Google Redirect/ Olmarik?


#1
gmac73

I ran an MBAM scan before I found this site, and have followed the instructions on here. The original scan picked up 4 trojans and removed them. TDSSKiller picked up Olmarik in the nvatabus.sys file, but was unable to delete it. Here are the log files:

MBAM (From a scan while following the guide):

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

5/2/2010 6:45:52 PM
mbam-log-2010-05-02 (18-45-52).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|K:\|)
Objects scanned: 198823
Time elapsed: 32 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



OTL:

OTL logfile created on: 5/2/2010 5:39:56 PM - Run 1
OTL by OldTimer - Version 3.2.4.0 Folder = C:\Documents and Settings\user\My Documents\Downloads
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 432.23 Gb Free Space | 92.80% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER-AE587A64F7
Current User Name: Kay M. McClintock
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/02 17:27:23 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\My Documents\Downloads\OTL.exe
PRC - [2009/12/08 15:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/10/29 07:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/09/17 15:29:04 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/09/16 11:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/07/08 12:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 20:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2008/08/18 09:51:22 | 001,699,784 | R--- | M] (Carbonite, Inc. (www.carbonite.com)) -- C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe
PRC - [2007/06/13 03:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/11/03 11:01:16 | 000,319,488 | ---- | M] (PixArt Imaging Incorporation) -- C:\WINDOWS\Pixart\Pac7302\Monitor.exe
PRC - [2004/07/30 15:47:36 | 000,069,632 | ---- | M] (Dantz Development Corporation) -- C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe


========== Modules (SafeList) ==========

MOD - [2010/05/02 17:27:23 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\My Documents\Downloads\OTL.exe
MOD - [2006/08/25 08:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2004/08/10 04:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2009/12/08 15:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/09/17 15:29:04 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/09/16 12:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 11:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 10:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/08 12:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 20:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2008/08/18 09:51:22 | 001,699,784 | R--- | M] (Carbonite, Inc. (www.carbonite.com)) [Auto | Running] -- C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe -- (CarboniteService)
SRV - [2004/07/30 15:47:36 | 000,069,632 | ---- | M] (Dantz Development Corporation) [Auto | Running] -- C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe -- (RetroExpLauncher)


========== Driver Services (SafeList) ==========

DRV - [2010/05/02 17:38:12 | 000,093,440 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\nvatabus.sys -- (nvatabus)
DRV - [2009/09/16 11:22:48 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 11:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 11:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 11:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 11:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 13:32:26 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2007/06/14 15:29:08 | 000,457,856 | ---- | M] (PixArt Imaging Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PAC7302.SYS -- (PAC7302)
DRV - [2007/03/01 11:34:36 | 000,028,352 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2006/08/24 13:44:14 | 000,477,696 | ---- | M] (ZyDAS Technology Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ZD1211BU.sys -- (ZD1211BU(ZyDAS)) ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS)
DRV - [2005/08/08 17:54:36 | 000,007,168 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2005/08/08 17:54:34 | 000,439,424 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2005/08/08 17:54:28 | 001,093,632 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha20x2k.sys -- (ha20x2k)
DRV - [2005/08/08 17:54:20 | 000,114,688 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2005/08/08 17:54:16 | 000,142,848 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2005/08/08 17:54:16 | 000,077,824 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2005/08/08 17:54:12 | 000,501,760 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2005/07/26 17:48:30 | 000,012,928 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005/07/26 17:48:28 | 000,033,664 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/07/13 21:18:48 | 000,340,704 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2005/07/08 22:57:00 | 003,198,304 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2005/02/23 14:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2004/08/09 17:49:40 | 000,014,592 | ---- | M] (Maxtor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxopswd.sys -- (MXOPSWD)
DRV - [2004/08/03 23:07:56 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2004/08/03 23:00:14 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\changer.sys -- (Changer)
DRV - [2004/08/03 22:59:34 | 000,034,688 | ---- | M] (Toshiba Corp.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\lbrtfdc.sys -- (lbrtfdc)
DRV - [2004/06/16 02:52:40 | 000,061,157 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC53.sys -- (IntelC53)
DRV - [2004/03/06 03:15:34 | 000,647,929 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC52.sys -- (IntelC52)
DRV - [2004/03/06 03:14:42 | 001,233,525 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC51.sys -- (IntelC51)
DRV - [2004/03/06 03:13:38 | 000,037,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mohfilt.sys -- (mohfilt)
DRV - [2003/10/10 11:23:48 | 000,032,640 | ---- | M] (Cypress Semiconductor) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxofx.sys -- (MXOFX) USB Storage Adapter FX (MXO)
DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 12:11:18 | 000,020,160 | ---- | M] (ADMtek Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\adm8511.sys -- (ADM8511)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Ask.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultUrl = http://www.mywebsear.......p;l=zu&o=sb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/04/09 10:35:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/25 21:26:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/25 21:26:32 | 000,000,000 | ---D | M]

[2010/04/25 21:26:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Mozilla\Extensions
[2010/04/27 14:25:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\94bev22h.default\extensions
[2010/04/27 14:25:31 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\94bev22h.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/25 21:26:33 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2007/12/21 13:25:42 | 000,221,702 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.1001-search.info
O1 - Hosts: 127.0.0.1 1001-search.info
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.123topsearch.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 www.132.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 www.136136.net
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 7780 more lines...
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [HitmanPro35] C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe (SurfRight B.V.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [PAC7302_Monitor] C:\WINDOWS\Pixart\Pac7302\Monitor.exe (PixArt Imaging Incorporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
O9 - Extra Button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O15 - HKLM\..Trusted Domains: localhost ([]http in Local intranet)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} file:///C:/Program%20Files/Bejeweled%202/Images/stg_drm.ocx (SpinTop DRM Control)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photo2.walgre...eensActivia.cab (Snapfish Activia)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_15)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} file:///C:/Program%20Files/Bejeweled%202/Images/armhelper.ocx (ArmHelper Control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} http://pro.realquest...r/mapviewer.cab (First American Res MapActiveX Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/06/19 18:46:45 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{1e750a87-339d-11de-903a-001422410187}\Shell\AutoRun\command - "" = L:\PortableRoboForm.exe -- File not found
O33 - MountPoints2\{1e750a87-339d-11de-903a-001422410187}\Shell\RoboForm2Go\command - "" = L:\PortableRoboForm.exe -- File not found
O33 - MountPoints2\{a84aa538-aa95-11dc-87e1-001422410187}\Shell - "" = AutoRun
O33 - MountPoints2\{a84aa538-aa95-11dc-87e1-001422410187}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a84aa538-aa95-11dc-87e1-001422410187}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{c2609fa5-f46b-11dc-87f0-001422410187}\Shell\AutoRun\command - "" = J:\Autorun.exe -- File not found
O33 - MountPoints2\{c2609fa5-f46b-11dc-87f0-001422410187}\Shell\Shell00\Command - "" = J:\Autorun.exe -- File not found
O33 - MountPoints2\{c2609fa5-f46b-11dc-87f0-001422410187}\Shell\Shell01\Command - "" = J:\Autorun.exe -- File not found
O33 - MountPoints2\{c2609fa5-f46b-11dc-87f0-001422410187}\Shell\Shell02\Command - "" = J:\Autorun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/02 17:30:20 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2010/05/02 15:50:05 | 000,000,000 | ---D | C] -- C:\spoolerlogs
[2010/05/02 15:48:37 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/05/02 15:22:03 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2010/05/02 15:14:41 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
[2010/05/02 14:52:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/05/02 14:52:34 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/05/02 14:29:42 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/05/02 13:36:35 | 000,000,000 | ---D | C] -- C:\7cf7ddd59f49e35298bed0ee30
[2010/05/01 16:53:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/05/01 16:53:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/30 21:30:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\jarvlvemn
[2010/04/25 21:47:06 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/04/25 21:40:03 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/04/25 21:40:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/04/25 21:26:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\Mozilla
[2010/04/25 21:26:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Mozilla
[2010/04/25 20:01:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/25 20:01:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/25 19:10:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/04/25 19:10:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/04/25 19:05:52 | 000,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\drivers\lbrtfdc.sys
[2010/04/25 19:05:52 | 000,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\dllcache\lbrtfdc.sys
[2010/04/25 19:05:48 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\i2omgmt.sys
[2010/04/25 19:05:41 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\changer.sys
[2010/04/25 19:05:41 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\changer.sys
[2010/04/25 19:04:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\45ACB046261207F6FF7D287E6B1A2E3C
[2010/04/25 19:04:38 | 000,000,000 | ---D | C] -- C:\Program Files\DivX
[2010/04/25 19:04:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DivX
[2010/04/25 18:09:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Malwarebytes
[2010/04/25 18:09:27 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/25 18:09:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/25 18:09:23 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/25 18:09:23 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/24 16:18:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\Deployment
[2010/04/24 13:28:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\GlarySoft
[2010/04/24 13:18:25 | 000,000,000 | ---D | C] -- C:\Program Files\Glary Utilities
[2010/04/07 09:56:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\CutePDF Writer
[2010/04/07 09:55:26 | 000,000,000 | ---D | C] -- C:\Program Files\GPLGS
[2007/06/19 19:08:01 | 000,033,792 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll

========== Files - Modified Within 30 Days ==========

[2010/05/02 17:42:34 | 000,525,946 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/02 17:42:34 | 000,444,028 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/02 17:42:34 | 000,071,904 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/02 17:39:13 | 000,029,204 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/05/02 17:39:05 | 000,000,336 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize.job
[2010/05/02 17:38:26 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/02 17:38:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/02 17:38:12 | 000,093,440 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\drivers\nvatabus.sys
[2010/05/02 17:37:57 | 000,064,988 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000003-00000000-00000003-00001102-00000005-10031102}.rfx
[2010/05/02 17:37:57 | 000,054,312 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000003-00000000-00000003-00001102-00000005-10031102}.rfx
[2010/05/02 17:37:57 | 000,054,312 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000003-00000000-00000003-00001102-00000005-10031102}.rfx
[2010/05/02 17:37:57 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2010/05/02 17:37:57 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2010/05/02 17:37:52 | 006,553,600 | -H-- | M] () -- C:\Documents and Settings\user\NTUSER.DAT
[2010/05/02 17:37:52 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\user\ntuser.ini
[2010/05/02 17:04:54 | 000,020,363 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/05/02 17:04:45 | 004,836,790 | -H-- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\IconCache.db
[2010/05/02 16:12:12 | 000,015,944 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/05/02 15:27:09 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/05/02 15:14:41 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
[2010/05/01 16:53:35 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/01 15:50:46 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Microsoft Office Word 2003.lnk
[2010/05/01 01:00:06 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2010/04/30 21:29:35 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/30 08:13:28 | 000,162,816 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\netbt.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/29 09:56:46 | 000,002,495 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Microsoft Office Excel 2003.lnk
[2010/04/28 21:47:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/04/27 09:18:03 | 000,000,666 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/27 09:18:03 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/27 09:18:03 | 000,000,209 | -HS- | M] () -- C:\boot.ini
[2010/04/27 07:28:45 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/25 21:47:04 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/04/25 21:26:42 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2010/04/25 21:26:35 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/04/25 19:05:02 | 000,001,178 | -HS- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\w1vjs2h771
[2010/04/25 19:05:02 | 000,001,178 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\w1vjs2h771
[2010/04/22 07:12:26 | 013,719,807 | ---- | M] () -- C:\Documents and Settings\user\Desktop\South Valley Outdoor, LLC.QBB
[2010/04/17 17:20:29 | 000,002,483 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Microsoft Office PowerPoint 2003.lnk
[2010/04/15 03:03:34 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/15 01:08:02 | 000,000,364 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2010/04/05 21:27:28 | 008,201,728 | ---- | M] () -- C:\Documents and Settings\user\Desktop\South Valley Outdoor, LLC.QBX
[2010/04/05 08:28:09 | 000,660,992 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Ross & Kay.QBX

========== Files Created - No Company Name ==========

[2010/05/02 14:54:43 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/04/30 21:29:35 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/30 21:29:26 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/25 21:47:41 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/04/25 21:26:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/04/25 21:26:35 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/04/25 19:05:02 | 000,001,178 | -HS- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\w1vjs2h771
[2010/04/25 19:05:02 | 000,001,178 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\w1vjs2h771
[2010/04/24 13:18:30 | 000,000,336 | ---- | C] () -- C:\WINDOWS\tasks\GlaryInitialize.job
[2010/04/22 07:12:12 | 013,719,807 | ---- | C] () -- C:\Documents and Settings\user\Desktop\South Valley Outdoor, LLC.QBB
[2010/04/07 09:54:49 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2010/04/05 21:27:20 | 008,201,728 | ---- | C] () -- C:\Documents and Settings\user\Desktop\South Valley Outdoor, LLC.QBX
[2010/04/05 08:28:05 | 000,660,992 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Ross & Kay.QBX
[2009/09/23 20:15:15 | 000,000,566 | ---- | C] () -- C:\WINDOWS\System32\SP7302.INI
[2008/11/02 19:08:45 | 000,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2008/04/29 15:17:10 | 000,528,384 | ---- | C] () -- C:\WINDOWS\System32\Tx32.dll
[2008/04/29 15:17:10 | 000,053,760 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll
[2008/04/29 15:17:09 | 000,000,478 | ---- | C] () -- C:\WINDOWS\System32\ic32.ini
[2008/02/25 14:18:26 | 000,000,069 | ---- | C] () -- C:\WINDOWS\ricdb.ini
[2008/02/25 14:18:25 | 000,000,020 | ---- | C] () -- C:\WINDOWS\System32\RPCS.ini
[2007/06/26 09:09:14 | 000,315,392 | ---- | C] () -- C:\WINDOWS\System32\VLMenuRes.dll
[2007/06/26 09:09:14 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\VlUtils.dll
[2007/06/26 09:09:13 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\c1sizerppg.dll
[2007/06/25 10:40:35 | 000,000,128 | ---- | C] () -- C:\WINDOWS\PMJobCli.ini
[2007/06/25 10:40:33 | 000,012,309 | ---- | C] () -- C:\WINDOWS\PMRicMb.ini
[2007/06/25 10:40:33 | 000,007,873 | ---- | C] () -- C:\WINDOWS\PMRicPMb.ini
[2007/06/25 10:40:33 | 000,005,390 | ---- | C] () -- C:\WINDOWS\PMPrtMb.ini
[2007/06/25 10:40:33 | 000,004,644 | ---- | C] () -- C:\WINDOWS\PMRicFMb.ini
[2007/06/25 10:40:33 | 000,003,149 | ---- | C] () -- C:\WINDOWS\PMDvPrn.ini
[2007/06/25 10:40:33 | 000,002,102 | ---- | C] () -- C:\WINDOWS\PMDvDev.ini
[2007/06/25 10:40:33 | 000,002,047 | ---- | C] () -- C:\WINDOWS\PMDIOMb.ini
[2007/06/25 10:40:33 | 000,002,036 | ---- | C] () -- C:\WINDOWS\PMHostMb.ini
[2007/06/25 10:40:33 | 000,001,885 | ---- | C] () -- C:\WINDOWS\PMPSIOMb.ini
[2007/06/25 10:40:33 | 000,001,727 | ---- | C] () -- C:\WINDOWS\PMRicSMb.ini
[2007/06/25 10:40:33 | 000,001,706 | ---- | C] () -- C:\WINDOWS\PMRicCMb.ini
[2007/06/25 10:40:33 | 000,001,494 | ---- | C] () -- C:\WINDOWS\PMMib2Mb.ini
[2007/06/25 10:40:33 | 000,001,168 | ---- | C] () -- C:\WINDOWS\PMDvFax.ini
[2007/06/25 10:40:33 | 000,001,143 | ---- | C] () -- C:\WINDOWS\PMDPIMb.ini
[2007/06/25 10:40:33 | 000,001,094 | ---- | C] () -- C:\WINDOWS\PMAxsMb.ini
[2007/06/25 10:40:33 | 000,000,842 | ---- | C] () -- C:\WINDOWS\PMDvScan.ini
[2007/06/25 10:40:33 | 000,000,423 | ---- | C] () -- C:\WINDOWS\PMDvCopy.ini
[2007/06/25 10:40:33 | 000,000,332 | ---- | C] () -- C:\WINDOWS\PMSnmpMb.ini
[2007/06/25 10:40:32 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\rpnv2ui.dll
[2007/06/25 10:40:32 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\rtcpf.dll
[2007/06/25 10:40:32 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\RLPR.dll
[2007/06/25 10:40:29 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\PMObservps.dll
[2007/06/25 10:05:28 | 000,051,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2007/06/19 23:37:53 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/06/19 19:08:03 | 000,038,400 | ---- | C] () -- C:\WINDOWS\System32\CTBURST.DLL
[2007/06/19 19:08:01 | 000,000,194 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2007/06/19 19:07:20 | 000,000,055 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2007/06/19 19:07:19 | 000,049,274 | ---- | C] () -- C:\WINDOWS\System32\claptn32.ini
[2005/08/05 14:01:54 | 000,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/08/26 11:53:14 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\MXONmSpace.dll
[2004/08/26 11:49:52 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\MXONmSpMFC.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Files - Unicode (All) ==========
[2008/10/06 15:52:10 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\?ystem32) -- C:\Documents and Settings\user\My Documents\?ystem32
[2008/10/06 15:52:10 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\?ymbols) -- C:\Documents and Settings\user\My Documents\?ymbols
[2008/10/06 15:52:10 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\?racle) -- C:\Documents and Settings\user\My Documents\?racle
[2008/10/06 15:52:10 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\?racle) -- C:\Documents and Settings\user\My Documents\?racle
[2008/10/06 15:52:10 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\?ppPatch) -- C:\Documents and Settings\user\My Documents\?ppPatch
[2008/10/06 15:52:10 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\?icrosoft.NET) -- C:\Documents and Settings\user\My Documents\?icrosoft.NET
[2008/10/06 15:52:10 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\?ecurity) -- C:\Documents and Settings\user\My Documents\?ecurity
[2008/10/06 15:52:10 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\?dobe) -- C:\Documents and Settings\user\My Documents\?dobe
[2008/10/06 15:52:10 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\??stem32) -- C:\Documents and Settings\user\My Documents\??stem32
[2008/10/06 15:52:10 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\??sks) -- C:\Documents and Settings\user\My Documents\??sks
[2008/10/06 15:52:10 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\??pPatch) -- C:\Documents and Settings\user\My Documents\??pPatch
[2008/10/06 15:52:10 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\??curity) -- C:\Documents and Settings\user\My Documents\??curity
[2008/10/06 15:52:10 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\??crosoft.NET) -- C:\Documents and Settings\user\My Documents\??crosoft.NET
[2008/10/06 15:52:10 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\?ystem32) -- C:\Documents and Settings\user\My Documents\?ystem32
[2008/10/06 15:52:10 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\?ymbols) -- C:\Documents and Settings\user\My Documents\?ymbols
[2008/10/06 15:52:10 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\?racle) -- C:\Documents and Settings\user\My Documents\?racle
[2008/10/06 15:52:10 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\?racle) -- C:\Documents and Settings\user\My Documents\?racle
[2008/10/06 15:52:10 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\?ppPatch) -- C:\Documents and Settings\user\My Documents\?ppPatch
[2008/10/06 15:52:10 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\?icrosoft.NET) -- C:\Documents and Settings\user\My Documents\?icrosoft.NET
[2008/10/06 15:52:10 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\?ecurity) -- C:\Documents and Settings\user\My Documents\?ecurity
[2008/10/06 15:52:10 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\?dobe) -- C:\Documents and Settings\user\My Documents\?dobe
[2008/10/06 15:52:10 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\??stem32) -- C:\Documents and Settings\user\My Documents\??stem32
[2008/10/06 15:52:10 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\??sks) -- C:\Documents and Settings\user\My Documents\??sks
[2008/10/06 15:52:10 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\??pPatch) -- C:\Documents and Settings\user\My Documents\??pPatch
[2008/10/06 15:52:10 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\??curity) -- C:\Documents and Settings\user\My Documents\??curity
[2008/10/06 15:52:10 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\??crosoft.NET) -- C:\Documents and Settings\user\My Documents\??crosoft.NET
[2008/10/06 15:52:09 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\W?nSxS) -- C:\Documents and Settings\user\My Documents\W?nSxS
[2008/10/06 15:52:09 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\T?sks) -- C:\Documents and Settings\user\My Documents\T?sks
[2008/10/06 15:52:09 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\W?nSxS) -- C:\Documents and Settings\user\My Documents\W?nSxS
[2008/10/06 15:52:09 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\T?sks) -- C:\Documents and Settings\user\My Documents\T?sks
[2008/10/06 15:52:03 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\s?stem32) -- C:\Documents and Settings\user\My Documents\s?stem32
[2008/10/06 15:52:03 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\s?stem) -- C:\Documents and Settings\user\My Documents\s?stem
[2008/10/06 15:52:03 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\s?stem32) -- C:\Documents and Settings\user\My Documents\s?stem32
[2008/10/06 15:52:03 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\s?stem) -- C:\Documents and Settings\user\My Documents\s?stem
[2008/10/06 15:49:48 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\M?crosoft) -- C:\Documents and Settings\user\My Documents\M?crosoft
[2008/10/06 15:49:48 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\M?crosoft) -- C:\Documents and Settings\user\My Documents\M?crosoft
[2008/10/06 15:49:00 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\F?nts) -- C:\Documents and Settings\user\My Documents\F?nts
[2008/10/06 15:49:00 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\F?nts) -- C:\Documents and Settings\user\My Documents\F?nts
[2008/10/06 15:49:00 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\F?nts) -- C:\Documents and Settings\user\My Documents\F?nts
[2008/10/06 15:49:00 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\F?nts) -- C:\Documents and Settings\user\My Documents\F?nts

========== Alternate Data Streams ==========

@Alternate Data Stream - 107 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C7F04040
< End of report >


EXTRAS (OTL):

OTL Extras logfile created on: 5/2/2010 5:39:56 PM - Run 1
OTL by OldTimer - Version 3.2.4.0 Folder = C:\Documents and Settings\user\My Documents\Downloads
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 432.23 Gb Free Space | 92.80% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER-AE587A64F7
Current User Name: Kay M. McClintock
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 1
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe:*:Enabled:QuickBooks 2006 Data Manager -- (Intuit, Inc.)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{001E7FB6-BB6B-4ED0-BEDC-B5404ED96D4E}" = DocProc
"{10E1E87C-656C-4D08-86D6-5443D28583BE}" = TrayApp
"{13F00518-807A-4B3A-83B0-A7CD90F3A398}" = MarketResearch
"{1753255A-0AEB-4220-8C75-607B73F0C133}" = Copy
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1E04F83B-2AB9-4301-9EF7-E86307F79C72}" = Google Earth
"{1E88F516-C8AA-4D17-9A54-8AB0768F34C1}" = Retrospect Express HD 1.0
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{244E21B9-164C-4EC1-AED8-9BD64161E66D}" = ArcSoft VideoImpression 2
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java™ 6 Update 14
"{29FA38B4-0AE4-4D0D-8A51-6165BB990BB0}" = WebReg
"{2F28B3C9-2C89-4206-8B33-8ADC9577C49B}" = Scan
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3EC91FDF-FE9A-43D5-96C4-8A9C24372500}" = Maxtor OneTouch
"{415CDA53-9100-476F-A7B2-476691E117C7}" = HP Smart Web Printing
"{44B2E182-DD85-45FC-9F51-326B81D7C7F1}" = Fax
"{487B0B9B-DCD4-440D-89A0-A6EDE1A545A3}" = HPSSupply
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{543E938C-BDC4-4933-A612-01293996845F}" = UnloadSupport
"{58F4D4FD-1814-4068-B316-C28FC776C6DD}" = GoToMyPC
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{69B02159-7622-4DBB-B9EE-F933039830AD}" = QuickBooks Pro 2006
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{7148F0A8-6813-11D6-A77B-00B0D0142150}" = Java 2 Runtime Environment, SE v1.4.2_15
"{730837D4-FF5E-48DB-BA49-33E732DFF0B3}" = PanoStandAlone
"{824D3839-DAA1-4315-A822-7AE3E620E528}" = VideoToolkit01
"{8389382B-53BA-4A87-8854-91E3D80A5AC7}" = HP Photosmart Essential2.01
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C6027FD-53DC-446D-BB75-CACD7028A134}" = HP Update
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91CA0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Small Business Edition 2003
"{93F54611-2701-454e-94AB-623F458D9E6B}" = DeviceDiscovery
"{98177940-C048-4831-A279-F3888B1E2C7F}" = InstallMgr
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A8AC89BA-D8CB-4372-9743-1C54D23286B0}" = MSN Toolbar
"{AAB2A3A6-6789-4260-9966-517498589AB5}" = ArcSoft PhotoImpression 5
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3
"{AEA07F97-9088-497c-8821-0F36BD5DC251}" = HPProductAssistant
"{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
"{B22CFC7C-86DD-4D4E-8898-328DDB8B6400}" = Salesperson Exam Prep
"{B34E4B72-37C6-4f79-A5B3-008EEFC6EA8B}" = PS_AIO_02_Software_min
"{B46AC30C-22D2-4610-B041-1DA7BB29EB57}" = HP Photosmart All-In-One Software 9.0
"{B6EF6DCE-078E-4952-A7FA-352A9C349EB0}" = MSN Toolbar
"{B7148D71-0A8F-4501-96B4-4E1CC67F874E}" = Microsoft Default Manager
"{B7E5D642-E74E-40a4-B5C7-6AB6EE916814}" = PS_AIO_02_ProductContext
"{BC10649A-983B-494e-AD1F-DE0BF717D701}" = PS_AIO_02_Software
"{BCD6CD1A-0DBE-412E-9F25-3B500D1E6BA1}" = SolutionCenter
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C138D676-4F0F-4FDE-8BE5-26CFD3566DCD}" = DeskTopBinder - SmartDeviceMonitor for Client
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0E39A1D-0CEE-4D85-B4A2-E3BE990D075E}" = Destination Component
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime
"{DDAC27F9-8293-465f-A4B0-011F1D38BBA1}" = RoxioShim
"{E031338C-839D-4EDD-9537-99B653C39D81}" = Autodesk MapGuide® Viewer ActiveX Control Release 6.5
"{E2662C24-B31E-4349-A084-32EB76E8B760}" = BufferChm
"{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox
"{ED2A3C11-3EA8-4380-B59C-F2C1832731B0}" = Quicken 2009
"{EF3F9770-CA7B-4c5d-8A98-49AB97216546}" = C8100
"{F0B2D11F-E4D9-4C17-A195-B8BADEAE9C40}" = VGA USB Camera
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F4A61B59-A8DE-4faf-B13E-BB596D698089}" = C8100_Help
"{F72E2DDC-3DB8-4190-A21D-63883D955FE7}" = PSSWCORE
"{F75EBC67-0CF7-416a-A8E2-E38251ABE62E}" = C8100_doccd
"{FCD9CD52-7222-4672-94A0-A722BA702FD0}" = Dell Resource CD
"{FD8D8B04-BEAD-4A55-AA1D-62D2373E7DEA}" = Status
"ActiveTouchMeetingClient" = WebEx
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"Carbonite Backup" = Carbonite
"CutePDF Writer Installation" = CutePDF Writer 2.8
"Glary Utilities_is1" = Glary Utilities 2.21.0.863
"HitmanPro35" = Hitman Pro 3.5
"HP Imaging Device Functions" = HP Imaging Device Functions 9.0
"HP Photosmart Essential" = HP Photosmart Essential 2.01
"HP Solution Center & Imaging Support Tools" = HP Solution Center 9.0
"HPExtendedCapabilities" = HP Customer Participation Program 9.0
"HPOCR" = HP OCR Software 9.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{3EC91FDF-FE9A-43D5-96C4-8A9C24372500}" = Maxtor OneTouch
"Intel® 537EP V9x DF PCI Modem" = Intel® 537EP V9x DF PCI Modem
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MetroScan Online_is1" = MetroScan Online v3.6
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MSC" = McAfee SecurityCenter
"MXOFX" = USB Storage Adapter FX (MXO)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Picasa 3" = Picasa 3
"Retail Tenant Directory" = Retail Tenant Directory
"Revo Uninstaller" = Revo Uninstaller 1.87
"WIC" = Windows Imaging Component
"WinAIR Forms 2.0" = WinAIR Forms 2.0
"Windows Media Format Runtime" = Windows Media Format Runtime

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting 4.0.0.320

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/19/2009 4:07:36 PM | Computer Name = USER-AE587A64F7 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16945, faulting
module msneie.dll, version 3.0.1125.0, fault address 0x000220d7.

Error - 12/19/2009 4:49:13 PM | Computer Name = USER-AE587A64F7 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16945, faulting
module msneie.dll, version 3.0.1125.0, fault address 0x000220d4.

Error - 12/19/2009 4:54:37 PM | Computer Name = USER-AE587A64F7 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16945, faulting
module msneie.dll, version 3.0.1125.0, fault address 0x000220d4.

Error - 12/19/2009 5:15:04 PM | Computer Name = USER-AE587A64F7 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16945, faulting
module msneie.dll, version 3.0.1125.0, fault address 0x000220d4.

Error - 12/19/2009 6:02:38 PM | Computer Name = USER-AE587A64F7 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16945, faulting
module msneie.dll, version 3.0.1125.0, fault address 0x000220d4.

Error - 12/20/2009 9:17:38 PM | Computer Name = USER-AE587A64F7 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16945, faulting
module msneie.dll, version 3.0.1125.0, fault address 0x000220d4.

Error - 12/25/2009 3:05:52 AM | Computer Name = USER-AE587A64F7 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 12/30/2009 1:54:19 PM | Computer Name = USER-AE587A64F7 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16945, faulting
module msneie.dll, version 3.0.1125.0, fault address 0x000220d4.

Error - 12/31/2009 9:25:23 PM | Computer Name = USER-AE587A64F7 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16945, faulting
module msneie.dll, version 3.0.1125.0, fault address 0x000220d4.

Error - 1/2/2010 6:57:21 PM | Computer Name = USER-AE587A64F7 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16945, faulting
module msneie.dll, version 3.0.1125.0, fault address 0x000220d4.

[ System Events ]
Error - 4/28/2010 1:19:43 AM | Computer Name = USER-AE587A64F7 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 4/28/2010 1:19:43 AM | Computer Name = USER-AE587A64F7 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 4/28/2010 1:21:11 AM | Computer Name = USER-AE587A64F7 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cercsr6

Error - 4/28/2010 1:24:36 AM | Computer Name = USER-AE587A64F7 | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460

Error - 4/28/2010 1:25:15 AM | Computer Name = USER-AE587A64F7 | Source = Tcpip | ID = 4198
Description = The system detected an address conflict for IP address 192.168.1.64
with the system having network hardware address 00:1E:6B:50:76:E0. The local interface
has been disabled.

Error - 5/1/2010 12:30:19 AM | Computer Name = USER-AE587A64F7 | Source = DCOM | ID = 10010
Description = The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register
with DCOM within the required timeout.

Error - 5/1/2010 12:30:50 AM | Computer Name = USER-AE587A64F7 | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Management Instrumentation
service, but this action failed with the following error: %%1056

Error - 5/2/2010 6:07:52 PM | Computer Name = USER-AE587A64F7 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/2/2010 6:07:52 PM | Computer Name = USER-AE587A64F7 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 5/2/2010 6:09:22 PM | Computer Name = USER-AE587A64F7 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cercsr6


< End of report >

GMER:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-02 18:54:11
Windows 5.1.2600 Service Pack 2
Running: gamerssdfsdf.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\pfeyqaog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA6B3878A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA6B38821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA6B38738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA6B3874C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA6B38835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA6B38861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xA6B388CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xA6B388B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA6B387CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xA6B388FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA6B3880D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA6B38710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA6B38724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA6B3879E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xA6B38937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xA6B388A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xA6B3888D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA6B3884B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xA6B38923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xA6B3890F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA6B38776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA6B38762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA6B38877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA6B387F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xA6B388E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA6B387E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA6B387B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device -> \Driver\nvatabus \Device\Harddisk0\DR0 883C0AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\nvatabus.sys suspicious modification

---- EOF - GMER 1.0.15 ----



Thanks in advance for your help guys, this looks like it is a great site. I have been trying this for a few hours, and can't seem to get this out!

Note: This system got the Antispyware 2009 virus, and I thought I got all of that out, idk if this is related to that or not, but I thought it may be useful for you to know. thanks!
  • 0


#2
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello gmac73,

Welcome to Geekstogo.

Please download ComboFix from one of these locations:

NOTE: If you are a guest watching this topic: ComboFix is a very powerful tool. The disclaimer clearly states that you should not use it without supervision. There is good reason for this, as ComboFix can, and sometimes does, run into conflict on a computer and render it unusable.

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • 0

#3
gmac73

gmac73

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Okay, I tried to run ComboFix twice and it blue-screened twice. Would it be safe to try running it in Safe Mode?
  • 0

#4
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Yes, try it in safe mode. Could be McAfee; it's notorious for interfering. :)
  • 0

#5
gmac73

gmac73

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Here is the ComboFix log. I am still having the problem; I have to post from another computer, as it won't let me do anything on any antivirus-type sites.

ComboFix 10-05-03.03 - Kay M. McClintock 05/03/2010 17:50:49.1.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2045.1716 [GMT -7:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\user\Application Data\45ACB046261207F6FF7D287E6B1A2E3C
c:\documents and settings\user\Application Data\45ACB046261207F6FF7D287E6B1A2E3C\enemies-names.txt
C:\mtwb.dat
c:\program files\WindowsUpdate
c:\windows\system32\AutoRun.inf
c:\windows\system32\bszip.dll
c:\windows\system32\gotomon.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IAS
-------\Legacy_PRAGMApuxdmxtynx
-------\Service_PRAGMApuxdmxtynx


((((((((((((((((((((((((( Files Created from 2010-04-04 to 2010-05-04 )))))))))))))))))))))))))))))))
.

2010-05-03 04:05 . 2010-05-03 04:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\jrvltdmlb
2010-05-03 01:14 . 2010-05-03 01:14 -------- d-----w- c:\program files\ERUNT
2010-05-03 00:30 . 2010-05-03 00:30 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-05-02 22:50 . 2010-05-02 22:50 -------- d-----w- C:\spoolerlogs
2010-05-02 22:48 . 2010-05-03 00:35 -------- d-----w- c:\program files\Trend Micro
2010-05-02 22:32 . 2010-05-02 22:32 6153352 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-05-02 22:22 . 2010-05-02 22:22 -------- d-----w- c:\program files\VS Revo Group
2010-05-02 22:14 . 2010-05-02 22:14 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-05-02 21:54 . 2010-05-02 23:12 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-02 21:52 . 2010-05-02 22:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-02 21:52 . 2010-05-02 21:52 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-02 21:29 . 2010-05-02 22:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-02 20:36 . 2010-05-02 21:45 -------- d-----w- C:\7cf7ddd59f49e35298bed0ee30
2010-05-01 23:53 . 2010-05-01 23:53 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-01 04:30 . 2010-05-01 04:30 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\jarvlvemn
2010-05-01 04:29 . 2010-05-01 04:29 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-05-01 04:29 . 2010-05-03 04:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-26 04:47 . 2010-04-26 04:47 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-26 04:40 . 2010-05-02 22:28 -------- d-----w- c:\program files\Lavasoft
2010-04-26 04:40 . 2010-04-26 04:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-26 04:26 . 2010-04-26 04:26 0 ----a-w- c:\windows\nsreg.dat
2010-04-26 04:26 . 2010-04-26 04:26 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Mozilla
2010-04-26 02:05 . 2004-08-04 05:59 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-26 02:05 . 2004-08-04 05:59 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-26 02:05 . 2004-08-04 06:00 8192 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-04-26 02:05 . 2004-08-04 06:00 8192 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-04-26 02:05 . 2004-08-04 06:00 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-04-26 02:05 . 2004-08-04 06:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-04-26 02:04 . 2010-04-26 02:04 -------- d-----w- c:\program files\DivX
2010-04-26 02:04 . 2010-04-26 02:06 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-04-26 01:09 . 2010-04-26 01:09 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2010-04-26 01:09 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-26 01:09 . 2010-04-26 01:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-26 01:09 . 2010-05-02 22:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-26 01:09 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 23:18 . 2010-04-24 23:18 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Deployment
2010-04-24 20:28 . 2010-04-24 20:28 -------- d-----w- c:\documents and settings\user\Application Data\GlarySoft
2010-04-24 20:18 . 2010-04-24 20:18 -------- d-----w- c:\program files\Glary Utilities
2010-04-07 16:56 . 2010-04-07 21:23 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\CutePDF Writer
2010-04-07 16:55 . 2010-04-07 16:55 -------- d-----w- c:\program files\GPLGS
2010-04-07 16:54 . 2009-11-05 15:39 87552 ----a-w- c:\windows\system32\cpwmon2k.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-04 00:47 . 2009-09-24 03:35 -------- d-----w- c:\documents and settings\user\Application Data\Skype
2010-05-03 02:46 . 2005-07-20 04:59 93440 ----a-w- c:\windows\system32\drivers\nvatabus.sys
2010-05-02 22:09 . 2007-12-21 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-02 20:15 . 2009-09-24 03:36 -------- d-----w- c:\documents and settings\user\Application Data\skypePM
2010-04-30 15:13 . 2004-08-10 11:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2010-04-24 23:19 . 2007-06-20 01:56 -------- d-----w- c:\program files\GemMaster
2010-04-07 23:10 . 2009-11-04 16:07 -------- d-----w- c:\program files\McAfee
2010-04-07 16:54 . 2007-06-27 16:27 -------- d-----w- c:\program files\Acro Software
2010-03-22 16:10 . 2009-05-18 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\RetroExp
2010-03-11 12:38 . 2004-08-10 11:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-10 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-10 11:00 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-10 11:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 12:31 . 2004-08-10 11:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-16 13:17 . 2004-08-10 11:00 2137088 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2004-08-03 22:59 2016768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47 . 2004-08-10 11:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2004-08-10 11:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-11 01:44 . 2010-02-11 01:44 726008 ----a-w- c:\documents and settings\user\gotomypc_437.exe
2010-02-07 19:45 . 2009-08-30 19:28 131336 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Blue]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2008-08-18 16:51 527304 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2008-08-18 16:51 527304 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Blue]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2008-08-18 16:51 527304 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Red]
@="{01CCCC8C-1D50-4b13-B96D-4B922DD3128B}"
[HKEY_CLASSES_ROOT\CLSID\{01CCCC8C-1D50-4b13-B96D-4B922DD3128B}]
2008-08-18 16:51 527304 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2008-08-18 16:51 527304 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-09 7110656]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 08:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Carbonite Backup]
2008-08-18 16:51 600008 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-10 11:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoToMyPC]
2007-01-13 00:45 249904 ----a-w- c:\program files\Citrix\GoToMyPC\g2svc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 04:34 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]
2004-08-31 16:23 823296 ----a-w- c:\progra~1\Maxtor\OneTouch\Utils\OneTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
2009-10-29 14:54 1218008 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2009-02-03 20:05 233304 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MplSetUp]
2005-06-01 08:59 40960 ----a-w- c:\program files\RDS\RMClient\MplSetUp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MXOBG]
2003-10-10 18:23 94208 ----a-w- c:\windows\MXOALDR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2005-07-09 05:57 7110656 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PAC7302_Monitor]
2006-11-03 18:01 319488 ----a-w- c:\windows\Pixart\Pac7302\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RetroExpress]
2004-07-30 22:47 6946816 ----a-w- c:\progra~1\Dantz\RETROS~1\RetroExpress.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-09 04:57 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-05-03 20:45 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/4/2009 9:09 AM 93320]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\adm8511.sys [6/19/2007 7:04 PM 20160]
S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-05-04 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-04-24 20:03]

2010-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-04 20:22]

2010-05-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-04 20:22]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUzed004YYUS_ZZzer000&fl=0&ptb=h8MSSKhGNlqqgJODwSNzxg&url=http://www.ask.com/web&q={searchTerms}&l=zu&o=sb
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://pro.realquest.com/mapviewer/mapviewer.cab
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\94bev22h.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKU-Default-Run-yntdmrsh - c:\documents and settings\user\Local Settings\Application Data\jarvlvemn\ayfikextssd.exe
SafeBoot-klmdb.sys
MSConfigStartUp-FBSearch - c:\program files\Search Guard Plus\SearchGuardPlus.exe
MSConfigStartUp-Google Update - c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
MSConfigStartUp-SGPUpdater - c:\program files\Search Guard PlusU\sgpUpdaters.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-03 17:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8835BAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cfc3
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba7117b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582414
ParseProcedure -> ntkrnlpa.exe @ 0x80581554
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582414
ParseProcedure -> ntkrnlpa.exe @ 0x80581554
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(720)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(568)
c:\windows\system32\WININET.dll
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\Dantz\RETROS~1\retrorun.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2010-05-03 18:02:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-04 01:02

Pre-Run: 463,759,863,808 bytes free
Post-Run: 463,647,309,824 bytes free

- - End Of File - - 009E07E5F4401CB2244B2685DD7D788B
  • 0

#6
emeraldnzl

emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello again gmac73,

We want to replace some system files. The most efficient way to do this is to update your Windows to Service Pack 3.

You will need to use Internet Explorer to download:

Please go to Windows updates

You may need to allow Microsoft to install an ActiveX component to check your machine before it downloads. Let it do that.

Come back if you have any difficulties.

After that

  • Double click on the OTL icon to run it. Make sure all other windows are closed to let it run uninterrupted.
  • Under the Custom Scan box paste this in:

    /md5start
    disk.sys
    atapi.sys
    nvatabus.sys
    ntkrnlpa.exe
    /md5stop

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open a notepad window, OTL.txt. This is saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of the file and paste it into your reply.
  • 0
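
The /md5start ... /md5stop directive in the post above asks OTL to print the MD5 of each listed driver so the helper can compare it with the hash of a clean copy. As an added illustration of that check (example code written for this page, not OTL's, ComboFix's or the thread's own), the Python script below hashes the same four file names from a directory and compares them with a baseline you supply. The directory contents and the baseline hashes are constructed for the demonstration and are not real driver hashes; a mismatch only flags a file for closer comparison, since a legitimate update (such as the SP3 install requested above) changes hashes too.

```python
"""Hash a list of driver files and compare them with a known-good baseline.

Added example, not OTL's own code. OTL's /md5start ... /md5stop directive
prints the MD5 of each listed file; this script performs the equivalent
comparison offline against a baseline dict (file name -> expected MD5).
All file contents and hashes used in demo() are constructed for the demo.
"""
import hashlib
import os
import tempfile

# File names the helper asked OTL to hash (taken from the thread).
DRIVER_NAMES = ["disk.sys", "atapi.sys", "nvatabus.sys", "ntkrnlpa.exe"]


def file_hashes(path, chunk_size=1 << 16):
    """Return (md5, sha256) hex digests of a file, streamed in chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def check_drivers(driver_dir, baseline, names=DRIVER_NAMES):
    """Compare each named file in driver_dir with baseline (name -> md5).

    Returns a dict name -> "ok" | "MISMATCH" | "MISSING" | "NO BASELINE".
    A mismatch alone is not proof of infection (a service pack changes
    hashes too); it is the signal to compare the file with a clean copy.
    """
    results = {}
    for name in names:
        path = os.path.join(driver_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        md5, _ = file_hashes(path)
        expected = baseline.get(name)
        if expected is None:
            results[name] = "NO BASELINE"
        elif md5.lower() == expected.lower():
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Build a constructed driver directory and run the check against it."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-ins for the real driver files.
        clean = {
            "disk.sys": b"clean disk driver bytes",
            "atapi.sys": b"clean atapi driver bytes",
            "ntkrnlpa.exe": b"clean kernel image bytes",
        }
        for name, data in clean.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        # nvatabus.sys gets extra bytes appended, modelling the "suspicious
        # modification" GMER reported; its baseline is the clean content.
        clean_nvatabus = b"clean nvatabus driver bytes"
        with open(os.path.join(tmp, "nvatabus.sys"), "wb") as fh:
            fh.write(clean_nvatabus + b"<constructed extra bytes>")
        baseline = {n: hashlib.md5(d).hexdigest() for n, d in clean.items()}
        baseline["nvatabus.sys"] = hashlib.md5(clean_nvatabus).hexdigest()
        return check_drivers(tmp, baseline)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:14s} {status}")
```

On a real machine you would point check_drivers at C:\WINDOWS\system32\drivers (and ntkrnlpa.exe in system32) and fill the baseline from hashes taken off a known-clean copy of the same Windows version and service pack; the script also records SHA-256 so the same run can be compared with sources that no longer publish MD5.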

#7
gmac73

gmac73

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thanks, I sent a donation your way via PayPal. I installed SP3 (I did it in safe mode; I couldn't get it to go in a regular startup, btw).

Here is the OTL log you requested:

OTL logfile created on: 5/4/2010 5:05:04 PM - Run 3
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\user\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 70.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 428.95 Gb Free Space | 92.10% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER-AE587A64F7
Current User Name: Kay M. McClintock
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/04 17:04:49 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\desktop\OTL.exe
PRC - [2010/04/14 09:47:08 | 002,790,472 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/04/14 09:47:05 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2009/09/16 11:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/05/26 04:40:52 | 000,755,576 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SoftwareDistribution\Download\f1fc92ed2a5ec4aa6a3294a4cfcb6c6f\update\update.exe
PRC - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2008/08/18 09:51:22 | 001,699,784 | R--- | M] (Carbonite, Inc. (www.carbonite.com)) -- C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/11/03 11:01:16 | 000,319,488 | ---- | M] (PixArt Imaging Incorporation) -- C:\WINDOWS\Pixart\Pac7302\Monitor.exe
PRC - [2004/07/30 15:47:36 | 000,069,632 | ---- | M] (Dantz Development Corporation) -- C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe


========== Modules (SafeList) ==========

MOD - [2010/05/04 17:04:49 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\desktop\OTL.exe
MOD - [2008/04/14 05:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/04/14 09:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/04/14 09:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/04/14 09:47:05 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/12/08 15:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) [Disabled | Stopped] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Disabled | Stopped] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/09/17 15:29:04 | 000,865,832 | ---- | M] (McAfee, Inc.) [Disabled | Stopped] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/09/16 12:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [Disabled | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 11:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 10:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) [Disabled | Stopped] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/08 12:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Disabled | Stopped] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 20:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Disabled | Stopped] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2008/08/18 09:51:22 | 001,699,784 | R--- | M] (Carbonite, Inc. (www.carbonite.com)) [Auto | Running] -- C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe -- (CarboniteService)
SRV - [2004/07/30 15:47:36 | 000,069,632 | ---- | M] (Dantz Development Corporation) [Auto | Running] -- C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe -- (RetroExpLauncher)


========== Driver Services (SafeList) ==========

DRV - [2010/05/03 21:08:19 | 000,093,440 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\nvatabus.sys -- (nvatabus)
DRV - [2010/04/14 09:35:47 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/04/14 09:35:25 | 000,162,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/04/14 09:31:39 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/04/14 09:31:12 | 000,100,432 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/04/14 09:31:01 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/04/14 09:30:45 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/09/16 11:22:48 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 11:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 11:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 11:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 11:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 13:32:26 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2008/04/14 00:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/14 00:11:00 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\changer.sys -- (Changer)
DRV - [2008/04/14 00:10:28 | 000,034,688 | ---- | M] (Toshiba Corp.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\lbrtfdc.sys -- (lbrtfdc)
DRV - [2007/06/14 15:29:08 | 000,457,856 | ---- | M] (PixArt Imaging Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PAC7302.SYS -- (PAC7302)
DRV - [2007/03/01 11:34:36 | 000,028,352 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2006/08/24 13:44:14 | 000,477,696 | ---- | M] (ZyDAS Technology Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ZD1211BU.sys -- (ZD1211BU(ZyDAS)) ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS)
DRV - [2005/08/08 17:54:36 | 000,007,168 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2005/08/08 17:54:34 | 000,439,424 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2005/08/08 17:54:28 | 001,093,632 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha20x2k.sys -- (ha20x2k)
DRV - [2005/08/08 17:54:20 | 000,114,688 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2005/08/08 17:54:16 | 000,142,848 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2005/08/08 17:54:16 | 000,077,824 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2005/08/08 17:54:12 | 000,501,760 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2005/07/26 17:48:30 | 000,012,928 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005/07/26 17:48:28 | 000,033,664 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/07/13 21:18:48 | 000,340,704 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2005/07/08 22:57:00 | 003,198,304 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2005/02/23 14:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2004/08/09 17:49:40 | 000,014,592 | ---- | M] (Maxtor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxopswd.sys -- (MXOPSWD)
DRV - [2004/06/16 02:52:40 | 000,061,157 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC53.sys -- (IntelC53)
DRV - [2004/03/06 03:15:34 | 000,647,929 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC52.sys -- (IntelC52)
DRV - [2004/03/06 03:14:42 | 001,233,525 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC51.sys -- (IntelC51)
DRV - [2004/03/06 03:13:38 | 000,037,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mohfilt.sys -- (mohfilt)
DRV - [2003/10/10 11:23:48 | 000,032,640 | ---- | M] (Cypress Semiconductor) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxofx.sys -- (MXOFX) USB Storage Adapter FX (MXO)
DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 12:11:18 | 000,020,160 | ---- | M] (ADMtek Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\adm8511.sys -- (ADM8511)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Ask.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultUrl = http://www.mywebsear.......p;l=zu&o=sb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/04/09 10:35:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/25 21:26:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/25 21:26:32 | 000,000,000 | ---D | M]

[2010/04/25 21:26:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Mozilla\Extensions
[2010/05/03 15:48:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\94bev22h.default\extensions
[2010/04/27 14:25:31 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\94bev22h.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/25 21:26:33 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/05/03 17:56:56 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [HitmanPro35] C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe (SurfRight B.V.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [PAC7302_Monitor] C:\WINDOWS\Pixart\Pac7302\Monitor.exe (PixArt Imaging Incorporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
O9 - Extra Button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll (Hewlett-Packard Co.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O15 - HKLM\..Trusted Domains: localhost ([]http in Local intranet)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} file:///C:/Program%20Files/Bejeweled%202/Images/stg_drm.ocx (SpinTop DRM Control)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photo2.walgre...eensActivia.cab (Snapfish Activia)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0014-0002-0015-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_15)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} file:///C:/Program%20Files/Bejeweled%202/Images/armhelper.ocx (ArmHelper Control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} http://pro.realquest...r/mapviewer.cab (First American Res MapActiveX Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/06/19 18:46:45 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/04 17:04:35 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
[2010/05/04 17:03:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/05/04 16:59:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2010/05/04 16:49:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood.Tmp
[2010/05/04 16:45:55 | 001,372,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml6.dll
[2010/05/04 16:45:55 | 000,079,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml6r.dll
[2010/05/04 16:45:52 | 000,010,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\smtpapi.dll
[2010/05/04 16:45:52 | 000,009,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rwnh.dll
[2010/05/04 16:45:52 | 000,009,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comsdupd.exe
[2010/05/04 16:45:51 | 001,888,992 | ---- | C] (ATI Technologies Inc. ) -- C:\WINDOWS\System32\ati3duag.dll
[2010/05/04 16:45:51 | 000,870,784 | ---- | C] (ATI Technologies Inc. ) -- C:\WINDOWS\System32\ati3d1ag.dll
[2010/05/04 16:45:51 | 000,516,768 | ---- | C] (ATI Technologies Inc. ) -- C:\WINDOWS\System32\ativvaxx.dll
[2010/05/04 16:45:51 | 000,377,984 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\ati2dvaa.dll
[2010/05/04 16:45:51 | 000,233,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\azroles.dll
[2010/05/04 16:45:51 | 000,229,376 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\ati2cqag.dll
[2010/05/04 16:45:51 | 000,201,728 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\ati2dvag.dll
[2010/05/04 16:45:51 | 000,136,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\aaclient.dll
[2010/05/04 16:45:51 | 000,032,768 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\ativtmxx.dll
[2010/05/04 16:45:51 | 000,023,040 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\ativmvxx.ax
[2010/05/04 16:45:51 | 000,009,728 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\ativdaxx.ax
[2010/05/04 16:45:51 | 000,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\bitsprx4.dll
[2010/05/04 16:45:50 | 000,650,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dot3ui.dll
[2010/05/04 16:45:50 | 000,397,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mmcex.dll
[2010/05/04 16:45:50 | 000,184,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eapp3hst.dll
[2010/05/04 16:45:50 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\microsoft.managementconsole.dll
[2010/05/04 16:45:50 | 000,180,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eapphost.dll
[2010/05/04 16:45:50 | 000,155,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mssha.dll
[2010/05/04 16:45:50 | 000,126,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eappcfg.dll
[2010/05/04 16:45:50 | 000,106,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mmcfxcommon.dll
[2010/05/04 16:45:50 | 000,094,208 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eappgnui.dll
[2010/05/04 16:45:50 | 000,086,016 | ---- | C] (Conexant) -- C:\WINDOWS\System32\mdmxsdk.dll
[2010/05/04 16:45:50 | 000,076,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msshavmsg.dll
[2010/05/04 16:45:50 | 000,059,392 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eapqec.dll
[2010/05/04 16:45:50 | 000,057,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dot3cfg.dll
[2010/05/04 16:45:50 | 000,056,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dot3msm.dll
[2010/05/04 16:45:50 | 000,048,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dhcpqec.dll
[2010/05/04 16:45:50 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eappprxy.dll
[2010/05/04 16:45:50 | 000,039,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dot3gpclnt.dll
[2010/05/04 16:45:50 | 000,039,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dimsroam.dll
[2010/05/04 16:45:50 | 000,037,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\l2gpstore.dll
[2010/05/04 16:45:50 | 000,033,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mmcperf.exe
[2010/05/04 16:45:50 | 000,032,285 | ---- | C] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\hsfcisp2.dll
[2010/05/04 16:45:50 | 000,030,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eapolqec.dll
[2010/05/04 16:45:50 | 000,026,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dot3api.dll
[2010/05/04 16:45:50 | 000,009,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dot3dlg.dll
[2010/05/04 16:45:50 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdpash.dll
[2010/05/04 16:45:50 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdnepr.dll
[2010/05/04 16:45:50 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdiultn.dll
[2010/05/04 16:45:50 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdbhc.dll
[2010/05/04 16:45:49 | 001,737,856 | ---- | C] (Matrox Graphics Inc.) -- C:\WINDOWS\System32\mtxparhd.dll
[2010/05/04 16:45:49 | 000,397,056 | ---- | C] (S3 Graphics, Inc.) -- C:\WINDOWS\System32\s3gnb.dll
[2010/05/04 16:45:49 | 000,290,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rhttpaa.dll
[2010/05/04 16:45:49 | 000,286,792 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\slextspk.dll
[2010/05/04 16:45:49 | 000,193,024 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\napmontr.dll
[2010/05/04 16:45:49 | 000,188,508 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\slgen.dll
[2010/05/04 16:45:49 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\napstat.exe
[2010/05/04 16:45:49 | 000,150,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qagent.dll
[2010/05/04 16:45:49 | 000,144,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\onex.dll
[2010/05/04 16:45:49 | 000,076,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qutil.dll
[2010/05/04 16:45:49 | 000,073,832 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\slcoinst.dll
[2010/05/04 16:45:49 | 000,073,796 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\slserv.exe
[2010/05/04 16:45:49 | 000,069,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wlanapi.dll
[2010/05/04 16:45:49 | 000,062,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qcliprov.dll
[2010/05/04 16:45:49 | 000,061,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rasqec.dll
[2010/05/04 16:45:49 | 000,053,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\tsgqec.dll
[2010/05/04 16:45:49 | 000,032,866 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\slrundll.exe
[2010/05/04 16:45:49 | 000,032,866 | ---- | C] (Smart Link) -- C:\WINDOWS\slrundll.exe
[2010/05/04 16:45:49 | 000,032,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\setupn.exe
[2010/05/04 16:45:49 | 000,030,208 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\napipsec.dll
[2010/05/04 16:45:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2010/05/04 16:45:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2010/05/04 16:45:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2010/05/04 16:45:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
[2010/05/04 16:43:38 | 000,004,255 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\adv01nt5.dll
[2010/05/04 16:43:38 | 000,003,967 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\adv02nt5.dll
[2010/05/04 16:43:38 | 000,003,775 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\adv11nt5.dll
[2010/05/04 16:43:38 | 000,003,711 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\adv09nt5.dll
[2010/05/04 16:43:38 | 000,003,647 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\adv07nt5.dll
[2010/05/04 16:43:38 | 000,003,615 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\adv05nt5.dll
[2010/05/04 16:43:38 | 000,003,135 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\adv08nt5.dll
[2010/05/04 16:43:37 | 000,701,440 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati2mtag.sys
[2010/05/04 16:43:37 | 000,327,040 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati2mtaa.sys
[2010/05/04 16:43:37 | 000,104,960 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinrvxx.sys
[2010/05/04 16:43:37 | 000,073,216 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atintuxx.sys
[2010/05/04 16:43:37 | 000,063,663 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1rvxx.sys
[2010/05/04 16:43:37 | 000,063,488 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinxsxx.sys
[2010/05/04 16:43:37 | 000,057,856 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinbtxx.sys
[2010/05/04 16:43:37 | 000,056,623 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1btxx.sys
[2010/05/04 16:43:37 | 000,052,224 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinraxx.sys
[2010/05/04 16:43:37 | 000,043,008 | ---- | C] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\System32\drivers\amdagp.sys
[2010/05/04 16:43:37 | 000,036,463 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1tuxx.sys
[2010/05/04 16:43:37 | 000,034,735 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1xsxx.sys
[2010/05/04 16:43:37 | 000,031,744 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinxbxx.sys
[2010/05/04 16:43:37 | 000,030,671 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1raxx.sys
[2010/05/04 16:43:37 | 000,029,455 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1xbxx.sys
[2010/05/04 16:43:37 | 000,028,672 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinsnxx.sys
[2010/05/04 16:43:37 | 000,026,367 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1snxx.sys
[2010/05/04 16:43:37 | 000,025,471 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\atv04nt5.dll
[2010/05/04 16:43:37 | 000,021,343 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1ttxx.sys
[2010/05/04 16:43:37 | 000,021,183 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\atv01nt5.dll
[2010/05/04 16:43:37 | 000,017,279 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\atv10nt5.dll
[2010/05/04 16:43:37 | 000,014,336 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinpdxx.sys
[2010/05/04 16:43:37 | 000,014,143 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\atv06nt5.dll
[2010/05/04 16:43:37 | 000,013,824 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinttxx.sys
[2010/05/04 16:43:37 | 000,013,824 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\atinmdxx.sys
[2010/05/04 16:43:37 | 000,012,047 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1pdxx.sys
[2010/05/04 16:43:37 | 000,011,615 | ---- | C] (ATI Technologies Inc.) -- C:\WINDOWS\System32\drivers\ati1mdxx.sys
[2010/05/04 16:43:37 | 000,011,359 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\atv02nt5.dll
[2010/05/04 16:43:36 | 000,144,384 | ---- | C] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\drivers\hdaudbus.sys
[2010/05/04 16:43:36 | 000,036,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\bthprint.sys
[2010/05/04 16:43:36 | 000,015,423 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\ch7xxnt5.dll
[2010/05/04 16:43:35 | 001,309,184 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\mtlstrm.sys
[2010/05/04 16:43:35 | 000,452,736 | ---- | C] (Matrox Graphics Inc.) -- C:\WINDOWS\System32\drivers\mtxparhm.sys
[2010/05/04 16:43:35 | 000,180,360 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\ntmtlfax.sys
[2010/05/04 16:43:35 | 000,166,912 | ---- | C] (S3 Graphics, Inc.) -- C:\WINDOWS\System32\drivers\s3gnbm.sys
[2010/05/04 16:43:35 | 000,129,535 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\slnt7554.sys
[2010/05/04 16:43:35 | 000,126,686 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\mtlmnt5.sys
[2010/05/04 16:43:35 | 000,040,960 | ---- | C] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\System32\drivers\sisagp.sys
[2010/05/04 16:43:35 | 000,030,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\rndismpx.sys
[2010/05/04 16:43:35 | 000,013,776 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\recagent.sys
[2010/05/04 16:43:35 | 000,012,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\mutohpen.sys
[2010/05/04 16:43:35 | 000,003,901 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\siint5.dll
[2010/05/04 16:43:34 | 000,404,990 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\slntamr.sys
[2010/05/04 16:43:34 | 000,095,424 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\slnthal.sys
[2010/05/04 16:43:34 | 000,025,471 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\watv10nt.sys
[2010/05/04 16:43:34 | 000,022,271 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\watv06nt.sys
[2010/05/04 16:43:34 | 000,013,240 | ---- | C] (Smart Link) -- C:\WINDOWS\System32\drivers\slwdmsup.sys
[2010/05/04 16:43:34 | 000,011,935 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\wadv11nt.sys
[2010/05/04 16:43:34 | 000,011,871 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\wadv09nt.sys
[2010/05/04 16:43:34 | 000,011,807 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\wadv07nt.sys
[2010/05/04 16:43:34 | 000,011,325 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\vchnt5.dll
[2010/05/04 16:43:34 | 000,011,295 | ---- | C] (Intel® Corporation) -- C:\WINDOWS\System32\drivers\wadv08nt.sys
[2010/05/04 16:43:34 | 000,005,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\smbali.sys
[2010/05/04 16:40:55 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2010/05/04 16:37:40 | 000,000,000 | ---D | C] -- C:\eaaab0e213ad7479a53d10
[2010/05/03 21:03:47 | 000,162,768 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/05/03 21:03:47 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/05/03 21:03:47 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/05/03 21:03:47 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/05/03 21:03:47 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/05/03 21:03:47 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/05/03 21:03:47 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/05/03 21:03:42 | 000,153,184 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/05/03 21:03:42 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/05/03 21:03:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/05/03 18:19:42 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/03 15:15:50 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/05/03 15:14:40 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/05/03 15:14:40 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/05/03 15:14:40 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/05/03 15:14:40 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/05/03 15:14:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/03 15:12:13 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/02 21:05:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\jrvltdmlb
[2010/05/02 19:57:27 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\user\My Documents\OTL.exe
[2010/05/02 18:14:28 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/05/02 17:57:48 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2010/05/02 17:30:20 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2010/05/02 15:50:05 | 000,000,000 | ---D | C] -- C:\spoolerlogs
[2010/05/02 15:48:37 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/05/02 15:22:03 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2010/05/02 14:52:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/05/02 14:52:34 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/05/02 14:29:42 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/05/02 13:36:35 | 000,000,000 | ---D | C] -- C:\7cf7ddd59f49e35298bed0ee30
[2010/05/01 16:53:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/05/01 16:53:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/30 21:30:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\jarvlvemn
[2010/04/25 21:47:06 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/04/25 21:40:03 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/04/25 21:40:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/04/25 21:26:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\Mozilla
[2010/04/25 21:26:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Mozilla
[2010/04/25 20:01:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/25 20:01:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/25 19:10:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/04/25 19:10:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/04/25 19:05:52 | 000,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\drivers\lbrtfdc.sys
[2010/04/25 19:05:41 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\changer.sys
[2010/04/25 19:04:38 | 000,000,000 | ---D | C] -- C:\Program Files\DivX
[2010/04/25 19:04:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DivX
[2010/04/25 18:09:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Malwarebytes
[2010/04/25 18:09:27 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/25 18:09:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/25 18:09:23 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/25 18:09:23 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/24 16:18:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\Deployment
[2010/04/24 13:28:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\GlarySoft
[2010/04/24 13:18:25 | 000,000,000 | ---D | C] -- C:\Program Files\Glary Utilities
[2010/04/07 09:56:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\CutePDF Writer
[2010/04/07 09:55:26 | 000,000,000 | ---D | C] -- C:\Program Files\GPLGS
[2007/06/19 19:08:01 | 000,033,792 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/04 17:07:46 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/04 17:04:49 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\OTL.exe
[2010/05/04 17:03:44 | 000,525,946 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/04 17:03:44 | 000,444,028 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/04 17:03:44 | 000,071,904 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/04 17:03:10 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2010/05/04 17:02:02 | 000,029,204 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/05/04 17:01:44 | 000,000,336 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize.job
[2010/05/04 17:00:25 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/04 16:59:15 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/04 16:58:44 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/04 16:58:34 | 000,597,352 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/05/04 16:57:52 | 006,553,600 | -H-- | M] () -- C:\Documents and Settings\user\NTUSER.DAT
[2010/05/04 16:57:52 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\user\ntuser.ini
[2010/05/04 16:57:50 | 003,712,656 | -H-- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\IconCache.db
[2010/05/04 16:57:31 | 002,054,644 | ---- | M] () -- C:\WINDOWS\iis6.BAK
[2010/05/04 16:43:23 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/05/04 16:17:51 | 000,001,174 | ---- | M] () -- C:\WINDOWS\System32\.crusader
[2010/05/04 16:15:38 | 000,015,944 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/05/04 08:02:22 | 000,352,856 | ---- | M] () -- C:\Documents and Settings\user\Desktop\T06611-04.tif
[2010/05/04 08:02:17 | 000,595,396 | ---- | M] () -- C:\Documents and Settings\user\Desktop\T06611-03.tif
[2010/05/04 08:02:11 | 000,279,760 | ---- | M] () -- C:\Documents and Settings\user\Desktop\T06611-02.tif
[2010/05/04 08:02:06 | 000,395,664 | ---- | M] () -- C:\Documents and Settings\user\Desktop\T06611-01.tif
[2010/05/04 08:01:50 | 000,455,168 | ---- | M] () -- C:\Documents and Settings\user\Desktop\T06520A03.tif
[2010/05/04 08:01:44 | 000,317,110 | ---- | M] () -- C:\Documents and Settings\user\Desktop\T06520A02.tif
[2010/05/04 08:01:37 | 000,443,548 | ---- | M] () -- C:\Documents and Settings\user\Desktop\T06520A01.tif
[2010/05/04 07:47:23 | 000,064,988 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000003-00000000-00000003-00001102-00000005-10031102}.rfx
[2010/05/04 07:47:23 | 000,054,312 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000003-00000000-00000003-00001102-00000005-10031102}.rfx
[2010/05/04 07:47:23 | 000,054,312 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000003-00000000-00000003-00001102-00000005-10031102}.rfx
[2010/05/04 07:47:23 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2010/05/04 07:47:23 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2010/05/03 21:08:19 | 000,093,440 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\drivers\nvatabus.sys
[2010/05/03 21:03:47 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/05/03 21:03:47 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/05/03 20:53:24 | 000,020,395 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/05/03 20:53:05 | 000,000,666 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/03 20:53:05 | 000,000,279 | RHS- | M] () -- C:\boot.ini
[2010/05/03 20:53:05 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/03 17:56:56 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/03 16:36:44 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/05/02 21:05:22 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/02 18:53:05 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\user\My Documents\gamerssdfsdf.exe
[2010/05/02 17:27:23 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\My Documents\OTL.exe
[2010/05/01 15:50:46 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Microsoft Office Word 2003.lnk
[2010/05/01 01:00:06 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2010/04/30 21:29:35 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/29 09:56:46 | 000,002,495 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Microsoft Office Excel 2003.lnk
[2010/04/27 09:18:03 | 000,000,209 | ---- | M] () -- C:\Boot.bak
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/25 21:47:04 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/04/25 21:26:42 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2010/04/25 21:26:35 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/04/25 19:05:02 | 000,001,178 | -HS- | M] () -- C:\Documents and Settings\user\Local Settings\Application Data\w1vjs2h771
[2010/04/25 19:05:02 | 000,001,178 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\w1vjs2h771
[2010/04/22 07:12:26 | 013,719,807 | ---- | M] () -- C:\Documents and Settings\user\Desktop\South Valley Outdoor, LLC.QBB
[2010/04/17 17:20:29 | 000,002,483 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Microsoft Office PowerPoint 2003.lnk
[2010/04/15 01:08:02 | 000,000,364 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2010/04/14 09:47:23 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/04/14 09:47:03 | 000,153,184 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/04/14 09:35:47 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/04/14 09:35:25 | 000,162,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/04/14 09:31:39 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/04/14 09:31:12 | 000,100,432 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/04/14 09:31:09 | 000,094,800 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/04/14 09:31:01 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/04/14 09:30:45 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/04/05 21:27:28 | 008,201,728 | ---- | M] () -- C:\Documents and Settings\user\Desktop\South Valley Outdoor, LLC.QBX
[2010/04/05 08:28:09 | 000,660,992 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Ross & Kay.QBX
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/04 16:43:37 | 000,064,352 | ---- | C] () -- C:\WINDOWS\System32\drivers\ativmc20.cod
[2010/05/04 16:43:36 | 000,129,045 | ---- | C] () -- C:\WINDOWS\System32\drivers\cxthsfs2.cty
[2010/05/04 16:43:35 | 000,067,866 | ---- | C] () -- C:\WINDOWS\System32\drivers\netwlan5.img
[2010/05/04 16:17:51 | 000,001,174 | ---- | C] () -- C:\WINDOWS\System32\.crusader
[2010/05/04 08:02:21 | 000,352,856 | ---- | C] () -- C:\Documents and Settings\user\Desktop\T06611-04.tif
[2010/05/04 08:02:16 | 000,595,396 | ---- | C] () -- C:\Documents and Settings\user\Desktop\T06611-03.tif
[2010/05/04 08:02:10 | 000,279,760 | ---- | C] () -- C:\Documents and Settings\user\Desktop\T06611-02.tif
[2010/05/04 08:02:05 | 000,395,664 | ---- | C] () -- C:\Documents and Settings\user\Desktop\T06611-01.tif
[2010/05/04 08:01:49 | 000,455,168 | ---- | C] () -- C:\Documents and Settings\user\Desktop\T06520A03.tif
[2010/05/04 08:01:43 | 000,317,110 | ---- | C] () -- C:\Documents and Settings\user\Desktop\T06520A02.tif
[2010/05/04 08:01:37 | 000,443,548 | ---- | C] () -- C:\Documents and Settings\user\Desktop\T06520A01.tif
[2010/05/03 21:03:47 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/05/03 15:15:54 | 000,000,209 | ---- | C] () -- C:\Boot.bak
[2010/05/03 15:15:51 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/05/03 15:14:40 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/05/03 15:14:40 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/05/03 15:14:40 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/05/03 15:14:40 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/05/03 15:14:40 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/05/02 19:57:27 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\user\My Documents\gamerssdfsdf.exe
[2010/05/02 14:54:43 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/04/30 21:29:35 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/30 21:29:26 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/25 21:26:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/04/25 21:26:35 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/04/25 19:05:02 | 000,001,178 | -HS- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\w1vjs2h771
[2010/04/25 19:05:02 | 000,001,178 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\w1vjs2h771
[2010/04/24 13:18:30 | 000,000,336 | ---- | C] () -- C:\WINDOWS\tasks\GlaryInitialize.job
[2010/04/22 07:12:12 | 013,719,807 | ---- | C] () -- C:\Documents and Settings\user\Desktop\South Valley Outdoor, LLC.QBB
[2010/04/07 09:54:49 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2010/04/05 21:27:20 | 008,201,728 | ---- | C] () -- C:\Documents and Settings\user\Desktop\South Valley Outdoor, LLC.QBX
[2010/04/05 08:28:05 | 000,660,992 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Ross & Kay.QBX
[2009/09/23 20:15:15 | 000,000,566 | ---- | C] () -- C:\WINDOWS\System32\SP7302.INI
[2008/11/02 19:08:45 | 000,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2008/04/29 15:17:10 | 000,528,384 | ---- | C] () -- C:\WINDOWS\System32\Tx32.dll
[2008/04/29 15:17:10 | 000,053,760 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll
[2008/04/29 15:17:09 | 000,000,478 | ---- | C] () -- C:\WINDOWS\System32\ic32.ini
[2008/02/25 14:18:26 | 000,000,069 | ---- | C] () -- C:\WINDOWS\ricdb.ini
[2008/02/25 14:18:25 | 000,000,020 | ---- | C] () -- C:\WINDOWS\System32\RPCS.ini
[2007/06/26 09:09:14 | 000,315,392 | ---- | C] () -- C:\WINDOWS\System32\VLMenuRes.dll
[2007/06/26 09:09:14 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\VlUtils.dll
[2007/06/26 09:09:13 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\c1sizerppg.dll
[2007/06/25 10:40:35 | 000,000,128 | ---- | C] () -- C:\WINDOWS\PMJobCli.ini
[2007/06/25 10:40:33 | 000,012,309 | ---- | C] () -- C:\WINDOWS\PMRicMb.ini
[2007/06/25 10:40:33 | 000,007,873 | ---- | C] () -- C:\WINDOWS\PMRicPMb.ini
[2007/06/25 10:40:33 | 000,005,390 | ---- | C] () -- C:\WINDOWS\PMPrtMb.ini
[2007/06/25 10:40:33 | 000,004,644 | ---- | C] () -- C:\WINDOWS\PMRicFMb.ini
[2007/06/25 10:40:33 | 000,003,149 | ---- | C] () -- C:\WINDOWS\PMDvPrn.ini
[2007/06/25 10:40:33 | 000,002,102 | ---- | C] () -- C:\WINDOWS\PMDvDev.ini
[2007/06/25 10:40:33 | 000,002,047 | ---- | C] () -- C:\WINDOWS\PMDIOMb.ini
[2007/06/25 10:40:33 | 000,002,036 | ---- | C] () -- C:\WINDOWS\PMHostMb.ini
[2007/06/25 10:40:33 | 000,001,885 | ---- | C] () -- C:\WINDOWS\PMPSIOMb.ini
[2007/06/25 10:40:33 | 000,001,727 | ---- | C] () -- C:\WINDOWS\PMRicSMb.ini
[2007/06/25 10:40:33 | 000,001,706 | ---- | C] () -- C:\WINDOWS\PMRicCMb.ini
[2007/06/25 10:40:33 | 000,001,494 | ---- | C] () -- C:\WINDOWS\PMMib2Mb.ini
[2007/06/25 10:40:33 | 000,001,168 | ---- | C] () -- C:\WINDOWS\PMDvFax.ini
[2007/06/25 10:40:33 | 000,001,143 | ---- | C] () -- C:\WINDOWS\PMDPIMb.ini
[2007/06/25 10:40:33 | 000,001,094 | ---- | C] () -- C:\WINDOWS\PMAxsMb.ini
[2007/06/25 10:40:33 | 000,000,842 | ---- | C] () -- C:\WINDOWS\PMDvScan.ini
[2007/06/25 10:40:33 | 000,000,423 | ---- | C] () -- C:\WINDOWS\PMDvCopy.ini
[2007/06/25 10:40:33 | 000,000,332 | ---- | C] () -- C:\WINDOWS\PMSnmpMb.ini
[2007/06/25 10:40:32 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\rpnv2ui.dll
[2007/06/25 10:40:32 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\rtcpf.dll
[2007/06/25 10:40:32 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\RLPR.dll
[2007/06/25 10:40:29 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\PMObservps.dll
[2007/06/25 10:05:28 | 000,051,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2007/06/19 23:37:53 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/06/19 19:08:03 | 000,038,400 | ---- | C] () -- C:\WINDOWS\System32\CTBURST.DLL
[2007/06/19 19:08:01 | 000,000,194 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2007/06/19 19:07:20 | 000,000,055 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2007/06/19 19:07:19 | 000,049,274 | ---- | C] () -- C:\WINDOWS\System32\claptn32.ini
[2005/08/05 14:01:54 | 000,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/08/26 11:53:14 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\MXONmSpace.dll
[2004/08/26 11:49:52 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\MXONmSpMFC.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Custom Scans ==========



< MD5 for: ATAPI.SYS >
[2004/08/10 04:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/10 04:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/10 04:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ERDNT\cache\atapi.sys

< MD5 for: DISK.SYS >
[2004/08/10 04:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:disk.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:disk.sys
[2004/08/10 04:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=00CA44E4534865F8A3B64F7C0984BFF0 -- C:\WINDOWS\$NtServicePackUninstall$\disk.sys
[2008/04/14 00:10:48 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\ServicePackFiles\i386\disk.sys
[2008/04/13 11:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\disk.sys
[2008/04/14 00:10:48 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: NTKRNLPA.EXE >
[2004/08/10 04:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:ntkrnlpa.exe
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:ntkrnlpa.exe
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:ntkrnlpa.exe
[2008/04/14 00:01:22 | 002,065,792 | ---- | M] (Microsoft Corporation) MD5=109F8E3E3C82E337BB71B6BC9B895D61 -- C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
[2008/04/13 11:31:21 | 002,065,792 | ---- | M] (Microsoft Corporation) MD5=109F8E3E3C82E337BB71B6BC9B895D61 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntkrnlpa.exe
[2010/02/17 11:57:54 | 002,063,744 | ---- | M] (Microsoft Corporation) MD5=1811AFC2FADB60B88947E3D08E250860 -- C:\WINDOWS\$hf_mig$\KB979683\SP2QFE\ntkrnlpa.exe
[2010/02/17 11:57:54 | 002,063,744 | ---- | M] (Microsoft Corporation) MD5=1811AFC2FADB60B88947E3D08E250860 -- C:\WINDOWS\SoftwareDistribution\Download\9d21500a4aa475547c4a2420fee1c623\SP2QFE\ntkrnlpa.exe
[2010/02/16 05:39:04 | 002,058,368 | ---- | M] (Microsoft Corporation) MD5=1EE6B94ACA7BE115A1813BBCA65099A8 -- C:\WINDOWS\SoftwareDistribution\Download\9d21500a4aa475547c4a2420fee1c623\SP2GDR\ntkrnlpa.exe
[2010/02/16 05:39:04 | 002,016,768 | ---- | M] (Microsoft Corporation) MD5=26A901A1840E9E46FFFC6D09B9618CDF -- C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
[2010/02/16 05:39:04 | 002,016,768 | ---- | M] (Microsoft Corporation) MD5=26A901A1840E9E46FFFC6D09B9618CDF -- C:\WINDOWS\ERDNT\cache\ntkrnlpa.exe
[2009/08/04 18:47:50 | 002,066,176 | ---- | M] (Microsoft Corporation) MD5=363B2BBEE0AEDC9E5433616D0AD0236A -- C:\WINDOWS\$hf_mig$\KB971486\SP3QFE\ntkrnlpa.exe
[2005/03/01 17:34:42 | 002,015,232 | ---- | M] (Microsoft Corporation) MD5=3CD941E472DDF3534E53038535719771 -- C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
[2008/08/14 02:33:16 | 002,066,048 | ---- | M] (Microsoft Corporation) MD5=4AC58F03EB94A72809949D757FC39D80 -- C:\WINDOWS\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
[2007/02/28 02:15:56 | 002,059,392 | ---- | M] (Microsoft Corporation) MD5=4D3DBDCCBF97F5BA1E74F322B155C3BA -- C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
[2009/12/08 11:19:32 | 002,015,744 | ---- | M] (Microsoft Corporation) MD5=5B542B9C2D8D613CE7D24563926F3411 -- C:\WINDOWS\$NtUninstallKB979683$\ntkrnlpa.exe
[2009/02/07 19:02:58 | 002,066,048 | ---- | M] (Microsoft Corporation) MD5=5BA7F2141BC6DB06100D0E5A732C617A -- C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\ntkrnlpa.exe
[2009/02/06 03:30:40 | 002,066,176 | ---- | M] (Microsoft Corporation) MD5=607352B9CB3D708C67F6039097801B5A -- C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[2008/08/14 02:18:44 | 002,062,976 | ---- | M] (Microsoft Corporation) MD5=63EC865DFF6CCFC7BEF94B5C50297CAD -- C:\WINDOWS\$hf_mig$\KB956841\SP2QFE\ntkrnlpa.exe
[2009/02/06 03:32:56 | 002,023,936 | ---- | M] (Microsoft Corporation) MD5=65D4220799E6FC2CB079070A6393CC0E -- C:\WINDOWS\$NtUninstallKB971486$\ntkrnlpa.exe
[2009/08/04 07:20:08 | 002,066,048 | ---- | M] (Microsoft Corporation) MD5=7437BA6F538E89381A2E3643AED296C7 -- C:\WINDOWS\$hf_mig$\KB971486\SP3GDR\ntkrnlpa.exe
[2008/04/14 00:01:22 | 002,023,936 | ---- | M] (Microsoft Corporation) MD5=7F653A89F6E89E3AE0D49830EECE35D4 -- C:\WINDOWS\$NtUninstallKB956572$\ntkrnlpa.exe
[2009/08/04 05:02:00 | 002,062,976 | ---- | M] (Microsoft Corporation) MD5=97E912E94CCED4064F5DEEE5C25A9278 -- C:\WINDOWS\$hf_mig$\KB971486\SP2QFE\ntkrnlpa.exe
[2009/02/06 02:49:25 | 002,062,976 | ---- | M] (Microsoft Corporation) MD5=9D832AF3FD1917DB0E1E8B2F000A2E3A -- C:\WINDOWS\$hf_mig$\KB956572\SP2QFE\ntkrnlpa.exe
[2010/02/16 06:25:04 | 002,066,816 | ---- | M] (Microsoft Corporation) MD5=A046C627EC20456E2959B7BD628E1FD0 -- C:\WINDOWS\$hf_mig$\KB979683\SP3GDR\ntkrnlpa.exe
[2010/02/16 06:25:04 | 002,066,816 | ---- | M] (Microsoft Corporation) MD5=A046C627EC20456E2959B7BD628E1FD0 -- C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
[2010/02/16 06:25:04 | 002,066,816 | ---- | M] (Microsoft Corporation) MD5=A046C627EC20456E2959B7BD628E1FD0 -- C:\WINDOWS\SoftwareDistribution\Download\9d21500a4aa475547c4a2420fee1c623\SP3GDR\ntkrnlpa.exe
[2010/02/16 06:25:04 | 002,066,816 | ---- | M] (Microsoft Corporation) MD5=A046C627EC20456E2959B7BD628E1FD0 -- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
[2008/08/14 15:39:46 | 002,066,048 | ---- | M] (Microsoft Corporation) MD5=A25E9B86EFFB2AF33BF51E676B68BFB0 -- C:\WINDOWS\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[2007/02/28 01:38:57 | 002,015,744 | ---- | M] (Microsoft Corporation) MD5=A58AC1C6199EF34228ABEE7FC057AE09 -- C:\WINDOWS\$NtUninstallKB956841_0$\ntkrnlpa.exe
[2009/12/08 11:43:50 | 002,066,048 | ---- | M] (Microsoft Corporation) MD5=A6683E23468776F75EB2D8C6A02AAD3B -- C:\WINDOWS\$hf_mig$\KB977165\SP3GDR\ntkrnlpa.exe
[2009/02/06 09:49:02 | 002,015,744 | ---- | M] (Microsoft Corporation) MD5=B238AB60093BABFE76AEC8F34B4D399D -- C:\WINDOWS\$NtUninstallKB971486_0$\ntkrnlpa.exe
[2009/12/08 10:35:22 | 002,063,104 | ---- | M] (Microsoft Corporation) MD5=BC123D9238A0C9BB3D853E407EE77254 -- C:\WINDOWS\$hf_mig$\KB977165\SP2QFE\ntkrnlpa.exe
[2005/03/01 17:36:40 | 002,056,832 | ---- | M] (Microsoft Corporation) MD5=D8ABA3EAB509627E707A3B14F00FBB6B -- C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[2008/08/14 02:22:14 | 002,015,744 | ---- | M] (Microsoft Corporation) MD5=DC097A896A03B8277457D228FD12D4E6 -- C:\WINDOWS\$NtUninstallKB956572_0$\ntkrnlpa.exe
[2010/02/16 05:12:52 | 002,066,944 | ---- | M] (Microsoft Corporation) MD5=DED8B5A89B085284634502E9D75AC78C -- C:\WINDOWS\$hf_mig$\KB979683\SP3QFE\ntkrnlpa.exe
[2010/02/16 05:12:52 | 002,066,944 | ---- | M] (Microsoft Corporation) MD5=DED8B5A89B085284634502E9D75AC78C -- C:\WINDOWS\SoftwareDistribution\Download\9d21500a4aa475547c4a2420fee1c623\SP3QFE\ntkrnlpa.exe
[2009/08/04 06:13:35 | 002,015,744 | ---- | M] (Microsoft Corporation) MD5=E832C72D32FA117CB0D033C5EA95B58F -- C:\WINDOWS\$NtUninstallKB977165$\ntkrnlpa.exe
[2010/02/16 06:25:04 | 002,024,448 | ---- | M] (Microsoft Corporation) MD5=E8B8801DE921912EBDEEFC76662F7EAD -- C:\WINDOWS\system32\ntkrnlpa.exe
[2004/08/10 04:00:00 | 002,015,232 | ---- | M] (Microsoft Corporation) MD5=FB142B7007CA2EEA76966C6C5CC12150 -- C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
[2009/12/09 00:10:32 | 002,066,176 | ---- | M] (Microsoft Corporation) MD5=FFDCE1EEA79C678C40237D4E031E5B51 -- C:\WINDOWS\$hf_mig$\KB977165\SP3QFE\ntkrnlpa.exe

< MD5 for: NVATABUS.SYS >
[2005/07/20 01:59:26 | 000,093,440 | ---- | M] (NVIDIA Corporation) MD5=52B64661469FA11E51C006099B251FA7 -- C:\drivers\storage\SATA\onboard\nvatabus.sys
[2005/07/19 21:59:26 | 000,093,440 | ---- | M] (NVIDIA Corporation) MD5=52B64661469FA11E51C006099B251FA7 -- C:\WINDOWS\dell\nvraid\NvAtaBus.sys
[2010/05/03 21:08:19 | 000,093,440 | ---- | M] (NVIDIA Corporation) MD5=52B64661469FA11E51C006099B251FA7 -- C:\WINDOWS\system32\drivers\nvatabus.sys

========== Files - Unicode (All) ==========
[2008/10/06 15:52:10 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\?ystem32) -- C:\Documents and Settings\user\My Documents\ѕystem32
[2008/10/06 15:52:10 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\?ymbols) -- C:\Documents and Settings\user\My Documents\ѕymbols
[2008/10/06 15:52:10 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\?racle) -- C:\Documents and Settings\user\My Documents\Оracle
[2008/10/06 15:52:10 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\?racle) -- C:\Documents and Settings\user\My Documents\Οracle
[2008/10/06 15:52:10 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\?ppPatch) -- C:\Documents and Settings\user\My Documents\ΑppPatch
[2008/10/06 15:52:10 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\?icrosoft.NET) -- C:\Documents and Settings\user\My Documents\Мicrosoft.NET
[2008/10/06 15:52:10 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\?ecurity) -- C:\Documents and Settings\user\My Documents\ѕecurity
[2008/10/06 15:52:10 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\?dobe) -- C:\Documents and Settings\user\My Documents\Аdobe
[2008/10/06 15:52:10 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\??stem32) -- C:\Documents and Settings\user\My Documents\ѕуstem32
[2008/10/06 15:52:10 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\??sks) -- C:\Documents and Settings\user\My Documents\Таsks
[2008/10/06 15:52:10 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\??pPatch) -- C:\Documents and Settings\user\My Documents\АрpPatch
[2008/10/06 15:52:10 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\??curity) -- C:\Documents and Settings\user\My Documents\ѕеcurity
[2008/10/06 15:52:10 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\??crosoft.NET) -- C:\Documents and Settings\user\My Documents\Μіcrosoft.NET
[2008/10/06 15:52:10 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\?ystem32) -- C:\Documents and Settings\user\My Documents\ѕystem32
[2008/10/06 15:52:10 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\?ymbols) -- C:\Documents and Settings\user\My Documents\ѕymbols
[2008/10/06 15:52:10 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\?racle) -- C:\Documents and Settings\user\My Documents\Оracle
[2008/10/06 15:52:10 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\?racle) -- C:\Documents and Settings\user\My Documents\Οracle
[2008/10/06 15:52:10 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\?ppPatch) -- C:\Documents and Settings\user\My Documents\ΑppPatch
[2008/10/06 15:52:10 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\?icrosoft.NET) -- C:\Documents and Settings\user\My Documents\Мicrosoft.NET
[2008/10/06 15:52:10 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\?ecurity) -- C:\Documents and Settings\user\My Documents\ѕecurity
[2008/10/06 15:52:10 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\?dobe) -- C:\Documents and Settings\user\My Documents\Аdobe
[2008/10/06 15:52:10 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\??stem32) -- C:\Documents and Settings\user\My Documents\ѕуstem32
[2008/10/06 15:52:10 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\??sks) -- C:\Documents and Settings\user\My Documents\Таsks
[2008/10/06 15:52:10 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\??pPatch) -- C:\Documents and Settings\user\My Documents\АрpPatch
[2008/10/06 15:52:10 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\??curity) -- C:\Documents and Settings\user\My Documents\ѕеcurity
[2008/10/06 15:52:10 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\??crosoft.NET) -- C:\Documents and Settings\user\My Documents\Μіcrosoft.NET
[2008/10/06 15:52:09 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\W?nSxS) -- C:\Documents and Settings\user\My Documents\WіnSxS
[2008/10/06 15:52:09 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\T?sks) -- C:\Documents and Settings\user\My Documents\Tаsks
[2008/10/06 15:52:09 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\W?nSxS) -- C:\Documents and Settings\user\My Documents\WіnSxS
[2008/10/06 15:52:09 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\T?sks) -- C:\Documents and Settings\user\My Documents\Tаsks
[2008/10/06 15:52:03 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\s?stem32) -- C:\Documents and Settings\user\My Documents\sуstem32
[2008/10/06 15:52:03 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\s?stem) -- C:\Documents and Settings\user\My Documents\sуstem
[2008/10/06 15:52:03 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\s?stem32) -- C:\Documents and Settings\user\My Documents\sуstem32
[2008/10/06 15:52:03 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\s?stem) -- C:\Documents and Settings\user\My Documents\sуstem
[2008/10/06 15:49:48 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\M?crosoft) -- C:\Documents and Settings\user\My Documents\Mіcrosoft
[2008/10/06 15:49:48 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\M?crosoft) -- C:\Documents and Settings\user\My Documents\Mіcrosoft
[2008/10/06 15:49:00 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\F?nts) -- C:\Documents and Settings\user\My Documents\Fоnts
[2008/10/06 15:49:00 | 000,000,000 | ---D | M](C:\Documents and Settings\user\My Documents\F?nts) -- C:\Documents and Settings\user\My Documents\Fοnts
[2008/10/06 15:49:00 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\F?nts) -- C:\Documents and Settings\user\My Documents\Fоnts
[2008/10/06 15:49:00 | 000,000,000 | ---D | C](C:\Documents and Settings\user\My Documents\F?nts) -- C:\Documents and Settings\user\My Documents\Fοnts

========== Alternate Data Streams ==========

@Alternate Data Stream - 107 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C7F04040
< End of report >
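The OTL log above lists folders under My Documents whose names imitate Windows system folders (sуstem32, Fοnts, Mіcrosoft, Таsks) using Cyrillic and Greek letters that look like Latin ones; the "?" in OTL's short form is where a non-ASCII character sits. As an added example that is not part of this thread and not OTL's own code, the Python script below flags such names with two checks: letters from more than one script in one name, and a name that turns into a plain ASCII name once known lookalike letters are swapped out. The sample OTL lines and the confusables table are constructed for the example; the table covers only the lookalikes seen in the log plus a few common ones, not the full Unicode confusables list.

```python
import unicodedata

# Constructed sample OTL lines modelled on the log above; the lookalike
# letters are written as escapes so they are unambiguous in source.
OTL_LINES = [
    "[2008/10/06 15:52:03 | 000,000,000 | ---D | C](C:\\Documents and Settings\\user\\My Documents\\s?stem32)"
    " -- C:\\Documents and Settings\\user\\My Documents\\s\u0443stem32",          # Cyrillic u for 'y'
    "[2008/10/06 15:49:00 | 000,000,000 | ---D | M](C:\\Documents and Settings\\user\\My Documents\\F?nts)"
    " -- C:\\Documents and Settings\\user\\My Documents\\F\u03bfnts",             # Greek omicron for 'o'
    "[2008/10/06 15:52:10 | 000,000,000 | ---D | C](C:\\Documents and Settings\\user\\My Documents\\??stem32)"
    " -- C:\\Documents and Settings\\user\\My Documents\\\u0455\u0443stem32",     # Cyrillic dze + u
    "[2010/01/01 10:00:00 | 000,000,000 | ---D | C](C:\\Documents and Settings\\user\\My Documents\\Projects)"
    " -- C:\\Documents and Settings\\user\\My Documents\\Projects",               # ordinary ASCII name
]

# Small table of Cyrillic/Greek letters that render like Latin ones; enough to
# "de-spoof" the names in the log, not an exhaustive confusables list.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u03bf": "o", "\u03b1": "a", "\u039c": "M", "\u0391": "A",
}


def script_of(ch):
    """Coarse script of a letter taken from its Unicode name ('LATIN', 'CYRILLIC', ...); None for non-letters."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def skeleton(name):
    """Replace known lookalike letters with the ASCII letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def analyze(name):
    """Classify one file or folder name.

    Flagged when its letters come from more than one script, or when swapping
    known lookalikes turns it into a plain ASCII name (i.e. it imitates one).
    Single-script non-ASCII names such as 'Résumé' are left alone.
    """
    scripts = sorted({s for s in map(script_of, name) if s})
    looks_like = skeleton(name)
    mixed = len(scripts) > 1
    imitates_ascii = looks_like != name and looks_like.isascii()
    return {
        "name": name,
        "scripts": scripts,
        "mixed_script": mixed,
        "looks_like": looks_like,
        "suspicious": mixed or imitates_ascii,
    }


def leaf_name_from_otl_line(line):
    """Take the real path after ' -- ' on an OTL file line and return its last component."""
    path = line.rsplit(" -- ", 1)[-1].strip()
    return path.rsplit("\\", 1)[-1]


def scan_otl_lines(lines):
    """Return the analysis record for every line whose leaf name is suspicious."""
    hits = []
    for line in lines:
        if " -- " not in line:
            continue
        rec = analyze(leaf_name_from_otl_line(line))
        if rec["suspicious"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in scan_otl_lines(OTL_LINES):
        print(f"{rec['name']!r}: scripts={rec['scripts']} looks like {rec['looks_like']!r}")
```

The same two checks can be run over a real directory listing (`os.scandir`) rather than log lines; the point of keying on the Unicode character name is that it needs no external confusables database, while the small table turns a flagged name into the ASCII name it was built to resemble, which is what a responder wants to see next to the hit.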

#8
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello gmac73,

I see two anti-virus programs running on your machine.

Running two or more real-time anti-virus, anti-spyware and firewall monitors at the same time can cause a conflict. That conflict can result in slow computer performance, error messages, crashes of the programs or other types of failure. You will very likely end up with little or no protection.

Please uninstall Avast or McAfee. If either of them is a paid for version then I would keep that one, if they are free for home use then I would retain Avast and remove McAfee.

After that

Please see if you can run ComboFix in normal mode (ensure you disable your anti-malware programs including your Comodo firewall); if not run in Safe Mode again and post the contents of the log back here.

#9
gmac73

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Here is the ComboFix Report. I had disabled McAfee but hadn't uninstalled it yet, so I went ahead and did that and kept Avast! Thanks!

ComboFix 10-05-05.04 - Kay M. McClintock 05/05/2010 15:31:43.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1669 [GMT -7:00]
Running from: c:\documents and settings\user\desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-04-05 to 2010-05-05 )))))))))))))))))))))))))))))))
.

2010-05-04 23:43 . 2008-04-14 12:41 4255 ------w- c:\windows\system32\drivers\adv01nt5.dll
2010-05-04 23:37 . 2010-05-04 23:38 -------- d-----w- C:\eaaab0e213ad7479a53d10
2010-05-04 04:03 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-04 04:03 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-04 04:03 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-04 04:03 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-04 04:03 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-04 04:03 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-04 04:03 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-04 04:03 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-04 04:03 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-04 04:03 . 2010-05-04 04:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-03 04:05 . 2010-05-03 04:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\jrvltdmlb
2010-05-03 00:30 . 2010-05-03 00:30 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-05-02 22:50 . 2010-05-02 22:50 -------- d-----w- C:\spoolerlogs
2010-05-02 22:48 . 2010-05-03 00:35 -------- d-----w- c:\program files\Trend Micro
2010-05-02 22:32 . 2010-05-02 22:32 6153352 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-05-02 22:22 . 2010-05-02 22:22 -------- d-----w- c:\program files\VS Revo Group
2010-05-02 21:54 . 2010-05-04 23:15 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-02 21:52 . 2010-05-02 22:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-02 21:29 . 2010-05-02 22:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-02 20:36 . 2010-05-02 21:45 -------- d-----w- C:\7cf7ddd59f49e35298bed0ee30
2010-05-01 23:53 . 2010-05-01 23:53 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-01 04:30 . 2010-05-01 04:30 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\jarvlvemn
2010-05-01 04:29 . 2010-05-01 04:29 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-05-01 04:29 . 2010-05-03 04:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-26 04:47 . 2010-04-26 04:47 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-26 04:40 . 2010-05-02 22:28 -------- d-----w- c:\program files\Lavasoft
2010-04-26 04:40 . 2010-04-26 04:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-26 04:26 . 2010-04-26 04:26 0 ----a-w- c:\windows\nsreg.dat
2010-04-26 04:26 . 2010-04-26 04:26 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Mozilla
2010-04-26 02:05 . 2008-04-14 07:10 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-26 02:05 . 2008-04-14 07:11 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-04-26 02:05 . 2008-04-14 07:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-04-26 02:04 . 2010-04-26 02:04 -------- d-----w- c:\program files\DivX
2010-04-26 02:04 . 2010-04-26 02:06 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-04-26 01:09 . 2010-04-26 01:09 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2010-04-26 01:09 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-26 01:09 . 2010-04-26 01:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-26 01:09 . 2010-05-02 22:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-26 01:09 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 23:18 . 2010-04-24 23:18 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Deployment
2010-04-24 20:28 . 2010-04-24 20:28 -------- d-----w- c:\documents and settings\user\Application Data\GlarySoft
2010-04-24 20:18 . 2010-05-05 00:33 -------- d-----w- c:\program files\Glary Utilities
2010-04-07 16:56 . 2010-04-07 21:23 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\CutePDF Writer
2010-04-07 16:55 . 2010-04-07 16:55 -------- d-----w- c:\program files\GPLGS
2010-04-07 16:54 . 2009-11-05 15:39 87552 ----a-w- c:\windows\system32\cpwmon2k.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-05 00:29 . 2007-06-20 08:29 131336 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-05 00:28 . 2007-06-20 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-05-04 23:47 . 2007-06-20 01:46 87747 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-05-04 04:08 . 2005-07-20 04:59 93440 ----a-w- c:\windows\system32\drivers\nvatabus.sys
2010-05-04 04:03 . 2007-12-21 20:15 -------- d-----w- c:\program files\Alwil Software
2010-05-04 00:47 . 2009-09-24 03:35 -------- d-----w- c:\documents and settings\user\Application Data\Skype
2010-05-02 22:09 . 2007-12-21 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-02 20:15 . 2009-09-24 03:36 -------- d-----w- c:\documents and settings\user\Application Data\skypePM
2010-04-24 23:19 . 2007-06-20 01:56 -------- d-----w- c:\program files\GemMaster
2010-04-07 16:54 . 2007-06-27 16:27 -------- d-----w- c:\program files\Acro Software
2010-03-22 16:10 . 2009-05-18 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\RetroExp
2010-03-11 12:38 . 2004-08-10 11:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-10 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-10 11:00 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-10 11:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2004-08-10 11:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-16 14:08 . 2004-08-10 11:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-10 11:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-10 11:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-11 01:44 . 2010-02-11 01:44 726008 ----a-w- c:\documents and settings\user\gotomypc_437.exe
2010-02-07 19:45 . 2009-08-30 19:28 131336 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Blue]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2008-08-18 16:51 527304 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2008-08-18 16:51 527304 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Blue]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2008-08-18 16:51 527304 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Red]
@="{01CCCC8C-1D50-4b13-B96D-4B922DD3128B}"
[HKEY_CLASSES_ROOT\CLSID\{01CCCC8C-1D50-4b13-B96D-4B922DD3128B}]
2008-08-18 16:51 527304 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2008-08-18 16:51 527304 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-09 7110656]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 08:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Carbonite Backup]
2008-08-18 16:51 600008 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-05-05 00:25 136176 ----atw- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoToMyPC]
2007-01-13 00:45 249904 ----a-w- c:\program files\Citrix\GoToMyPC\g2svc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 04:34 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]
2004-08-31 16:23 823296 ----a-w- c:\progra~1\Maxtor\OneTouch\Utils\OneTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Default Manager]
2009-02-03 20:05 233304 ----a-w- c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MplSetUp]
2005-06-01 08:59 40960 ----a-w- c:\program files\RDS\RMClient\MplSetUp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MXOBG]
2003-10-10 18:23 94208 ----a-w- c:\windows\MXOALDR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2005-07-09 05:57 7110656 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PAC7302_Monitor]
2006-11-03 18:01 319488 ----a-w- c:\windows\Pixart\Pac7302\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RetroExpress]
2004-07-30 22:47 6946816 ----a-w- c:\progra~1\Dantz\RETROS~1\RetroExpress.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-09 04:57 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-05-03 20:45 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"MpfService"=2 (0x2)
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"McProxy"=2 (0x2)
"McODS"=3 (0x3)
"McNASvc"=2 (0x2)
"mcmscsvc"=2 (0x2)
"McAfee SiteAdvisor Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/3/2010 9:03 PM 162768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/3/2010 9:03 PM 19024]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\adm8511.sys [6/19/2007 7:04 PM 20160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-05-05 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-04-24 04:36]

2010-05-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-583907252-1958367476-725345543-1003Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-05 00:25]

2010-05-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-583907252-1958367476-725345543-1003UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-05 00:25]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUzed004YYUS_ZZzer000&fl=0&ptb=h8MSSKhGNlqqgJODwSNzxg&url=http://www.ask.com/web&q={searchTerms}&l=zu&o=sb
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://pro.realquest.com/mapviewer/mapviewer.cab
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\94bev22h.default\
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-05 15:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-05-05 15:38:32
ComboFix-quarantined-files.txt 2010-05-05 22:38
ComboFix2.txt 2010-05-04 01:02

Pre-Run: 461,119,590,400 bytes free
Post-Run: 461,095,653,376 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 1D0837A3160F0B032426BA81B53E024A

#10
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello gmac73,

You have used Malwarebytes before. If you still have it on your machine please update and run. Post the scan report back here.

If you no longer have Malwarebytes please download from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Next

Kaspersky on line scanner is very thorough. It can take a long time and for periods may seem not to be working. Just be patient and let it do its job.

Kaspersky works with Internet Explorer and Firefox 3.

Go to Kaspersky website and perform an online antivirus scan.

Note: you will need to turn off your security programs to allow Kaspersky to do its job.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Copy and paste that information in your next post.

So when you return please post
  • MBAM log
  • Kaspersky scan results
  • and tell me how your computer is performing now


#11
gmac73

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
MBAM:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4072

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

5/6/2010 9:58:17 AM
mbam-log-2010-05-06 (09-58-17).txt

Scan type: Quick scan
Objects scanned: 138488
Time elapsed: 5 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Kaspersky:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, May 6, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, May 06, 2010 13:22:20
Records in database: 4065738
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\
H:\
K:\

Scan statistics:
Objects scanned: 81675
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 01:25:46


File name / Threat / Threats count
C:\Program Files\AeVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1

Selected area has been scanned.


The computer seems to be running great, I searched that one thing Kaspersky picked up, and it says it is released by AT&T which is the ISP my parents have. This is my parents system, I just got home from school for the summer, but it is running faster than it has in a long while and the redirect is no longer happening. I ran TDSSkiller again to see if it picked anything up, and it said that it was gone.

#12
emeraldnzl

    GeekU Instructor

  • GeekU Moderator
  • 20,051 posts
Hello gmac73,

I think this machine is clean. The only one found by Kaspersky is a false positive.

I ran TDSSkiller again to see if it picked anything up, and it said that it was gone.


I wouldn't run that any more. You should remove it from the computer. These tools are powerful and they date very quickly. You can do damage to your machine by running obsolete anti-malware programs.

Now

We have a couple of last steps to perform and then you're all set.

Follow these steps to uninstall Combofix and tools used in the removal of malware. This will also clean out and reset your Restore Points.
  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
Step 2
  • Double-click OTL.exe to run it. (Vista users, please right click on OTL.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

MBAM can be uninstalled via control panel add/remove but it may be a useful tool to keep. Erunt can also be uninstalled via the add/remove programs utility, for some though, it may be a useful backup program to hold on to. TDSSkiller folders/files can be removed.

-------------------------------------------------------------------------------------------------------------------

A reminder: Remember to turn back on any anti-malware programs you may have turned off during the cleaning process.

-------------------------------------------------------------------------------------------------------------------

Now that your machine is clean here are some things that I think are worth having a look at if you don't already know about them:

---------------------------------------------------------------------------------------------------------------------

Regularly check that your Java is up to date. Older versions are vulnerable to malicious attack.
  • Download from here Java Runtime Environment (JDK) Update
  • Scroll to where it says "Windows XP/Vista/2000/2003/2008 online" and download and follow the instructions to install.

    Reboot your computer.
    You also need to uninstall older versions of Java.

  • Click Start > Control Panel > Add or Remove Programs
  • Remove all Java updates except the latest one you have just installed.
--------------------------------------------------------------------------------------------------------------------

Be sure and give the Temp folders a cleaning out now and then. This helps with security and your computer will run more efficiently. I clean mine once a week.

For ease of use, you might consider the following free program:

--------------------------------------------------------------------------------------------------------------------

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* Consider using an alternate browser.

Opera may be downloaded from here. It is one of the least targeted of all browsers.

Avant may be downloaded from here. Another one that is less well known.

Firefox may be downloaded from here. I use Firefox because I like it. It used to be one of the safest but is now targeted probably as much as IE.

Adblock Plus is a good Add-on for Firefox that helps prevent those annoying pop ups.
-----------------------------------------------------------------------------------------------------------------------

Startuplite is a tool to help you stop some programs not needed when you start your computer from loading. They will begin automatically only when needed.

-----------------------------------------------------------------------------------------------------------------------

To help protect your computer in the future here are some free programs you can look at:

  • It is recommended that you do set Windows to check, download and install your updates automatically.

    * Click Start > Control Panel > Automatic Updates
    * Set the day and time for the update check. Set this to a time when your computer will normally be on and connected to the internet.
    * Click Apply then OK.

    And to keep your system clean, consider choosing from these free-for-home-use malware scanners, and update and run them weekly.
  • Malwarebytes
  • SuperAntiSpyWare

Be aware of what emails you open and websites you visit.

Go here for some good advice about how to prevent infection.

Have a safe and happy computing day!
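The reply above asks for two manual checks: that the Internet zone's ActiveX options are set to Prompt/Prompt/Disable in Inetcpl.cpl, and that only the newest Java version remains in Add or Remove Programs. The following PowerShell script is an added example, not part of the original post or of any tool mentioned in it; it only reads the registry and reports, it changes nothing. It assumes the Internet zone is subkey "3" under the Zones key and that the value names 1001 (Download signed ActiveX controls), 1004 (Download unsigned ActiveX controls) and 1201 (Initialize and script ActiveX controls not marked as safe) use 0 = Enable, 1 = Prompt, 3 = Disable; confirm those against your own Inetcpl.cpl dialog before relying on the result.

```powershell
# Added example (not from the original post): read-only audit of the Internet
# zone ActiveX settings and of installed Java runtimes.
# Assumption: zone 3 = Internet zone; value names and 0/1/3 meanings as above.

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended values from the reply: Prompt, Prompt, Disable.
$expected = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 1 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
}
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-SettingLabel($value) {
    if ($value -eq $null) { return '(not set, inherits default)' }
    if ($labels.ContainsKey([int]$value)) { return $labels[[int]$value] }
    return "unknown ($value)"
}

function Test-InternetZoneActiveX {
    # Returns one object per setting with Current, Recommended and OK fields.
    $zone = Get-ItemProperty -Path $zonePath -ErrorAction Stop
    foreach ($id in ($expected.Keys | Sort-Object)) {
        $current = $zone.$id          # property is named after the numeric value, e.g. "1001"
        $want    = $expected[$id].Want
        New-Object PSObject -Property @{
            Setting     = $expected[$id].Name
            Current     = Get-SettingLabel $current
            Recommended = $labels[$want]
            OK          = ($current -ne $null -and [int]$current -eq $want)
        }
    }
}

function Get-InstalledJava {
    # Lists every "Java..." entry from the Add or Remove Programs registry
    # data (32- and 64-bit views) so that all but the newest can be removed.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.DisplayName -and $p.DisplayName -match '^Java') {
                New-Object PSObject -Property @{
                    Name    = $p.DisplayName
                    Version = $p.DisplayVersion
                    Key     = $_.PSChildName
                }
            }
        }
    }
}

# Report. Any line with OK = False is a setting still to change in Inetcpl.cpl;
# more than one Java entry means older versions are still installed.
Write-Host '== Internet zone ActiveX settings ==' 
Test-InternetZoneActiveX | Format-Table Setting, Current, Recommended, OK -AutoSize

Write-Host '== Installed Java entries (keep only the newest) =='
$java = @(Get-InstalledJava)
if ($java.Count -eq 0) { Write-Host 'No Java entries found.' }
else { $java | Sort-Object Version -Descending | Format-Table Name, Version, Key -AutoSize }
```

Run it as the same user whose Internet Explorer settings you changed, since the zone values live under HKCU; the Java listing reads HKLM and works for any user. `New-Object PSObject` is used instead of the `[PSCustomObject]` shorthand so the script also runs on the PowerShell 2.0 that older XP-era machines typically have.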