
Windows explorer steals focus on "p" keystroke: infection?


#1
clearly

Recently I thought my "p" key was somehow dysfunctional or broken. I swapped keyboards and the problem persists. Clearly this is a software problem.

When I am typing the lowercase letter "p" in an application, such as email, notepad or anything, the letter is not typed and instead focus shifts to an existing increment of Windows Explorer. On further investigation I discovered that this does not occur if I type an uppercase letter "p". I also found that if there is no increment of Windows Explorer open then the letter "p" is faithfully rendered in whatever application I'm in and no focus stealing occurs. A web search turned up similar symptoms here, but I don't have Kaspersky and my problem remains. I really do hope this is a simple software issue that someone has seen before.

Now user drbits from the forum above also suggested this might be a possible rootkit infection. I ran a RootRepeal scan. I received numerous popup errors during the scan saying that the boot sector was unavailable and that I should change my Disk Access Level in the settings. Nevertheless, RootRepeal found rootkits on my external drives (H:, K:, M:, X:). Each drive also had sector mismatches (the RootRepeal log is attached).

I opened Avira and discovered that my regular full system scans appeared to not be checking for rootkits on all my drives: only the system (C:) drive was selected in Avira's settings (Local protection > Scanner > Rootkit search). I checked/selected all my drives in Avira's settings and ran a rootkit search scan. One virus was found (TR/Crypt.XPACK.Gen) and quarantined. I do make a consistent effort to effect security measures so this was quite a disappointment.

A subsequent RootRepeal run still finds the rootkits on my external drives, along with the sector mismatches as before.

Certainly I don't want to be infected and want to make sure this is not a virus. Ultimately I would like to figure out why this is happening and fix it. It is slowly driving me nuts.

Thank you in advance. Your site and your kind helpers are a huge asset to the internet and computer world in general.

Thanks,
Morgan

-------------------------------------
OTL Log
Note: I got "Windows - No Disk" popup errors (more than 50) while the OTL program ran with the associated error message "Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c". Options were to Cancel, Try Again or Continue. Only Continue seemed to work.
-------------------------------------

OTL logfile created on: 2011/03/03 11:43:46 PM - Run 2
OTL by OldTimer - Version 3.2.22.2 Folder = H:\software\security\malware guide\2011
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001C09 | Country: South Africa | Language: ENS | Date Format: yyyy/MM/dd

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 74.00% Memory free
9.00 Gb Paging File | 8.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 6144 6144 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 86.68 Gb Total Space | 11.78 Gb Free Space | 13.59% Space Free | Partition Type: NTFS
Drive E: | 6.47 Gb Total Space | 0.56 Gb Free Space | 8.70% Space Free | Partition Type: FAT32
Drive H: | 1863.01 Gb Total Space | 1098.85 Gb Free Space | 58.98% Space Free | Partition Type: NTFS
Drive K: | 931.51 Gb Total Space | 217.75 Gb Free Space | 23.38% Space Free | Partition Type: NTFS
Drive M: | 1863.01 Gb Total Space | 170.43 Gb Free Space | 9.15% Space Free | Partition Type: NTFS
Drive X: | 596.17 Gb Total Space | 165.82 Gb Free Space | 27.81% Space Free | Partition Type: NTFS

Computer Name: MORGAN | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - H:\software\security\malware guide\2011\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Opera\opera.exe (Opera Software)
PRC - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe (Locktime Software)
PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe (Vodafone)
PRC - C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\ESRI\License\arcgis9x\ARCGIS.exe ()
PRC - C:\Program Files\Norton Ghost\Agent\VProTray.exe (Symantec Corporation)
PRC - C:\Program Files\Norton Ghost\Agent\VProSvc.exe (Symantec Corporation)
PRC - C:\Program Files\FolderSize\FolderSizeSvc.exe (Brio)
PRC - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe (SafeNet, Inc)
PRC - C:\WINDOWS\SMINST\Scheduler.exe ()
PRC - C:\Program Files\HPQ\Shared\HpqToaster.exe ()
PRC - C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
PRC - C:\Program Files\HPQ\IAM\Bin\asghost.exe (Cognizance Corporation)
PRC - C:\WINDOWS\system32\Brmfrmps.exe (Brother Industries, Ltd.)
PRC - C:\Program Files\ESRI\License\arcgis9x\lmgrd.exe ()


========== Modules (SafeList) ==========

MOD - H:\software\security\malware guide\2011\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (nlsvc) -- C:\Program Files\NetLimiter 2 Pro\nlsvc.exe (Locktime Software)
SRV - (ServiceLayer) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Acresso Software Inc.)
SRV - (VMCService) -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe (Vodafone)
SRV - (W3SVC) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (SMTPSVC) Simple Mail Transfer Protocol (SMTP) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (IISADMIN) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE (Symantec Corporation)
SRV - (Automatic LiveUpdate Scheduler) -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (Symantec Corporation)
SRV - (Norton Ghost) -- C:\Program Files\Norton Ghost\Agent\VProSvc.exe (Symantec Corporation)
SRV - (Symantec Core LC) -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (Symantec Corporation)
SRV - (FolderSize) -- C:\Program Files\FolderSize\FolderSizeSvc.exe (Brio)
SRV - (SentinelProtectionServer) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe (SafeNet, Inc)
SRV - (CCALib8) -- C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
SRV - (WmcCds) Windows Media Connect (WMC) -- c:\Program Files\Windows Media Connect\mswmccds.exe (Microsoft Corporation)
SRV - (WmcCdsLs) Windows Media Connect (WMC) -- C:\Program Files\Windows Media Connect\mswmcls.exe (Microsoft Corporation)
SRV - (brmfrmps) -- C:\WINDOWS\System32\Brmfrmps.exe (Brother Industries, Ltd.)
SRV - (ArcGIS License Manager) -- C:\Program Files\ESRI\License\arcgis9x\lmgrd.exe ()


========== Driver Services (SafeList) ==========

DRV - (pbfilter) -- C:\Program Files\PeerBlock\pbfilter.sys ()
DRV - (nltdi) -- C:\WINDOWS\system32\drivers\nltdi.sys (Locktime Software)
DRV - (seehcri) -- C:\WINDOWS\system32\drivers\seehcri.sys (Sony Ericsson Mobile Communications)
DRV - (ggsemc) -- C:\WINDOWS\system32\drivers\ggsemc.sys (Sony Ericsson Mobile Communications)
DRV - (ggflt) -- C:\WINDOWS\system32\drivers\ggflt.sys (Sony Ericsson Mobile Communications)
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (nmwcdnsu) -- C:\WINDOWS\system32\drivers\nmwcdnsu.sys (Nokia)
DRV - (UsbserFilt) -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys (Nokia)
DRV - (nmwcdc) -- C:\WINDOWS\system32\drivers\ccdcmbo.sys (Nokia)
DRV - (nmwcd) -- C:\WINDOWS\system32\drivers\ccdcmb.sys (Nokia)
DRV - (upperdev) -- C:\WINDOWS\system32\drivers\usbser_lowerflt.sys (Nokia)
DRV - (SASENUM) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgio) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (pccsmcfd) -- C:\WINDOWS\system32\drivers\pccsmcfd.sys (Nokia)
DRV - (RMCAST) -- C:\WINDOWS\system32\drivers\rmcast.sys (Microsoft Corporation)
DRV - (MQAC) -- C:\WINDOWS\system32\drivers\mqac.sys (Microsoft Corporation)
DRV - (hwdatacard) -- C:\WINDOWS\system32\drivers\ewusbmdm.sys (Huawei Technologies Co., Ltd.)
DRV - (s116unic) Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (WDM) -- C:\WINDOWS\system32\drivers\s116unic.sys (MCCI Corporation)
DRV - (s116obex) -- C:\WINDOWS\system32\drivers\s116obex.sys (MCCI Corporation)
DRV - (s116nd5) Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (NDIS) -- C:\WINDOWS\system32\drivers\s116nd5.sys (MCCI Corporation)
DRV - (s116mgmt) Sony Ericsson Device 116 USB WMC Device Management Drivers (WDM) -- C:\WINDOWS\system32\drivers\s116mgmt.sys (MCCI Corporation)
DRV - (s116mdm) -- C:\WINDOWS\system32\drivers\s116mdm.sys (MCCI Corporation)
DRV - (s116mdfl) -- C:\WINDOWS\system32\drivers\s116mdfl.sys (MCCI Corporation)
DRV - (s116bus) Sony Ericsson Device 116 driver (WDM) -- C:\WINDOWS\system32\drivers\s116bus.sys (MCCI Corporation)
DRV - (WimFltr) -- C:\WINDOWS\system32\drivers\WimFltr.sys (Microsoft Corporation)
DRV - (symsnap) -- C:\WINDOWS\system32\DRIVERS\symsnap.sys (StorageCraft)
DRV - (v2imount) -- C:\WINDOWS\system32\drivers\v2imount.sys (Symantec Corporation)
DRV - (VPROEVENTMONITOR) -- C:\WINDOWS\system32\drivers\vproeventmonitor.sys (Symantec Corporation)
DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys ()
DRV - (k750mdm) -- C:\WINDOWS\system32\drivers\k750mdm.sys (MCCI)
DRV - (k750mdfl) -- C:\WINDOWS\system32\drivers\k750mdfl.sys (MCCI)
DRV - (k750bus) Sony Ericsson 750 driver (WDM) -- C:\WINDOWS\system32\drivers\k750bus.sys (MCCI)
DRV - (symlcbrd) -- C:\WINDOWS\system32\drivers\symlcbrd.sys (Symantec Corporation)
DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems)
DRV - (Sentinel) -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS (SafeNet, Inc.)
DRV - (btaudio) -- C:\WINDOWS\system32\drivers\btaudio.sys (Broadcom Corporation.)
DRV - (BTKRNL) -- C:\WINDOWS\system32\drivers\btkrnl.sys (Broadcom Corporation.)
DRV - (BTDriver) -- C:\WINDOWS\system32\drivers\btport.sys (Broadcom Corporation.)
DRV - (BTWUSB) -- C:\WINDOWS\system32\drivers\btwusb.sys (Broadcom Corporation.)
DRV - (BTWDNDIS) -- C:\WINDOWS\system32\drivers\btwdndis.sys (Broadcom Corporation.)
DRV - (bcm4sbxp) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (w39n51) Intel® -- C:\WINDOWS\system32\drivers\w39n51.sys (Intel® Corporation)
DRV - (eabusb) -- C:\WINDOWS\system32\drivers\EabUsb.sys (Hewlett-Packard Development Company, L.P.)
DRV - (HBtnKey) -- C:\WINDOWS\system32\drivers\CPQBttn.sys (Hewlett-Packard Development Company, L.P.)
DRV - (eabfiltr) -- C:\WINDOWS\system32\drivers\eabfiltr.sys (Hewlett-Packard Development Company, L.P.)
DRV - (k750obex) -- C:\WINDOWS\system32\drivers\k750obex.sys (MCCI)
DRV - (k750mgmt) -- C:\WINDOWS\system32\drivers\k750mgmt.sys (MCCI)
DRV - (st3tiger) -- C:\WINDOWS\system32\drivers\st3tiger.sys ( )
DRV - (st3tgbus) -- C:\WINDOWS\system32\drivers\st3tgbus.sys ( )
DRV - (SMCIRDA) -- C:\WINDOWS\system32\drivers\smcirda.sys (SMC)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://www.discover...ndividual/login
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = cache.uct.ac.za:8080

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/15 22:34:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2011/01/30 18:07:02 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2009/04/25 11:07:36 | 000,000,783 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 morgan
O1 - Hosts: 127.0.0.1 activate.adobe.com
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (IE to GetRight Helper) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll (Headlight Software, Inc.)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (HP Credential Manager for ProtectTools) - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll (Infineon Technologies AG)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [CognizanceTS] C:\Program Files\HPQ\IAM\Bin\AsTsVcc.dll (Cognizance Corporation)
O4 - HKLM..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe (Hewlett-Packard Co.)
O4 - HKLM..\Run: [hpWirelessAssistant] C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [MsmqIntCert] C:\WINDOWS\System32\mqrt.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Norton Ghost 12.0] C:\Program Files\Norton Ghost\Agent\VProTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Reminder] C:\WINDOWS\CREATOR\Remind_XP.exe ()
O4 - HKLM..\Run: [Resume copy] C:\WINDOWS\copyfstq.exe ()
O4 - HKLM..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe ()
O4 - HKLM..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe (Brother Industories, Ltd.)
O4 - HKLM..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKCU..\Run: [AdobeBridge] File not found
O4 - HKCU..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe ()
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Second Copy] C:\Program Files\SecCopy\SecCopy.exe (Centered Systems)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 181
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF 03 [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRDownload.htm ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRBrowse.htm ()
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O16 - DPF: {00000161-9980-0010-8000-00AA00389B71} http://download.micr...66614/msaud.CAB (Reg Error: Key error.)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.micr...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://download.micr...D0C/wmv9dmo.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: System - (ziswin.exe) - File not found
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\OneCard: DllName - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll (Cognizance Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2001/07/27 23:07:00 | 000,000,000 | -HS- | M] () - E:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2004/04/30 15:01:00 | 000,000,053 | -HS- | M] () - E:\Autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{0477e248-1555-11de-8e81-0017084b7179}\Shell - "" = AutoRun
O33 - MountPoints2\{0477e248-1555-11de-8e81-0017084b7179}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{0477e248-1555-11de-8e81-0017084b7179}\Shell\AutoRun\command - "" = M:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{0477e24a-1555-11de-8e81-0017084b7179}\Shell - "" = AutoRun
O33 - MountPoints2\{0477e24a-1555-11de-8e81-0017084b7179}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{0477e24a-1555-11de-8e81-0017084b7179}\Shell\AutoRun\command - "" = I:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{1993596f-f41e-11df-9d5a-028037150300}\Shell\AutoRun\command - "" = F:\Get_Started_for_Win.exe
O33 - MountPoints2\{19a2125b-4087-11df-8ae9-0017084b7179}\Shell - "" = AutoRun
O33 - MountPoints2\{19a2125b-4087-11df-8ae9-0017084b7179}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{19a2125b-4087-11df-8ae9-0017084b7179}\Shell\AutoRun\command - "" = M:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{19a2125c-4087-11df-8ae9-0017084b7179}\Shell - "" = AutoRun
O33 - MountPoints2\{19a2125c-4087-11df-8ae9-0017084b7179}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{19a2125c-4087-11df-8ae9-0017084b7179}\Shell\AutoRun\command - "" = H:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{25f202e6-1125-11dd-a47b-0019d21a5a5d}\Shell\AutoRun\command - "" = F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
O33 - MountPoints2\{25f202e6-1125-11dd-a47b-0019d21a5a5d}\Shell\open\command - "" = F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
O33 - MountPoints2\{3718250e-9713-11df-acac-0019d21a5a5d}\Shell - "" = AutoRun
O33 - MountPoints2\{3718250e-9713-11df-acac-0019d21a5a5d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{3718250e-9713-11df-acac-0019d21a5a5d}\Shell\AutoRun\command - "" = J:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{45c42734-04ac-11de-b001-0019d21a5a5d}\Shell\AutoRun\command - "" = F:\j60osk9.cmd
O33 - MountPoints2\{45c42734-04ac-11de-b001-0019d21a5a5d}\Shell\open\Command - "" = F:\j60osk9.cmd
O33 - MountPoints2\{6cb0a241-da9d-11dd-8403-0019d21a5a5d}\Shell\AutoRun\command - "" = F:\j60osk9.cmd
O33 - MountPoints2\{6cb0a241-da9d-11dd-8403-0019d21a5a5d}\Shell\open\Command - "" = F:\j60osk9.cmd
O33 - MountPoints2\{6f67d90b-13d3-11e0-8231-0017084b7179}\Shell - "" = AutoRun
O33 - MountPoints2\{6f67d90b-13d3-11e0-8231-0017084b7179}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6f67d90b-13d3-11e0-8231-0017084b7179}\Shell\AutoRun\command - "" = I:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{6f67d90c-13d3-11e0-8231-0017084b7179}\Shell - "" = AutoRun
O33 - MountPoints2\{6f67d90c-13d3-11e0-8231-0017084b7179}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6f67d90c-13d3-11e0-8231-0017084b7179}\Shell\AutoRun\command - "" = I:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{768f2255-e1a9-11df-b680-0019d21a5a5d}\Shell - "" = AutoRun
O33 - MountPoints2\{768f2255-e1a9-11df-b680-0019d21a5a5d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{768f2255-e1a9-11df-b680-0019d21a5a5d}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{89ae7d87-cc47-11df-b0e9-0019d21a5a5d}\Shell - "" = AutoRun
O33 - MountPoints2\{89ae7d87-cc47-11df-b0e9-0019d21a5a5d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{89ae7d87-cc47-11df-b0e9-0019d21a5a5d}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{9e9bd31d-dfba-11dd-9cf8-0019d21a5a5d}\Shell\AutoRun\command - "" = 80avp08.com
O33 - MountPoints2\{9e9bd31d-dfba-11dd-9cf8-0019d21a5a5d}\Shell\explore\Command - "" = 80avp08.com
O33 - MountPoints2\{9e9bd31d-dfba-11dd-9cf8-0019d21a5a5d}\Shell\open\Command - "" = 80avp08.com
O33 - MountPoints2\{9f83224b-048c-11e0-af30-0017084b7179}\Shell - "" = AutoRun
O33 - MountPoints2\{9f83224b-048c-11e0-af30-0017084b7179}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9f83224b-048c-11e0-af30-0017084b7179}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL KuIeHI.EXE
O33 - MountPoints2\{c5df72ee-e3bd-11dd-b1ad-0019d21a5a5d}\Shell\AutoRun\command - "" = F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\OgarD.exe
O33 - MountPoints2\{c5df72ee-e3bd-11dd-b1ad-0019d21a5a5d}\Shell\open\command - "" = F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\OgarD.exe
O33 - MountPoints2\{ca3a65e8-b259-11df-b870-0019d21a5a5d}\Shell - "" = AutoRun
O33 - MountPoints2\{ca3a65e8-b259-11df-b870-0019d21a5a5d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{ca3a65e8-b259-11df-b870-0019d21a5a5d}\Shell\AutoRun\command - "" = F:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{dd0da4fe-05a6-11de-ad77-0019d21a5a5d}\Shell\AutoRun\command - "" = j60osk9.cmd
O33 - MountPoints2\{dd0da4fe-05a6-11de-ad77-0019d21a5a5d}\Shell\open\Command - "" = j60osk9.cmd
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/02/28 18:25:18 | 000,000,000 | ---D | C] -- C:\Program Files\Extreme URL Generator
[2011/02/27 20:38:44 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2011/02/10 18:00:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Roxio
[2011/02/10 16:58:51 | 000,033,592 | ---- | C] (Roxio) -- C:\WINDOWS\System32\drivers\DLADHK_M.SYS
[2011/02/10 15:11:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DLA
[2011/02/10 15:11:24 | 000,000,000 | ---D | C] -- C:\swtools
[2011/02/08 00:51:38 | 000,000,000 | ---D | C] -- C:\Program Files\APDFR
[2011/02/08 00:51:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Advanced PDF Repair
[2011/02/08 00:37:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinDjView
[2011/02/06 19:15:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\WinRAR
[2011/01/28 11:39:37 | 000,121,344 | ---- | C] ( ) -- C:\WINDOWS\System32\lagarith.dll
[2008/05/18 11:08:57 | 000,018,944 | ---- | C] ( ) -- C:\WINDOWS\System32\IMPLODE.DLL
[2003/03/12 19:38:24 | 000,099,168 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\st3tiger.sys
[2003/03/12 19:37:56 | 000,008,640 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\st3tgbus.sys

========== Files - Modified Within 30 Days ==========

[2011/03/03 23:33:00 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/03/03 18:15:39 | 3366,405,120 | ---- | M] () -- C:\morgan_personal2008.pst
[2011/03/03 17:24:29 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2011/03/03 17:24:27 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/03 17:20:16 | 002,160,528 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/03/03 17:20:04 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/03 17:20:01 | 3212,234,752 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/03 17:02:25 | 000,001,831 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Avira AntiVir Personal Profile Rootkit search.LNK
[2011/03/03 12:35:41 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/03/03 11:33:36 | 000,004,096 | -HS- | M] () -- C:\VSNAP.IDX
[2011/02/28 18:51:30 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2011/02/20 08:57:20 | 000,001,206 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to Google Earth Plus 6.0.1.2032 Portable.exe.lnk
[2011/02/15 23:02:19 | 000,000,513 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\UCT STUDY DOCUMENTS.lnk
[2011/02/13 13:41:06 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2011/02/12 09:19:37 | 000,001,520 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Opera 11.01 1190.lnk
[2011/02/10 16:58:51 | 000,000,313 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011/02/08 23:54:01 | 000,001,433 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\UCT STUDY DOX.lnk
[2011/02/03 10:07:10 | 000,000,671 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to Resources for Research skills.lnk

========== Files Created - No Company Name ==========

[2011/03/03 17:02:25 | 000,001,831 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Avira AntiVir Personal Profile Rootkit search.LNK
[2011/02/20 08:57:20 | 000,001,206 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to Google Earth Plus 6.0.1.2032 Portable.exe.lnk
[2011/02/13 13:41:06 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2011/02/13 13:41:05 | 000,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2011/02/12 09:19:37 | 000,001,520 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Opera 11.01 1190.lnk
[2011/02/12 09:19:37 | 000,001,508 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Opera 11.01 1190.lnk
[2011/02/10 17:04:30 | 3212,234,752 | -HS- | C] () -- C:\hiberfil.sys
[2011/02/03 10:07:10 | 000,000,671 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to Resources for Research skills.lnk
[2011/01/28 11:39:39 | 000,165,376 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2011/01/28 11:39:39 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2011/01/28 11:39:37 | 002,582,016 | ---- | C] () -- C:\WINDOWS\System32\x264vfw.dll
[2011/01/28 11:39:36 | 000,810,496 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2011/01/28 11:39:36 | 000,183,808 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2011/01/28 11:39:36 | 000,080,896 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2010/05/03 22:56:11 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Versabook.INI
[2010/05/03 11:34:14 | 000,027,136 | ---- | C] () -- C:\WINDOWS\System32\VbMCHook.dll
[2010/04/23 19:23:00 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/12/03 21:37:02 | 000,000,062 | ---- | C] () -- C:\WINDOWS\dcmvwr.INI
[2009/12/03 10:17:50 | 000,000,000 | ---- | C] () -- C:\WINDOWS\pcvcdvw.INI
[2009/12/03 10:13:47 | 000,000,062 | ---- | C] () -- C:\WINDOWS\PCVCDBR.INI
[2009/04/20 19:09:20 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2009/04/04 18:28:21 | 000,000,065 | ---- | C] () -- C:\WINDOWS\minitab.ini
[2008/08/24 17:08:19 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\EONSYS.DLL
[2008/06/23 13:02:02 | 000,097,410 | R--- | C] () -- C:\Documents and Settings\All Users\Application Data\DeviceManager.xml.rc4
[2008/05/23 17:48:50 | 000,020,270 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DeviceInstaller.xml
[2008/04/12 21:15:10 | 000,000,130 | ---- | C] () -- C:\WINDOWS\EurekaLog.ini
[2008/02/03 22:12:09 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2007/11/19 13:58:33 | 000,002,634 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\WWB7_32.DAT
[2007/09/23 23:24:42 | 000,003,453 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
[2007/08/06 17:27:37 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll
[2007/08/01 16:19:50 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\setupw2k.dll
[2007/08/01 16:19:48 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\nwslog32.dll
[2007/06/02 17:09:57 | 000,094,636 | ---- | C] () -- C:\WINDOWS\dropcpyr.dll
[2007/06/02 17:09:57 | 000,073,728 | ---- | C] () -- C:\WINDOWS\copyfstq.exe
[2007/04/27 19:58:44 | 000,038,467 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Comma Separated Values (Windows).ADR
[2007/04/27 14:08:06 | 000,000,401 | ---- | C] () -- C:\WINDOWS\Mail2Contact.ini
[2007/04/27 13:54:57 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A4W.INI
[2007/02/13 23:24:02 | 000,000,089 | ---- | C] () -- C:\WINDOWS\pdsccc.ini
[2007/02/11 22:05:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Brownie.ini
[2007/02/11 22:02:56 | 000,000,051 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2007/02/11 21:50:43 | 000,000,030 | ---- | C] () -- C:\WINDOWS\System32\brss01a.ini
[2007/02/11 21:49:14 | 000,000,462 | ---- | C] () -- C:\WINDOWS\brwmark.ini
[2007/02/11 21:49:14 | 000,000,234 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2007/02/11 21:49:14 | 000,000,092 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2007/02/11 21:49:14 | 000,000,079 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2007/02/11 21:49:14 | 000,000,050 | ---- | C] () -- C:\WINDOWS\System32\BRIDF04A.dat
[2007/02/11 21:48:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\brdfxspd.dat
[2007/02/11 21:46:31 | 000,027,019 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2007/02/01 22:42:02 | 000,036,939 | ---- | C] () -- C:\WINDOWS\System32\insrepim.exe
[2007/02/01 22:36:50 | 000,000,185 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2007/02/01 22:25:27 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2007/02/01 22:22:18 | 000,000,856 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/01/31 12:32:03 | 000,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2007/01/31 12:32:03 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2007/01/31 12:31:38 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2007/01/31 12:31:38 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2007/01/31 12:31:38 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2007/01/29 19:10:49 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2007/01/29 19:10:49 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2007/01/29 19:10:49 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2007/01/29 19:10:49 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2007/01/29 19:10:49 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2007/01/29 19:10:48 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2007/01/29 18:35:50 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/01/29 13:43:12 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\fusioncache.dat
[2007/01/29 13:38:33 | 000,128,512 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/11/17 11:34:40 | 000,091,520 | ---- | C] () -- C:\WINDOWS\HPBroker.dll
[2006/08/18 11:03:42 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2006/08/18 10:53:43 | 000,000,313 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/08/18 10:52:20 | 000,028,510 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/02/15 16:04:52 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2005/08/26 14:28:34 | 000,143,360 | ---- | C] () -- C:\WINDOWS\unzip.exe
[2005/08/26 14:27:58 | 000,045,056 | ---- | C] () -- C:\WINDOWS\devenum.exe
[2004/08/07 15:19:26 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/07 15:19:16 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/07 15:14:52 | 000,522,284 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/07 15:14:52 | 000,099,958 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/07 15:12:40 | 000,000,890 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/07 15:07:40 | 002,160,528 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/07 15:02:46 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/07 14:59:58 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/04 10:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 10:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 10:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 10:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 10:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 10:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 10:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 10:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/06/01 11:39:56 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
[2004/03/16 14:09:12 | 000,454,761 | ---- | C] () -- C:\WINDOWS\System32\boost_regex-vc6-mt-1_31.dll
[2004/03/16 14:08:26 | 000,467,052 | ---- | C] () -- C:\WINDOWS\System32\boost_regex-vc6-mt-gd-1_31.dll
[2003/03/27 20:03:04 | 000,003,955 | ---- | C] () -- C:\WINDOWS\maxus.ini
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/05/28 10:55:42 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/05/28 10:54:40 | 000,004,605 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2002/04/17 14:21:44 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\XMLPARSE.DLL
[2002/03/19 17:30:00 | 000,141,824 | ---- | C] () -- C:\WINDOWS\System32\msvdm.dll
[2002/03/04 10:16:34 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll
[2001/11/14 12:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll
[1999/08/07 01:05:16 | 000,212,480 | ---- | C] () -- C:\WINDOWS\System32\DBPORT6.DLL
[1998/12/14 19:00:00 | 000,021,986 | ---- | C] () -- C:\WINDOWS\crwd32.ini
[1998/12/06 16:56:04 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\verinst.exe
[1998/06/10 00:00:00 | 000,015,120 | ---- | C] () -- C:\WINDOWS\System32\REPUTIL.DLL
[1998/05/18 00:00:00 | 000,014,017 | ---- | C] () -- C:\WINDOWS\JAUTOEXP.INI
[1998/05/07 04:10:00 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\ODMA32.dll
[1998/04/24 00:00:00 | 000,000,218 | ---- | C] () -- C:\WINDOWS\FRONTPG.INI
[1997/06/25 15:24:16 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\RegObj.dll
[1996/06/07 21:07:14 | 000,043,008 | ---- | C] () -- C:\WINDOWS\System32\ltfil60n.dll
[1996/06/07 21:07:14 | 000,019,456 | ---- | C] () -- C:\WINDOWS\System32\lfwpg60n.dll
[1996/06/07 21:07:12 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\lftif60n.dll
[1996/06/07 21:07:12 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\lftga60n.dll
[1996/06/07 21:07:12 | 000,019,456 | ---- | C] () -- C:\WINDOWS\System32\lfwmf60n.dll
[1996/06/07 21:07:10 | 000,110,080 | ---- | C] () -- C:\WINDOWS\System32\lfpng60n.dll
[1996/06/07 21:07:10 | 000,023,552 | ---- | C] () -- C:\WINDOWS\System32\lfpcx60n.dll
[1996/06/07 21:07:10 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\lfpsd60n.dll
[1996/06/07 21:07:08 | 000,022,528 | ---- | C] () -- C:\WINDOWS\System32\lfpct60n.dll
[1996/06/07 21:07:08 | 000,018,432 | ---- | C] () -- C:\WINDOWS\System32\lfmsp60n.dll
[1996/06/07 21:07:08 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\lfmac60n.dll
[1996/06/07 21:07:06 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\lffax60n.dll
[1996/06/07 21:07:04 | 000,141,824 | ---- | C] () -- C:\WINDOWS\System32\lfcmp60n.dll
[1996/06/07 21:07:04 | 000,022,528 | ---- | C] () -- C:\WINDOWS\System32\lfeps60n.dll
[1996/06/07 21:07:04 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\lfbmp60n.dll

========== LOP Check ==========

[2011/03/03 23:38:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Azureus
[2007/08/01 18:11:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Canon
[2010/04/10 10:53:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\EndNote
[2009/01/07 17:10:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ESRI
[2010/04/02 08:49:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\EurekaLog
[2007/04/02 19:12:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Flexiblesoft
[2009/03/21 23:20:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\foobar2000
[2009/08/29 19:32:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Foxit
[2010/02/02 17:55:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Foxit Software
[2007/01/29 20:18:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\InterVideo
[2009/10/25 16:26:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\JAM Software
[2007/01/29 20:15:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Leadertech
[2010/06/19 09:43:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Locktime
[2007/04/30 16:18:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\M2C
[2010/02/25 23:05:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Nokia
[2007/01/29 21:39:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Opera
[2009/04/04 22:57:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\PanoramaStudio
[2010/02/24 17:43:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\PC Suite
[2006/08/18 11:24:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SampleView
[2007/02/11 22:04:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ScanSoft
[2008/04/04 16:04:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\StatSoft
[2010/03/11 21:30:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Teleca
[2009/04/15 08:10:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Thinstall
[2010/08/17 12:18:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Transcend
[2009/03/23 17:25:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Vodafone
[2010/06/08 19:57:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\WinFF
[2007/11/27 12:13:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Xenocode
[2008/09/29 14:31:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\4D
[2009/08/22 18:22:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avg7
[2007/09/24 11:23:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Eset
[2008/12/09 20:59:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESRI
[2007/04/02 19:12:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FlexibleSoft
[2009/08/22 18:22:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft
[2010/02/24 17:30:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations
[2009/03/22 17:50:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Last.fm
[2010/06/19 00:01:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Locktime
[2010/02/26 11:34:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OviInstallerCache
[2010/02/24 17:32:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
[2007/02/11 21:45:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2009/03/23 17:44:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\StatSoft
[2008/08/03 12:38:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tarma Installer
[2009/11/30 11:41:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Vodafone
[2007/11/22 15:35:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ZappaSoft
[2011/03/03 17:24:29 | 000,000,274 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

========== Purity Check ==========



< End of report >

Edited by clearly, 03 March 2011 - 09:36 PM.
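The O33 MountPoints2 section of the log above is where per-volume AutoRun handlers are recorded, so it is the part worth triaging first when removable drives are suspected. The following is an added example, not part of the original post and not OTL's own logic: it parses O33 lines and flags handlers using heuristics chosen for this example (the reason labels and function names are assumptions), run over an excerpt copied from the log above.

```python
import re
from collections import defaultdict

# Excerpt copied from the O33 section of the log above.
SAMPLE_LOG = r"""
O33 - MountPoints2\{0477e248-1555-11de-8e81-0017084b7179}\Shell\AutoRun\command - "" = M:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{25f202e6-1125-11dd-a47b-0019d21a5a5d}\Shell\AutoRun\command - "" = F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
O33 - MountPoints2\{25f202e6-1125-11dd-a47b-0019d21a5a5d}\Shell\open\command - "" = F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
O33 - MountPoints2\{45c42734-04ac-11de-b001-0019d21a5a5d}\Shell\AutoRun\command - "" = F:\j60osk9.cmd
O33 - MountPoints2\{768f2255-e1a9-11df-b680-0019d21a5a5d}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{9e9bd31d-dfba-11dd-9cf8-0019d21a5a5d}\Shell\explore\Command - "" = 80avp08.com
O33 - MountPoints2\{9f83224b-048c-11e0-af30-0017084b7179}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL KuIeHI.EXE
O33 - MountPoints2\{c5df72ee-e3bd-11dd-b1ad-0019d21a5a5d}\Shell\open\command - "" = F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\OgarD.exe
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
"""

# O33 - MountPoints2\<volume GUID or drive letter>\<subkey> - "<value name>" = <data>
O33_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<volume>\{[0-9A-Fa-f-]{36}\}|[A-Za-z])'
    r'\\(?P<subkey>.+?) - "(?P<name>[^"]*)" = (?P<data>.*)$'
)
# A folder named like a user SID, as found inside a real Recycle Bin.
SID_DIR = re.compile(r'\\S-1-5-21(?:-\d+)+\\', re.IGNORECASE)
# rundll32 used to launch another file through shell32's ShellExec_RunDLL.
SHELLEXEC = re.compile(
    r'rundll32(?:\.exe)?\s+shell32(?:\.dll)?,ShellExec_RunDLL\s+(?P<target>\S+)',
    re.IGNORECASE,
)
SCRIPT_EXT = ('.cmd', '.bat', '.com', '.pif', '.scr', '.vbs')


def parse_o33(log_text):
    """Return one dict (volume, subkey, name, data) per O33 line."""
    entries = []
    for line in log_text.splitlines():
        m = O33_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def command_target(data):
    """Return (file the handler launches, launched_via_rundll32)."""
    m = SHELLEXEC.search(data)
    if m:
        return m.group('target'), True
    if data.startswith('"'):
        return data[1:].split('"', 1)[0], False
    # Limitation: an unquoted path containing spaces is cut at the first space.
    parts = data.split()
    return (parts[0] if parts else ''), False


def reasons_for(data):
    """Heuristics for this example only; a hit means 'review', not 'malicious'."""
    target, via_rundll = command_target(data)
    reasons = set()
    if via_rundll:
        reasons.add('rundll32-shellexec')
    if '\\recycler\\' in target.lower() or SID_DIR.search(target):
        reasons.add('recycler-or-sid-dir')
    if '\\' not in target and ':' not in target:
        reasons.add('no-path')  # bare file name, resolved on the drive itself
    if target.lower().endswith(SCRIPT_EXT):
        reasons.add('script-or-com-ext')
    return reasons


def triage(log_text):
    """Map each volume with a flagged ...\\command handler to its reasons."""
    flagged = defaultdict(set)
    for entry in parse_o33(log_text):
        # Only ...\command values are executed; the others are verb labels.
        if not entry['subkey'].lower().endswith('\\command'):
            continue
        reasons = reasons_for(entry['data'])
        if reasons:
            flagged[entry['volume']] |= reasons
    return {vol: sorted(r) for vol, r in flagged.items()}


if __name__ == '__main__':
    for volume, reasons in triage(SAMPLE_LOG).items():
        print(volume, ', '.join(reasons))
```

Volumes whose handlers point at an ordinary executable in the drive root, such as the `setup_vmc_lite.exe` and `LaunchU3.exe` entries, are not flagged by these heuristics.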


#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,623 posts
  • MVP
Looks like one or more usb devices is/are infected.

Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************************************
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" /f

**********************************************************************

Start, Run, cmd, OK to bring up a new Command Prompt window. Right-click and select Paste and the above text should appear. Make sure you got it all and then hit Enter.

Close the Command Prompt window.

Download Flash_Disinfector.exe by sUBs
http://download.blee...Disinfector.exe
and save it to your desktop.

* Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
* The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
* Wait until it has finished scanning and then exit the program.
* Reboot your computer when done.


Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
You will also want to install AutoRun Eater v2.5
http://download.cnet...4-10752777.html
It will stay resident and prevent USB drives from infecting your PC.

Copy the text in the code box by highlighting and Ctrl + c


:Services

:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = cache.uct.ac.za:8080
O4 - HKCU..\Run: [AdobeBridge] File not found
O32 - AutoRun File - [2004/04/30 15:01:00 | 000,000,053 | -HS- | M] () - E:\Autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{0477e248-1555-11de-8e81-0017084b7179}\Shell - "" = AutoRun
O33 - MountPoints2\{0477e248-1555-11de-8e81-0017084b7179}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{0477e248-1555-11de-8e81-0017084b7179}\Shell\AutoRun\command - "" = M:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{0477e24a-1555-11de-8e81-0017084b7179}\Shell - "" = AutoRun
O33 - MountPoints2\{0477e24a-1555-11de-8e81-0017084b7179}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{0477e24a-1555-11de-8e81-0017084b7179}\Shell\AutoRun\command - "" = I:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{1993596f-f41e-11df-9d5a-028037150300}\Shell\AutoRun\command - "" = F:\Get_Started_for_Win.exe
O33 - MountPoints2\{19a2125b-4087-11df-8ae9-0017084b7179}\Shell - "" = AutoRun
O33 - MountPoints2\{19a2125b-4087-11df-8ae9-0017084b7179}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{19a2125b-4087-11df-8ae9-0017084b7179}\Shell\AutoRun\command - "" = M:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{19a2125c-4087-11df-8ae9-0017084b7179}\Shell - "" = AutoRun
O33 - MountPoints2\{19a2125c-4087-11df-8ae9-0017084b7179}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{19a2125c-4087-11df-8ae9-0017084b7179}\Shell\AutoRun\command - "" = H:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{25f202e6-1125-11dd-a47b-0019d21a5a5d}\Shell\AutoRun\command - "" = F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
O33 - MountPoints2\{25f202e6-1125-11dd-a47b-0019d21a5a5d}\Shell\open\command - "" = F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
O33 - MountPoints2\{3718250e-9713-11df-acac-0019d21a5a5d}\Shell - "" = AutoRun
O33 - MountPoints2\{3718250e-9713-11df-acac-0019d21a5a5d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{3718250e-9713-11df-acac-0019d21a5a5d}\Shell\AutoRun\command - "" = J:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{45c42734-04ac-11de-b001-0019d21a5a5d}\Shell\AutoRun\command - "" = F:\j60osk9.cmd
O33 - MountPoints2\{45c42734-04ac-11de-b001-0019d21a5a5d}\Shell\open\Command - "" = F:\j60osk9.cmd
O33 - MountPoints2\{6cb0a241-da9d-11dd-8403-0019d21a5a5d}\Shell\AutoRun\command - "" = F:\j60osk9.cmd
O33 - MountPoints2\{6cb0a241-da9d-11dd-8403-0019d21a5a5d}\Shell\open\Command - "" = F:\j60osk9.cmd
O33 - MountPoints2\{6f67d90b-13d3-11e0-8231-0017084b7179}\Shell - "" = AutoRun
O33 - MountPoints2\{6f67d90b-13d3-11e0-8231-0017084b7179}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6f67d90b-13d3-11e0-8231-0017084b7179}\Shell\AutoRun\command - "" = I:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{6f67d90c-13d3-11e0-8231-0017084b7179}\Shell - "" = AutoRun
O33 - MountPoints2\{6f67d90c-13d3-11e0-8231-0017084b7179}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6f67d90c-13d3-11e0-8231-0017084b7179}\Shell\AutoRun\command - "" = I:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{768f2255-e1a9-11df-b680-0019d21a5a5d}\Shell - "" = AutoRun
O33 - MountPoints2\{768f2255-e1a9-11df-b680-0019d21a5a5d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{768f2255-e1a9-11df-b680-0019d21a5a5d}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{89ae7d87-cc47-11df-b0e9-0019d21a5a5d}\Shell - "" = AutoRun
O33 - MountPoints2\{89ae7d87-cc47-11df-b0e9-0019d21a5a5d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{89ae7d87-cc47-11df-b0e9-0019d21a5a5d}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{9e9bd31d-dfba-11dd-9cf8-0019d21a5a5d}\Shell\AutoRun\command - "" = 80avp08.com
O33 - MountPoints2\{9e9bd31d-dfba-11dd-9cf8-0019d21a5a5d}\Shell\explore\Command - "" = 80avp08.com
O33 - MountPoints2\{9e9bd31d-dfba-11dd-9cf8-0019d21a5a5d}\Shell\open\Command - "" = 80avp08.com
O33 - MountPoints2\{9f83224b-048c-11e0-af30-0017084b7179}\Shell - "" = AutoRun
O33 - MountPoints2\{9f83224b-048c-11e0-af30-0017084b7179}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9f83224b-048c-11e0-af30-0017084b7179}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL KuIeHI.EXE
O33 - MountPoints2\{c5df72ee-e3bd-11dd-b1ad-0019d21a5a5d}\Shell\AutoRun\command - "" = F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\OgarD.exe
O33 - MountPoints2\{c5df72ee-e3bd-11dd-b1ad-0019d21a5a5d}\Shell\open\command - "" = F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\OgarD.exe
O33 - MountPoints2\{ca3a65e8-b259-11df-b870-0019d21a5a5d}\Shell - "" = AutoRun
O33 - MountPoints2\{ca3a65e8-b259-11df-b870-0019d21a5a5d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{ca3a65e8-b259-11df-b870-0019d21a5a5d}\Shell\AutoRun\command - "" = F:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{dd0da4fe-05a6-11de-ad77-0019d21a5a5d}\Shell\AutoRun\command - "" = j60osk9.cmd
O33 - MountPoints2\{dd0da4fe-05a6-11de-ad77-0019d21a5a5d}\Shell\open\Command - "" = j60osk9.cmd
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480


:Files
C:\j60osk9.cmd
C:\80avp08.com
E:\Autorun.inf
     
:Commands
[RESETHOSTS]
[purity]
[emptytemp]
[Reboot]

Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl + v) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered; OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.

Open OTL again and select either the Use SafeList or All option in the Extra Registry group then the Run Scan button. Post the two logs it produces in your next reply.


Malwarebytes' Anti-Malware
If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy.

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.



Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.

It must be saved to your desktop, do not run it

Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double-click on george to start the program.



* Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time.

Download

http://ad13.geekstogo.com/MBRCheck.exe

Save it and run it. It will produce a log MBRCheck(date).txt on your desktop. Copy and paste it into a reply.


Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Ron
  • 0
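Added example (not part of the original post, and not how OTL itself works): a small Python triage of the O33 MountPoints2 lines from the fix script above, extracting each cached drive's shell command and tagging it with a few heuristic flags. The flag names and rules are assumptions chosen for illustration, and a flag is a prompt to look closer, not a verdict.

```python
import re
from collections import defaultdict

# Sample input: O33 lines copied from the fix script in the post above.
SAMPLE = r'''
O33 - MountPoints2\{0477e248-1555-11de-8e81-0017084b7179}\Shell - "" = AutoRun
O33 - MountPoints2\{0477e248-1555-11de-8e81-0017084b7179}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{0477e248-1555-11de-8e81-0017084b7179}\Shell\AutoRun\command - "" = M:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{25f202e6-1125-11dd-a47b-0019d21a5a5d}\Shell\AutoRun\command - "" = F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
O33 - MountPoints2\{25f202e6-1125-11dd-a47b-0019d21a5a5d}\Shell\open\command - "" = F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
O33 - MountPoints2\{768f2255-e1a9-11df-b680-0019d21a5a5d}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O33 - MountPoints2\{9e9bd31d-dfba-11dd-9cf8-0019d21a5a5d}\Shell\AutoRun\command - "" = 80avp08.com
O33 - MountPoints2\{9e9bd31d-dfba-11dd-9cf8-0019d21a5a5d}\Shell\explore\Command - "" = 80avp08.com
O33 - MountPoints2\{9e9bd31d-dfba-11dd-9cf8-0019d21a5a5d}\Shell\open\Command - "" = 80avp08.com
O33 - MountPoints2\E\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
'''

# Only the "...\Shell\<verb>\command" lines carry something that executes.
CMD_LINE = re.compile(
    r'^O33 - MountPoints2\\(?P<mount>[^\\]+)\\Shell\\(?P<verb>[^\\]+)'
    r'\\command - "" = (?P<cmd>.+)$',
    re.IGNORECASE,
)
# A folder named after a user SID, as found under RECYCLER.
SID_DIR = re.compile(r'\\S-1-5-[0-9-]+\\', re.IGNORECASE)
# Command starts with a drive path, a UNC path or an environment variable.
HAS_PATH = re.compile(r'^"?(?:[A-Za-z]:\\|\\\\|%)')


def flags_for(verb, cmd):
    """Heuristic flags for one shell command (rules are illustrative assumptions)."""
    flags = []
    # 'open' and 'explore' replace what double-click / Explore does on the
    # drive, rather than only adding an AutoPlay entry.
    if verb.lower() in ("open", "explore"):
        flags.append("default-verb-hijack")
    # Executable stored inside a SID-named folder.
    if SID_DIR.search(cmd):
        flags.append("sid-named-folder")
    # rundll32 used as a launcher for some other file.
    if "shellexec_rundll" in cmd.lower():
        flags.append("rundll32-launcher")
    # Bare file name with no drive or directory.
    if not HAS_PATH.match(cmd):
        flags.append("no-path")
    return flags


def parse_commands(log_text):
    """Return (mount, verb, command) for every O33 command line."""
    found = []
    for line in log_text.splitlines():
        m = CMD_LINE.match(line.strip())
        if m:
            found.append((m["mount"], m["verb"], m["cmd"]))
    return found


def triage(log_text):
    """Map each mount point (GUID or drive letter) to its sorted, distinct flags."""
    result = defaultdict(set)
    for mount, verb, cmd in parse_commands(log_text):
        result[mount].update(flags_for(verb, cmd))
    return {mount: sorted(flags) for mount, flags in result.items()}


if __name__ == "__main__":
    for mount, flags in triage(SAMPLE).items():
        print(f"{mount:42} {', '.join(flags) or 'no flags'}")
```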

#3
clearly

    Member

  • Topic Starter
  • 18 posts
Hi Ron,

Thank you so much for your reply. I really appreciate the help.

Since my original post I thought it prudent to run full system scans using Avira and MalwareBytes. Five infected files and two infected registry entries were found on my external hard drives with MalwareBytes (log attached). Avira found one virus in a A0100450.exe file in a system restore point on the c: drive (TRTrash.Gen Trojan).

I have also run windowsupdate and am up to date and RootRepeal showed no infections.

Now, I have begun following your steps. When I try to download the executable for flash disinfector my Avira pops up several instances of "Contains recognition pattern of the APPL/NirCmd.2 application". Should I ignore this? I'm sure it'll warn me again when I try to run the file. I gather this is needed but I should be cautious with Avira's warning.

Thank you so much for your detailed help. I hope we can sort this out.

Morgan

Attached Files


  • 0

#4
RKinner

    Malware Expert

  • Expert
  • 24,623 posts
  • MVP
Both programs sometimes trigger alerts from a-v programs. If in doubt, submit them (and any program you don't fully trust) to http://virustotal.com and see what the consensus is from about 40 a-v companies.

Ron

PS DO NOT ATTACH LOGS! They're too hard to work with that way. Just open them, then copy and paste the text into the Reply.
  • 0

#5
clearly

    Member

  • Topic Starter
  • 18 posts
Hi Ron,

Thank you so much for your patient help with my system.

-----------------------------------------------------------------------------------------------------
1. I deleted the registry entry
-----------------------------------------------------------------------------------------------------

-----------------------------------------------------------------------------------------------------
2. I ran flash_disinfector
-----------------------------------------------------------------------------------------------------

-----------------------------------------------------------------------------------------------------
3. I installed AutoRun Eater and it's now resident in my system tray (note that I already had PowerToys for Windows > TweakUI installed and had all autoruns turned off)
-----------------------------------------------------------------------------------------------------

-----------------------------------------------------------------------------------------------------
4. I ran your OTL custom fix, log follows
While running this scan I received windows "no disk" popup errors, an example is attached
After completing all these steps I continue to receive these popup errors sporadically, I just received one on startup and while composing my reply
-----------------------------------------------------------------------------------------------------

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Secondary_Page_URL| /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge deleted successfully.
File E:\Autorun.inf not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0477e248-1555-11de-8e81-0017084b7179}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0477e248-1555-11de-8e81-0017084b7179}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0477e248-1555-11de-8e81-0017084b7179}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0477e248-1555-11de-8e81-0017084b7179}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0477e248-1555-11de-8e81-0017084b7179}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0477e248-1555-11de-8e81-0017084b7179}\ not found.
File M:\setup_vmc_lite.exe /checkApplicationPresence not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0477e24a-1555-11de-8e81-0017084b7179}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0477e24a-1555-11de-8e81-0017084b7179}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0477e24a-1555-11de-8e81-0017084b7179}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0477e24a-1555-11de-8e81-0017084b7179}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0477e24a-1555-11de-8e81-0017084b7179}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0477e24a-1555-11de-8e81-0017084b7179}\ not found.
File I:\setup_vmc_lite.exe /checkApplicationPresence not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1993596f-f41e-11df-9d5a-028037150300}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1993596f-f41e-11df-9d5a-028037150300}\ not found.
File F:\Get_Started_for_Win.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{19a2125b-4087-11df-8ae9-0017084b7179}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19a2125b-4087-11df-8ae9-0017084b7179}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{19a2125b-4087-11df-8ae9-0017084b7179}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19a2125b-4087-11df-8ae9-0017084b7179}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{19a2125b-4087-11df-8ae9-0017084b7179}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19a2125b-4087-11df-8ae9-0017084b7179}\ not found.
File M:\setup_vmc_lite.exe /checkApplicationPresence not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{19a2125c-4087-11df-8ae9-0017084b7179}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19a2125c-4087-11df-8ae9-0017084b7179}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{19a2125c-4087-11df-8ae9-0017084b7179}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19a2125c-4087-11df-8ae9-0017084b7179}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{19a2125c-4087-11df-8ae9-0017084b7179}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19a2125c-4087-11df-8ae9-0017084b7179}\ not found.
File H:\setup_vmc_lite.exe /checkApplicationPresence not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{25f202e6-1125-11dd-a47b-0019d21a5a5d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25f202e6-1125-11dd-a47b-0019d21a5a5d}\ not found.
File F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{25f202e6-1125-11dd-a47b-0019d21a5a5d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25f202e6-1125-11dd-a47b-0019d21a5a5d}\ not found.
File F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3718250e-9713-11df-acac-0019d21a5a5d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3718250e-9713-11df-acac-0019d21a5a5d}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3718250e-9713-11df-acac-0019d21a5a5d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3718250e-9713-11df-acac-0019d21a5a5d}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3718250e-9713-11df-acac-0019d21a5a5d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3718250e-9713-11df-acac-0019d21a5a5d}\ not found.
File J:\setup_vmc_lite.exe /checkApplicationPresence not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{45c42734-04ac-11de-b001-0019d21a5a5d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{45c42734-04ac-11de-b001-0019d21a5a5d}\ not found.
File F:\j60osk9.cmd not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{45c42734-04ac-11de-b001-0019d21a5a5d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{45c42734-04ac-11de-b001-0019d21a5a5d}\ not found.
File F:\j60osk9.cmd not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6cb0a241-da9d-11dd-8403-0019d21a5a5d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6cb0a241-da9d-11dd-8403-0019d21a5a5d}\ not found.
File F:\j60osk9.cmd not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6cb0a241-da9d-11dd-8403-0019d21a5a5d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6cb0a241-da9d-11dd-8403-0019d21a5a5d}\ not found.
File F:\j60osk9.cmd not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6f67d90b-13d3-11e0-8231-0017084b7179}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6f67d90b-13d3-11e0-8231-0017084b7179}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6f67d90b-13d3-11e0-8231-0017084b7179}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6f67d90b-13d3-11e0-8231-0017084b7179}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6f67d90b-13d3-11e0-8231-0017084b7179}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6f67d90b-13d3-11e0-8231-0017084b7179}\ not found.
File I:\setup_vmc_lite.exe /checkApplicationPresence not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6f67d90c-13d3-11e0-8231-0017084b7179}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6f67d90c-13d3-11e0-8231-0017084b7179}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6f67d90c-13d3-11e0-8231-0017084b7179}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6f67d90c-13d3-11e0-8231-0017084b7179}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6f67d90c-13d3-11e0-8231-0017084b7179}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6f67d90c-13d3-11e0-8231-0017084b7179}\ not found.
File I:\setup_vmc_lite.exe /checkApplicationPresence not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{768f2255-e1a9-11df-b680-0019d21a5a5d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{768f2255-e1a9-11df-b680-0019d21a5a5d}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{768f2255-e1a9-11df-b680-0019d21a5a5d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{768f2255-e1a9-11df-b680-0019d21a5a5d}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{768f2255-e1a9-11df-b680-0019d21a5a5d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{768f2255-e1a9-11df-b680-0019d21a5a5d}\ not found.
File F:\LaunchU3.exe -a not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{89ae7d87-cc47-11df-b0e9-0019d21a5a5d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{89ae7d87-cc47-11df-b0e9-0019d21a5a5d}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{89ae7d87-cc47-11df-b0e9-0019d21a5a5d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{89ae7d87-cc47-11df-b0e9-0019d21a5a5d}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{89ae7d87-cc47-11df-b0e9-0019d21a5a5d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{89ae7d87-cc47-11df-b0e9-0019d21a5a5d}\ not found.
File F:\LaunchU3.exe -a not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9e9bd31d-dfba-11dd-9cf8-0019d21a5a5d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9e9bd31d-dfba-11dd-9cf8-0019d21a5a5d}\ not found.
File 80avp08.com not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9e9bd31d-dfba-11dd-9cf8-0019d21a5a5d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9e9bd31d-dfba-11dd-9cf8-0019d21a5a5d}\ not found.
File 80avp08.com not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9e9bd31d-dfba-11dd-9cf8-0019d21a5a5d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9e9bd31d-dfba-11dd-9cf8-0019d21a5a5d}\ not found.
File 80avp08.com not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9f83224b-048c-11e0-af30-0017084b7179}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9f83224b-048c-11e0-af30-0017084b7179}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9f83224b-048c-11e0-af30-0017084b7179}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9f83224b-048c-11e0-af30-0017084b7179}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9f83224b-048c-11e0-af30-0017084b7179}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9f83224b-048c-11e0-af30-0017084b7179}\ not found.
File C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL KuIeHI.EXE not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c5df72ee-e3bd-11dd-b1ad-0019d21a5a5d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c5df72ee-e3bd-11dd-b1ad-0019d21a5a5d}\ not found.
File F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\OgarD.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c5df72ee-e3bd-11dd-b1ad-0019d21a5a5d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c5df72ee-e3bd-11dd-b1ad-0019d21a5a5d}\ not found.
File F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\OgarD.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ca3a65e8-b259-11df-b870-0019d21a5a5d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ca3a65e8-b259-11df-b870-0019d21a5a5d}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ca3a65e8-b259-11df-b870-0019d21a5a5d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ca3a65e8-b259-11df-b870-0019d21a5a5d}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ca3a65e8-b259-11df-b870-0019d21a5a5d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ca3a65e8-b259-11df-b870-0019d21a5a5d}\ not found.
File F:\setup_vmc_lite.exe /checkApplicationPresence not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dd0da4fe-05a6-11de-ad77-0019d21a5a5d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{dd0da4fe-05a6-11de-ad77-0019d21a5a5d}\ not found.
File j60osk9.cmd not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dd0da4fe-05a6-11de-ad77-0019d21a5a5d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{dd0da4fe-05a6-11de-ad77-0019d21a5a5d}\ not found.
File j60osk9.cmd not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\ not found.
File C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480 not found.
========== FILES ==========
File\Folder C:\j60osk9.cmd not found.
File\Folder C:\80avp08.com not found.
File\Folder E:\Autorun.inf not found.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temporary Internet Files folder emptied: 499276 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 47190 bytes

User: All Users

User: Default User
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temporary Internet Files folder emptied: 391682 bytes
->Flash cache emptied: 405 bytes

User: morgan

User: NetworkService
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
Session Manager Temp folder emptied: 218676 bytes
Session Manager Tmp folder emptied: 16384 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 28479830 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 1364101 bytes

Total Files Cleaned = 30.00 mb


OTL by OldTimer - Version 3.2.22.2 log created on 03062011_112312

Files\Folders moved on Reboot...
File\Folder c:\temp\Perflib_Perfdata_768.dat not found!

Registry entries deleted on Reboot...

-----------------------------------------------------------------------------------------------------
5. I ran OTL again selecting the All option under the Extra Registry Group and got the following two logs (first OTL log then Extras log):
-----------------------------------------------------------------------------------------------------

OTL logfile created on: 2011/03/06 11:31:33 AM - Run 3
OTL by OldTimer - Version 3.2.22.2 Folder = H:\software\security\malware guide\2011
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001C09 | Country: South Africa | Language: ENS | Date Format: yyyy/MM/dd

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 71.00% Memory free
9.00 Gb Paging File | 8.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 6144 6144 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 86.68 Gb Total Space | 13.15 Gb Free Space | 15.17% Space Free | Partition Type: NTFS
Drive E: | 6.47 Gb Total Space | 0.56 Gb Free Space | 8.70% Space Free | Partition Type: FAT32
Drive H: | 1863.01 Gb Total Space | 1097.89 Gb Free Space | 58.93% Space Free | Partition Type: NTFS
Drive I: | 1.87 Gb Total Space | 0.56 Gb Free Space | 30.11% Space Free | Partition Type: FAT
Drive K: | 931.51 Gb Total Space | 217.62 Gb Free Space | 23.36% Space Free | Partition Type: NTFS
Drive L: | 959.13 Mb Total Space | 897.81 Mb Free Space | 93.61% Space Free | Partition Type: FAT
Drive M: | 1863.01 Gb Total Space | 123.82 Gb Free Space | 6.65% Space Free | Partition Type: NTFS
Drive X: | 596.17 Gb Total Space | 166.06 Gb Free Space | 27.85% Space Free | Partition Type: NTFS

Computer Name: MORGAN | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - H:\software\security\malware guide\2011\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Opera\opera.exe (Opera Software)
PRC - C:\Program Files\Autorun Eater\billy.exe (Old McDonald's Farm)
PRC - C:\Program Files\Autorun Eater\oldmcdonald.exe (Old McDonald's Farm)
PRC - C:\Program Files\NetLimiter 2 Pro\NLClient.exe (Locktime Software)
PRC - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe (Locktime Software)
PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
PRC - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe (Vodafone)
PRC - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
PRC - C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\ESRI\License\arcgis9x\ARCGIS.exe ()
PRC - C:\Program Files\NetMeter\NetMeter.exe ()
PRC - C:\Program Files\Norton Ghost\Agent\VProTray.exe (Symantec Corporation)
PRC - C:\Program Files\Norton Ghost\Agent\VProSvc.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (Symantec Corporation)
PRC - C:\Program Files\SecCopy\SecCopy.exe (Centered Systems)
PRC - C:\Program Files\FolderSize\FolderSizeSvc.exe (Brio)
PRC - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe (SafeNet, Inc)
PRC - C:\WINDOWS\SMINST\Scheduler.exe ()
PRC - C:\Program Files\HPQ\Shared\HpqToaster.exe ()
PRC - C:\Program Files\HPQ\IAM\Bin\asghost.exe (Cognizance Corporation)
PRC - C:\WINDOWS\system32\Brmfrmps.exe (Brother Industries, Ltd.)
PRC - C:\Program Files\ESRI\License\arcgis9x\lmgrd.exe ()


========== Modules (SafeList) ==========

MOD - H:\software\security\malware guide\2011\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (nlsvc) -- C:\Program Files\NetLimiter 2 Pro\nlsvc.exe (Locktime Software)
SRV - (ServiceLayer) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Acresso Software Inc.)
SRV - (VMCService) -- C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe (Vodafone)
SRV - (W3SVC) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (SMTPSVC) Simple Mail Transfer Protocol (SMTP) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (IISADMIN) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE (Symantec Corporation)
SRV - (Automatic LiveUpdate Scheduler) -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (Symantec Corporation)
SRV - (Norton Ghost) -- C:\Program Files\Norton Ghost\Agent\VProSvc.exe (Symantec Corporation)
SRV - (Symantec Core LC) -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (Symantec Corporation)
SRV - (FolderSize) -- C:\Program Files\FolderSize\FolderSizeSvc.exe (Brio)
SRV - (SentinelProtectionServer) -- C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe (SafeNet, Inc)
SRV - (CCALib8) -- C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
SRV - (WmcCds) Windows Media Connect (WMC) -- c:\Program Files\Windows Media Connect\mswmccds.exe (Microsoft Corporation)
SRV - (WmcCdsLs) Windows Media Connect (WMC) -- C:\Program Files\Windows Media Connect\mswmcls.exe (Microsoft Corporation)
SRV - (brmfrmps) -- C:\WINDOWS\System32\Brmfrmps.exe (Brother Industries, Ltd.)
SRV - (ArcGIS License Manager) -- C:\Program Files\ESRI\License\arcgis9x\lmgrd.exe ()


========== Driver Services (SafeList) ==========

DRV - (nltdi) -- C:\WINDOWS\system32\drivers\nltdi.sys (Locktime Software)
DRV - (seehcri) -- C:\WINDOWS\system32\drivers\seehcri.sys (Sony Ericsson Mobile Communications)
DRV - (ggsemc) -- C:\WINDOWS\system32\drivers\ggsemc.sys (Sony Ericsson Mobile Communications)
DRV - (ggflt) -- C:\WINDOWS\system32\drivers\ggflt.sys (Sony Ericsson Mobile Communications)
DRV - (avgntflt) -- C:\WINDOWS\system32\drivers\avgntflt.sys (Avira GmbH)
DRV - (nmwcdnsu) -- C:\WINDOWS\system32\drivers\nmwcdnsu.sys (Nokia)
DRV - (UsbserFilt) -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys (Nokia)
DRV - (nmwcdc) -- C:\WINDOWS\system32\drivers\ccdcmbo.sys (Nokia)
DRV - (nmwcd) -- C:\WINDOWS\system32\drivers\ccdcmb.sys (Nokia)
DRV - (upperdev) -- C:\WINDOWS\system32\drivers\usbser_lowerflt.sys (Nokia)
DRV - (SASENUM) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgio) -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys (Avira GmbH)
DRV - (pccsmcfd) -- C:\WINDOWS\system32\drivers\pccsmcfd.sys (Nokia)
DRV - (RMCAST) -- C:\WINDOWS\system32\drivers\rmcast.sys (Microsoft Corporation)
DRV - (MQAC) -- C:\WINDOWS\system32\drivers\mqac.sys (Microsoft Corporation)
DRV - (hwdatacard) -- C:\WINDOWS\system32\drivers\ewusbmdm.sys (Huawei Technologies Co., Ltd.)
DRV - (s116unic) Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (WDM) -- C:\WINDOWS\system32\drivers\s116unic.sys (MCCI Corporation)
DRV - (s116obex) -- C:\WINDOWS\system32\drivers\s116obex.sys (MCCI Corporation)
DRV - (s116nd5) Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (NDIS) -- C:\WINDOWS\system32\drivers\s116nd5.sys (MCCI Corporation)
DRV - (s116mgmt) Sony Ericsson Device 116 USB WMC Device Management Drivers (WDM) -- C:\WINDOWS\system32\drivers\s116mgmt.sys (MCCI Corporation)
DRV - (s116mdm) -- C:\WINDOWS\system32\drivers\s116mdm.sys (MCCI Corporation)
DRV - (s116mdfl) -- C:\WINDOWS\system32\drivers\s116mdfl.sys (MCCI Corporation)
DRV - (s116bus) Sony Ericsson Device 116 driver (WDM) -- C:\WINDOWS\system32\drivers\s116bus.sys (MCCI Corporation)
DRV - (WimFltr) -- C:\WINDOWS\system32\drivers\WimFltr.sys (Microsoft Corporation)
DRV - (symsnap) -- C:\WINDOWS\system32\DRIVERS\symsnap.sys (StorageCraft)
DRV - (v2imount) -- C:\WINDOWS\system32\drivers\v2imount.sys (Symantec Corporation)
DRV - (VPROEVENTMONITOR) -- C:\WINDOWS\system32\drivers\vproeventmonitor.sys (Symantec Corporation)
DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys ()
DRV - (k750mdm) -- C:\WINDOWS\system32\drivers\k750mdm.sys (MCCI)
DRV - (k750mdfl) -- C:\WINDOWS\system32\drivers\k750mdfl.sys (MCCI)
DRV - (k750bus) Sony Ericsson 750 driver (WDM) -- C:\WINDOWS\system32\drivers\k750bus.sys (MCCI)
DRV - (symlcbrd) -- C:\WINDOWS\system32\drivers\symlcbrd.sys (Symantec Corporation)
DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems)
DRV - (Sentinel) -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS (SafeNet, Inc.)
DRV - (btaudio) -- C:\WINDOWS\system32\drivers\btaudio.sys (Broadcom Corporation.)
DRV - (BTKRNL) -- C:\WINDOWS\system32\drivers\btkrnl.sys (Broadcom Corporation.)
DRV - (BTDriver) -- C:\WINDOWS\system32\drivers\btport.sys (Broadcom Corporation.)
DRV - (BTWUSB) -- C:\WINDOWS\system32\drivers\btwusb.sys (Broadcom Corporation.)
DRV - (BTWDNDIS) -- C:\WINDOWS\system32\drivers\btwdndis.sys (Broadcom Corporation.)
DRV - (bcm4sbxp) -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys (Broadcom Corporation)
DRV - (w39n51) Intel® -- C:\WINDOWS\system32\drivers\w39n51.sys (Intel® Corporation)
DRV - (eabusb) -- C:\WINDOWS\system32\drivers\EabUsb.sys (Hewlett-Packard Development Company, L.P.)
DRV - (HBtnKey) -- C:\WINDOWS\system32\drivers\CPQBttn.sys (Hewlett-Packard Development Company, L.P.)
DRV - (eabfiltr) -- C:\WINDOWS\system32\drivers\eabfiltr.sys (Hewlett-Packard Development Company, L.P.)
DRV - (k750obex) -- C:\WINDOWS\system32\drivers\k750obex.sys (MCCI)
DRV - (k750mgmt) -- C:\WINDOWS\system32\drivers\k750mgmt.sys (MCCI)
DRV - (st3tiger) -- C:\WINDOWS\system32\drivers\st3tiger.sys ( )
DRV - (st3tgbus) -- C:\WINDOWS\system32\drivers\st3tgbus.sys ( )
DRV - (SMCIRDA) -- C:\WINDOWS\system32\drivers\smcirda.sys (SMC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://www.discover...ndividual/login
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" =



O1 HOSTS File: ([2011/03/06 11:23:42 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (IE to GetRight Helper) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll (Headlight Software, Inc.)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O2 - BHO: (HP Credential Manager for ProtectTools) - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll (Infineon Technologies AG)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKCU\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O4 - HKLM..\Run: [Autorun Eater] C:\Program Files\Autorun Eater\oldmcdonald.exe (Old McDonald's Farm)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [CognizanceTS] C:\Program Files\HPQ\IAM\Bin\AsTsVcc.dll (Cognizance Corporation)
O4 - HKLM..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [MsmqIntCert] C:\WINDOWS\System32\mqrt.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Norton Ghost 12.0] C:\Program Files\Norton Ghost\Agent\VProTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Reminder] C:\WINDOWS\CREATOR\Remind_XP.exe ()
O4 - HKLM..\Run: [Resume copy] C:\WINDOWS\copyfstq.exe ()
O4 - HKLM..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe ()
O4 - HKLM..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe (Brother Industories, Ltd.)
O4 - HKCU..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe ()
O4 - HKCU..\Run: [Second Copy] C:\Program Files\SecCopy\SecCopy.exe (Centered Systems)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRDownload.htm ()
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRBrowse.htm ()
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O16 - DPF: {00000161-9980-0010-8000-00AA00389B71} http://download.micr...66614/msaud.CAB (Reg Error: Key error.)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.micr...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://download.micr...D0C/wmv9dmo.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: System - (ziswin.exe) - File not found
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\OneCard: DllName - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll (Cognizance Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/03/06 11:05:01 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2001/07/27 23:07:00 | 000,000,000 | -HS- | M] () - E:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2011/03/06 11:05:02 | 000,000,000 | RHSD | M] - H:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2011/03/06 11:05:04 | 000,000,000 | RHSD | M] - I:\autorun.inf -- [ FAT ]
O32 - AutoRun File - [2011/03/06 11:05:03 | 000,000,000 | RHSD | M] - K:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2011/03/06 11:05:42 | 000,000,000 | RHSD | M] - L:\autorun.inf -- [ FAT ]
O32 - AutoRun File - [2011/03/06 11:05:03 | 000,000,000 | RHSD | M] - M:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2011/03/06 11:05:03 | 000,000,000 | RHSD | M] - X:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/06 11:27:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\fixes logs
[2011/03/06 11:18:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Autorun Eater
[2011/03/06 11:17:56 | 000,000,000 | ---D | C] -- C:\Program Files\Autorun Eater
[2011/03/06 11:17:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Autorun Eater
[2011/03/06 11:17:20 | 001,396,513 | ---- | C] (Old McDonald's Farm) -- C:\Documents and Settings\Administrator\Desktop\aesetup2.5.exe
[2011/03/06 11:05:01 | 000,000,000 | RHSD | C] -- C:\autorun.inf
[2011/03/05 16:52:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\mel
[2011/03/05 11:27:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/03/04 14:05:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Foxit Reader
[2011/03/04 07:44:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Media Player Classic
[2011/03/04 00:24:27 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2011/02/28 18:25:18 | 000,000,000 | ---D | C] -- C:\Program Files\Extreme URL Generator
[2011/02/10 18:00:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Roxio
[2011/02/10 16:58:51 | 000,033,592 | ---- | C] (Roxio) -- C:\WINDOWS\System32\drivers\DLADHK_M.SYS
[2011/02/10 15:11:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DLA
[2011/02/10 15:11:24 | 000,000,000 | ---D | C] -- C:\swtools
[2011/02/08 00:51:38 | 000,000,000 | ---D | C] -- C:\Program Files\APDFR
[2011/02/08 00:51:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Advanced PDF Repair
[2011/02/08 00:37:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinDjView
[2011/02/06 19:15:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\WinRAR
[2011/01/28 11:39:37 | 000,121,344 | ---- | C] ( ) -- C:\WINDOWS\System32\lagarith.dll
[2008/05/18 11:08:57 | 000,018,944 | ---- | C] ( ) -- C:\WINDOWS\System32\IMPLODE.DLL
[2003/03/12 19:38:24 | 000,099,168 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\st3tiger.sys
[2003/03/12 19:37:56 | 000,008,640 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\st3tgbus.sys

========== Files - Modified Within 30 Days ==========

[2011/03/06 11:33:03 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/03/06 11:30:44 | 000,000,573 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to 2011.lnk
[2011/03/06 11:27:11 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2011/03/06 11:27:05 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/06 11:25:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/06 11:25:25 | 3212,234,752 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/06 11:24:18 | 000,004,096 | -HS- | M] () -- C:\VSNAP.IDX
[2011/03/06 11:23:42 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/03/06 10:59:38 | 3370,468,352 | ---- | M] () -- C:\morgan_personal2008.pst
[2011/03/06 10:51:16 | 000,132,597 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Flash_Disinfector.exe
[2011/03/05 22:28:55 | 002,160,528 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/03/05 22:19:03 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/05 22:02:03 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/05 21:46:31 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/03/05 18:07:20 | 000,001,417 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\UCT STUDY DOX.lnk
[2011/03/05 15:21:37 | 000,001,295 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to IN_KEG.lnk
[2011/03/05 12:35:01 | 000,000,381 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to IN_KEG.lnk
[2011/03/05 12:34:13 | 000,000,415 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to blog.lnk
[2011/03/05 11:30:03 | 001,440,054 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\virus2.bmp
[2011/03/05 09:31:16 | 005,644,854 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\infections.bmp
[2011/03/04 23:05:24 | 000,000,573 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to 2009.lnk
[2011/03/04 14:58:36 | 000,002,018 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to Pimm (2008) Fame - or how i did it!.pdf.lnk
[2011/03/04 14:58:26 | 000,002,041 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to Yes!, 50 Scientifically Proven Ways to Be Persuasive (7Summits).pdf.lnk
[2011/03/04 14:05:18 | 000,000,911 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Foxit Reader.lnk
[2011/03/04 10:00:49 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2011/02/20 08:57:20 | 000,001,206 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to Google Earth Plus 6.0.1.2032 Portable.exe.lnk
[2011/02/15 23:02:19 | 000,000,513 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\UCT STUDY DOCUMENTS.lnk
[2011/02/13 13:41:06 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2011/02/12 09:19:37 | 000,001,520 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Opera 11.01 1190.lnk
[2011/02/10 16:58:51 | 000,000,313 | ---- | M] () -- C:\WINDOWS\wininit.ini

========== Files Created - No Company Name ==========

[2011/03/06 11:30:44 | 000,000,573 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to 2011.lnk
[2011/03/06 10:51:05 | 000,132,597 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Flash_Disinfector.exe
[2011/03/05 22:16:16 | 000,001,355 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2011/03/05 15:00:33 | 000,001,295 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to IN_KEG.lnk
[2011/03/05 12:35:01 | 000,000,381 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to IN_KEG.lnk
[2011/03/05 12:34:13 | 000,000,415 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to blog.lnk
[2011/03/05 11:30:03 | 001,440,054 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\virus2.bmp
[2011/03/05 09:31:15 | 005,644,854 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\infections.bmp
[2011/03/04 23:05:24 | 000,000,573 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to 2009.lnk
[2011/03/04 13:06:10 | 000,002,018 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to Pimm (2008) Fame - or how i did it!.pdf.lnk
[2011/02/20 08:57:20 | 000,001,206 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to Google Earth Plus 6.0.1.2032 Portable.exe.lnk
[2011/02/13 13:41:06 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2011/02/13 13:41:05 | 000,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2011/02/12 09:19:37 | 000,001,520 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Opera 11.01 1190.lnk
[2011/02/12 09:19:37 | 000,001,508 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Opera 11.01 1190.lnk
[2011/02/10 17:04:30 | 3212,234,752 | -HS- | C] () -- C:\hiberfil.sys
[2011/01/28 11:39:39 | 000,165,376 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2011/01/28 11:39:39 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2011/01/28 11:39:37 | 002,582,016 | ---- | C] () -- C:\WINDOWS\System32\x264vfw.dll
[2011/01/28 11:39:36 | 000,810,496 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2011/01/28 11:39:36 | 000,183,808 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2011/01/28 11:39:36 | 000,080,896 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2010/05/03 22:56:11 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Versabook.INI
[2010/05/03 11:34:14 | 000,027,136 | ---- | C] () -- C:\WINDOWS\System32\VbMCHook.dll
[2010/04/23 19:23:00 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/12/03 21:37:02 | 000,000,062 | ---- | C] () -- C:\WINDOWS\dcmvwr.INI
[2009/12/03 10:17:50 | 000,000,000 | ---- | C] () -- C:\WINDOWS\pcvcdvw.INI
[2009/12/03 10:13:47 | 000,000,062 | ---- | C] () -- C:\WINDOWS\PCVCDBR.INI
[2009/04/20 19:09:20 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2009/04/04 18:28:21 | 000,000,065 | ---- | C] () -- C:\WINDOWS\minitab.ini
[2008/08/24 17:08:19 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\EONSYS.DLL
[2008/06/23 13:02:02 | 000,097,410 | R--- | C] () -- C:\Documents and Settings\All Users\Application Data\DeviceManager.xml.rc4
[2008/05/23 17:48:50 | 000,020,270 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DeviceInstaller.xml
[2008/04/12 21:15:10 | 000,000,130 | ---- | C] () -- C:\WINDOWS\EurekaLog.ini
[2008/02/03 22:12:09 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2007/11/19 13:58:33 | 000,002,634 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\WWB7_32.DAT
[2007/09/23 23:24:42 | 000,003,453 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
[2007/08/06 17:27:37 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll
[2007/08/01 16:19:50 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\setupw2k.dll
[2007/08/01 16:19:48 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\nwslog32.dll
[2007/06/02 17:09:57 | 000,094,636 | ---- | C] () -- C:\WINDOWS\dropcpyr.dll
[2007/06/02 17:09:57 | 000,073,728 | ---- | C] () -- C:\WINDOWS\copyfstq.exe
[2007/04/27 19:58:44 | 000,038,467 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Comma Separated Values (Windows).ADR
[2007/04/27 14:08:06 | 000,000,401 | ---- | C] () -- C:\WINDOWS\Mail2Contact.ini
[2007/04/27 13:54:57 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A4W.INI
[2007/02/13 23:24:02 | 000,000,089 | ---- | C] () -- C:\WINDOWS\pdsccc.ini
[2007/02/11 22:05:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Brownie.ini
[2007/02/11 22:02:56 | 000,000,051 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2007/02/11 21:50:43 | 000,000,030 | ---- | C] () -- C:\WINDOWS\System32\brss01a.ini
[2007/02/11 21:49:14 | 000,000,462 | ---- | C] () -- C:\WINDOWS\brwmark.ini
[2007/02/11 21:49:14 | 000,000,234 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2007/02/11 21:49:14 | 000,000,092 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2007/02/11 21:49:14 | 000,000,079 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2007/02/11 21:49:14 | 000,000,050 | ---- | C] () -- C:\WINDOWS\System32\BRIDF04A.dat
[2007/02/11 21:48:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\brdfxspd.dat
[2007/02/11 21:46:31 | 000,027,019 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2007/02/01 22:42:02 | 000,036,939 | ---- | C] () -- C:\WINDOWS\System32\insrepim.exe
[2007/02/01 22:36:50 | 000,000,185 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2007/02/01 22:25:27 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2007/02/01 22:22:18 | 000,000,856 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/01/31 12:32:03 | 000,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2007/01/31 12:32:03 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2007/01/31 12:31:38 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2007/01/31 12:31:38 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2007/01/31 12:31:38 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2007/01/29 19:10:49 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2007/01/29 19:10:49 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2007/01/29 19:10:49 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2007/01/29 19:10:49 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2007/01/29 19:10:49 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2007/01/29 19:10:48 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2007/01/29 18:35:50 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/01/29 13:43:12 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\fusioncache.dat
[2007/01/29 13:38:33 | 000,128,512 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/11/17 11:34:40 | 000,091,520 | ---- | C] () -- C:\WINDOWS\HPBroker.dll
[2006/08/18 11:03:42 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2006/08/18 10:53:43 | 000,000,313 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/08/18 10:52:20 | 000,028,510 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/02/15 16:04:52 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2005/08/26 14:28:34 | 000,143,360 | ---- | C] () -- C:\WINDOWS\unzip.exe
[2005/08/26 14:27:58 | 000,045,056 | ---- | C] () -- C:\WINDOWS\devenum.exe
[2004/08/07 15:19:26 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/07 15:19:16 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/07 15:14:52 | 000,522,284 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/07 15:14:52 | 000,099,958 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/07 15:12:40 | 000,000,890 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/07 15:07:40 | 002,160,528 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/07 15:02:46 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/07 14:59:58 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/04 10:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 10:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 10:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 10:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 10:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 10:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 10:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 10:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/06/01 11:39:56 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
[2004/03/16 14:09:12 | 000,454,761 | ---- | C] () -- C:\WINDOWS\System32\boost_regex-vc6-mt-1_31.dll
[2004/03/16 14:08:26 | 000,467,052 | ---- | C] () -- C:\WINDOWS\System32\boost_regex-vc6-mt-gd-1_31.dll
[2003/03/27 20:03:04 | 000,003,955 | ---- | C] () -- C:\WINDOWS\maxus.ini
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/05/28 10:55:42 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/05/28 10:54:40 | 000,004,605 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2002/04/17 14:21:44 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\XMLPARSE.DLL
[2002/03/19 17:30:00 | 000,141,824 | ---- | C] () -- C:\WINDOWS\System32\msvdm.dll
[2002/03/04 10:16:34 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll
[2001/11/14 12:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll
[1999/08/07 01:05:16 | 000,212,480 | ---- | C] () -- C:\WINDOWS\System32\DBPORT6.DLL
[1998/12/14 19:00:00 | 000,021,986 | ---- | C] () -- C:\WINDOWS\crwd32.ini
[1998/12/06 16:56:04 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\verinst.exe
[1998/06/10 00:00:00 | 000,015,120 | ---- | C] () -- C:\WINDOWS\System32\REPUTIL.DLL
[1998/05/18 00:00:00 | 000,014,017 | ---- | C] () -- C:\WINDOWS\JAUTOEXP.INI
[1998/05/07 04:10:00 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\ODMA32.dll
[1998/04/24 00:00:00 | 000,000,218 | ---- | C] () -- C:\WINDOWS\FRONTPG.INI
[1997/06/25 15:24:16 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\RegObj.dll
[1996/06/07 21:07:14 | 000,043,008 | ---- | C] () -- C:\WINDOWS\System32\ltfil60n.dll
[1996/06/07 21:07:14 | 000,019,456 | ---- | C] () -- C:\WINDOWS\System32\lfwpg60n.dll
[1996/06/07 21:07:12 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\lftif60n.dll
[1996/06/07 21:07:12 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\lftga60n.dll
[1996/06/07 21:07:12 | 000,019,456 | ---- | C] () -- C:\WINDOWS\System32\lfwmf60n.dll
[1996/06/07 21:07:10 | 000,110,080 | ---- | C] () -- C:\WINDOWS\System32\lfpng60n.dll
[1996/06/07 21:07:10 | 000,023,552 | ---- | C] () -- C:\WINDOWS\System32\lfpcx60n.dll
[1996/06/07 21:07:10 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\lfpsd60n.dll
[1996/06/07 21:07:08 | 000,022,528 | ---- | C] () -- C:\WINDOWS\System32\lfpct60n.dll
[1996/06/07 21:07:08 | 000,018,432 | ---- | C] () -- C:\WINDOWS\System32\lfmsp60n.dll
[1996/06/07 21:07:08 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\lfmac60n.dll
[1996/06/07 21:07:06 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\lffax60n.dll
[1996/06/07 21:07:04 | 000,141,824 | ---- | C] () -- C:\WINDOWS\System32\lfcmp60n.dll
[1996/06/07 21:07:04 | 000,022,528 | ---- | C] () -- C:\WINDOWS\System32\lfeps60n.dll
[1996/06/07 21:07:04 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\lfbmp60n.dll

< End of report >

OTL Extras logfile created on: 2011/03/06 11:31:33 AM - Run 3
OTL by OldTimer - Version 3.2.22.2 Folder = H:\software\security\malware guide\2011
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001C09 | Country: South Africa | Language: ENS | Date Format: yyyy/MM/dd

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 71.00% Memory free
9.00 Gb Paging File | 8.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 6144 6144 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 86.68 Gb Total Space | 13.15 Gb Free Space | 15.17% Space Free | Partition Type: NTFS
Drive E: | 6.47 Gb Total Space | 0.56 Gb Free Space | 8.70% Space Free | Partition Type: FAT32
Drive H: | 1863.01 Gb Total Space | 1097.89 Gb Free Space | 58.93% Space Free | Partition Type: NTFS
Drive I: | 1.87 Gb Total Space | 0.56 Gb Free Space | 30.11% Space Free | Partition Type: FAT
Drive K: | 931.51 Gb Total Space | 217.62 Gb Free Space | 23.36% Space Free | Partition Type: NTFS
Drive L: | 959.13 Mb Total Space | 897.81 Mb Free Space | 93.61% Space Free | Partition Type: FAT
Drive M: | 1863.01 Gb Total Space | 123.82 Gb Free Space | 6.65% Space Free | Partition Type: NTFS
Drive X: | 596.17 Gb Total Space | 166.06 Gb Free Space | 27.85% Space Free | Partition Type: NTFS

Computer Name: MORGAN | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (All) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\WINDOWS\System32\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\WINDOWS\System32\mshta.exe (Microsoft Corporation)
.html [@ = Opera.HTML] -- C:\Program Files\Opera\Opera.exe (Opera Software)
.inf [@ = inffile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- C:\WINDOWS\System32\rundll32.exe (Microsoft Corporation)
.js [@ = JSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.reg [@ = regfile] -- C:\WINDOWS\regedit.exe (Microsoft Corporation)
.txt [@ = txtfile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = Opera.HTML] -- C:\Program Files\Opera\Opera.exe (Opera Software)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- winhlp32.exe %1 (Microsoft Corporation)
hlpfile [open] -- %SystemRoot%\System32\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
http [open] -- "C:\Program Files\Opera\Opera.exe" "%1" (Opera Software)
https [open] -- "C:\Program Files\Opera\Opera.exe" "%1" (Opera Software)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wshfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [ACDBrowse] -- C:\Program Files\ACDSee32\ACDSee32.exe "%1" (ACD Systems, Ltd.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"ManageSecuritySettings" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"5353:TCP" = 5353:TCP:*:Enabled:Adobe CSI CS4
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management
"80:TCP" = 80:TCP:*:Disabled:Windows Remote Management - Compatibility Mode (HTTP-In)
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\SMINST\Scheduler.exe" = C:\WINDOWS\SMINST\Scheduler.exe:*:Enabled:Scheduler -- ()
"C:\Program Files\Azureus\Azureus.exe" = C:\Program Files\Azureus\Azureus.exe:*:Disabled:Azureus -- (Aelitis)
"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" = C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4 -- (Adobe Systems Incorporated)
"C:\Program Files\ApexDC++\ApexDC.exe" = C:\Program Files\ApexDC++\ApexDC.exe:*:Enabled:ApexDC++
"C:\Program Files\Opera\opera.exe" = C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
"C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe" = C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe:*:Disabled:Sentinel Protection Server -- (SafeNet, Inc)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{015C5B35-B678-451C-9AEE-821E8D69621C}_is1" = PeerBlock 1.1 (r518)
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}" = Symantec KB-DocID:2003093015493306
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{098A2A49-7CF3-4F08-A38D-FB879117152A}" = Adobe Color NA Extra Settings CS4
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0DC0E85F-36E4-463B-B3EA-4CD8ED2222A1}" = Adobe Color EU Recommended Settings CS4
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{13d868cf-47e9-4b3d-9366-a0c60f82e5aa}" = Striata Reader
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E16F01-2E2D-4248-A42F-76261C147B6C}" = Adobe Drive CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{171E6C1E-B5FC-11DF-B115-005056C00008}" = Google Earth Plug-in
"{1CC99A0B-3B83-4169-BB32-524669A32BB3}" = Minitab 15 English
"{1F34839E-4826-4B64-B1B3-42E5AE8DEC5A}" = ArcGIS Desktop
"{22C28506-B1E0-4050-B0B7-B97AEB061381}" = HP User Guides 0029
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{2624B969-7135-4EB1-B0F6-2D8C397B45F7}_is1" = Media Player Classic - Home Cinema v. 1.3.1249.0
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java™ 6 Update 23
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.00 D2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3AFDB27A-CE54-4C98-89A4-AB26FE9A0419}" = PRIMER 6
"{3D5E5C0A-5B36-4F98-99A7-287F7DBDCE03}" = Skype Plugin Manager
"{3D5FA2BC-BD08-41E2-BB8D-ED784ABDE4DF}" = TrendnTrade
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{3F4EC965-28EF-45C3-B063-04B25D4E9679}" = HP Integrated Module with Bluetooth wireless technology
"{3F55B0C9-D552-4D02-BBCF-76E2EE60C686}" = EndNote 8.0.2
"{3F9F7336-6DF8-476F-ABF6-C70A17FAF619}" = HP Backup and Recovery Manager Installer
"{4025244F-7F7C-4AB8-BF9A-F4A017AE6674}" = InkSaver
"{40A6C96D-808E-41DD-8716-617AB6B0F1F1}" = Brother MFL-Pro Suite
"{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}" = HP Wireless Assistant 2.00 E1
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50E5B93D-73C5-43C1-BFD4-D1E1EA27D480}_is1" = FlexibleSoft Dialer XP Pro
"{519C4DB6-B53B-4F5C-8297-89B2BE949FA5}_is1" = Data Lifeguard Diagnostic for Windows 1.21
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5D97A4A7-C274-4B63-86D9-07A33435F505}" = InterVideo DVD Check
"{61d789d8-14f5-1852-4d98-00cfaa3e593f}" = STATISTICA 9.0.231.14
"{67B9AF41-C0B9-4960-84D9-A61D23DE85D8}" = Garmin Trip and Waypoint Manager v4
"{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{69DAC00A-7665-4E9B-B441-093D40736429}" = HP BatteryCheck 2.10 A2
"{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}" = MSVC80_x86_v2
"{6DC0632A-A838-4B34-AC19-0FA18E1C533C}" = Sentinel Protection Installer 7.2.2
"{6E0352EE-6F0D-4FBC-B1B8-4FF032C78BE0}" = PC Connectivity Solution
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{831F0023-5785-4A30-96F1-0D9AF3BC267F}" = PDSNET Data Centre
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{87532CAB-7932-4F84-8937-823337622807}" = Adobe Illustrator CS4
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C58945F-C9CA-42E8-B144-29A51326B469}" = CUE Splitter
"{8C6027FD-53DC-446D-BB75-CACD7028A134}" = HP Update
"{8CE08C3C-8FF4-45D9-925E-4F3CE2D7FA7D}" = Adobe Setup
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{914E1AB1-DCA0-4A7D-935F-B58C4B887A2B}" = HP ProtectTools Security Manager 2.00 C3
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{98613C99-1399-416C-A07C-1EE1C585D872}" = SeaTools for Windows
"{991B1E79-12B6-40C3-A081-1FC47C6F2F37}" = Bulk Rename Utility 2, 7, 0, 3
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9F7AF7CD-E3D0-4C68-A3BA-C76C359B3AA8}" = LightScribe 1.4.105.1
"{A17EABB6-D0C6-44E5-820C-72DC7F495064}" = PaperPort
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A7AD8CEF-72D7-4FE4-8A14-DDD09DC86074}" = HP Notebook Accessories Product Tour
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
"{A97F2F52-B154-4027-B364-C6AEADCC3315}" = Share Friend Executive
"{AC76BA86-1033-0000-7760-000000000001}" = Adobe Acrobat 6.0 Professional
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{AE052EF7-2640-48D7-8915-69B810D975CB}" = HP BIOS Configuration for ProtectTools 2.00 C3
"{B0255743-165B-4BD5-8DA8-37DFB9930012}" = Norton Ghost
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B74D4E10-1033-0000-0000-000000000001}" = Adobe Bridge 1.0
"{B9F4C05D-E42F-4E9A-A73F-FDD9355319FB}" = HP Credential Manager for ProtectTools
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C50EF365-2898-489A-B6C7-30DAA466E9A2}" = Nokia Connectivity Cable Driver
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{C656142F-EFE1-44CD-BFAD-6CBC6DCB9860}" = Vodafone Mobile Connect Lite
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D20E421C-81E7-4921-9CC4-AD802AE3833A}" = SOUTHERN AFRICA STREETMAPS, TOPO & REC V1.5
"{D984A737-6615-4C2C-8A0D-B7A56B06C3A0}" = inSSIDer 2.0
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{E0DBC47C-ED3F-4A1B-A929-9A26DAAA14B3}" = Application Installer 4.00.B5
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"{E9EEE4CB-CB2B-4273-9AF5-7E12022B444B}" = Opera 9.23
"{F02DBC5D-33E3-45E9-B0F8-B7745229ED1C}" = NICI (Shared) U.S./Worldwide (128 bit) (2.7.0-2)
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F14B8ECC-BDA0-4987-9201-D7B7DBE11033}" = Nero 7 Ultra Edition
"{F251B999-08A9-4704-999C-9962F0DFD88E}" = Virtual Desktop Manager Powertoy for Windows XP
"{F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B}" = Windows Media Connect
"{F7E1CA14-B39D-452A-960B-39423DDDD933}" = DriveImage XML (Private Edition)
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FC66E05E-8D39-47A6-8D07-759F33727EB0}" = Opera 10.00
"{FC8D21C8-7B29-4104-ADB0-FEE9CA1C7922}" = Folder Size for Windows
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
"7-Zip" = 7-Zip 4.65
"ACDSee Classic" = ACDSee Classic
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Adobe_2a31ae7a5c43ff52d8577782dd34e04" = Adobe Illustrator CS4
"Advanced PDF Repair v2.0" = Advanced PDF Repair v2.0
"Agere Systems Soft Modem" = Agere Systems HDA Modem
"ArcGIS License Manager" = ArcGIS License Manager
"Autorun Eater_is1" = Autorun Eater v2.5
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"Avira UnErase Personal" = Avira UnErase Personal
"Azureus" = Azureus
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
"CCleaner" = CCleaner
"CDisplay_is1" = CDisplay 1.8
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"CrystalReports7" = Seagate Crystal Reports for ESRI
"CSCLIB" = Canon Camera Support Core Library
"Defraggler" = Defraggler
"DISKdata" = DISKdata
"DPP" = Canon Utilities Digital Photo Professional 2.2
"DVD Flick_is1" = DVD Flick 1.3.0.7
"DVD Identifier_is1" = DVD Identifier
"DVD Shrink_is1" = DVD Shrink 3.2
"EOS Utility" = Canon Utilities EOS Utility
"ERUNT_is1" = ERUNT 1.1j
"foo_audioscrobbler" = Audioscrobbler for foobar2000 (remove only)
"foobar2000" = foobar2000 v0.9.6.3
"Foxit Reader" = Foxit Reader
"GetRight_is1" = GetRight
"Google Earth Pro 4.2" = Google Earth Pro 4.2
"HDMI" = Intel® Graphics Media Accelerator Driver
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{4025244F-7F7C-4AB8-BF9A-F4A017AE6674}" = InkSaver
"ISI ResearchSoft - Export Helper" = ISI ResearchSoft - Export Helper
"JDownloader" = JDownloader
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 6.8.0
"LastFM_is1" = Last.fm 1.5.4.27091
"LiveUpdate" = LiveUpdate 3.2 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mendeley Desktop" = Mendeley Desktop 0.9.6.3
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft SQL Server 2000" = Microsoft SQL Server 2000
"Microsoft SQL Server 2000 (MORGAN)" = Microsoft SQL Server 2000 (MORGAN)
"Mince" = Mince
"mIRC" = mIRC
"MPE" = MyPhoneExplorer
"MusicBrainz Picard" = MusicBrainz Picard 0.10
"NetLimiter 2 Pro" = NetLimiter 2 Pro (remove only)
"NetMeter_is1" = NetMeter 1.1.3
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Ocean Data View (mp)" = Ocean Data View (mp)
"Ocean Data View 4" = Ocean Data View 4
"Opera 11.01.1190" = Opera 11.01
"PanoramaStudio" = PanoramaStudio 1.5 (uninstall)
"PeerGuardian_is1" = PeerGuardian 2.0
"PhotoStitch" = Canon Utilities PhotoStitch
"Public Mail2Contact_is1" = Public Mail2Contact
"Python 2.4.1" = Python 2.4.1
"QuicktimeAlt_is1" = QuickTime Alternative 1.77
"R for Windows 2.10.1_is1" = R for Windows 2.10.1
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RealAlt_is1" = Real Alternative 1.51 Lite
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"Second Copy (7.0)" = Second Copy (7.0)
"Skype_is1" = Skype 3.1
"Speccy" = Speccy
"SpeechAPI" = Microsoft Speech API 3.0
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"The New Oxford Dictionary of English" = The New Oxford Dictionary of English
"TreeSize Free_is1" = TreeSize Free V2.3.3
"Tweak UI 2.10" = Tweak UI
"Unlocker" = Unlocker 1.9.0
"Visual Studio 6.0 Enterprise Edition" = Microsoft Visual Studio 6.0 Enterprise Edition
"VLC media player" = VideoLAN VLC media player 0.8.6b
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"WinDjView" = WinDjView 1.0.3
"Windows Media Connect" = Windows Media Connect
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinFF_is1" = WinFF 0.41
"WinRAR archiver" = WinRAR archiver
"WinZip" = WinZip
"Write-N-Cite" = Write-N-Cite
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"ArcView GIS 3.2a" = ArcView GIS 3.2a

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2011/03/02 12:28:41 PM | Computer Name = MORGAN | Source = FolderSize | ID = 0
Description =

Error - 2011/03/02 12:28:49 PM | Computer Name = MORGAN | Source = FolderSize | ID = 0
Description =

Error - 2011/03/02 12:28:50 PM | Computer Name = MORGAN | Source = FolderSize | ID = 0
Description =

Error - 2011/03/02 12:28:50 PM | Computer Name = MORGAN | Source = FolderSize | ID = 0
Description =

Error - 2011/03/02 12:28:50 PM | Computer Name = MORGAN | Source = FolderSize | ID = 0
Description =

Error - 2011/03/02 12:28:50 PM | Computer Name = MORGAN | Source = FolderSize | ID = 0
Description =

Error - 2011/03/02 12:28:50 PM | Computer Name = MORGAN | Source = FolderSize | ID = 0
Description =

Error - 2011/03/02 12:28:50 PM | Computer Name = MORGAN | Source = FolderSize | ID = 0
Description =

Error - 2011/03/05 10:38:59 AM | Computer Name = MORGAN | Source = Application Hang | ID = 1002
Description = Hanging application nero.exe, version 7.5.7.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2011/03/06 05:27:26 AM | Computer Name = MORGAN | Source = VMCService | ID = 0
Description = conflictManagerTypeValue

[ Credential Manager Events ]
Error - 2007/01/29 01:54:17 PM | Computer Name = MORGAN | Source = AuthServer | ID = 100811779
Description = The system failed to authenticate the submitted user credentials. User:
Administrator@Credential Manager Client GUID: {Password} Error: 0xC516020B Client
Host: localhost Client Address: 127.0.0.1 Authority: HP Server Host: localhost Protocol:
HTTP

[ System Events ]
Error - 2011/03/06 05:23:16 AM | Computer Name = MORGAN | Source = Service Control Manager | ID = 7034
Description = The LightScribeService Direct Disc Labeling Service service terminated
unexpectedly. It has done this 1 time(s).

Error - 2011/03/06 05:23:16 AM | Computer Name = MORGAN | Source = Service Control Manager | ID = 7034
Description = The Folder Size service terminated unexpectedly. It has done this
1 time(s).

Error - 2011/03/06 05:23:16 AM | Computer Name = MORGAN | Source = Service Control Manager | ID = 7034
Description = The Norton Ghost service terminated unexpectedly. It has done this
1 time(s).

Error - 2011/03/06 05:23:16 AM | Computer Name = MORGAN | Source = Service Control Manager | ID = 7034
Description = The Symantec Core LC service terminated unexpectedly. It has done
this 1 time(s).

Error - 2011/03/06 05:23:16 AM | Computer Name = MORGAN | Source = Service Control Manager | ID = 7031
Description = The Vodafone Mobile Connect Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
60000 milliseconds: Restart the service.

Error - 2011/03/06 05:23:16 AM | Computer Name = MORGAN | Source = Service Control Manager | ID = 7034
Description = The Sentinel Protection Server service terminated unexpectedly. It
has done this 1 time(s).

Error - 2011/03/06 05:23:16 AM | Computer Name = MORGAN | Source = Service Control Manager | ID = 7034
Description = The Canon Camera Access Library 8 service terminated unexpectedly.
It has done this 1 time(s).

Error - 2011/03/06 05:23:16 AM | Computer Name = MORGAN | Source = Service Control Manager | ID = 7034
Description = The hpqwmiex service terminated unexpectedly. It has done this 1
time(s).

Error - 2011/03/06 05:27:49 AM | Computer Name = MORGAN | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Canon Camera Access Library
8 service to connect.

Error - 2011/03/06 05:27:50 AM | Computer Name = MORGAN | Source = Service Control Manager | ID = 7000
Description = The Canon Camera Access Library 8 service failed to start due to the
following error: %%1053


< End of report >

-----------------------------------------------------------------------------------------------------
6. I ran the Malwarebytes' Anti-Malware full scan, log follows
-----------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5972

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2011/03/06 09:55:20 PM
mbam-log-2011-03-06 (21-55-20).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|H:\|I:\|K:\|L:\|M:\|X:\|)
Objects scanned: 1316904
Time elapsed: 10 hour(s), 1 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-----------------------------------------------------------------------------------------------------
7. I ran ComboFix as described, log follows
-----------------------------------------------------------------------------------------------------

ComboFix 11-03-05.02 - Administrator 2011/03/06 23:03:18.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3063.2278 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Desktop\george.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\EurekaLog
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{991B1E79-12B6-40C3-A081-1FC47C6F2F37}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{991B1E79-12B6-40C3-A081-1FC47C6F2F37}\Setup.dat
c:\documents and settings\All Users\Application Data\Tarma Installer\{991B1E79-12B6-40C3-A081-1FC47C6F2F37}\Setup.exe
c:\documents and settings\All Users\Application Data\Tarma Installer\{991B1E79-12B6-40C3-A081-1FC47C6F2F37}\Setup.ico
c:\windows\copyfstq.exe
c:\windows\dropcpyr.dll
c:\windows\system\VI30AUT.DLL
c:\windows\system32\_000002_.tmp.dll
c:\windows\system32\_000003_.tmp.dll
c:\windows\system32\_000004_.tmp.dll
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000011_.tmp.dll
c:\windows\system32\_000012_.tmp.dll
c:\windows\system32\_000013_.tmp.dll
c:\windows\system32\_000019_.tmp.dll
c:\windows\system32\Cache
.
----- BITS: Possible infected sites -----
.
hxxp://msupdate.uct.ac.za
.
((((((((((((((((((((((((( Files Created from 2011-02-06 to 2011-03-06 )))))))))))))))))))))))))))))))
.
.
2011-03-06 09:18 . 2011-03-06 09:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Autorun Eater
2011-03-06 09:17 . 2011-03-06 09:17 -------- d-----w- c:\program files\Autorun Eater
2011-03-04 05:44 . 2011-03-04 05:44 -------- d-----w- c:\documents and settings\LocalService\Application Data\Media Player Classic
2011-02-28 16:25 . 2011-03-03 20:46 -------- d-----w- c:\program files\Extreme URL Generator
2011-02-13 11:41 . 2011-02-13 11:41 1409 ----a-w- c:\windows\QTFont.for
2011-02-10 16:00 . 2011-02-10 16:00 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Roxio
2011-02-10 14:58 . 2007-06-18 14:29 33592 ----a-w- c:\windows\system32\drivers\DLADHK_M.SYS
2011-02-10 13:11 . 2011-02-10 16:08 -------- d-----w- c:\windows\system32\DLA
2011-02-10 13:11 . 2011-02-10 13:11 -------- d-----w- C:\swtools
2011-02-07 22:51 . 2011-02-07 22:51 -------- d-----w- c:\program files\APDFR
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2004-08-04 08:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-13 08:00 . 2011-01-28 09:39 80896 ----a-w- c:\windows\system32\ff_vfw.dll
2011-01-07 14:09 . 2004-08-04 08:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2007-02-01 01:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-25 19:44 . 2011-01-28 09:39 2582016 ----a-w- c:\windows\system32\x264vfw.dll
2010-12-22 12:34 . 2004-08-04 08:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2004-08-04 08:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2004-08-04 08:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2007-02-01 01:04 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 16:09 . 2011-01-20 08:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 16:08 . 2011-01-20 08:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 12:55 . 2004-08-04 08:00 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2004-08-04 08:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2004-08-04 08:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2004-08-04 08:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-04 08:00 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-12-07 18:40 . 2011-01-28 09:39 183808 ----a-w- c:\windows\system32\xvidvfw.dll
2010-12-07 18:22 . 2011-01-28 09:39 810496 ----a-w- c:\windows\system32\xvidcore.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Second Copy"="c:\program files\SecCopy\SecCopy.exe" [2006-04-18 2643456]
"c:\program files\NetMeter\NetMeter.exe"="c:\program files\NetMeter\NetMeter.exe" [2007-08-11 331264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"PTHOSTTR"="c:\program files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-02-14 122880]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-10 761945]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656]
"CognizanceTS"="c:\progra~1\HPQ\IAM\Bin\AsTsVcc.dll" [2003-12-22 17920]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-01-23 802816]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-02-15 892928]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
"Norton Ghost 12.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2007-03-28 2037352]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-20 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-20 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-20 137752]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"Autorun Eater"="c:\program files\Autorun Eater\oldmcdonald.exe" [2010-05-06 516216]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 10:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2005-07-25 18:41 40960 ----a-w- c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-03-20 15:34 213936 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2004-04-14 12:46 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"ManageSecuritySettings"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2007/02/01 09:21 PM 646392]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2010/03/16 09:21 PM 82872]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009/08/05 04:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009/08/05 04:06 PM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009/08/22 06:28 PM 108289]
R2 ArcGIS License Manager;ArcGIS License Manager;c:\progra~1\ESRI\License\arcgis9x\lmgrd.exe [2010/02/17 02:16 PM 467968]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2004/08/04 10:00 AM 14336]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [2008/07/04 12:52 PM 14336]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010/03/06 11:34 AM 27632]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010/05/09 09:27 AM 136176]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2010/03/06 11:37 AM 13224]
S3 MSSQL$MORGAN;MSSQL$MORGAN;c:\progra~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe -sMORGAN --> c:\progra~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe -sMORGAN [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010/02/24 05:31 PM 136704]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009/08/05 04:06 PM 7408]
S3 SQLAgent$MORGAN;SQLAgent$MORGAN;c:\progra~1\MI6841~1\MSSQL$~1\binn\sqlagent.exe -i MORGAN --> c:\progra~1\MI6841~1\MSSQL$~1\binn\sqlagent.exe -i MORGAN [?]
S3 st3tgbus;st3tgbus;c:\windows\system32\drivers\st3tgbus.sys [2003/03/12 07:37 PM 8640]
S3 st3tiger;st3tiger;c:\windows\system32\drivers\st3tiger.sys [2003/03/12 07:38 PM 99168]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004/08/04 10:00 AM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-09 07:26]
.
2011-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-09 07:26]
.
2011-03-06 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-08-23 20:18]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.discover...ndividual/login
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyServer = cache.uct.ac.za:8080
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download all by Net Transport - c:\program files\NetTransport 2\NTAddList.html
IE: Download by Net Transport - c:\program files\NetTransport 2\NTAddLink.html
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Resume copy - copyfstq.exe
HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
Notify-WgaLogon - (no file)
MSConfigStartUp-MobileConnect - %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
MSConfigStartUp-QlbCtrl - %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
AddRemove-{991B1E79-12B6-40C3-A081-1FC47C6F2F37} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{991B1~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-06 23:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????Q??????(?@???????@
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1030600268-589541376-3850531083-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ae,be,af,f5,a3,a0,da,4c,9c,80,56,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ae,be,af,f5,a3,a0,da,4c,9c,80,56,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(948)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
.
- - - - - - - > 'explorer.exe'(584)
c:\windows\system32\WININET.dll
c:\program files\HPQ\IAM\Bin\SFSShell.dll
c:\program files\HPQ\IAM\bin\ItMsg.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\brss01a.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\HPQ\IAM\bin\asghost.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\Brmfrmps.exe
c:\progra~1\ESRI\License\arcgis9x\ARCGIS.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Autorun Eater\billy.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\NetLimiter 2 Pro\nlsvc.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\mqsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2011-03-06 23:18:57 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-06 21:18
.
Pre-Run: 13,898,063,872 bytes free
Post-Run: 13,630,808,064 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 243C05E7C68B070524589E3FD43AB09F

-----------------------------------------------------------------------------------------------------
8. I ran MBRCheck, log follows
-----------------------------------------------------------------------------------------------------

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x00801dfc

Kernel Drivers (total 155):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF72AC000 sptd.sys
0xF7989000 \WINDOWS\System32\Drivers\WMILIB.SYS
0xF7294000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xF7266000 ACPI.sys
0xF7487000 isapnp.sys
0xF7497000 ohci1394.sys
0xF74A7000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7255000 pci.sys
0xF789B000 compbatt.sys
0xF789F000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF798B000 intelide.sys
0xF798D000 viaide.sys
0xF798F000 aliide.sys
0xF7237000 pcmcia.sys
0xF74B7000 MountMgr.sys
0xF7218000 ftdisk.sys
0xF7991000 dmload.sys
0xF71F2000 dmio.sys
0xF78A3000 ACPIEC.sys
0xF7A50000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF770F000 PartMgr.sys
0xF74C7000 VolSnap.sys
0xF71DA000 atapi.sys
0xF7104000 iaStor.sys
0xF74D7000 disk.sys
0xF74E7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF70E4000 fltmgr.sys
0xF70D2000 sr.sys
0xF70B3000 symsnap.sys
0xF709C000 KSecDD.sys
0xF700F000 Ntfs.sys
0xF6FE2000 NDIS.sys
0xF6FC8000 Mup.sys
0xF76B7000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF60E3000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xF60CF000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF60A7000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF5F4A000 \SystemRoot\system32\DRIVERS\w39n51.sys
0xF776F000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF5F26000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7777000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF76C7000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0xF76D7000 \SystemRoot\system32\DRIVERS\serial.sys
0xF6FA4000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF5F12000 \SystemRoot\system32\DRIVERS\parport.sys
0xF76E7000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF777F000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF5EE3000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF79F9000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7787000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF76F7000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7527000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7537000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF5EC0000 \SystemRoot\system32\DRIVERS\ks.sys
0xF778F000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF5E76000 \SystemRoot\System32\Drivers\a9b1dgpx.SYS
0xF6F7C000 \SystemRoot\system32\DRIVERS\cpqbttn.sys
0xF7547000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF77DF000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF6F78000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF6F74000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF5D31000 \SystemRoot\system32\DRIVERS\btkrnl.sys
0xF7AEB000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7557000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF6F70000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF5D1A000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7567000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7577000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF77E7000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF5D09000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7587000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF77EF000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF77F7000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF5CD9000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7597000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF77FF000 \SystemRoot\system32\DRIVERS\seehcri.sys
0xF79FF000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF5C7B000 \SystemRoot\system32\DRIVERS\update.sys
0xF6F54000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF6F4C000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF75A7000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x9F419000 \SystemRoot\system32\drivers\ADIHdAud.sys
0x9F3F5000 \SystemRoot\system32\drivers\portcls.sys
0xA01A4000 \SystemRoot\system32\drivers\drmk.sys
0x9F3DD000 \SystemRoot\system32\drivers\AEAudio.sys
0x9F2C2000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xA00D5000 \SystemRoot\System32\Drivers\Modem.SYS
0xA0184000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79BF000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xA0077000 \SystemRoot\System32\Drivers\Null.SYS
0xF79C1000 \SystemRoot\System32\Drivers\Beep.SYS
0xA00C5000 \SystemRoot\System32\drivers\vga.sys
0xF79C3000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79C5000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA00BD000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA00B5000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA4337000 \SystemRoot\system32\DRIVERS\rasacd.sys
0x9F249000 \SystemRoot\system32\DRIVERS\ipsec.sys
0x9F1F0000 \SystemRoot\system32\DRIVERS\tcpip.sys
0x9F1DD000 \??\C:\WINDOWS\system32\drivers\nltdi.sys
0x9F18F000 \SystemRoot\system32\DRIVERS\ipnat.sys
0x9F167000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA0AE1000 \SystemRoot\System32\drivers\ws2ifsl.sys
0x9F145000 \SystemRoot\System32\drivers\afd.sys
0xA0174000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF79C7000 \SystemRoot\system32\DRIVERS\eabfiltr.sys
0xA00AD000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0x9F120000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
0xA00A5000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0x9F0F5000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x9F085000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA0164000 \SystemRoot\System32\Drivers\Fips.SYS
0x9FD38000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x9F9D0000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x9F069000 \SystemRoot\system32\DRIVERS\avipbb.sys
0x9C6F8000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
0x9AFBB000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x9AFB3000 \SystemRoot\system32\DRIVERS\usbprint.sys
0x9B32D000 \SystemRoot\System32\Drivers\BrScnUsb.sys
0x99884000 \SystemRoot\System32\Drivers\Fastfat.SYS
0x997AE000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0x9AF70000 \SystemRoot\System32\drivers\Dxapi.sys
0x99E39000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7A82000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04F000 \SystemRoot\System32\igxpdv32.DLL
0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL
0xBF47A000 \SystemRoot\System32\ATMFD.DLL
0x9979A000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0x9D634000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x99745000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0x99668000 \SystemRoot\system32\drivers\wdmaud.sys
0x9A7B2000 \SystemRoot\system32\drivers\sysaudio.sys
0x9958D000 \SystemRoot\System32\Drivers\SENTINEL.SYS
0xF68A9000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x9950A000 \SystemRoot\System32\Drivers\adfs.SYS
0x99159000 \SystemRoot\System32\Drivers\HTTP.sys
0x99011000 \SystemRoot\system32\DRIVERS\srv.sys
0x98FD2000 \??\C:\WINDOWS\system32\drivers\mqac.sys
0x98E99000 \??\C:\WINDOWS\system32\drivers\RMCast.sys
0xF7767000 \??\C:\WINDOWS\system32\drivers\symlcbrd.sys
0x9F9A0000 \SystemRoot\system32\DRIVERS\v2imount.sys
0x98426000 \SystemRoot\system32\drivers\kmixer.sys
0xA588F000 \??\C:\george\catchme.sys
0xF7A2D000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 59):
0 System Idle Process
4 System
868 C:\WINDOWS\system32\smss.exe
924 csrss.exe
948 C:\WINDOWS\system32\winlogon.exe
992 C:\WINDOWS\system32\services.exe
1004 C:\WINDOWS\system32\lsass.exe
1204 C:\WINDOWS\system32\svchost.exe
1292 svchost.exe
1436 C:\WINDOWS\system32\svchost.exe
1592 svchost.exe
1676 svchost.exe
1972 C:\WINDOWS\system32\brss01a.exe
1980 C:\WINDOWS\system32\spoolsv.exe
2036 C:\Program Files\Avira\AntiVir Desktop\sched.exe
200 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
280 svchost.exe
1428 C:\Program Files\HPQ\IAM\Bin\asghost.exe
332 msdtc.exe
772 C:\Program Files\Common Files\Java\Java Update\jusched.exe
800 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
1372 C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
448 C:\Program Files\ESRI\License\arcgis9x\lmgrd.exe
916 C:\WINDOWS\SMINST\Scheduler.exe
1640 C:\Program Files\Norton Ghost\Agent\VProTray.exe
2084 C:\Program Files\Analog Devices\Core\smax4pnp.exe
2116 C:\WINDOWS\system32\hkcmd.exe
2152 C:\WINDOWS\system32\igfxpers.exe
2216 C:\WINDOWS\system32\igfxsrvc.exe
2224 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
2268 C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
2364 C:\Program Files\Autorun Eater\oldmcdonald.exe
2412 C:\WINDOWS\system32\svchost.exe
2664 C:\WINDOWS\system32\Brmfrmps.exe
2676 C:\Program Files\ESRI\License\arcgis9x\ARCGIS.exe
2748 C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
2948 C:\Program Files\FolderSize\FolderSizeSvc.exe
3280 C:\WINDOWS\system32\inetsrv\inetinfo.exe
3312 C:\Program Files\Autorun Eater\billy.exe
3656 C:\Program Files\Java\jre6\bin\jqs.exe
3712 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
3856 C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
3900 C:\Program Files\Norton Ghost\Agent\VProSvc.exe
196 C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
2276 C:\WINDOWS\system32\svchost.exe
2436 C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
2548 wdfmgr.exe
2844 C:\WINDOWS\system32\mqsvc.exe
2864 C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
3340 C:\Program Files\Canon\CAL\CALMAIN.exe
3112 C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
3364 C:\WINDOWS\system32\mqtgsvc.exe
1864 wmiprvse.exe
3428 alg.exe
1808 C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
3368 wmiprvse.exe
584 C:\WINDOWS\explorer.exe
1768 C:\Program Files\Opera\opera.exe
3552 C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x00000015`ab42c000 (FAT32)
\\.\H: --> \\.\PhysicalDrive5 at offset 0x00000000`00007e00 (NTFS)
\\.\K: --> \\.\PhysicalDrive4 at offset 0x00000000`00007e00 (NTFS)
\\.\M: --> \\.\PhysicalDrive6 at offset 0x00000000`00007e00 (NTFS)
\\.\X: --> \\.\PhysicalDrive3 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: FUJITSUMHV2100BHPL, Rev: 892C
PhysicalDrive5 Model Number: ToshibaStorE HDD, Rev:
PhysicalDrive4 Model Number: WDC WD10EAVS-00D7B0, Rev:
PhysicalDrive6 Model Number: TOSHIBAExternal HDD, Rev: 1.04
PhysicalDrive3 Model Number: StoreJetTranscend, Rev:

Size Device Name MBR Status
--------------------------------------------
93 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 0C62942DB383379A3F323ED173858423662B0152
1863 GB \\.\PhysicalDrive5 MBR Code Faked!
SHA1: 2DE2B508101F68DEE6DAFA7642D2DCF5E31209F1
931 GB \\.\PhysicalDrive4 MBR Code Faked!
SHA1: D20141A2392F7EABF933A0085737F78D3E27AA83
1863 GB \\.\PhysicalDrive6 RE: Windows 98 MBR code detected
SHA1: 48F01D7E76A0F3C038D08611E3FDC0EE4EF9FD3E
596 GB \\.\PhysicalDrive3 RE: Unknown MBR code
SHA1: 5BF5B6A463F9AB1ADEA9814C596F474BB14D2F2A


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:

Done!

-----------------------------------------------------------------------------------------------------
9. I ran the GMER scan, log follows
-----------------------------------------------------------------------------------------------------

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-03-07 09:34:10
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 FUJITSU_ rev.892C
Running: c2qrleej.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kgtdypog.sys


---- System - GMER 1.0.15 ----

SSDT 9A9CF0DE ZwCreateKey
SSDT 9A9CF0D4 ZwCreateThread
SSDT 9A9CF0E3 ZwDeleteKey
SSDT 9A9CF0ED ZwDeleteValueKey
SSDT sptd.sys ZwEnumerateKey [0xF72B2A92]
SSDT sptd.sys ZwEnumerateValueKey [0xF72B2E20]
SSDT 9A9CF0F2 ZwLoadKey
SSDT sptd.sys ZwOpenKey [0xF72AD090]
SSDT 9A9CF0C0 ZwOpenProcess
SSDT 9A9CF0C5 ZwOpenThread
SSDT sptd.sys ZwQueryKey [0xF72B2EF8]
SSDT sptd.sys ZwQueryValueKey [0xF72B2D78]
SSDT 9A9CF0FC ZwReplaceKey
SSDT 9A9CF0F7 ZwRestoreKey
SSDT 9A9CF0E8 ZwSetValueKey
SSDT 9A9CF0CF ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FC0 8050485C 4 Bytes CALL 98EAE551 \??\C:\WINDOWS\system32\drivers\RMCast.sys (Reliable Multicast Transport/Microsoft Corporation)
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F5F3E8AC 5 Bytes JMP 8A5781C8
? System32\Drivers\a9b1dgpx.SYS The system cannot find the path specified. !
? C:\george\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\SMINST\Scheduler.exe[916] USER32.dll!GetSysColor 7E418E78 5 Bytes JMP 00418ED0 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[916] USER32.dll!GetSysColorBrush 7E418EAB 5 Bytes JMP 00418F40 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[916] USER32.dll!SetScrollInfo 7E419056 7 Bytes JMP 00418DC0 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[916] USER32.dll!GetScrollInfo 7E42DFE2 7 Bytes JMP 00418D10 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[916] USER32.dll!ShowScrollBar 7E42F2F2 5 Bytes JMP 00418E90 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[916] USER32.dll!GetScrollPos 7E42F704 5 Bytes JMP 00418D50 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[916] USER32.dll!SetScrollPos 7E42F750 5 Bytes JMP 00418E00 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[916] USER32.dll!GetScrollRange 7E42F787 5 Bytes JMP 00418D80 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[916] USER32.dll!SetScrollRange 7E42F99B 5 Bytes JMP 00418E40 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[916] USER32.dll!EnableScrollBar 7E468005 7 Bytes JMP 00418CD0 C:\WINDOWS\SMINST\Scheduler.exe

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F72ADAB4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F72ADBFA] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72ADB7C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F72AE728] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72AE5FE] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F72C0C5A] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8B0A51E8

AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \FileSystem\Fastfat \FatCdrom 8A263980

AttachedDevice \Driver\Tcpip \Device\Ip nltdi.sys (NetLimiter Driver/Locktime Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

Device \Driver\usbuhci \Device\USBPDO-0 8A51C6F0
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8B0A71E8
Device \Driver\dmio \Device\DmControl\DmConfig 8B0A71E8
Device \Driver\dmio \Device\DmControl\DmPnP 8B0A71E8
Device \Driver\dmio \Device\DmControl\DmInfo 8B0A71E8
Device \Driver\usbuhci \Device\USBPDO-1 8A51C6F0
Device \Driver\usbuhci \Device\USBPDO-2 8A51C6F0
Device \Driver\usbuhci \Device\USBPDO-3 8A51C6F0
Device \Driver\usbehci \Device\USBPDO-4 8A52C558

AttachedDevice \Driver\Tcpip \Device\Tcp nltdi.sys (NetLimiter Driver/Locktime Software)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8B11A1E8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\Ftdisk \Device\HarddiskVolume2 8B11A1E8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\Cdrom \Device\CdRom0 8A567928
Device \Driver\iaStor \Device\Ide\iaStor0 8B0A61E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F71E3B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [F71E3B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 8B0A61E8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8B11A1E8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\Cdrom \Device\CdRom1 8A567928
Device \Driver\Ftdisk \Device\HarddiskVolume4 8B11A1E8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\PCI_NTPNP1640 \Device\00000067 sptd.sys
Device \Driver\Ftdisk \Device\HarddiskVolume5 8B11A1E8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\USBSTOR \Device\000000c0 89EF17E8
Device \Driver\Ftdisk \Device\HarddiskVolume6 8B11A1E8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\USBSTOR \Device\000000c1 89EF17E8
Device \Driver\USBSTOR \Device\000000b4 89EF17E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A090980
Device \Driver\USBSTOR \Device\000000b5 89EF17E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{3D3851F0-CF56-41BE-8F8D-41337E146F59} 8A090980
Device \Driver\USBSTOR \Device\000000c3 89EF17E8
Device \Driver\USBSTOR \Device\000000b6 89EF17E8
Device \Driver\USBSTOR \Device\000000c4 89EF17E8
Device \Driver\NetBT \Device\NetbiosSmb 8A090980
Device \Driver\USBSTOR \Device\000000c5 89EF17E8
Device \Driver\USBSTOR \Device\000000b8 89EF17E8
Device \Driver\USBSTOR \Device\000000b9 89EF17E8

AttachedDevice \Driver\Tcpip \Device\Udp nltdi.sys (NetLimiter Driver/Locktime Software)
AttachedDevice \Driver\Tcpip \Device\RawIp nltdi.sys (NetLimiter Driver/Locktime Software)

Device \Driver\USBSTOR \Device\000000c9 89EF17E8
Device \Driver\usbuhci \Device\USBFDO-0 8A51C6F0
Device \Driver\usbuhci \Device\USBFDO-1 8A51C6F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A0A1980
Device \Driver\usbuhci \Device\USBFDO-2 8A51C6F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A0A1980
Device \Driver\USBSTOR \Device\000000ba 89EF17E8
Device \Driver\usbuhci \Device\USBFDO-3 8A51C6F0
Device \Driver\usbehci \Device\USBFDO-4 8A52C558
Device \Driver\Ftdisk \Device\FtControl 8B11A1E8
Device \Driver\USBSTOR \Device\000000cb 89EF17E8
Device \Driver\a9b1dgpx \Device\Scsi\a9b1dgpx1 8A558980
Device \Driver\a9b1dgpx \Device\Scsi\a9b1dgpx1Port2Path0Target0Lun0 8A558980
Device \Driver\USBSTOR \Device\000000bf 89EF17E8
Device \FileSystem\Fastfat \Fat 8A263980

AttachedDevice \FileSystem\Fastfat \Fat symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \FileSystem\Cdfs \Cdfs 8A0C25D8

---- Registry - GMER 1.0.15 ----


---- EOF - GMER 1.0.15 ----


-----------------------------------------------------------------------------------------------------
Thank you for your help thus far Ron, I am very grateful.

I noted that my recycle bin icon on my desktop is now a blank/placeholder icon instead of the usual recycle bin icon, and that Internet Explorer's icon has arrived on my desktop but was never there before (I removed it years ago).

Morgan
-----------------------------------------------------------------------------------------------------

Attached Thumbnails

  • windows-no-disk-error.gif

  • 0
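The "Devices" and "Kernel IAT/EAT" sections of the GMER log above show which drivers sit between the keyboard hardware and applications. As an added example (not part of the original post and not GMER's own tooling), this Python sketch parses those two line formats and reports what is attached to the keyboard stack; the line formats are inferred from the log in this post, the sample lines are copied from it, and the choice of which drivers count as "keyboard path" is an assumption.

```python
import re
from collections import defaultdict

# Subset of lines copied from the GMER 1.0.15 log posted above.
SAMPLE_LOG = r"""
---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F72ADAB4] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F72C0C5A] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8B0A51E8

AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Tcpip \Device\Ip nltdi.sys (NetLimiter Driver/Locktime Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

Device \Driver\usbuhci \Device\USBPDO-0 8A51C6F0

AttachedDevice \Driver\Tcpip \Device\Tcp nltdi.sys (NetLimiter Driver/Locktime Software)

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
# IAT <importing module>[<dll>!<function>] [<address>] <module now receiving the call>
IAT_RE = re.compile(
    r"^IAT\s+(?P<importer>.+?)\[(?P<dll>[^!\]]+)!(?P<func>[^\]]+)\]"
    r"\s+\[(?P<addr>[0-9A-Fa-f]{8})\]\s+(?P<target>\S+)$"
)
# AttachedDevice <driver object> <device object> <filter file> (<description>/<vendor>)
ATTACHED_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<filter>\S+)"
    r"\s+\((?P<desc>.*)/(?P<vendor>[^/]*)\)$"
)

# Assumption for this example: what counts as the keyboard input path.
KEYBOARD_STACKS = {r"\driver\kbdclass"}
KEYBOARD_MODULES = {"i8042prt.sys", "kbdclass.sys", "kbdhid.sys"}


def basename(path):
    """Return the file name of a Windows-style path."""
    return path.rsplit("\\", 1)[-1]


def parse_gmer(text):
    """Collect IAT redirections and attached filter devices, per log section."""
    section, iat, attached = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = IAT_RE.match(line)
        if m and section == "Kernel IAT/EAT":
            iat.append({
                "importer": basename(m.group("importer")),
                "dll": m.group("dll"),
                "function": m.group("func"),
                "address": m.group("addr"),
                "target": m.group("target"),
            })
            continue
        m = ATTACHED_RE.match(line)
        if m and section == "Devices":
            attached.append(m.groupdict())
    return {"iat": iat, "attached": attached}


def filters_by_stack(parsed):
    """Map each driver object to the distinct filter files attached to it."""
    stacks = defaultdict(list)
    for entry in parsed["attached"]:
        if entry["filter"] not in stacks[entry["driver"]]:
            stacks[entry["driver"]].append(entry["filter"])
    return dict(stacks)


def keyboard_findings(parsed):
    """Return (filters on the keyboard class stack, IAT redirections in keyboard drivers)."""
    filters = [a for a in parsed["attached"] if a["driver"].lower() in KEYBOARD_STACKS]
    hooks = [h for h in parsed["iat"] if h["importer"].lower() in KEYBOARD_MODULES]
    return filters, hooks


if __name__ == "__main__":
    parsed = parse_gmer(SAMPLE_LOG)
    for driver, names in filters_by_stack(parsed).items():
        print(f"{driver}: {', '.join(names)}")
    kb_filters, kb_hooks = keyboard_findings(parsed)
    for f in kb_filters:
        print(f"keyboard filter: {f['filter']} ({f['vendor']}) on {f['device']}")
    for h in kb_hooks:
        print(f"keyboard IAT: {h['importer']} {h['dll']}!{h['function']} -> {h['target']}")
```

A hit only shows which drivers can see or drop keystrokes before an application does. The entries in this log carry vendor names, so they are candidates to rule out by temporarily disabling them, not verdicts.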

#6
RKinner


    Malware Expert

  • Expert
  • 24,623 posts
  • MVP
I would uninstall the following:
J2SE Runtime Environment 5.0 Update 6 - obsolete and thus dangerous to keep
Azureus - P2P
GetRight - Has caused problems in the past - reinstall later if you must
JDownloader - reinstall later if you must
Second Copy (7.0) - Seems to be redundant if you have Norton Ghost - parts of it were eaten by combofix so it will need to be reinstalled later if you really need it.
Adobe Reader 7.1.0 - obsolete and thus dangerous to keep
Folder Size for Windows - broken per the event logs.
Canon Camera Access Library - broken per the event logs.

Your error is sometimes caused by remnants of a Norton/Symantec A-V. I assume you can reinstall Norton Ghost, so uninstall it, then download, save and run the Norton Removal Tool
ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe
then reinstall Ghost. See if that helps.

MBRCheck is not happy with the MBR on some of your drives. Run it again then hit Enter. Select 1 to [1] Dump the MBR of a physical disk to file. Then 0, then save it to c:\mbr0.txt

Repeat for drives 3, 4, 5 using file names mbr3.txt, mbr4.txt, mbr5.txt. Once done, go to http://virustotal.com and submit each file and see what they say about the file. If you get any reports that something was detected then copy and paste the report into your next reply. Also attach the file. (It's not a real text file so you can read it with Notepad).

Combofix is reporting these as broken:

S3 MSSQL$MORGAN;MSSQL$MORGAN;c:\progra~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe -sMORGAN --> c:\progra~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe -sMORGAN [?]
S3 SQLAgent$MORGAN;SQLAgent$MORGAN;c:\progra~1\MI6841~1\MSSQL$~1\binn\sqlagent.exe -i MORGAN --> c:\progra~1\MI6841~1\MSSQL$~1\binn\sqlagent.exe -i MORGAN [?]

I'm not sure what they are. We can remove them with Combofix:

Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::

Driver::
MSSQL$MORGAN
SQLAgent$MORGAN




******************************************

Now open Notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript, OK. Close Notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag it over to george and let it start as before.

Post the new log.





I assume you are still getting your focus changed when you click p with Windows Explorer and that you really mean Windows Explorer and not Internet Explorer (the browser).

Download ShellExView.

http://www.nirsoft.n...s/shexview.html

Use this download:
http://www.nirsoft.n...xview_setup.exe

Once you get it installed, run it and look in the third or fourth column from the RIGHT. It should say MICROSOFT. Click once or twice on MICROSOFT so that items with NO are at the top.
Select all of the NO items and then click on the red LED-looking icon in the upper left. This should disable all of the non-Microsoft additions to Explorer. Reboot and see if you still get the refocus.

Ron
  • 0

#7
clearly


    Member

  • Topic Starter
  • Member
  • 18 posts
Hi Ron,

Thank you so much for your continuing help.

Uninstallation
I uninstalled some of the software you recommended for uninstallation. J2SE Runtime Environment 5.0 Update 6 - it can't find the original .msi file and so will not uninstall. Second Copy I use to copy files between hard drives and as my file backup. It seems to be working fine, I'm not sure what exactly ComboFix "ate". Norton Ghost is used as a system restore. They are not redundant and both have saved my bacon on several occasions. I uninstalled Norton Ghost, rebooted, ran the Norton Removal Tool, rebooted, and reinstalled Norton Ghost.

MBRCheck
I dumped all the physical drives to text files, they submitted with no problems/viruses to http://virustotal.com. I was surprised because I did note the problems found on the MBR of my external hard drives in the original scan.

ComboFix
MSSQL$Morgan is my SQL Server service (Microsoft database software) and SQLAgent$Morgan is my SQL Server Agent service. I use these for business and they are working fine. I therefore did not run ComboFix with the custom script to kill the drivers. Should I run ComboFix again anyway without the custom script?

ShellExView
I installed and disabled all non-Microsoft shell extensions and rebooted. The shift in focus still occurs if I have an open increment of Windows Explorer (explorer.exe) and I type a lowercase "p" in any other application. If I try to type a lowercase "p" within Windows Explorer, for example in the address bar, nothing is typed. It is as if I did not press the key at all - for example, highlighted text is not replaced.

Thank you for your time and effort with this mystery. You are very generous with your assistance.

Best regards,
Morgan
  • 0

#8
RKinner


    Malware Expert

  • Expert
  • 24,623 posts
  • MVP
No need to run Combofix again if your SQL thing is working.

These three files:
c:\windows\copyfstq.exe - Part of Resume Copy
c:\windows\dropcpyr.dll - Part of Total Copy
c:\windows\system\VI30AUT.DLL - Part of FrontPage98

were removed by Combofix. I think all three are false positives. These have been moved to something like C:\Combofix\Quarantined\c\windows\ and now have a .vir added as an extension. Exact details are in a file C:\QooBox\ComboFix-quarantined-files.txt so if you find that file and open it then copy and paste I can make Combofix put the files back.



I have found a keyboard test program. It's shareware but they let you use it for 30 days without buying it so let's see what happens when you press a p key.

http://www.4shared.c...rd_Test_22.html

This site makes you wait 30 seconds or so for the download link to appear but once it does it downloads normally. Click on the "Download Now - No Viruses Detected" button.

Install it and Continue. You will get a picture of a keyboard. Click on the Filter System Keys box. Press your p key (on the keyboard). At the top it should report
Windows Key Code: 80 (X50)
BIOS Key Code: 25 (X19)
Lang Code: 00000409
Last Key Down: P
Last Key Up: P

What do you get?

Leave the test program up and open up an explorer window then come back to the test program and try it again. Is there any change?

There is a hidden system file called desktop.ini on your desktop.

To make hidden files visible:


* Close all programs so that you are at your desktop.
* Double-click on the My Computer icon.
* Select the Tools menu and click Folder Options.
* After the new window appears select the View tab.
* Put a checkmark in the checkbox labeled Display the contents of system folders.
* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
* Remove the checkmark from the checkbox labeled Hide protected operating system files.
* Press the Apply button and then the OK button and exit My Computer.
* Now your computer is configured to show all hidden files.

Open the desktop.ini file on your desktop and copy and paste the text into a reply.

Please download and unzip IceSword to its own folder on your desktop.


Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.

I'm mostly interested in the WH Keyboard section but do save the logs for the other sections.


Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.


Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.


Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the file name and path. These tend to be multiple iterations of the same path. I'm just interested in different paths.


Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present. These tend to be multiple iterations of the same path. I'm just interested in different paths so just copy the first instance of each different path.



Now post all of the data collected under the headings for :

Processes
Win32 Services
Startup
SSDT
Message Hooks


For your Java:

Clear the Java Cache by following the instructions on
http://www.java.com/...lugin_cache.xml

First go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE). Besides the one that won't uninstall I see: Java™ 6 Update 23

Now delete the folder C:\Program Files\Java

Get the latest at:

http://javadl.sun.co...?BundleId=41723

Save it to your PC then close all browsers and install it. If you now try to uninstall the one that wouldn't install, it might just tell you it is gone and ask if you want to remove it from the uninstall list. Tell it yes.

Ron
  • 0

#9
clearly


    Member

  • Topic Starter
  • Member
  • 18 posts
Hi Ron,

Thank you for your patience and support.

------------------------------------------
ComboFix
------------------------------------------
Here is the ComboFix quarantine log

2011-03-06 21:18:01 . 2011-03-06 21:18:01 2,326 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-{991B1E79-12B6-40C3-A081-1FC47C6F2F37}.reg.dat
2011-03-06 21:17:53 . 2011-03-06 21:17:53 650 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-QlbCtrl.reg.dat
2011-03-06 21:17:53 . 2011-03-06 21:17:53 684 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-MobileConnect.reg.dat
2011-03-06 21:17:51 . 2011-03-06 21:17:51 332 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-WgaLogon.reg.dat
2011-03-06 21:17:46 . 2011-03-06 21:17:47 160 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKU-Default-Run-Picasa Media Detector.reg.dat
2011-03-06 21:17:46 . 2011-03-06 21:17:46 119 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Resume copy.reg.dat
2011-03-06 21:06:21 . 2011-03-06 21:06:21 11,553 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-03-06 20:52:45 . 2011-03-06 20:52:45 51 ----a-w- C:\Qoobox\Quarantine\catchme.log
2008-08-03 10:38:03 . 2008-08-03 10:38:03 79,937 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Tarma Installer\{991B1E79-12B6-40C3-A081-1FC47C6F2F37}\Setup.dat.vir
2008-08-03 10:38:00 . 2008-03-04 05:03:42 187,416 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Tarma Installer\{991B1E79-12B6-40C3-A081-1FC47C6F2F37}\Setup.exe.vir
2008-08-03 10:38:00 . 2005-09-26 18:21:22 56,102 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Tarma Installer\{991B1E79-12B6-40C3-A081-1FC47C6F2F37}\Setup.ico.vir
2008-08-03 10:38:00 . 2008-03-12 11:50:42 98,304 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Tarma Installer\{991B1E79-12B6-40C3-A081-1FC47C6F2F37}\_Setup.dll.vir
2007-06-02 15:09:57 . 2007-06-02 15:09:57 94,636 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\dropcpyr.dll.vir
2007-06-02 15:09:57 . 2007-06-02 15:09:57 73,728 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\copyfstq.exe.vir
2007-02-01 01:04:29 . 2004-10-28 01:21:01 721,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000009_.tmp.dll.vir
2007-02-01 01:04:29 . 2004-08-04 08:00:00 132,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000005_.tmp.dll.vir
2007-02-01 01:03:06 . 2005-04-28 19:31:11 37,888 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000002_.tmp.dll.vir
2007-02-01 01:02:36 . 2004-08-04 08:00:00 111,104 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000004_.tmp.dll.vir
2007-01-29 17:21:25 . 2011-03-06 20:55:27 34,060 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat.vir
2007-01-29 17:21:25 . 2011-03-06 20:55:33 34,060 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat.vir
2006-08-18 08:37:27 . 2004-08-04 08:00:00 983,552 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000006_.tmp.dll.vir
2004-08-04 08:00:00 . 2004-08-04 08:00:00 96,768 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000003_.tmp.dll.vir
2004-08-04 08:00:00 . 2004-08-04 08:00:00 611,328 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000007_.tmp.dll.vir
2004-08-04 08:00:00 . 2004-08-04 08:00:00 1,835,904 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000008_.tmp.dll.vir
2004-08-04 08:00:00 . 2004-08-04 08:00:00 111,104 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000011_.tmp.dll.vir
2004-08-04 08:00:00 . 2004-08-04 08:00:00 132,096 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000012_.tmp.dll.vir
2004-08-04 08:00:00 . 2004-08-04 08:00:00 721,920 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000013_.tmp.dll.vir
2004-08-04 08:00:00 . 2005-04-28 19:31:11 37,888 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\_000019_.tmp.dll.vir
1998-05-24 22:00:00 . 1998-05-24 22:00:00 84,225 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system\VI30AUT.DLL.vir

------------------------------------------
Keyboard test software
------------------------------------------
When I press a lowercase "p" in the software and there is no increment of explorer open, I get the same results as you.
Windows Key Code: 80 (0x50)
BIOS Key Code: 25 (0x19)
Lang Code: 00000409
Last Key Down: P
Last Key Up: P
When there is an increment of explorer open, focus shifts to explorer when I press lowercase "p".
Nothing is registered at all in the keyboard software. For example, when I open the software and have an open increment of explorer, then press the lowercase "p", I get the defaults upon start (no change):
Windows Key Code: 0 (0x0)
BIOS Key Code: 0 (0x0)
Lang Code: 00000409
Last Key Down: N/A
Last Key Up: N/A

------------------------------------------
Hidden desktop.ini
------------------------------------------
Ron, I don't see this file. I always apply the changes to Folder Options that you described anyway. I double-checked that everything you suggested was as it is and my settings are as you suggested. I just don't see this file. I looked in the Desktop folder for each user under c:\document and settings and still found no desktop.ini or any other hidden file.

------------------------------------------
Icesword
------------------------------------------
Processes
Process:

System Idle Process
System
C:\Program Files\ESRI\License\arcgis9x\ARCGIS.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Documents and Settings\Administrator\Desktop\IceSword122en\IceSword.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\SecCopy\SecCopy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\HPQ\IAM\Bin\asghost.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Autorun Eater\billy.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ESRI\License\arcgis9x\lmgrd.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Autorun Eater\oldmcdonald.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\services.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\smss.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

Win32 Services
Started Service:

Service Name:ALG Display Name:Application Layer Gateway Service
Service Name:AntiVirSchedulerService Display Name:Avira AntiVir Scheduler
Service Name:AntiVirService Display Name:Avira AntiVir Guard
Service Name:ArcGIS License Manager Display Name:ArcGIS License Manager
Service Name:ASChannel Display Name:Local Communication Channel
Service Name:AudioSrv Display Name:Windows Audio
Service Name:Automatic LiveUpdate Scheduler Display Name:Automatic LiveUpdate Scheduler
Service Name:BITS Display Name:Background Intelligent Transfer Service
Service Name:brmfrmps Display Name:Brother Popup Suspend service for Resource manager
Service Name:Brother XP spl Service Display Name:BrSplService
Service Name:btwdins Display Name:Bluetooth Service
Service Name:CryptSvc Display Name:CryptSvc
Service Name:DcomLaunch Display Name:DCOM Server Process Launcher
Service Name:Dhcp Display Name:DHCP Client
Service Name:dmserver Display Name:Logical Disk Manager
Service Name:Dnscache Display Name:DNS Client
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:Eventlog Display Name:Event Log
Service Name:EventSystem Display Name:COM+ Event System
Service Name:FastUserSwitchingCompatibility Display Name:Fast User Switching Compatibility
Service Name:helpsvc Display Name:Help and Support
Service Name:HidServ Display Name:HID Input Service
Service Name:hpqwmiex Display Name:hpqwmiex
Service Name:IISADMIN Display Name:IIS Admin
Service Name:JavaQuickStarterService Display Name:Java Quick Starter
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Workstation
Service Name:LightScribeService Display Name:LightScribeService Direct Disc Labeling Service
Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
Service Name:MSDTC Display Name:Distributed Transaction Coordinator
Service Name:MSMQ Display Name:Message Queuing
Service Name:MSMQTriggers Display Name:Message Queuing Triggers
Service Name:Netman Display Name:Network Connections
Service Name:Nla Display Name:Network Location Awareness (NLA)
Service Name:nlsvc Display Name:NetLimiter
Service Name:Norton Ghost Display Name:Norton Ghost
Service Name:NtLmSsp Display Name:NT LM Security Support Provider
Service Name:PlugPlay Display Name:Plug and Play
Service Name:PolicyAgent Display Name:IPSEC Services
Service Name:ProtectedStorage Display Name:Protected Storage
Service Name:RasMan Display Name:Remote Access Connection Manager
Service Name:RemoteRegistry Display Name:Remote Registry
Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
Service Name:SamSs Display Name:Security Accounts Manager
Service Name:Schedule Display Name:Task Scheduler
Service Name:seclogon Display Name:Secondary Logon
Service Name:SENS Display Name:System Event Notification
Service Name:SentinelProtectionServer Display Name:Sentinel Protection Server
Service Name:SharedAccess Display Name:Windows Firewall/Internet Connection Sharing (ICS)
Service Name:ShellHWDetection Display Name:Shell Hardware Detection
Service Name:SMTPSVC Display Name:Simple Mail Transfer Protocol (SMTP)
Service Name:Spooler Display Name:Print Spooler
Service Name:srservice Display Name:System Restore Service
Service Name:SSDPSRV Display Name:SSDP Discovery Service
Service Name:stisvc Display Name:Windows Image Acquisition (WIA)
Service Name:TapiSrv Display Name:Telephony
Service Name:TermService Display Name:Terminal Services
Service Name:Themes Display Name:Themes
Service Name:TrkWks Display Name:Distributed Link Tracking Client
Service Name:UMWdf Display Name:Windows User Mode Driver Framework
Service Name:VMCService Display Name:Vodafone Mobile Connect Service
Service Name:W32Time Display Name:Windows Time
Service Name:W3SVC Display Name:World Wide Web Publishing
Service Name:winmgmt Display Name:Windows Management Instrumentation
Service Name:wscsvc Display Name:Security Center
Service Name:wuauserv Display Name:Automatic Updates
Service Name:WZCSVC Display Name:Wireless Zero Configuration

Startup
Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MsmqIntCert
regsvr32 /s mqrt.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched
"C:\Program Files\Common Files\Java\Java Update\jusched.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PTHOSTTR
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SynTPEnh
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
hpWirelessAssistant
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CognizanceTS
rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Cpqset
C:\Program Files\HPQ\Default Settings\cpqset.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Recguard
C:\WINDOWS\Sminst\Recguard.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Reminder
C:\WINDOWS\Creator\Remind_XP.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Scheduler
C:\WINDOWS\SMINST\Scheduler.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IndexSearch
C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SetDefPrt
C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ControlCenter2.0
C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SoundMAXPnP
C:\Program Files\Analog Devices\Core\smax4pnp.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IgfxTray
C:\WINDOWS\system32\igfxtray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HotKeysCmds
C:\WINDOWS\system32\hkcmd.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Persistence
C:\WINDOWS\system32\igfxpers.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avgnt
"C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HP Software Update
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Autorun Eater
C:\Program Files\Autorun Eater\oldmcdonald.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Norton Ghost 12.0
"C:\Program Files\Norton Ghost\Agent\VProTray.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Second Copy
"C:\Program Files\SecCopy\SecCopy.exe" /InitialWait=10

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\NetMeter\NetMeter.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Remark:)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini


C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
Adobe Gamma.lnk
C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Remark:)

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
desktop.ini

SSDT
The Kmodule field appears to be what you are looking for - it contains the path and filename. Entries in red had the value of "Unknown" or "sptd.sys" for the KModule field.

Message Hooks
Distinct Process Paths for WH_KEYBOARD entries were:
C:\WINDOWS\explorer.exe
C:\Program Files\SecCopy\SecCopy.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE

------------------------------------------
Java
------------------------------------------
I followed all your instructions and now have the latest (Java 6 Update 24) Java installed (I was on Java 6 Update 23 and an update was scheduled for tomorrow/the 9th of the month). The old Java (J2SE Runtime Environment 5.0 Update 6) still won't uninstall and unfortunately there was no offer to remove it from the Add/Remove Programs list.

------------------------------------------
Windows - No Disk error
------------------------------------------
I am still getting these. They occur shortly after I've logged in after startup, while the usual startup programs are still initialising. In fact, until I click continue, the process of loading up startup programs is "on hold" and any programs that I ask to run during this time will all suddenly open at once after I click continue. I'm attaching a screengrab of the popup but I don't think it's any different to before.
Previously, this error could (and more than likely will still) occur at times other than startup. Such as when I ran ComboFix. As I recall I reported over 50 popups at that time.

Thanks for all your help Ron. I'm sorry this is not bearing fruit more quickly. I hope this response sheds some light on things.

Best,
Morgan

Attached Thumbnails

  • windows-no-disk-error-2.gif
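The log in the post above lists autostart entries and, separately, the processes that own WH_KEYBOARD hooks. As an added example (not part of the original posts or of any tool used in the thread), this Python script cross-references the two on a constructed subset of that log, so hook owners that no Run entry accounts for stand out; the function names are hypothetical.

```python
import ntpath
import re

# Constructed sample: a subset of the startup and WH_KEYBOARD sections of the log.
STARTUP_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
hpWirelessAssistant
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Second Copy
"C:\Program Files\SecCopy\SecCopy.exe" /InitialWait=10
"""
HOOK_PATHS = r"""
C:\WINDOWS\explorer.exe
C:\Program Files\SecCopy\SecCopy.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
"""

def exe_path(command):
    """Return the executable from a Run command line, quoted or bare."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    match = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return match.group(1) if match else command

def parse_startup(dump):
    """Parse blank-line separated records of location / name / command."""
    entries = []
    for block in re.split(r"\n\s*\n", dump.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) == 3:  # records without a command (desktop.ini) are skipped
            entries.append((lines[0], lines[1], exe_path(lines[2])))
    return entries

def triage(dump, hook_paths):
    """Map each hook-owning process to its autostart (location, name), or None."""
    # Windows paths are case-insensitive, so compare case-folded forms.
    known = {ntpath.normcase(p): (loc, name) for loc, name, p in parse_startup(dump)}
    owners = [p.strip() for p in hook_paths.splitlines() if p.strip()]
    return {p: known.get(ntpath.normcase(p)) for p in owners}

def unexplained(dump, hook_paths):
    """Hook owners with no autostart match; 8.3 short names must be resolved on the host."""
    return [p for p, entry in triage(dump, hook_paths).items() if entry is None]

if __name__ == "__main__":
    print("review:", unexplained(STARTUP_DUMP, HOOK_PATHS))
```

On this sample the two paths left for review are explorer.exe (the shell, which is not started from a Run key) and the 8.3 short-name path, which cannot be matched to a long path without querying the file system on the affected machine.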


#10
RKinner

Actually I find this sort of problem a lot of fun so don't apologize. I like to solve weird things. Get tired just killing the same old malware every time.

This looks promising:

C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE

The file is used by HP keyboards to create a popup onscreen volume (and other things) control.

Its full name is:
C:\Program Files\HPQ\Shared\HpqToaster.exe

Find it and right click on it and rename it to C:\Program Files\HPQ\Shared\HpqToaster.bak then reboot.

IF that makes it go away then change it back to what it was and uninstall

HP Quick Launch Buttons 6.00 D2

and see if that is the problem.

I found this article on your error:
http://www.consuming...processing.html

Since it is repeatable at boot: I would first try Start, Run, msconfig, OK then uncheck everything in Startup, Apply, then move to the Services tab, check the Hide Microsoft Services button then uncheck all that remain then OK and reboot. See if the error still happens. If not it was one of the programs you just unchecked so go back into msconfig and check all of the services and OK and reboot. IF it comes back then uncheck half of the services and OK and reboot. See if you can narrow it down to a particular service or startup program.

Ron


#11
clearly

Hi Ron,

Thanks for your help. I'm glad I can provide weird things to keep you entertained!

Unfortunately renaming the HpqToaster.exe file and rebooting did not help with the "p" focus problem. Upon rebooting there was also no popup of the "Windows - No Disk" error! I uninstalled that HP software anyway because I hate bundled OEM software that comes with new systems anyway.

As this error is not repeatable, I have not tried deselecting Startup and Services items and rebooting. I read the article you linked to and looked at Disk Management. Immediately I got the "Windows - NO disc" error. I found one entry that was blank and I believe it to be one of my flash/thumb/jump drives that was not plugged in. I plugged in both my jump drives and re-opened Disk Management. The blank entry was gone. I decided to change the drive letter assignment of my one cd-rom drive which is actually a virtual drive used by my image mounting software. Upon rebooting, there has been no "Windows - No Disk" popup. I'm not convinced this is gone, so I'm going to reboot again. I suppose the next step would be re-assigning all my external drive letter associations, rebooting, then re-assigning the drives back to their original letters so that my shortcuts and backup software works as usual.

Thank you very much.
Morgan

#12
RKinner

Win one, lose one. OK. We can try the same thing with msconfig for your p problem and see if it is a program that we can turn off in msconfig. IF not, does it still happen in Safe mode?

#13
clearly

Hi Ron,

Good news! The "p" problem seems to be resolved. I thought I'd try safe mode first before the msconfig trial-and-error method. It seems the very act of booting into safe mode then booting back to normal windows has fixed the problem? I rebooted again and still "p" is working fine.

I've seen no Windows - No Disk errors since I last wrote, so holding thumbs on that one.

However, I did receive a Microsoft Error Reporting popup after I booted into normal windows after the safe mode boot. It contained four errors. I'm attaching a screen grab and the eight files that the four errors refer to. The best I can see these relate to a Microsoft Update.

Which reminds me that I've had intermittent problems with an automatic Windows Update that never quite installs properly but every now and then appears as an icon in my system tray "downloading updates... 9%". I've had an issue like this once before and read that it was common. I resolved that by disabling the notification via windowsupdate.com. Perhaps this is the same thing recurring or another update that never downloads or installs correctly.

The main problem of the "p" focus shift seems resolved. I'm going to make sure to reboot a few times in the next 24 hours to test.

Thank you so much for your patient help. I really do hope this "p" problem has gone away although it would be useful to know what exactly caused this, both for the future and for others.
Morgan

Attached Thumbnails

  • microsoft-errors.gif


#14
RKinner

Very strange about the p.

I think your update problem is a Microsoft mess-up. It clearly says it applies to Visual Studio 7 but you appear to only have Visual Studio 6. Don't know why MS thinks you need it but the installer is apparently smart enough to know that something is wrong.

I'm at the library now. We are on our way to a lecture which starts in 10 minutes. Will look into it more tonight.

Ron

#15
clearly

Hi Ron,

I forgot to add an important part to my last post. Whenever I bring up the shut down/restart menu (Start > Shut Down), the option to "Install updates and shut down" is selected by default. Selecting this appears to be installing Microsoft updates while shutting down "do not turn off your computer..." but clearly these updates never install, because once I'm back in Windows the same option still exists on the shut down/restart menu. This is what originally drove me to disable an update on windowsupdate.com and the option did disappear from the shut down/restart menu for some months. But now it's back. As I said, I'm not sure if this is the same update that's back to haunt me or a new update.

I just checked windowsupdate.com and there are 4 high-priority updates waiting, yet one is already downloaded. It seems to match the problem update.

Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2416447)
Download size: 0 KB , 0 minutes (Downloaded; ready to install)
A security issue has been identified that could allow an attacker to compromise your Windows-based system that is running the Microsoft .NET Framework and gain access to information. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer
http://go.microsoft..../?LinkId=202365

When viewing my Automatic Updates history on windowsupdate.com there is a list of my automatic update history. I could only extract it as an .xps file which Internet Explorer opened after some delay (attached).

Thank you,
Morgan
