = TiLP 6.81
"Viewpoint Manager" = Viewpoint Manager (Remove Only)
"ViewpointMediaPlayer" = Viewpoint Media Player
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinPatrol" = WinPatrol
"WinSS" = Windows Live OneCare
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xvid_is1" = Xvid 1.1.3 final uninstall
"Yahoo! Messenger" = Yahoo! Messenger
========== HKEY_CURRENT_USER Uninstall List ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"727d1ea1876aa06e" = WowAceUpdater
"AI RoboForm" = AI RoboForm
"BitTorrent" = BitTorrent
"BitTorrent DNA" = DNA
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 7/16/2009 9:41:53 PM | Computer Name = VINCE | Source = Application Error | ID = 1000
Description = Faulting application maxpayne.exe, version 1.0.4.0, faulting module
e2mfc.dll, version 0.0.0.0, fault address 0x0001e844.
Error - 7/16/2009 9:42:15 PM | Computer Name = VINCE | Source = Application Error | ID = 1000
Description = Faulting application maxpayne.exe, version 1.0.4.0, faulting module
e2mfc.dll, version 0.0.0.0, fault address 0x0001e844.
Error - 8/8/2009 3:27:02 PM | Computer Name = VINCE | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module flash10a.ocx, version 10.0.12.36, fault address 0x001b75a0.
Error - 8/13/2009 10:41:13 PM | Computer Name = VINCE | Source = Application Hang | ID = 1002
Description = Hanging application wmplayer.exe, version 11.0.5721.5145, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 8/25/2009 9:12:10 AM | Computer Name = VINCE | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 8/29/2009 7:19:45 AM | Computer Name = VINCE | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 8/29/2009 7:23:03 AM | Computer Name = VINCE | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 8/29/2009 9:50:04 PM | Computer Name = VINCE | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 10.0.6854.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 8/30/2009 7:39:48 AM | Computer Name = VINCE | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
Error - 9/3/2009 9:34:49 PM | Computer Name = VINCE | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module flash10a.ocx, version 10.0.12.36, fault address 0x001b3b57.
[ MSFWSVC Events ]
Error - 6/28/2009 8:28:43 PM | Computer Name = VINCE | Source = MSFWSVC | ID = 1080
Description = OneCare Firewall failed while executing the following method: BuildAdaptersMap.
Error Code: 0x80070002, Error Message: The system cannot find the file specified.
.
Error - 7/1/2009 8:26:30 PM | Computer Name = VINCE | Source = MSFWSVC | ID = 1080
Description = OneCare Firewall failed while executing the following method: BuildAdaptersMap.
Error Code: 0x80070002, Error Message: The system cannot find the file specified.
.
Error - 7/7/2009 8:29:32 PM | Computer Name = VINCE | Source = MSFWSVC | ID = 1080
Description = OneCare Firewall failed while executing the following method: BuildAdaptersMap.
Error Code: 0x80070002, Error Message: The system cannot find the file specified.
.
Error - 8/18/2009 10:31:04 PM | Computer Name = VINCE | Source = MSFWSVC | ID = 1080
Description = OneCare Firewall failed while executing the following method: BuildAdaptersMap.
Error Code: 0x80070002, Error Message: The system cannot find the file specified.
.
Error - 8/27/2009 8:38:45 PM | Computer Name = VINCE | Source = MSFWSVC | ID = 1080
Description = OneCare Firewall failed while executing the following method: BuildAdaptersMap.
Error Code: 0x80070002, Error Message: The system cannot find the file specified.
.
Error - 8/28/2009 8:29:51 PM | Computer Name = VINCE | Source = MSFWSVC | ID = 1080
Description = OneCare Firewall failed while executing the following method: BuildAdaptersMap.
Error Code: 0x80070002, Error Message: The system cannot find the file specified.
.
Error - 9/5/2009 8:30:06 PM | Computer Name = VINCE | Source = MSFWSVC | ID = 1080
Description = OneCare Firewall failed while executing the following method: BuildAdaptersMap.
Error Code: 0x80070002, Error Message: The system cannot find the file specified.
.
Error - 9/7/2009 8:40:15 PM | Computer Name = VINCE | Source = MSFWSVC | ID = 1080
Description = OneCare Firewall failed while executing the following method: BuildAdaptersMap.
Error Code: 0x80070002, Error Message: The system cannot find the file specified.
.
Error - 9/10/2009 8:28:24 PM | Computer Name = VINCE | Source = MSFWSVC | ID = 1080
Description = OneCare Firewall failed while executing the following method: BuildAdaptersMap.
Error Code: 0x80070002, Error Message: The system cannot find the file specified.
.
Error - 9/14/2009 7:30:58 PM | Computer Name = VINCE | Source = MSFWSVC | ID = 1080
Description = OneCare Firewall failed while executing the following method: BuildAdaptersMap.
Error Code: 0x80070002, Error Message: The system cannot find the file specified.
.
[ System Events ]
Error - 9/17/2009 10:57:42 PM | Computer Name = VINCE | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service PD91Engine
with arguments "-Service" in order to run the server: {00772927-3E20-4854-9D99-77DEA78FE9E5}
Error - 9/17/2009 10:57:43 PM | Computer Name = VINCE | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the PD91Engine service to
connect.
Error - 9/17/2009 10:57:43 PM | Computer Name = VINCE | Source = Service Control Manager | ID = 7000
Description = The PD91Engine service failed to start due to the following error:
%%1053
Error - 9/18/2009 8:28:56 AM | Computer Name = VINCE | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
ATWPKT2 idrmkl SDDMI2 sptd
Error - 9/18/2009 8:07:17 PM | Computer Name = VINCE | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
ATWPKT2 idrmkl SDDMI2 sptd
Error - 9/18/2009 8:07:50 PM | Computer Name = VINCE | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Application Layer Gateway
Service service to connect.
Error - 9/18/2009 8:07:50 PM | Computer Name = VINCE | Source = Service Control Manager | ID = 7000
Description = The Application Layer Gateway Service service failed to start due
to the following error: %%1053
Error - 9/18/2009 8:37:13 PM | Computer Name = VINCE | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
ATWPKT2 idrmkl SDDMI2 sptd
Error - 9/19/2009 6:57:53 AM | Computer Name = VINCE | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
ATWPKT2 idrmkl SDDMI2 sptd
Error - 9/20/2009 9:29:24 AM | Computer Name = VINCE | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
ATWPKT2 idrmkl SDDMI2 sptd
[ Windows OneCare Events ]
Error - 9/10/2009 8:34:05 AM | Computer Name = VINCE | Source = WinSS | ID = 7001
Description = Failed executing wireless security check process. Error Code = 0x80020005.
Error - 9/11/2009 8:35:29 AM | Computer Name = VINCE | Source = WinSS | ID = 7001
Description = Failed executing wireless security check process. Error Code = 0x8a190107.
Error - 9/12/2009 8:30:49 AM | Computer Name = VINCE | Source = WinSS | ID = 7001
Description = Failed executing wireless security check process. Error Code = 0x80020005.
Error - 9/13/2009 10:57:09 AM | Computer Name = VINCE | Source = WinSS | ID = 7001
Description = Failed executing wireless security check process. Error Code = 0x80020005.
Error - 9/14/2009 7:31:08 PM | Computer Name = VINCE | Source = WinSS | ID = 7001
Description = Failed executing wireless security check process. Error Code = 0x80020005.
Error - 9/14/2009 8:07:02 PM | Computer Name = VINCE | Source = WinSS | ID = 7001
Description = Failed executing wireless security check process. Error Code = 0x80020005.
Error - 9/17/2009 8:03:21 AM | Computer Name = VINCE | Source = WinSS | ID = 7001
Description = Failed executing wireless security check process. Error Code = 0x8a190107.
Error - 9/17/2009 11:09:32 AM | Computer Name = VINCE | Source = WinSS | ID = 7001
Description = Failed executing wireless security check process. Error Code = 0x8a190107.
Error - 9/18/2009 8:30:52 AM | Computer Name = VINCE | Source = WinSS | ID = 7001
Description = Failed executing wireless security check process. Error Code = 0x80020005.
Error - 9/19/2009 7:00:32 AM | Computer Name = VINCE | Source = WinSS | ID = 7001
Description = Failed executing wireless security check process. Error Code = 0x80020005.
< End of report >
Below is the Main report from OTL.
OTL logfile created on: 9/20/2009 10:26:25 AM - Run 1
OTL by OldTimer - Version 3.0.14.0 Folder = C:\Documents and Settings\vince rowland\Desktop\recent downloads\malware removal
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
766.48 Mb Total Physical Memory | 200.89 Mb Available Physical Memory | 26.21% Memory free
1.83 Gb Paging File | 1.19 Gb Available in Paging File | 65.03% Paging File free
Paging file location(s): C:\pagefile.sys 2 1150 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.84 Gb Total Space | 9.85 Gb Free Space | 17.64% Space Free | Partition Type: NTFS
Drive D: | 637.02 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: VINCE
Current User Name: vince rowland
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan
========== Processes (SafeList) ==========
PRC - [2008/07/09 18:05:22 | 00,018,704 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
PRC - [2009/07/25 05:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2008/05/16 14:01:00 | 00,159,812 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe
PRC - [2009/07/09 12:15:32 | 00,026,104 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
PRC - [2008/04/16 13:00:10 | 00,689,416 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
PRC - [2009/05/19 11:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2008/08/13 18:32:40 | 00,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2007/01/04 17:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2000/08/08 12:32:12 | 00,053,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MsPMSPSv.exe
PRC - [2007/11/27 23:56:32 | 00,755,264 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
PRC - [2009/07/09 12:15:38 | 01,139,536 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows OneCare Live\winss.exe
PRC - [2009/02/06 06:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2009/07/09 12:15:38 | 00,065,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
PRC - [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2007/01/04 17:38:18 | 00,112,336 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
PRC - [2005/10/05 16:23:58 | 00,222,784 | ---- | M] (BillP Studios) -- C:\Program Files\Spyware tools\winpatrol.exe
PRC - [2003/08/29 04:59:24 | 00,122,880 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\BCMSMMSG.exe
PRC - [2008/08/13 18:32:40 | 00,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2003/06/01 16:00:00 | 00,099,840 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
PRC - [2009/07/25 05:23:12 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2007/03/15 11:09:36 | 00,460,784 | ---- | M] (Gteko Ltd.) -- C:\Program Files\DellSupport\DSAgnt.exe
PRC - [2009/01/17 12:50:39 | 00,160,592 | ---- | M] (Siber Systems) -- C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
PRC - [2007/07/22 13:46:47 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2004/07/19 16:26:28 | 00,466,944 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
PRC - [2002/08/29 06:00:00 | 00,008,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cidaemon.exe
PRC - [2009/09/20 10:24:25 | 00,514,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\vince rowland\Desktop\recent downloads\malware removal\OTL.exe
========== Win32 Services (SafeList) ==========
SRV - [2004/10/22 14:42:44 | 00,049,152 | ---- | M] (Alpha Networks Inc.) -- C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe -- (ANIWZCSdService [Auto | Stopped])
SRV - [2008/07/25 12:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/07/25 12:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2007/03/07 15:47:46 | 00,076,848 | ---- | M] () -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService [Disabled | Stopped])
SRV - [2008/07/29 22:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2009/05/01 00:02:20 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2008/04/13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/07/29 20:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/07/25 05:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2007/11/27 23:56:32 | 00,755,264 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe -- (msfwsvc [Auto | Running])
SRV - [2008/07/29 20:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2008/05/16 14:01:00 | 00,159,812 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2008/04/13 20:12:02 | 00,065,536 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\nwwks.dll -- (NWCWorkstation [Auto | Running])
SRV - [2009/07/09 12:15:32 | 00,026,104 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe -- (OcHealthMon [Auto | Running])
SRV - [2008/07/09 18:05:22 | 00,018,704 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe -- (OneCareMP [Auto | Running])
SRV - [2008/04/16 13:00:10 | 00,689,416 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe -- (PD91Agent [Auto | Running])
SRV - [2008/04/16 13:00:12 | 00,894,216 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe -- (PD91Engine [On_Demand | Stopped])
SRV - [2009/05/19 11:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort [Auto | Running])
SRV - [2008/08/13 18:32:40 | 00,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter [Auto | Running])
SRV - [2002/08/29 06:00:00 | 00,295,424 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\termsrv32.dll -- (TermService [Auto | Running])
SRV - [2007/01/04 17:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Auto | Running])
SRV - [2009/07/09 12:15:38 | 01,139,536 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Windows OneCare Live\winss.exe -- (winss [Auto | Running])
SRV - [2000/08/08 12:32:12 | 00,053,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MsPMSPSv.exe -- (WMDM PMSP Service [Auto | Running])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...m...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF - prefs.js..browser.search.selectedEngine: "Dictionary.com"
FF - prefs.js..browser.startup.homepage: "http://my.yahoo.com/p/d.html"
FF - prefs.js..keyword.URL: "http://www.instafind...p?err=ADD&url="
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/06/28 12:58:42 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2008/12/28 11:55:41 | 00,000,000 | ---D | M]
[2005/01/16 14:29:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\vince rowland\Application Data\mozilla\Firefox\Profiles\sieph4ke.default\extensions
[2005/01/16 14:29:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\vince rowland\Application Data\mozilla\Firefox\Profiles\sieph4ke.default\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Stumble&Upon) - {22D003CE-6952-46C5-80B9-D19B479620AB} - C:\WINDOWS\System32\s1930.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O4 - HKLM..\Run: [\\BILLSCOMP\EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe (Alpha Networks Inc.)
O4 - HKLM..\Run: [BCMSMMSG] C:\WINDOWS\BCMSMMSG.exe (Broadcom Corporation)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe (D-Link)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [Google Quick Search Box] C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (Google Inc.)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\test1\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Microsoft Default Manager] C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe (Microsoft Corp.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [OneCareUI] C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [WinPatrol] c:\Program Files\Spyware tools\winpatrol.exe (BillP Studios)
O4 - HKCU..\Run: [Aim6] File not found
O4 - HKCU..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
O4 - HKCU..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKCU..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\RunOnce: [Shockwave Updater] C:\WINDOWS\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -Mozilla\4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\4.0; File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Broadband Networking.lnk = C:\WINDOWS\Installer\{8CC15633-2327-43F4-BA85-B83FDB4B59BE}\_18be6784.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Customize Menu - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Fill Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O8 - Extra context menu item: RoboForm Toolbar - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O8 - Extra context menu item: Save Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O8 - Extra context menu item: StumbleUpon: &Blog This - C:\WINDOWS\System32\s1930.dll File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: animemusicvideos.org ([nago] https in Trusted sites)
O15 - HKCU\..Trusted Domains: stumbleupon.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: 78 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} http://download.mcaf...ed/MGBrwFld.cab (BrowseFolderPopup Class)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} https://www-secure.s...rl/LSSupCtl.cab (LSSupCtl Class)
O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} http://portal.uga.ed...t/LocalExec.CAB (LocalExec Control)
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} http://us.chat1.yimg...v45/yacscom.cab (Yahoo! Audio Conferencing)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.micr...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} https://www-secure.s...rl/SymAData.cab (ActiveDataInfo Class)
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} https://www-secure.s...trl/tgctlsi.cab (Symantec SmartIssue)
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.s...trl/tgctlsr.cab (Symantec Script Runner Class)
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} http://www.office.mi...ontent/opuc.cab (OPUCatalog Class)
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} http://chat.yahoo.com/cab/yacsui.cab (Yahoo! Audio UI1)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} http://toolbar.googl...gleActivate.cab (Reg Error: Key error.)
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} http://www.gasou.edu...wland/msrdp.cab (Microsoft RDP Client Control (redist))
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupd...7760.7675810185 (Reg Error: Key error.)
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} https://www.stopzill...ller/dwnldr.cab (Downloader Class)
O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} http://download.abac...es/abasetup.cab (Reg Error: Key error.)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\WRNotifier: DllName - WRLogonNTF.dll - File not found
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/03 14:36:02 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [1998/01/08 23:06:18 | 00,000,040 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{7b6f361a-2a67-11dc-8f6c-001195e61f1e}\Shell\AutoRun\command - "" = E:\Autorun.exe -- File not found
O33 - MountPoints2\{7b6f361a-2a67-11dc-8f6c-001195e61f1e}\Shell\Shell00\Command - "" = E:\Autorun.exe -- File not found
O33 - MountPoints2\{7b6f361a-2a67-11dc-8f6c-001195e61f1e}\Shell\Shell01\Command - "" = E:\Autorun.exe -- File not found
O33 - MountPoints2\{7b6f361a-2a67-11dc-8f6c-001195e61f1e}\Shell\Shell02\Command - "" = E:\Autorun.exe -- File not found
O34 - HKLM BootExecute: (PDBoot.exe) - C:\WINDOWS\System32\PDBoot.exe (Raxco Software, Inc.)
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (SsiEfr.e) - File not found
NetSvcs: LasMan - Service key not found. File not found
NetSvcs: 6to4 - Service key not found. File not found
NetSvcs: Ias - Service key not found. File not found
NetSvcs: Iprip - Service key not found. File not found
NetSvcs: Irmon - Service key not found. File not found
NetSvcs: NWCWorkstation - C:\WINDOWS\System32\nwwks.dll (Microsoft Corporation)
NetSvcs: Nwsapagent - Service key not found. File not found
NetSvcs: WmdmPmSp - Service key not found. File not found
NetSvcs: TermService - C:\WINDOWS\System32\termsrv32.dll (Microsoft Corporation)
NetSvcs: helpsvc - C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
NetSvcs: Ip6FwHlp - Service key not found. File not found
========== Files/Folders - Created Within 14 Days ==========
[2009/09/18 08:47:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2009/09/18 08:46:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\vince rowland\Application Data\Office Genuine Advantage
[2009/09/17 20:56:49 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/09/17 20:56:40 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/09/17 20:56:39 | 00,000,000 | ---D | C] -- C:\Program Files\test1
[2009/09/17 09:01:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\vince rowland\Application Data\Malwarebytes
[2009/09/17 09:01:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/09/17 08:56:59 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/09/17 08:55:52 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/09/15 07:34:34 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\wanatw4.sys
[2009/09/15 07:34:33 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\DDMI2.sys
[2009/09/15 07:34:32 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\wATV03nt.sys
[2009/09/14 20:17:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-TW
[2009/09/14 20:17:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-HK
[2009/09/14 20:17:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\tr-TR
[2009/09/14 20:17:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\sv-SE
[2009/09/14 20:17:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\pt-BR
[2009/09/14 20:17:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\nl-NL
[2009/09/14 20:17:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\nb-NO
[2009/09/14 20:17:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\ko-KR
[2009/09/14 20:17:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\it-IT
[2009/09/14 20:17:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\he-IL
[2009/09/14 20:17:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\fr-FR
[2009/09/14 20:17:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\fi-FI
[2009/09/14 20:17:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\es-ES
[2009/09/14 20:17:53 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\el-GR
[2009/09/14 20:17:53 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE
[2009/09/14 20:17:53 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\da-DK
[2009/09/14 20:17:53 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\ar-SA
[2009/09/14 08:52:23 | 00,013,824 | ---- | C] () -- C:\Documents and Settings\vince rowland\Desktop\Apartments.xls
[2009/09/08 00:48:11 | 00,021,504 | ---- | C] () -- C:\Documents and Settings\vince rowland\Desktop\Comp Build.xls
========== Files - Modified Within 14 Days ==========
[5 C:\Documents and Settings\vince rowland\My Documents\*.tmp files]
[1 C:\Documents and Settings\vince rowland\Desktop\*.tmp files]
[2009/09/20 10:18:23 | 00,091,648 | ---- | M] () -- C:\Documents and Settings\vince rowland\Desktop\Job search.xls
[2009/09/20 09:31:09 | 00,002,355 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Broadband Networking.lnk
[2009/09/20 09:30:49 | 00,085,336 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/09/20 09:30:29 | 00,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2009/09/20 09:29:25 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/09/20 09:28:54 | 00,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2009/09/20 00:00:08 | 00,000,386 | ---- | M] () -- C:\WINDOWS\tasks\{FF658E9B-A0E5-4AC6-A568-0A6192AD8D99}_VINCE_nick.job
[2009/09/20 00:00:08 | 00,000,386 | ---- | M] () -- C:\WINDOWS\tasks\{FEEA847E-21E8-4AA4-9D38-742BB2015385}_VINCE_nick.job
[2009/09/20 00:00:08 | 00,000,386 | ---- | M] () -- C:\WINDOWS\tasks\{FEC4B19A-5837-4614-B645-11C51F2A4224}_VINCE_nick.job
[2009/09/20 00:00:08 | 00,000,386 | ---- | M] () -- C:\WINDOWS\tasks\{FEB5E044-EBA8-4D2F-AE17-EB490AD59CE6}_VINCE_nick.job
[2009/09/20 00:00:08 | 00,000,386 | ---- | M] () -- C:\WINDOWS\tasks\{FEA9708C-BBE7-4FB2-848F-3F97E0156BF0}_VINCE_nick.job
[2009/09/20 00:00:08 | 00,000,386 | ---- | M] () -- C:\WINDOWS\tasks\{FE86317B-CAFC-4265-A308-93031FD297A1}_VINCE_nick.job
[2009/09/20 00:00:08 | 00,000,386 | ---- | M] () -- C:\WINDOWS\tasks\{FE585A0B-B9B9-4FFE-B91E-92E47688462E}_VINCE_nick.job
[2009/09/20 00:00:08 | 00,000,386 | ---- | M] () -- C:\WINDOWS\tasks\{FE491124-8F95-443A-9B11-DF2DF90F52D6}_VINCE_nick.job
[2009/09/20 00:00:08 | 00,000,386 | ---- | M] () -- C:\WINDOWS\tasks\{FE144C61-AE1C-492E-9CA9-E303BB8C450C}_VINCE_nick.job
[2009/09/20 00:00:08 | 00,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\{FF658E9B-A0E5-4AC6-A568-0A6192AD8D99}_VINCE_nick.job
This is where I had to cut off part of the report, because the log repeats the line
[2009/09/20 00:00:08 | 00,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\{FF658E9B-A0E5-4AC6-A568-0A6192AD8D99}_VINCE_nick.job
over and over (with slight variations) for the next 110 pages.
========== Purity Check ==========
========== Custom Scans ==========
< %SYSTEMDRIVE%\*.exe >
< %systemroot%\system32\eventlog.dll >
[2008/04/13 20:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\eventlog.dll
< %systemroot%\system32\scecli.dll >
[2008/04/13 20:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\scecli.dll
< %systemroot%\netlogon.dll >
< %systemroot%\system32\cngaudit.dll >
< %systemroot%\system32\sceclt.dll >
< %systemroot%\ntelogon.dll >
< %systemroot%\system32\logevent.dll >
< End of report >
Any help is greatly appreciated.
Edited by vrowland, 21 September 2009 - 01:04 PM.
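Because the posted OTL output is long and repetitive, here is an added example of how a helper would triage it. This is my own script, not part of the original post and not code from OTL; it does two things a helper would otherwise do by eye: it pulls out the entries whose target file or registry key OTL reports as missing ("File not found", "Reg Error"), and it counts how many distinct {GUID}_VINCE_nick.job scheduled tasks the log lists, which is the pattern the poster says repeats for 110 pages. The sample input is constructed from lines copied out of the log above; the function names and the "orphan" and "task flood" labels are my own, and a hit is a triage flag to look at, not a malware verdict.

```python
"""Triage helpers for OTL (OldTimer) log lines.

Added example for this thread; not code from OTL or from the original post.
It flags entries whose target is missing (orphaned autostart/toolbar/DPF
entries) and scheduled-task .job files that share a suffix and differ only
in their GUID prefix. Flags are triage hints, not proof of infection.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the OTL log posted above.
SAMPLE_LOG = r"""
O3 - HKCU\..\Toolbar\WebBrowser: (Stumble&Upon) - {22D003CE-6952-46C5-80B9-D19B479620AB} - C:\WINDOWS\System32\s1930.dll File not found
O4 - HKCU..\Run: [Aim6] File not found
O4 - HKLM..\Run: [WinPatrol] c:\Program Files\Spyware tools\winpatrol.exe (BillP Studios)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.micr...922/wmv9VCM.CAB (Reg Error: Key error.)
O20 - Winlogon\Notify\WRNotifier: DllName - WRLogonNTF.dll - File not found
O34 - HKLM BootExecute: (SsiEfr.e) - File not found
[2009/09/20 00:00:08 | 00,000,386 | ---- | M] () -- C:\WINDOWS\tasks\{FF658E9B-A0E5-4AC6-A568-0A6192AD8D99}_VINCE_nick.job
[2009/09/20 00:00:08 | 00,000,386 | ---- | M] () -- C:\WINDOWS\tasks\{FEEA847E-21E8-4AA4-9D38-742BB2015385}_VINCE_nick.job
[2009/09/20 00:00:08 | 00,000,386 | ---- | M] () -- C:\WINDOWS\Tasks\{FF658E9B-A0E5-4AC6-A568-0A6192AD8D99}_VINCE_nick.job
[2009/09/20 10:18:23 | 00,091,648 | ---- | M] () -- C:\Documents and Settings\vince rowland\Desktop\Job search.xls
"""

# "O3 - ..." numbered section entries.
O_LINE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# "[date | size | attrs | C/M] (company) -- path" file entries.
FILE_LINE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| ([\d,]+) \| (\S{4}) \| ([CM])\] "
    r"\((.*?)\) -- (.*)$"
)
# A .job name made of a {GUID} followed by a fixed suffix such as _VINCE_nick.job.
GUID_JOB = re.compile(r"\{([0-9A-Fa-f-]{36})\}(_[^\\]+\.job)$")


def parse_otl(text):
    """Turn OTL log text into a list of dict records; lines of other shapes are skipped."""
    records = []
    for line in text.splitlines():
        line = line.rstrip()
        m = O_LINE.match(line)
        if m:
            records.append({
                "kind": m.group(1),
                "detail": m.group(2),
                "path": None,
                "missing": "File not found" in line,
                "reg_error": "(Reg Error:" in line,
            })
            continue
        m = FILE_LINE.match(line)
        if m:
            records.append({
                "kind": "file",
                "detail": m.group(0),
                "path": m.group(6),
                "missing": False,
                "reg_error": False,
            })
    return records


def find_orphans(records):
    """Entries that still point at a file or registry key OTL could not find."""
    return [r for r in records if r["missing"] or r["reg_error"]]


def find_task_floods(records, min_distinct=2):
    r"""Group .job files by their fixed suffix and count distinct GUIDs per suffix.

    GUIDs are upper-cased so the log's C:\WINDOWS\tasks and C:\WINDOWS\Tasks
    spellings of the same file are counted once.
    """
    guids_by_suffix = defaultdict(set)
    for r in records:
        if r["kind"] != "file":
            continue
        m = GUID_JOB.search(r["path"])
        if m:
            guids_by_suffix[m.group(2)].add(m.group(1).upper())
    return {suffix: len(g) for suffix, g in guids_by_suffix.items()
            if len(g) >= min_distinct}


def triage(text):
    """One-shot summary: record count, orphan entries, and task-flood counts."""
    records = parse_otl(text)
    return {
        "records": len(records),
        "orphans": [r["kind"] + ": " + r["detail"] for r in find_orphans(records)],
        "task_floods": find_task_floods(records),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "->", value)
```

Run it against the full OTL.txt with `triage(open("OTL.txt").read())`. On the sample it reports five orphaned entries and two distinct GUIDs behind the _VINCE_nick.job suffix; on the full 120-page log the GUID count for that suffix is the number worth quoting back in the thread, since a few hundred near-identical scheduled tasks is not something a user creates by hand.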