Remove Spyware Warning on desktop

This topic is locked.

#1 scewter
Member, 96 posts
After starting WinXP I get a large warning on my desktop which says:
WARNING
YOUR'RE IN DANGER!

It has below it a dialog box with what appears to be scan results for infected files. It also says to remove all spyware.

I'm unable to run Avast Antivirus. A dialog box appears in the lower right that says Avast is infected. Cannot shut the computer down normally - have to pull the power plug.

Have not tried to do anything else at this time. Thought it best to seek help.

Soooooo....

:D

thnx in advance

#2 Dakeyras
Anti-Malware Mammoth, Expert, 9,719 posts

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post the appropriate logs in the Malware Removal forum and wait for help.

Hi and welcome back to Geeks to Go. :D

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to notepad as I post them.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Scan with RogueKiller:

Please download RogueKiller to your desktop

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 1 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next reply.

#3 scewter
Topic Starter, Member, 96 posts
Dakeyras, thnx for the help.

Here's what I've done, per your direction:

1. Downloaded RogueKiller to desktop.
2. Attempted to run 6-9 times, kept getting blocked.
3. Renamed file winlogon.exe, and then was able to run it.
4. Quickly received the following message (see image attached).
5. Waited approx 15 minutes or more, but did not receive any additional prompts.
6. Typed 1 at the flashing cursor, pressed Enter and got the following report:

RogueKiller V4.2.1
Windows XP (5.1.2600 Service Pack 3) 32 bits version

PJ
Mode: Date : 03/10/2011 12:43:25

2
[APPDT/TMP/DESKTOP] iKjFoPc06300.exe -- c:\documents and settings\all users\application data\ikjfopc06300\ikjfopc06300.exe -> KILLED
[HIDDEN] iKjFoPc06300.exe -- C:\Documents and Settings\All Users\Application Data\iKjFoPc06300\iKjFoPc06300.exe -> KILLED

2
[APPDT/TMP/DESKTOP] HKCU\[...]\RunOnce : iKjFoPc06300 (C:\Documents and Settings\All Users\Application Data\iKjFoPc06300\iKjFoPc06300.exe) -> FOUND
[APPDT/TMP/DESKTOP] HKUS\S-1-5-21-3760575758-2530229408-2328892859-1006[...]\RunOnce : iKjFoPc06300 (C:\Documents and Settings\All Users\Application Data\iKjFoPc06300\iKjFoPc06300.exe) -> FOUND
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 1001-search.info
127.0.0.1 www.1001-search.info
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 www.10sek.com
127.0.0.1 10sek.com
127.0.0.1 www.123topsearch.com
[...]

: << RKreport[1].txt >>
RKreport[1].txt

Awaiting further instructions at this point.

thnx again.

Attached: IMG_7072_1.jpg

Edited by scewter, 10 March 2011 - 12:07 PM.

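A triage helper for the RogueKiller report posted above, added here as an example (it is not part of the thread and not RogueKiller's own code): it parses the process and RunOnce lines, links the killed executable to the registry values that would relaunch it at the next logon, and applies the rules a helper reads off by eye (user-writable location, randomised file name). The line formats and the APPDT/TMP/DESKTOP and HIDDEN tags are taken from the report as posted; the list of "user-writable" path markers and the random-name rule are my assumptions.

```python
import re
from dataclasses import dataclass

# Sample input: the RogueKiller V4 report lines quoted in the post above,
# trimmed to the two process hits, the two RunOnce hits and two hosts lines.
SAMPLE_REPORT = r"""
RogueKiller V4.2.1
Windows XP (5.1.2600 Service Pack 3) 32 bits version

[APPDT/TMP/DESKTOP] iKjFoPc06300.exe -- c:\documents and settings\all users\application data\ikjfopc06300\ikjfopc06300.exe -> KILLED
[HIDDEN] iKjFoPc06300.exe -- C:\Documents and Settings\All Users\Application Data\iKjFoPc06300\iKjFoPc06300.exe -> KILLED

[APPDT/TMP/DESKTOP] HKCU\[...]\RunOnce : iKjFoPc06300 (C:\Documents and Settings\All Users\Application Data\iKjFoPc06300\iKjFoPc06300.exe) -> FOUND
[APPDT/TMP/DESKTOP] HKUS\S-1-5-21-3760575758-2530229408-2328892859-1006[...]\RunOnce : iKjFoPc06300 (C:\Documents and Settings\All Users\Application Data\iKjFoPc06300\iKjFoPc06300.exe) -> FOUND
127.0.0.1 localhost
127.0.0.1 www.007guard.com
"""

# Process line:  [TAG] image.exe -- path -> ACTION
PROC_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+(?P<name>\S+)\s+--\s+(?P<path>.+?)\s+->\s+(?P<action>[A-Z]+)$")
# Autorun line:  [TAG] HIVE\...\RunOnce : valuename (path) -> ACTION
AUTORUN_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+(?P<key>\S+\\(?:Run|RunOnce|RunServices))\s+:\s+"
    r"(?P<name>\S+)\s+\((?P<path>.+)\)\s+->\s+(?P<action>[A-Z]+)$")

# Assumption: locations an unprivileged user can write to, mirroring what
# RogueKiller's APPDT/TMP/DESKTOP tag is watching for.  Note that the renamed
# RogueKiller copy (winlogon.exe on the Desktop) would match this rule too,
# so it is a triage aid, not a verdict.
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\", "\\desktop\\")


@dataclass
class Finding:
    kind: str      # "process" or "autorun"
    tag: str       # RogueKiller's bracketed classification
    name: str      # process image name or registry value name
    path: str      # executable path exactly as printed
    action: str    # KILLED / FOUND
    key: str = ""  # registry key, autorun findings only


def norm(path: str) -> str:
    """Case-fold and normalise separators so the lower-case path printed for the
    killed process matches the mixed-case path stored in the RunOnce value."""
    return path.strip().replace("/", "\\").lower()


def looks_random(filename: str) -> bool:
    """Heuristic (assumption) for generated names such as iKjFoPc06300.exe:
    alphanumeric stem of 8+ chars, contains digits, flips case at least 3 times."""
    stem = filename.rsplit(".", 1)[0]
    if not re.fullmatch(r"[A-Za-z0-9]{8,}", stem) or not re.search(r"\d", stem):
        return False
    letters = [c for c in stem if c.isalpha()]
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips >= 3


def parse_report(text: str) -> list[Finding]:
    """Extract process and autorun findings; header and hosts lines are skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = AUTORUN_RE.match(line)
        if m:
            findings.append(Finding("autorun", m["tag"], m["name"], m["path"], m["action"], m["key"]))
            continue
        m = PROC_RE.match(line)
        if m:
            findings.append(Finding("process", m["tag"], m["name"], m["path"], m["action"]))
    return findings


def triage(text: str) -> dict[str, dict]:
    """Group findings by executable path so a killed process is linked to the
    autorun values that would bring it back, then attach the triage reasons."""
    by_path: dict[str, dict] = {}
    for f in parse_report(text):
        entry = by_path.setdefault(norm(f.path), {"names": set(), "killed": False, "autoruns": [], "reasons": []})
        entry["names"].add(f.path.replace("/", "\\").rsplit("\\", 1)[-1])  # keep original casing
        if f.kind == "process":
            entry["names"].add(f.name)
            entry["killed"] = entry["killed"] or f.action == "KILLED"
        else:
            entry["autoruns"].append(f.key)
    for path, entry in by_path.items():
        if any(marker in path for marker in USER_WRITABLE):
            entry["reasons"].append("runs from user-writable location")
        if any(looks_random(n) for n in entry["names"]):
            entry["reasons"].append("randomised file name")
        if entry["autoruns"]:
            entry["reasons"].append(f"persisted via {len(entry['autoruns'])} autorun value(s)")
    return by_path


if __name__ == "__main__":
    for path, entry in triage(SAMPLE_REPORT).items():
        print(path)
        print("  killed:", entry["killed"], "| autoruns:", entry["autoruns"])
        print("  reasons:", "; ".join(entry["reasons"]))
```

Killing the process alone does not clear the infection: the two RunOnce values the script ties to the same path are what a helper has to remove as well.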

#4 Dakeyras
Anti-Malware Mammoth, Expert, 9,719 posts
Hi. :D

> Dakeyras, thnx for the help.

You're welcome!

Re the problems with RogueKiller: I just encountered similar myself when testing it, and I will inform the developer. In the meantime let's take a different approach, as follows.

Download/run Rkill:

Please download Rkill from one of the following links and save to your Desktop:

(If one fails to work delete it and download/try another):

One, Two, Three, Four or Five

Note: If your security software warns about Rkill, please ignore and allow the download to continue.

  • Double click on Rkill.
  • A command window will open then disappear upon completion, this is normal.
  • Please leave Rkill on the Desktop until otherwise advised.
Note: A logfile will have been created, it can be located at the root of your installed Hard-Drive. EG: C:\rkill.txt.

Scan with OTL:

Please download OTL and save it to your Desktop.

Alternate downloads are here and here.

  • Double-click on OTL.exe to start OTL.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.
When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • Rkill Log.
  • Both OTL logs. <-- Post them individually please, IE: one Log per post/reply.


#5 scewter
Topic Starter, Member, 96 posts
Okay, here's the first of three posts following your instructions.

(Note - tried to perform a quote from one line of your last post, not sure how?)

Computer seems to be running better - but have not really checked it out. Have not even shut it down since running RogueKiller and posting the results earlier today. Have not shut it down/restarted it at all since starting this repair - not sure if that is required between scans (Rkill & OTL).

Here's the results of the Rkill operation:


This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/10/2011 at 20:46:32.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 03/10/2011 at 20:46:47.

#6 scewter
Topic Starter, Member, 96 posts
Second of three.

Results of the OTL scan - OTL.txt:

OTL logfile created on: 3/10/2011 8:53:44 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\PJ\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 78.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.68 Gb Total Space | 1.80 Gb Free Space | 5.34% Space Free | Partition Type: NTFS
Drive J: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive K: | 7.47 Gb Total Space | 4.67 Gb Free Space | 62.52% Space Free | Partition Type: FAT32
Drive P: | 488.27 Gb Total Space | 352.65 Gb Free Space | 72.22% Space Free | Partition Type: NTFS
Drive S: | 371.09 Gb Total Space | 295.86 Gb Free Space | 79.73% Space Free | Partition Type: NTFS
Drive T: | 72.14 Gb Total Space | 63.53 Gb Free Space | 88.06% Space Free | Partition Type: NTFS

Computer Name: PENNY | User Name: PJ | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\PJ\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
PRC - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\PJ\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Program Files\Alwil Software\Avast5\snxhk.dll (AVAST Software)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
SRV - (SPF4) -- C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe (Sunbelt Software, Inc.)
SRV - (SbPF.Launcher) -- C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe (Sunbelt Software, Inc.)
SRV - (hasplms) -- C:\WINDOWS\System32\hasplms.exe (Aladdin Knowledge Systems Ltd.)
SRV - (DSBrokerService) -- C:\Program Files\DellSupport\brkrsvc.exe ()
SRV - (Viewpoint Manager Service) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
SRV - (AdobeActiveFileMonitor5.0) -- C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe ()
SRV - (AcrSch2Svc) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)
SRV - (AdobeActiveFileMonitor) -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe ()
SRV - (APC UPS Service) -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe (American Power Conversion Corporation)
SRV - (IAANTMon) -- C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe (Intel Corporation)
SRV - (EPSONStatusAgent2) -- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (SEIKO EPSON CORPORATION)


========== Driver Services (SafeList) ==========

DRV - (aswSP) -- C:\WINDOWS\System32\drivers\aswSP.sys (AVAST Software)
DRV - (aswTdi) -- C:\WINDOWS\System32\drivers\aswTdi.sys (AVAST Software)
DRV - (aswMon2) -- C:\WINDOWS\System32\drivers\aswmon2.sys (AVAST Software)
DRV - (aswRdr) -- C:\WINDOWS\System32\drivers\aswRdr.sys (AVAST Software)
DRV - (Aavmker4) -- C:\WINDOWS\System32\drivers\aavmker4.sys (AVAST Software)
DRV - (aswFsBlk) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys (AVAST Software)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (OlyCamComm) -- C:\WINDOWS\SYSTEM32\DRIVERS\OlyCamComm.sys (OLYMPUS IMAGING CORP.)
DRV - (SbFw) -- C:\WINDOWS\SYSTEM32\DRIVERS\SbFw.sys (Sunbelt Software, Inc.)
DRV - (sbhips) -- C:\WINDOWS\system32\drivers\sbhips.sys (Sunbelt Software, Inc.)
DRV - (SBFWIMCL) -- C:\WINDOWS\SYSTEM32\DRIVERS\SbFwIm.sys (Sunbelt Software, Inc.)
DRV - (FTDIBUS) -- C:\WINDOWS\SYSTEM32\DRIVERS\ftdibus.sys (FTDI Ltd.)
DRV - (FTSER2K) -- C:\WINDOWS\SYSTEM32\DRIVERS\ftser2k.sys (FTDI Ltd.)
DRV - (aksfridge) -- C:\WINDOWS\SYSTEM32\DRIVERS\aksfridge.sys (Aladdin Knowledge Systems Ltd.)
DRV - (Hardlock) -- C:\WINDOWS\SYSTEM32\DRIVERS\hardlock.sys (Aladdin Knowledge Systems Ltd.)
DRV - (dsunidrv) -- C:\WINDOWS\SYSTEM32\DRIVERS\dsunidrv.sys (Gteko Ltd.)
DRV - (DSproct) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys (Gteko Ltd.)
DRV - (timounter) -- C:\WINDOWS\system32\DRIVERS\timntr.sys (Acronis)
DRV - (tifsfilter) -- C:\WINDOWS\SYSTEM32\DRIVERS\tifsfilt.sys (Acronis)
DRV - (snapman) -- C:\WINDOWS\system32\DRIVERS\snapman.sys (Acronis)
DRV - (EUCR) -- C:\WINDOWS\SYSTEM32\DRIVERS\EUCR6SK.sys (ENE Technology Inc.)
DRV - (ZSMC301b) Vimicro USB PC Camera (ZC0301PL) -- C:\WINDOWS\SYSTEM32\DRIVERS\usbVM31b.sys (VM)
DRV - (eusk3usb) -- C:\WINDOWS\SYSTEM32\DRIVERS\eusk3usb.sys (EUTRON)
DRV - (eusk2par) -- C:\WINDOWS\SYSTEM32\DRIVERS\eusk2par.sys (EUTRON)
DRV - (MagicTune) -- C:\WINDOWS\system32\drivers\MTictwl.sys ()
DRV - (epppdt) -- C:\WINDOWS\SYSTEM32\DRIVERS\epppdt.sys (SEIKO EPSON CORPORATION)
DRV - (epppdtpr) -- C:\WINDOWS\SYSTEM32\DRIVERS\epppdtpr.sys (SEIKO EPSON CORPORATION)
DRV - (ati2mtag) -- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.)
DRV - (b57w2k) -- C:\WINDOWS\SYSTEM32\DRIVERS\b57xp32.sys (Broadcom Corporation)
DRV - (senfilt) -- C:\WINDOWS\SYSTEM32\DRIVERS\senfilt.sys (Sensaura)
DRV - (cdrbsdrv) -- C:\WINDOWS\System32\drivers\CDRBSDRV.SYS (B.H.A Corporation)
DRV - (SPCP825K) -- C:\WINDOWS\SYSTEM32\DRIVERS\SPCP825K.sys (SUNPLUS TECHNOLOGY Co., LTD.)
DRV - (incdrm) -- C:\WINDOWS\System32\drivers\incdrm.sys (Ahead Software AG)
DRV - (VNUSB) -- C:\WINDOWS\SYSTEM32\DRIVERS\VNUSB.sys (OLYMPUS OPTICAL CO.,LTD.)
DRV - (DgiVecp) -- C:\WINDOWS\SYSTEM32\DRIVERS\DGIVECP.SYS (DeviceGuys, Inc.)
DRV - (Sentinel) -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS (Rainbow Technologies, Inc.)
DRV - (Sntnlusb) -- C:\WINDOWS\SYSTEM32\DRIVERS\SNTNLUSB.SYS (Rainbow Technologies Inc.)
DRV - (omci) -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys (Dell Computer Corporation)
DRV - (HCF_MSFT) -- C:\WINDOWS\SYSTEM32\DRIVERS\HCF_MSFT.sys (Conexant)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/mywaybiz
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/mywaybiz
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3760575758-2530229408-2328892859-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://by103fd.bay10...3ff12192890a209
IE - HKU\S-1-5-21-3760575758-2530229408-2328892859-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3760575758-2530229408-2328892859-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/10 16:44:31 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/09/10 16:44:11 | 000,000,000 | ---D | M]

[2010/09/10 16:44:50 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\PJ\Application Data\Mozilla\Extensions
[2010/10/01 18:59:47 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\PJ\Application Data\Mozilla\Firefox\Profiles\rj0t53qj.default\extensions
[2010/10/01 18:59:47 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\PJ\Application Data\Mozilla\Firefox\Profiles\rj0t53qj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/09/10 16:44:11 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2008/08/26 17:24:52 | 000,259,874 | R--- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 1001-search.info
O1 - Hosts: 127.0.0.1 www.1001-search.info
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.123topsearch.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 www.132.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 127.0.0.1 www.136136.net
O1 - Hosts: 9024 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll (Google Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-3760575758-2530229408-2328892859-1006\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-3760575758-2530229408-2328892859-1006\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-3760575758-2530229408-2328892859-1006\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKU\S-1-5-21-3760575758-2530229408-2328892859-1006\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE (Vimicro)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [Olympus ib] File not found
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-3760575758-2530229408-2328892859-1006..\RunOnce: [iKjFoPc06300] C:\Documents and Settings\All Users\Application Data\iKjFoPc06300\iKjFoPc06300.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe (American Power Conversion Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NaturalColorLoad.lnk = C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3760575758-2530229408-2328892859-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3760575758-2530229408-2328892859-1006\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-3760575758-2530229408-2328892859-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3760575758-2530229408-2328892859-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-3760575758-2530229408-2328892859-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoViewOnDrive = 0
O8 - Extra context menu item: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {0000000A-9980-0010-8000-00AA00389B71} http://download.micr...42/wmsp9dmo.cab (Reg Error: Key error.)
O16 - DPF: {0C5CF442-582B-4357-B116-765DA99CAA8C} http://www.docs.co.c...t/IrcViewer.cab (CompositeView Control)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} http://www.ipix.com/download/ipixx.cab (iPIX ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photo1.walgre...eensActivia.cab (Snapfish Activia)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.hotmail....es/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} http://upload.facebo...otoUploader.cab (Facebook Photo Uploader Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {89F1C7A1-B54C-406D-8CD6-901D277F6388} http://www.docs.co.c...rcResultSet.cab (Interactive Client Result Set Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} http://web1.shutterf...ds/Uploader.cab (Shutterfly Picture Upload Plugin)
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} http://onlinedesigne...p/view22rte.cab (View22RTE Class)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcaf...,21/mcgdmgr.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail....ol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O16 - DPF: Microsoft XML Parser for Java Reg Error: Value error. (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.159.64.23 24.178.162.3 97.81.22.195
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Documents and Settings\PJ\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\PJ\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/05/06 07:26:23 | 000,000,309 | R--- | M] () - J:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{7b3af236-03ad-11e0-b736-001111648dc5}\Shell\AutoRun\command - "" = J:\SETUP.EXE
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/10 20:42:41 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\PJ\Desktop\OTL.exe
[2011/03/10 12:43:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PJ\Desktop\RK_Quarantine
[2011/03/07 22:02:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\iKjFoPc06300
[2011/02/26 12:21:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PJ\My Documents\Irenes brain
[2011/02/26 12:11:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\PJ\Local Settings\Application Data\Xenocode
[2010/02/25 17:55:38 | 098,181,416 | ---- | C] (Apple Inc.) -- C:\Program Files\iTunesSetup.exe
[2009/11/12 21:15:45 | 004,938,616 | ---- | C] (Microsoft Corporation) -- C:\Program Files\Silverlight.exe
[2009/11/05 11:12:40 | 003,218,761 | ---- | C] (Craft Edge ) -- C:\Program Files\SetupSureCutsALot_2_005.exe
[2005/08/21 21:21:20 | 000,018,944 | ---- | C] ( ) -- C:\WINDOWS\System32\IMPLODE.DLL
[2005/03/26 11:56:17 | 000,036,963 | ---- | C] (Cypress Semiconductor) -- C:\Program Files\Common Files\SM1updtr.dll
[1980/01/01 01:00:00 | 000,151,552 | ---- | C] ( ) -- C:\WINDOWS\System32\ATIDEMGR.dll
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/10 20:40:42 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\PJ\Desktop\OTL.exe
[2011/03/10 20:39:40 | 001,006,747 | ---- | M] () -- C:\Documents and Settings\PJ\Desktop\rkill.exe
[2011/03/10 20:20:00 | 000,000,256 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[2011/03/10 20:14:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/03/10 14:30:10 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2011/03/10 12:19:18 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/10 12:18:30 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2011/03/10 12:18:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2011/03/10 12:18:24 | 2145,554,432 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/10 12:13:34 | 000,907,776 | ---- | M] () -- C:\Documents and Settings\PJ\Desktop\winlogon.exe
[2011/03/08 20:10:20 | 805,306,368 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2011/03/08 08:28:20 | 001,228,854 | ---- | M] () -- C:\fsqwr.bmp
[2011/03/08 07:56:40 | 001,987,808 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/02/26 19:21:27 | 000,441,344 | ---- | M] () -- C:\Documents and Settings\PJ\My Documents\PJs Calendar.bcc
[2011/02/26 19:14:03 | 000,002,261 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Calendar Creator.lnk
[2011/02/26 12:16:35 | 000,341,347 | ---- | M] () -- C:\Documents and Settings\PJ\My Documents\irenes happy face.jpg
[2011/02/19 16:44:35 | 000,000,082 | ---- | M] () -- C:\WINDOWS\MPLAYER.INI
[2011/02/09 04:37:18 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/10 20:42:09 | 001,006,747 | ---- | C] () -- C:\Documents and Settings\PJ\Desktop\rkill.exe
[2011/03/10 12:21:30 | 000,907,776 | ---- | C] () -- C:\Documents and Settings\PJ\Desktop\winlogon.exe
[2011/03/07 22:38:52 | 001,228,854 | ---- | C] () -- C:\fsqwr.bmp
[2011/02/26 12:16:34 | 000,341,347 | ---- | C] () -- C:\Documents and Settings\PJ\My Documents\irenes happy face.jpg
[2011/02/01 13:56:21 | 000,191,924 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/12/05 11:26:13 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/12/05 11:09:21 | 000,049,152 | ---- | C] () -- C:\WINDOWS\amcap.exe
[2009/12/05 11:09:21 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\RunSetup.dll
[2009/12/05 11:09:21 | 000,024,576 | ---- | C] () -- C:\WINDOWS\RunSetup.dll
[2008/08/28 17:00:10 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2008/08/28 15:49:56 | 000,006,408 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/06/29 13:12:00 | 016,535,022 | ---- | C] () -- C:\Program Files\CDSInstaller.exe
[2008/02/12 22:35:49 | 000,000,037 | ---- | C] () -- C:\WINDOWS\ipixActivex.ini
[2007/02/20 14:12:47 | 000,001,157 | ---- | C] () -- C:\WINDOWS\checkip.dat
[2006/05/26 18:22:20 | 000,000,082 | ---- | C] () -- C:\WINDOWS\MPLAYER.INI
[2006/03/30 22:17:04 | 000,001,375 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/02/13 13:23:54 | 000,311,296 | R--- | C] () -- C:\WINDOWS\EMCRI_AX.dll
[2006/01/15 20:12:16 | 000,049,637 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
[2006/01/15 20:12:16 | 000,029,114 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
[2006/01/15 20:12:16 | 000,021,021 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
[2006/01/15 20:12:16 | 000,015,652 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
[2006/01/15 20:12:16 | 000,013,280 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
[2006/01/15 20:12:16 | 000,011,413 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
[2006/01/15 20:12:16 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
[2006/01/15 20:12:16 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
[2006/01/15 20:12:16 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
[2006/01/15 20:12:16 | 000,001,137 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
[2006/01/15 20:12:16 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
[2006/01/15 20:12:16 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
[2006/01/15 20:12:16 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
[2006/01/15 20:12:16 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2006/01/15 20:11:46 | 000,000,052 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
[2006/01/15 20:07:39 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EPSP2400.ini
[2006/01/12 17:09:14 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\DXFLib.dll
[2006/01/12 17:08:06 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\opcode.dll
[2005/11/25 14:31:10 | 000,012,062 | ---- | C] () -- C:\WINDOWS\System32\drivers\MTiCtwl.sys
[2005/11/25 14:03:04 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\Gif89.dll
[2005/08/21 21:21:20 | 000,748,160 | ---- | C] () -- C:\WINDOWS\System32\CO2C40EN.DLL
[2005/08/21 21:21:20 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\eztw32.dll
[2005/08/21 21:21:20 | 000,024,410 | ---- | C] () -- C:\WINDOWS\System32\OLE2PROX.DLL
[2005/08/06 13:23:03 | 000,053,248 | ---- | C] () -- C:\WINDOWS\runepson.exe
[2005/08/06 13:23:03 | 000,000,018 | ---- | C] () -- C:\WINDOWS\EpsC40UX.ini
[2005/03/27 12:46:30 | 000,000,223 | ---- | C] () -- C:\WINDOWS\HP PrecisionScan Pro.INI
[2005/03/05 19:59:36 | 000,037,888 | ---- | C] () -- C:\WINDOWS\System32\setupnt.dll
[2005/02/23 14:01:39 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2005/02/05 19:19:23 | 000,000,036 | ---- | C] () -- C:\WINDOWS\IGInst.ini
[2005/01/02 14:16:03 | 000,000,243 | ---- | C] () -- C:\WINDOWS\qwimp.ini
[2005/01/01 21:47:10 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/01/01 12:47:28 | 000,000,032 | ---- | C] () -- C:\WINDOWS\concentr.ini
[2005/01/01 12:21:17 | 000,000,047 | ---- | C] () -- C:\WINDOWS\webica.ini
[2004/12/31 23:48:19 | 000,007,168 | ---- | C] () -- C:\Documents and Settings\PJ\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/12/31 23:31:50 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2004/12/31 22:04:32 | 000,071,749 | ---- | C] () -- C:\WINDOWS\hcextoutput.dll
[2004/12/31 22:04:32 | 000,000,823 | ---- | C] () -- C:\WINDOWS\tsc.ini
[2004/12/31 21:40:19 | 000,000,170 | ---- | C] () -- C:\WINDOWS\GetServer.ini
[2004/12/31 13:57:05 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\adistres.dll
[2004/12/31 13:53:00 | 000,000,165 | ---- | C] () -- C:\WINDOWS\Quicken.ini
[2004/12/31 12:34:29 | 000,000,207 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2004/12/31 12:31:08 | 000,000,045 | ---- | C] () -- C:\WINDOWS\EPSP825.ini
[2004/11/15 09:57:06 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/11/15 09:51:33 | 000,164,864 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE
[2004/11/15 09:47:52 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2004/11/15 09:45:37 | 000,028,779 | ---- | C] () -- C:\WINDOWS\System32\javaw.exe
[2004/11/15 09:45:37 | 000,024,681 | ---- | C] () -- C:\WINDOWS\System32\java.exe
[2004/11/15 09:38:04 | 000,002,048 | --S- | C] () -- C:\WINDOWS\BOOTSTAT.DAT
[2004/11/15 09:37:26 | 000,434,126 | ---- | C] () -- C:\WINDOWS\System32\PERFH009.DAT
[2004/11/15 09:37:26 | 000,068,412 | ---- | C] () -- C:\WINDOWS\System32\PERFC009.DAT
[2004/11/15 09:26:14 | 000,000,517 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/10 14:13:12 | 000,000,780 | ---- | C] () -- C:\WINDOWS\ORUN32.INI
[2004/08/10 14:08:08 | 001,987,808 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/10 14:03:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/10 14:02:16 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/10 11:08:26 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.BIN
[2004/08/10 11:08:26 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\OEMBIOS.DAT
[2004/08/04 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\MLANG.DAT
[2004/08/04 06:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\PERFI009.DAT
[2004/08/04 06:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\DSSEC.DAT
[2004/08/04 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\MIB.BIN
[2004/08/04 06:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\PERFD009.DAT
[2004/08/04 06:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\SECUPD.DAT
[2004/08/04 06:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 06:00:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\FXSPERF.INI
[2004/08/04 06:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\NOISE.DAT
[2004/07/19 17:01:02 | 000,045,056 | ---- | C] () -- C:\WINDOWS\SETPWRCG.EXE
[2004/07/10 18:55:38 | 000,252,416 | ---- | C] () -- C:\WINDOWS\System32\wsiShared.dll
[2004/05/26 16:09:26 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\DSRIRREM.EXE
[2003/08/12 10:59:04 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\zip.exe
[2003/08/12 10:58:40 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\lttls13n.dll
[2003/08/12 10:58:32 | 000,708,608 | ---- | C] () -- C:\WINDOWS\System32\ltcry13n.dll
[2003/08/12 10:58:22 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\lfkodak.dll
[2001/05/24 04:38:38 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HPNVRRes.dll
[2001/01/24 08:31:18 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\prntfix.exe
[2000/09/13 21:03:00 | 000,000,182 | ---- | C] () -- C:\WINDOWS\System32\EBPPORT.DAT
[2000/04/14 16:50:02 | 000,343,040 | ---- | C] () -- C:\WINDOWS\System32\Lffpx7.dll
[1999/07/23 13:46:48 | 000,000,116 | ---- | C] () -- C:\WINDOWS\AuHCcup1.ini
[1999/07/23 10:53:20 | 000,129,536 | ---- | C] () -- C:\WINDOWS\AuHCcup1.dll
[1980/01/01 01:00:00 | 000,389,120 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.exe
[1980/01/01 01:00:00 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll

< End of report >
  • 0

#7
scewter

    Member

  • Topic Starter
  • Member
  • 96 posts
...and the third of three. The Extras.txt:

OTL Extras logfile created on: 3/10/2011 8:53:44 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\PJ\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 78.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.68 Gb Total Space | 1.80 Gb Free Space | 5.34% Space Free | Partition Type: NTFS
Drive J: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive K: | 7.47 Gb Total Space | 4.67 Gb Free Space | 62.52% Space Free | Partition Type: FAT32
Drive P: | 488.27 Gb Total Space | 352.65 Gb Free Space | 72.22% Space Free | Partition Type: NTFS
Drive S: | 371.09 Gb Total Space | 295.86 Gb Free Space | 79.73% Space Free | Partition Type: NTFS
Drive T: | 72.14 Gb Total Space | 63.53 Gb Free Space | 88.06% Space Free | Partition Type: NTFS

Computer Name: PENNY | User Name: PJ | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [MediaMonkey.1Play] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" "%1" (Ventis Media Inc.)
Directory [MediaMonkey.2PlayNext] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /NEXT "%1" (Ventis Media Inc.)
Directory [MediaMonkey.3Enqueue] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /ADD "%1" (Ventis Media Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"1947:TCP" = 1947:TCP:*:Enabled:HASP SRM
"1947:UDP" = 1947:UDP:*:Enabled:HASP SRM

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\MSN Messenger\msnmsgr.exe" = C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\MSN Messenger\msnmsgr.exe" = C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.0


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{1399D872-7481-4468-84F4-089E82D3DD19}" = Calendar Creator
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1C04D433-2EDF-4AFB-B31B-C0B13065092F}" = MagicTune3.5_Client
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F51A0CA-2BDD-474E-BB90-C7FA8EA78F52}" = ImageMixer VCD/DVD2 for OLYMPUS
"{1FEAF48F-650A-4A2B-8E5D-CD244E80FC72}" =
"{219B0DA4-8F1A-499D-8795-4A07C632521E}" =
"{225DA7CB-C773-4F68-8068-184C4082C2F1}" = Scrapbook Factory Deluxe
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{24341152-C86D-4714-B924-1D5699CC9029}" =
"{25569723-DC5A-4467-A639-79535BF01B71}" = Adobe Help Center 2.1
"{2CCDF1DD-7022-4361-A627-331C98757CAA}" = SHARP OZ/ZQ-590A PC Software
"{2DB17450-C3CA-11D4-B786-00C0DF227F4A}" = VBA (3821h)
"{2E0695EE-ED29-4D96-BD77-2A9A17EDF0D6}" = Cypress USB Mass Storage Driver Installation
"{2E086814-7392-4E0F-ADB8-54A81E47406C}" = Broadcom Advanced Control Suite 2
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{3B0F52AC-EF5C-4831-B221-06C782E41280}" = Quicken 2008
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{41E496B5-47F4-11D6-9BBB-00E0987BB2CD}" = Vimicro USB PC Camera (ZC0301PL)
"{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{5752327A-660D-4907-B8F5-D3F39D047F3C}" = Solid 4.0
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5A0C892E-FD1C-4203-941E-0956AED20A6A}" = APC PowerChute Personal Edition
"{5B782FFA-6A95-480D-8E0A-0954A14693D6}" =
"{644B991F-B109-4360-9DA3-40CDAD13961C}" =
"{68D60342-7686-45C9-B8EB-40EF843D0460}" = Dell Networking Guide
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6B36DEBF-27D0-4B1E-858D-D397091C6C7D}" = HP Precisionscan Pro 3.1
"{6F1543A5-D822-48F4-B05E-07CD4E2357E9}" = Wood Wizard
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{748F4870-8350-11D3-B0BF-080009FB4A19}" = HP Share-to-Web
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7AEC1844-D580-4D5D-8A1C-6DB7BDEDC2C9}" = RENESIS® Player Windows Thumbnail Plugin
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{81063354-9060-42B2-A000-1EBE96778AA9}" = iTunes
"{82B1150E-9B37-49FC-83EB-D52197D900D0}" = Sunbelt Personal Firewall
"{83ED1E80-A1B7-4226-BCF1-AC4A88151A6B}" = Microsoft Streets & Trips 2006
"{851C67EF-068A-4060-9EF5-2E3DDCD68382}" = Adobe Photoshop Elements 3.0
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{901A0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Outlook 2002
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel Application Accelerator
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A61C60EE-AFC4-4D77-A763-1908A09F2761}" = Default
"{A7B609FB-83D8-4FC3-8477-1BC65ECFE85B}" = Adobe Photoshop Elements 5.0
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9E80F99-6295-4605-A609-675E78D63250}" = EPSON RAW Print
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B67217AF-5F33-4114-8DDD-5891092CFD7E}" = P.I.M. II Plug-In
"{BA820A24-704B-428D-9904-71A10DAC1372}" = OLYMPUS Master
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C4CBAD7E-DF4A-4FEC-AC17-8BC709AFB844}" =
"{CA83357B-931E-44DC-AD43-9996FEEB8116}" = Acronis True Image
"{CC2C40CE-62A8-4BC2-9FB1-FD8794DE3C1A}" = ClickArt Fonts 3
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D5A145FC-D00C-4F1A-9119-EB4D9D659750}" = Windows Live Toolbar
"{DE114695-AE58-4B66-8E0F-2505188602FB}_is1" = Uninstall Startup Inspector
"{E9363145-9671-11BB-3E2E-C804D976375F}" = Chief Architect X1
"{E93E5EF6-D361-481E-849D-F16EF5C78EBC}" = Musicmatch for Windows Media Player
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F2F4C144-7D1A-47C4-9D53-395A57B0CD64}" = Family Tree Maker 2006
"{F51D9393-BB14-4566-99BF-D6ED63AEFCD7}" = Natural Color
"{FB91E774-867B-4567-ACE7-8144EF036068}" = Olympus Digital Wave Player
"00BD1CD47675C125126C80095FCC12CFA4D311DB" = Windows Driver Package - FTDI CDM Driver Package (06/27/2007 2.02.04)
"A622B79B943ECA1F0AECF1FF5BE13D458F345EBB" = Windows Driver Package - FTDI CDM Driver Package (06/27/2007 2.02.04)
"AddressBook" =
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Photoshop Elements 5" = Adobe Photoshop Elements 5.0
"AncestryView" = AncestryView
"ATI Display Driver" = ATI Display Driver
"avast5" = avast! Free Antivirus
"Branding" =
"CK Creative Clips and Fonts for Home, Family & Pets" = CK Creative Clips and Fonts for Home, Family & Pets
"CK Creative Clips and Fonts for Special Occasions" = CK Creative Clips and Fonts for Special Occasions
"CK Creative Clips and Fonts for Vacations" = CK Creative Clips and Fonts for Vacations
"CK Creative Clips and Fonts for Winter Memories" = CK Creative Clips and Fonts for Winter Memories
"CK McCormick Creative Clips & fonts" = CK McCormick Creative Clips & fonts
"CK Water Fun All" = CK Water Fun All
"Connection Manager" =
"Create-A-Face 3.2_is1" = Create-A-Face 3.2
"Creative Lettering Super Combo" = Creative Lettering Super Combo
"Cricut DesignStudio" = Cricut DesignStudio
"DirectAnimation" =
"DirectDrawEx" =
"DXM_Runtime" =
"E77704EF5E71F4F18CADFBFA68595AFE036D5D97" = Windows Driver Package - OLYMPUS IMAGING CORP. Camera Communication Driver Package (09/09/2009 1.0.0.0)
"EPSON Printer and Utilities" = EPSON Printer Software
"EPSON1394D3Printer" = EPSON 1394.3 Printer Devices
"F6DC63F2DBAE55EF9988A79DF50F3AF52275237C" = Windows Driver Package - SafeNet, Inc. (SNTNLUSB) USB (03/09/2006 7.3.0.0)
"Fontcore" =
"Google Updater" = Google Updater
"ICW" =
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"IE40" =
"IE4Data" =
"IE5BAKEX" =
"ie7" = Windows Internet Explorer 7
"IEData" =
"InkMonitor" = Ink Monitor
"InspireGraphics" = Inspire Graphics
"InstallShield Uninstall Information" =
"InstallShield_{2E086814-7392-4E0F-ADB8-54A81E47406C}" = Broadcom Advanced Control Suite 2
"InstallShield_{5752327A-660D-4907-B8F5-D3F39D047F3C}" = Solid 4.0
"InstallShield_{6F1543A5-D822-48F4-B05E-07CD4E2357E9}" = Wood Wizard
"InstallShield_{BA820A24-704B-428D-9904-71A10DAC1372}" = OLYMPUS Master
"LD Supreme 3" = LD Supreme 3
"LD Teaching Delights" = LD Teaching Delights
"LDF Bubbles" = LDF Bubbles
"LDF Falling Leaves" = LDF Falling Leaves
"LDF Owie" = LDF Owie
"LDF Smooch" = LDF Smooch
"LDF Sombrero Fillable Alphabet" = LDF Sombrero Fillable Alphabet
"LDF Splash" = LDF Splash
"LDF States" = LDF States
"Lettering Delights Supreme Download" = Lettering Delights Supreme Download
"Little Lettering Delights Kids" = Little Lettering Delights Kids
"Little Lettering Delights Occasions" = Little Lettering Delights Occasions
"Little Lettering Delights Season CD" = Little Lettering Delights Season CD
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MediaMonkey_is1" = MediaMonkey 3.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Interactive Training" =
"MobileOptionPack" =
"Mozilla Firefox (3.6.9)" = Mozilla Firefox (3.6.9)
"MRW!UninstallKey" = InCD EasyWrite Reader
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSI30a-KB884016" =
"MSI30-Beta1" =
"MSI30-Beta2" =
"MSI30-KB884016" =
"MSI30-RC1" =
"MSI30-RC2" =
"MSI31-Beta" =
"MSI31-RC1" =
"MsJavaVM" =
"MyDefrag v4.3.1_is1" = MyDefrag v4.3.1
"NetMeeting" =
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OutlookExpress" =
"PCHealth" =
"Rainbow Sentinel Driver" = Sentinel System Driver
"RealJukebox 1.0" =
"RealPlayer 6.0" = RealPlayer
"RegistryBooster 2_is1" = Uniblue RegistryBooster 2
"Samsung ML-1740 Series" = Samsung ML-1740 Series
"SchedulingAgent" =
"Silent Package Run-Time Sample" = EPSON SPR2400 Reference Guide
"SM1FX_AT" = USB Storage Adapter FX (SM1)
"SpyEraser_is1" = Uniblue SpyEraser
"Sure Cuts A Lot 2_is1" = Sure Cuts A Lot 2.008
"Sure Cuts A Lot_is1" = Sure Cuts A Lot 1.016
"SYSTEMCARE_025B3ECB-F8A1-45ff-BABC-140E08C7D8C5_is1" = Uniblue PowerSuite
"The Essential Jillustration Collection Vol 1" = The Essential Jillustration Collection Vol 1
"The Font Thing" = The Font Thing
"UDPixel" = UDPixel.exe
"Viewpoint Manager" = Viewpoint Manager (Remove Only)
"ViewpointMediaPlayer" = Viewpoint Media Player
"WebPost" = Microsoft Web Publishing Wizard 1.52
"Windows Live Toolbar" = Windows Live Toolbar
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/6/2010 5:52:34 PM | Computer Name = PENNY | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module renesisws.dll, version 2.0.0.0, fault address 0x000f21e7.

Error - 10/15/2010 5:07:44 PM | Computer Name = PENNY | Source = Microsoft Office 10 | ID = 1000
Description = Faulting application winword.exe, version 10.0.6866.0, faulting module
mso.dll, version 10.0.6858.0, fault address 0x000035ea.

Error - 11/8/2010 12:37:16 AM | Computer Name = PENNY | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module renesisws.dll, version 2.0.0.0, fault address 0x000f21e7.

Error - 11/8/2010 12:37:23 AM | Computer Name = PENNY | Source = Application Error | ID = 1000
Description = Faulting application DRWTSN32.EXE, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.

Error - 12/14/2010 10:20:24 PM | Computer Name = PENNY | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.17091, faulting
module mshtml.dll, version 7.0.6000.17092, fault address 0x000c5bb5.

Error - 12/23/2010 12:23:46 PM | Computer Name = PENNY | Source = Application Error | ID = 1000
Description = Faulting application cafonts3.exe, version 5.1.1.1185, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

Error - 12/23/2010 12:23:59 PM | Computer Name = PENNY | Source = Application Error | ID = 1000
Description = Faulting application cafonts3.exe, version 5.1.1.1185, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

Error - 2/8/2011 9:55:52 PM | Computer Name = PENNY | Source = Microsoft Office 10 | ID = 1000
Description = Faulting application winword.exe, version 10.0.6866.0, faulting module
winword.exe, version 10.0.6866.0, fault address 0x002294a6.

Error - 2/8/2011 9:56:11 PM | Computer Name = PENNY | Source = Microsoft Office 10 | ID = 1000
Description = Faulting application winword.exe, version 10.0.6866.0, faulting module
winword.exe, version 10.0.6866.0, fault address 0x002294a6.

Error - 2/8/2011 9:56:32 PM | Computer Name = PENNY | Source = Microsoft Office 10 | ID = 1000
Description = Faulting application winword.exe, version 10.0.6866.0, faulting module
winword.exe, version 10.0.6866.0, fault address 0x002294a6.

[ System Events ]
Error - 3/10/2011 1:20:59 PM | Computer Name = PENNY | Source = Service Control Manager | ID = 7034
Description = The Acronis Scheduler2 Service service terminated unexpectedly. It
has done this 1 time(s).

Error - 3/10/2011 1:20:59 PM | Computer Name = PENNY | Source = Service Control Manager | ID = 7031
Description = The Google Software Updater service terminated unexpectedly. It has
done this 1 time(s). The following corrective action will be taken in 900000 milliseconds:
Restart the service.

Error - 3/10/2011 1:21:00 PM | Computer Name = PENNY | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM
Service service to connect.

Error - 3/10/2011 1:21:00 PM | Computer Name = PENNY | Source = Service Control Manager | ID = 7000
Description = The IMAPI CD-Burning COM Service service failed to start due to the
following error: %%1053

Error - 3/10/2011 1:21:00 PM | Computer Name = PENNY | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service iPod Service
with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}

Error - 3/10/2011 1:21:00 PM | Computer Name = PENNY | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the iPod Service service
to connect.

Error - 3/10/2011 1:21:00 PM | Computer Name = PENNY | Source = Service Control Manager | ID = 7000
Description = The iPod Service service failed to start due to the following error:
%%1053

Error - 3/10/2011 1:21:59 PM | Computer Name = PENNY | Source = Service Control Manager | ID = 7031
Description = The Apple Mobile Device service terminated unexpectedly. It has done
this 2 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 3/10/2011 1:22:59 PM | Computer Name = PENNY | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Apple Mobile Device service
to connect.

Error - 3/10/2011 1:22:59 PM | Computer Name = PENNY | Source = Service Control Manager | ID = 7000
Description = The Apple Mobile Device service failed to start due to the following
error: %%1053


< End of report >
  • 0
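A defender's check over the Extras.txt above, as an added example that is not part of the thread or of OTL itself: it parses the "[HKEY_...]" / "Name" = Data layout OTL prints and flags the Security Center, System Restore and Firewall settings a rogue antivirus commonly switches off so its own warnings go unchallenged. The sample input is an excerpt of the posted log; which values to flag is my own assumption.

```python
"""Flag security-weakening registry settings in an OTL Extras.txt dump.

Added example for this thread (not OTL's code and not the helper's fix).
"""
import re
from typing import Dict, List

# Constructed excerpt of the Extras.txt posted in this thread (values unchanged).
SAMPLE_EXTRAS = r"""
========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"""

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')        # [HKEY_LOCAL_MACHINE\...]
VAL_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')      # "Name" = Data


def parse_extras(text: str) -> Dict[str, Dict[str, str]]:
    """Return {registry_key: {value_name: data}} for every [key] block in the dump."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = VAL_RE.match(line)
        if val and current is not None:
            keys[current][val.group(1)] = val.group(2).strip()
    return keys


# (registry key, value name, data that indicates weakening, explanation)
# The list is an assumption about what is worth flagging, not an OTL feature.
CHECKS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring",
     "DisableMonitoring", "1",
     "Security Center monitoring off: a missing AV/firewall is no longer reported"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore",
     "DisableSR", "1",
     "System Restore disabled: no restore points to roll back to"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr",
     "Start", "4",
     "System Restore filter driver start type is 4 (Disabled)"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
     "EnableFirewall", "0",
     "Windows Firewall off on the standard profile (acceptable only if a third-party firewall is running)"),
]


def find_weakened_settings(text: str) -> List[str]:
    """Return one finding per CHECKS entry whose value matches the weakened state."""
    keys = parse_extras(text)
    findings = []
    for key, name, bad, why in CHECKS:
        if keys.get(key, {}).get(name) == bad:
            findings.append(f"{key}\\{name} = {bad}: {why}")
    return findings


if __name__ == "__main__":
    for finding in find_weakened_settings(SAMPLE_EXTRAS):
        print(finding)
```

Run against the full Extras.txt the same four findings come back for this machine; a value that is absent from the dump is simply not reported, so an empty result means "nothing flagged", not "everything verified".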

#8
Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,719 posts
Hi and thanks for the update! :D

Hard-Drive Free Space Advice:

Drive C: | 33.68 Gb Total Space | 1.80 Gb Free Space | 5.34% Space Free | Partition Type: NTFS

This is considered dangerously low. A Hard-Drive requires a bare minimum of 15% available free space to be able to function correctly, but at least 25% is better in my humble opinion.

I advise you choose to uninstall some software you do not need and/or move any documents/files/pictures etc. to a form of removable media. This is just my advice as the lack of current Hard-Drive space will be impacting on overall system performance. Plus eventually any type of system maintenance will prove to be problematic.

Next:

Now please go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):

Adobe Reader 8.1.2 <-- Older versions can be exploited, we will update this in due course.
Java 2 Runtime Environment, SE v1.4.2_03 <-- Older versions can be exploited, we will update this in due course.
Uniblue RegistryBooster 2 <-- Registry cleaning applications rarely do any good and have the potential to leave a machine unbootable.
Viewpoint Manager <-- Anything Viewpoint related has undesirable characteristics.
ViewpointMediaPlayer

To do so, click once on each of the above in turn to highlight and then click on the Remove button.

Note: Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into keeping the program.

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please go here and download ERUNT.
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double-click on erunt-setup.exe to Install ERUNT by following the prompts.
  • Use the default install settings but select No to the portion that asks you to add ERUNT to the Start-Up folder.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.
Note: If it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Custom OTL Script:

  • Double-click OTL.exe to start the program.
  • Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:OTL
SRV - (HidServ) -- File not found
SRV - (AppMgmt) -- File not found
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-3760575758-2530229408-2328892859-1006\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-3760575758-2530229408-2328892859-1006\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-3760575758-2530229408-2328892859-1006\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [Olympus ib] File not found
O4 - HKU\S-1-5-21-3760575758-2530229408-2328892859-1006..\RunOnce: [iKjFoPc06300] C:\Documents and Settings\All Users\Application Data\iKjFoPc06300\iKjFoPc06300.exe ()
O16 - DPF: {0000000A-9980-0010-8000-00AA00389B71} http://download.micr...42/wmsp9dmo.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcaf...,21/mcgdmgr.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java Reg Error: Value error. (Reg Error: Key error.)
O33 - MountPoints2\{7b3af236-03ad-11e0-b736-001111648dc5}\Shell\AutoRun\command - "" = J:\SETUP.EXE
[2011/03/07 22:02:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\iKjFoPc06300
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2011/03/08 08:28:20 | 001,228,854 | ---- | M] () -- C:\fsqwr.bmp

:Files 
ipconfig /flushdns /c 
%systemroot%\prefetch\*.* 

:Reg 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000

:Commands
[Purity]
[ResetHosts]
[EmptyFlash]
[EmptyTemp]
[CreateRestorePoint]
[Reboot]
  • Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
  • Then click the red Run Fix button.
  • Let the program run unhindered.
  • If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
Note: The logfile can also be found at C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- the name denotes the date/time the log was created.

Malwarebytes Anti-Malware:

  • Launch the application, Check for Updates >> Perform a full scan. <-- Select all presently installed Hard-Drives/Partitions etc.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Check(tick) all items except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

When you have completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • OTL Log from the Custom Script.
  • Malwarebytes Anti-Malware Log.

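The fix script in the post above is simply a list of OTL scan lines that OTL will act on; the real work is deciding which scan lines belong in it. The following is an added example written for this thread, not part of the helper's instructions and not OTL's own code: a small Python triage script that applies a few heuristics (machine-generated value names, executables launched from user-writable data directories, AutoRun handlers pointing at removable volumes, orphaned toolbar and service entries) to the O4, O33, O3 and SRV lines copied from the script above. The scoring rules and thresholds are my own assumptions, not OTL's logic.

```python
"""Triage heuristics for persistence entries in an OTL scan log.

Added example for this thread, not OTL's own code and not posted by the
helper. The sample lines are copied from the :OTL section of the fix
script above; the scoring rules are my own assumptions about what makes
an autorun entry worth a closer look.
"""
import re
from dataclasses import dataclass, field

# O4 autorun values: "O4 - <hive>..\Run: [name] target" (target may end in " ()").
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\(?P<key>RunOnce|Run): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
# O33 MountPoints2 AutoRun handlers: what Explorer runs when the volume is opened.
O33_RE = re.compile(r'^O33 - MountPoints2\\\{[0-9a-f-]+\}\\Shell\\AutoRun\\command - "" = (?P<target>.*)$')
# O3 toolbars and SRV services: only whether they are orphaned matters here.
O3_RE = re.compile(r"^O3 - .*No CLSID value found\.$")
SRV_RE = re.compile(r"^SRV - \((?P<name>[^)]+)\) -- File not found$")

# Directories a legitimate autorun entry rarely points into (assumption).
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\desktop\\")


@dataclass
class Finding:
    line: str
    kind: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, why):
        self.score += points
        self.reasons.append(why)


def looks_generated(name):
    """Crude check for machine-generated names such as 'iKjFoPc06300':
    no spaces, at least one digit, and many upper/lower/digit class switches."""
    if " " in name or not any(c.isdigit() for c in name) or len(name) < 8:
        return False
    classes = ["u" if c.isupper() else "l" if c.islower() else "d" for c in name if c.isalnum()]
    switches = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    return switches >= 5


def triage_line(line):
    """Return a Finding for one OTL line, or None if the line type is not handled."""
    m = O4_RE.match(line)
    if m:
        target = m.group("target").removesuffix(" ()").strip()
        f = Finding(line, "autorun")
        if target == "File not found":
            f.add(1, "orphaned Run value (target missing)")
            return f
        if looks_generated(m.group("name")):
            f.add(3, "value name looks machine-generated")
        if any(d in target.lower() for d in USER_WRITABLE):
            f.add(3, "executable lives in a user-writable data directory")
        if m.group("key") == "RunOnce" and m.group("hive") != "HKLM":
            f.add(1, "per-user RunOnce entry")
        return f
    m = O33_RE.match(line)
    if m:
        f = Finding(line, "autorun-media")
        drive = m.group("target")[:2].upper()
        if drive != "C:":
            f.add(2, f"AutoRun handler executes {m.group('target')} from volume {drive}")
        return f
    if O3_RE.match(line):
        f = Finding(line, "orphan-toolbar")
        f.add(1, "toolbar entry with no registered CLSID")
        return f
    m = SRV_RE.match(line)
    if m:
        f = Finding(line, "orphan-service")
        f.add(1, f"service {m.group('name')} points at a missing binary")
        return f
    return None


def triage(lines):
    """Score every recognised line and return the findings, most suspicious first."""
    findings = [f for f in (triage_line(l.strip()) for l in lines) if f]
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Sample input: lines copied from the :OTL section of the fix script above.
SAMPLE = r"""
SRV - (HidServ) -- File not found
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [Olympus ib] File not found
O4 - HKU\S-1-5-21-3760575758-2530229408-2328892859-1006..\RunOnce: [iKjFoPc06300] C:\Documents and Settings\All Users\Application Data\iKjFoPc06300\iKjFoPc06300.exe ()
O33 - MountPoints2\{7b3af236-03ad-11e0-b736-001111648dc5}\Shell\AutoRun\command - "" = J:\SETUP.EXE
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.score:2d} {f.kind:15s} {'; '.join(f.reasons)}")
```

Run stand-alone it ranks the randomly named RunOnce entry under All Users\Application Data well above everything else, with the J: AutoRun handler second and the orphaned entries (harmless clutter, but still worth removing) at the bottom; the orphans score low on purpose so that a long OTL log surfaces the handful of lines that actually matter.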

#9 scewter (Topic Starter, Member, 96 posts)
First of two posts.

Computer seems to be running well. Thanks for the comment regarding C drive space. Have not been paying attention to this. Spent some time deleting old programs which gave me more free space. The C drive on this computer has the OS and all other software. I've got a second HDD that holds all the data files.

Per your direction, deleted the programs, backed up the registry and ran the custom script with OTL. Here's the log file:

All processes killed
========== OTL ==========
Service HidServ stopped successfully!
Service HidServ deleted successfully!
File File not found not found.
Service AppMgmt stopped successfully!
Service AppMgmt deleted successfully!
File File not found not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{BA52B914-B692-46c4-B683-905236F6F655} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA52B914-B692-46c4-B683-905236F6F655}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-3760575758-2530229408-2328892859-1006\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
Registry value HKEY_USERS\S-1-5-21-3760575758-2530229408-2328892859-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-3760575758-2530229408-2328892859-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Olympus ib deleted successfully.
Registry value HKEY_USERS\S-1-5-21-3760575758-2530229408-2328892859-1006\Software\Microsoft\Windows\CurrentVersion\RunOnce\\iKjFoPc06300 not found.
File C:\Documents and Settings\All Users\Application Data\iKjFoPc06300\iKjFoPc06300.exe not found.
Starting removal of ActiveX control {0000000A-9980-0010-8000-00AA00389B71}
C:\WINDOWS\Downloaded Program Files\wmsp9dmo.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{0000000A-9980-0010-8000-00AA00389B71}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0000000A-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0000000A-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0000000A-9980-0010-8000-00AA00389B71}\ not found.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}
C:\WINDOWS\Downloaded Program Files\McGDMgr.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Starting removal of ActiveX control Microsoft XML Parser for Java Reg Error: Value error.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java Reg Error: Value error.\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java Reg Error: Value error.\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7b3af236-03ad-11e0-b736-001111648dc5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b3af236-03ad-11e0-b736-001111648dc5}\ not found.
File J:\SETUP.EXE not found.
Folder C:\Documents and Settings\All Users\Application Data\iKjFoPc06300\ not found.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\System32\SET57.tmp deleted successfully.
C:\WINDOWS\System32\SET63.tmp deleted successfully.
C:\WINDOWS\System32\setb5.tmp deleted successfully.
C:\fsqwr.bmp moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\PJ\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\PJ\Desktop\cmd.txt deleted successfully.
C:\WINDOWS\prefetch\ADOBEUPDATER.EXE-27A3E5C5.pf moved successfully.
C:\WINDOWS\prefetch\AGENTSVR.EXE-260B72BD.pf moved successfully.
C:\WINDOWS\prefetch\ALG.EXE-275708CF.pf moved successfully.
C:\WINDOWS\prefetch\APCSYSTRAY.EXE-2BA90DB8.pf moved successfully.
C:\WINDOWS\prefetch\AVAST.SETUP-1120D71A.pf moved successfully.
C:\WINDOWS\prefetch\AVASTUI.EXE-2D58DFD5.pf moved successfully.
C:\WINDOWS\prefetch\CMD.EXE-034B0549.pf moved successfully.
C:\WINDOWS\prefetch\DEFRAG.EXE-2858C7E2.pf moved successfully.
C:\WINDOWS\prefetch\DEVDTCT2.EXE-1BCC25EA.pf moved successfully.
C:\WINDOWS\prefetch\DFRGNTFS.EXE-38C3807C.pf moved successfully.
C:\WINDOWS\prefetch\DIFXINSTALL32.EXE-1984B98D.pf moved successfully.
C:\WINDOWS\prefetch\DISPLAY.EXE-2B6EBE0B.pf moved successfully.
C:\WINDOWS\prefetch\DLLHOST.EXE-14573387.pf moved successfully.
C:\WINDOWS\prefetch\DUMPREP.EXE-0AF2BF67.pf moved successfully.
C:\WINDOWS\prefetch\ERUNT-SETUP.EXE-1C825B2B.pf moved successfully.
C:\WINDOWS\prefetch\ERUNT.EXE-23218E37.pf moved successfully.
C:\WINDOWS\prefetch\EXPLORER.EXE-02121B1A.pf moved successfully.
C:\WINDOWS\prefetch\EXPLORER.EXE-2C8CE74A.pf moved successfully.
C:\WINDOWS\prefetch\EXPLORER.EXE-2EA9D3C1.pf moved successfully.
C:\WINDOWS\prefetch\FXSSVC.EXE-140862E7.pf moved successfully.
C:\WINDOWS\prefetch\GOOGLECRASHHANDLER.EXE-024AD864.pf moved successfully.
C:\WINDOWS\prefetch\GOOGLEUPDATE.EXE-160E1F62.pf moved successfully.
C:\WINDOWS\prefetch\GOOGLEUPDATER.EXE-1D8A4379.pf moved successfully.
C:\WINDOWS\prefetch\GOOGLEUPDATERSERVICE.EXE-2F4A2F77.pf moved successfully.
C:\WINDOWS\prefetch\GRPCONV.EXE-375690AD.pf moved successfully.
C:\WINDOWS\prefetch\HELPSVC.EXE-1C192440.pf moved successfully.
C:\WINDOWS\prefetch\IAANTMON.EXE-3B9742E1.pf moved successfully.
C:\WINDOWS\prefetch\IDRIVER.EXE-242AF138.pf moved successfully.
C:\WINDOWS\prefetch\IEXPLORE.EXE-2318D670.pf moved successfully.
C:\WINDOWS\prefetch\IEXPLORE.EXE-2D97EBE6.pf moved successfully.
C:\WINDOWS\prefetch\IKERNEL.EXE-182CAA81.pf moved successfully.
C:\WINDOWS\prefetch\IMAPI.EXE-201490BB.pf moved successfully.
C:\WINDOWS\prefetch\IPCONFIG.EXE-05D7908C.pf moved successfully.
C:\WINDOWS\prefetch\IPODSERVICE.EXE-37043579.pf moved successfully.
C:\WINDOWS\prefetch\IS-70KG9.TMP-180C535D.pf moved successfully.
C:\WINDOWS\prefetch\ITUNES.EXE-14FD3AEE.pf moved successfully.
C:\WINDOWS\prefetch\ITUNESPHOTOPROCESSOR.EXE-1FFAF76D.pf moved successfully.
C:\WINDOWS\prefetch\JAVAW.EXE-22140141.pf moved successfully.
C:\WINDOWS\prefetch\JAVAWS.EXE-2ECF7EE3.pf moved successfully.
C:\WINDOWS\prefetch\KILLRBPROCESS.EXE-27024E63.pf moved successfully.
C:\WINDOWS\prefetch\KILLSE.EXE-0455B26D.pf moved successfully.
C:\WINDOWS\prefetch\LAUNCHU3.EXE-09AB4AF2.pf moved successfully.
C:\WINDOWS\prefetch\LAUNCHU3.EXE-193C4D18.pf moved successfully.
C:\WINDOWS\prefetch\LAUNCHU3.EXE-209CBEEF.pf moved successfully.
C:\WINDOWS\prefetch\layout.ini moved successfully.
C:\WINDOWS\prefetch\LOGON.SCR-24ADF392.pf moved successfully.
C:\WINDOWS\prefetch\LOGONUI.EXE-312BE1BF.pf moved successfully.
C:\WINDOWS\prefetch\MDM.EXE-13735E69.pf moved successfully.
C:\WINDOWS\prefetch\MRT.EXE-161A5291.pf moved successfully.
C:\WINDOWS\prefetch\MRTSTUB.EXE-31893B82.pf moved successfully.
C:\WINDOWS\prefetch\MSI7.TMP-05840CEA.pf moved successfully.
C:\WINDOWS\prefetch\MSI8.TMP-0DE006C1.pf moved successfully.
C:\WINDOWS\prefetch\MSID.TMP-3751528C.pf moved successfully.
C:\WINDOWS\prefetch\MSIE.TMP-17AD8B26.pf moved successfully.
C:\WINDOWS\prefetch\MSIEXEC.EXE-330626DC.pf moved successfully.
C:\WINDOWS\prefetch\MSIF.TMP-221E031A.pf moved successfully.
C:\WINDOWS\prefetch\MSNTBUP.EXE-05EA1CAC.pf moved successfully.
C:\WINDOWS\prefetch\MSN_SL.EXE-2BF0761D.pf moved successfully.
C:\WINDOWS\prefetch\MTSAXINSTALLER.EXE-0CA7D990.pf moved successfully.
C:\WINDOWS\prefetch\NOTEPAD.EXE-2F2D61E1.pf moved successfully.
C:\WINDOWS\prefetch\NTOSBOOT-B00DFAAD.pf moved successfully.
C:\WINDOWS\prefetch\OTL.EXE-035CF47B.pf moved successfully.
C:\WINDOWS\prefetch\OUTLOOK.EXE-3034BD3F.pf moved successfully.
C:\WINDOWS\prefetch\PHOTOSHOPELEMENTSDEVICECONNEC-12EF2FAF.pf moved successfully.
C:\WINDOWS\prefetch\PHOTOSHOPELEMENTSFILEAGENT.EX-2C68956D.pf moved successfully.
C:\WINDOWS\prefetch\PHOTOSHOPELEMENTSORGANIZER.EX-13BC389B.pf moved successfully.
C:\WINDOWS\prefetch\PXSETUP.EXE-11D59E0F.pf moved successfully.
C:\WINDOWS\prefetch\QTTASK.EXE-1876A1A1.pf moved successfully.
C:\WINDOWS\prefetch\REALPLAY.EXE-05411014.pf moved successfully.
C:\WINDOWS\prefetch\REALSCHED.EXE-0948A6AF.pf moved successfully.
C:\WINDOWS\prefetch\REGSVR32.EXE-396DEA2C.pf moved successfully.
C:\WINDOWS\prefetch\RSTRUI.EXE-05C31B56.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-3F06F4F4.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-4320D12E.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-530E1D09.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-5645E36A.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-629869A4.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-67D4CC67.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-69B1316D.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-6E8D4657.pf moved successfully.
C:\WINDOWS\prefetch\RUNONCE.EXE-01CA3A2F.pf moved successfully.
C:\WINDOWS\prefetch\SBPFCL.EXE-3030507E.pf moved successfully.
C:\WINDOWS\prefetch\SBPFLNCH.EXE-2B0719A1.pf moved successfully.
C:\WINDOWS\prefetch\SBPFSVC.EXE-23507161.pf moved successfully.
C:\WINDOWS\prefetch\SET38.TMP-28F57969.pf moved successfully.
C:\WINDOWS\prefetch\SET6C.TMP-1F1FB676.pf moved successfully.
C:\WINDOWS\prefetch\SET6F.TMP-05788858.pf moved successfully.
C:\WINDOWS\prefetch\SET72.TMP-1A9D7F7E.pf moved successfully.
C:\WINDOWS\prefetch\SET84.TMP-2947B0B1.pf moved successfully.
C:\WINDOWS\prefetch\SETUPX86.EXE-0DCCBC0C.pf moved successfully.
C:\WINDOWS\prefetch\SF.BIN-27950ED2.pf moved successfully.
C:\WINDOWS\prefetch\SF.BIN-2BAF6148.pf moved successfully.
C:\WINDOWS\prefetch\SKYPENAMES.EXE-150E8F7C.pf moved successfully.
C:\WINDOWS\prefetch\SM1BG.EXE-266B31DF.pf moved successfully.
C:\WINDOWS\prefetch\SOFTWAREUPDATE.EXE-1709A272.pf moved successfully.
C:\WINDOWS\prefetch\STREETS.EXE-18338833.pf moved successfully.
C:\WINDOWS\prefetch\SVCHOST.EXE-2D5FBD18.pf moved successfully.
C:\WINDOWS\prefetch\TASKMGR.EXE-06144C13.pf moved successfully.
C:\WINDOWS\prefetch\U3INTRODUCTION.EXE-29733EFD.pf moved successfully.
C:\WINDOWS\prefetch\UNINS000.EXE-1755EFEF.pf moved successfully.
C:\WINDOWS\prefetch\UNINS000.EXE-2571FD2B.pf moved successfully.
C:\WINDOWS\prefetch\UNINS000.EXE-39FC1D54.pf moved successfully.
C:\WINDOWS\prefetch\UPDATE.EXE-26701FD6.pf moved successfully.
C:\WINDOWS\prefetch\UPDATE.EXE-35942EBF.pf moved successfully.
C:\WINDOWS\prefetch\USERINIT.EXE-0743FDA9.pf moved successfully.
C:\WINDOWS\prefetch\VERCLSID.EXE-28F52AD2.pf moved successfully.
C:\WINDOWS\prefetch\VIEWMGR.EXE-0F5AF60C.pf moved successfully.
C:\WINDOWS\prefetch\VIEWMGRINSTALLER.EXE-063E8957.pf moved successfully.
C:\WINDOWS\prefetch\VIEWPOINTSERVICE.EXE-1082C90D.pf moved successfully.
C:\WINDOWS\prefetch\VMGRREMOK.EXE-2DD7E09E.pf moved successfully.
C:\WINDOWS\prefetch\VMPREMOV.EXE-19AFD44D.pf moved successfully.
C:\WINDOWS\prefetch\VM_STI.EXE-35CA4F28.pf moved successfully.
C:\WINDOWS\prefetch\WGATRAY.EXE-350D4455.pf moved successfully.
C:\WINDOWS\prefetch\WINDOWS-KB890830-V3.17-DELTA.-30857C3A.pf moved successfully.
C:\WINDOWS\prefetch\WINWORD.EXE-0614BEA2.pf moved successfully.
C:\WINDOWS\prefetch\WMIPRVSE.EXE-0D449B4F.pf moved successfully.
C:\WINDOWS\prefetch\WUAUCLT.EXE-1360D60A.pf moved successfully.
C:\WINDOWS\prefetch\_IU14D2N.TMP-11BF2E63.pf moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\\"DisableMonitoring"|dword:00000000 /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\\"DisableMonitoring"|dword:00000000 /E : value set successfully!
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User
->Flash cache emptied: 41 bytes

User: LocalService

User: NetworkService

User: PJ
->Flash cache emptied: 2222799 bytes

Total Flash Files Cleaned = 2.00 mb


[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 50962 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 900617 bytes

User: PJ
->Temp folder emptied: 641017595 bytes
->Temporary Internet Files folder emptied: 263279093 bytes
->Java cache emptied: 245023 bytes
->FireFox cache emptied: 48264826 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 93054841 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 91318450 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 16271291 bytes

Total Files Cleaned = 1,101.00 mb

Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.

OTL by OldTimer - Version 3.2.22.3 log created on 03122011_132529

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\_avast5_\Webshlock.txt not found!
C:\WINDOWS\temp\hlktmp moved successfully.

Registry entries deleted on Reboot...

#10 scewter (Topic Starter, Member, 96 posts)
Second of two;

Ran the Malwarebytes scan. Had to run two as I neglected to check the "T" partition before the first scan. Here're the results of the two scans:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6036

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

3/12/2011 4:13:34 PM
mbam-log-2011-03-12 (16-13-34).txt

Scan type: Full scan (C:\|P:\|S:\|)
Objects scanned: 454595
Time elapsed: 2 hour(s), 16 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\pj\desktop\rk_quarantine\ikjfopc06300.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\PJ\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


Here's the second scan:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6036

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

3/12/2011 4:25:54 PM
mbam-log-2011-03-12 (16-25-54).txt

Scan type: Full scan (T:\|)
Objects scanned: 176304
Time elapsed: 3 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
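As an added example, not part of the thread and not Malwarebytes' own code: a Python parser for the MBAM 1.x text log format posted above. It pulls out the header fields, the per-category counts and each listed detection, checks that the declared counts match what is actually listed, and flags any detection whose action did not complete (for example an item left for deletion on reboot, which is why the helper's note insists on restarting when asked). The first sample is an abridged copy of the first scan log above; the second is constructed to show the pending-action case, and its "Delete on reboot" wording and file name are assumptions.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into structured results.

Added example for this thread, not Malwarebytes' own code. SAMPLE_LOG is
abridged from the first scan posted above; PENDING_LOG is constructed to
show an action that did not complete (wording assumed).
"""
import re
from dataclasses import dataclass

# "Files Infected: 2" (summary block)  vs  "Files Infected:" (section header)
SUMMARY_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected):$")
# "<path or registry key> (<signature>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<signature>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass(frozen=True)
class Detection:
    category: str
    path: str
    signature: str
    action: str


def parse_mbam_log(text):
    """Return (header fields, declared per-category counts, listed detections)."""
    header, counts, detections = {}, {}, []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            counts[m.group("category")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("category")
            continue
        if section is not None:
            m = DETECTION_RE.match(line)
            if m:  # "(No malicious items detected)" does not match and is skipped
                detections.append(Detection(section, m.group("path"),
                                            m.group("signature"), m.group("action")))
            continue
        for key, prefix in (("scan_type", "Scan type: "), ("database", "Database version: "),
                            ("objects", "Objects scanned: ")):
            if line.startswith(prefix):
                value = line[len(prefix):]
                header[key] = int(value) if value.isdigit() else value
    return header, counts, detections


def reconcile(counts, detections):
    """Categories whose declared count differs from the entries actually listed."""
    listed = {}
    for d in detections:
        listed[d.category] = listed.get(d.category, 0) + 1
    return {c: (n, listed.get(c, 0)) for c, n in counts.items() if n != listed.get(c, 0)}


def pending(detections):
    """Detections whose action has not completed (needs a reboot, or failed)."""
    return [d for d in detections if "successfully" not in d.action.lower()]


# Abridged from the first MBAM log posted in this thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6036

Scan type: Full scan (C:\|P:\|S:\|)
Objects scanned: 454595
Time elapsed: 2 hour(s), 16 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\pj\desktop\rk_quarantine\ikjfopc06300.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\PJ\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""

# Constructed, not from the thread: one file that could not be removed immediately.
PENDING_LOG = r"""
Files Infected: 1

Files Infected:
c:\windows\temp\example.dll (Trojan.Agent) -> Delete on reboot.
"""

if __name__ == "__main__":
    header, counts, dets = parse_mbam_log(SAMPLE_LOG)
    print(header["scan_type"], "db", header["database"])
    for d in dets:
        print(f"{d.category}: {d.signature} -> {d.action}: {d.path}")
    print("count mismatches:", reconcile(counts, dets), "pending:", pending(dets))
```

The two checks at the end are the ones worth automating when you read many of these logs: a count mismatch means the log was truncated or hand-edited when pasted, and a non-empty pending list means the machine has not been rebooted since the scan and the listed items are still on disk.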


#11 Dakeyras (Expert, 9,719 posts)
Hi. :D

Computer seems to be running well. Thnx for the comment regarding C drive space.

Good and you're welcome!

There appears to be a problem with System Restore:-

Error starting restore point: System Restore is disabled.

This is most likely due to malware, which we will address shortly.

To err on the side of caution I would like for your good self to create another independent Registry backup then proceed to my ComboFix instructions afterwards, thank you.

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

Click on Start >> Run...(or the Windows key and R together) to bring up the Run box and copy and paste in:

"C:\Program Files\ERUNT\ERUNT.EXE" %SystemRoot%\ERDNT\scewter -backup

and click on OK.

Note: If you have uninstalled ERUNT since we last used it, please inform me before proceeding any further.

Download/Run ComboFix:

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs <-- Click on this link.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: If ComboFix detects Rootkit activity and asks to reboot the system, please allow this to be done.

A word of warning: Neither I nor sUBs is responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use. ComboFix should not be used unless requested by a forum helper.


When you have completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any other symptoms and or problems encountered?
  • ComboFix Log.


#12 scewter (Topic Starter, Member, 96 posts)
Before I perform those steps, I will say I had intentionally disabled the restore function on this computer quite a while ago. Part of my overall backup plan for this computer - I image the drives periodically. Did not want/desire large file volumes of system restore when I had no intention of using them anyway. Probably ripe for another discussion regarding the wisdom of that - but anyway, with that in mind, does that change your recommended procedures you just posted?

Thnx, and I'll await your response before proceeding.

#13 Dakeyras (Expert, 9,719 posts)
Hi. :D


Fair play, what you mentioned, and I do appreciate why you have intentionally disabled System Restore, but it is not a wise move really in the great scheme of things. So please enable it for the duration of the Malware Removal process...

Please carry out the following:

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn On System Restore.
  • Click Apply, and then click OK.
Next carry out this:

  • Click on Start >> All Programs >> Accessories >> System Tools >> System Restore.
  • Check Create a restore point and click on Next.
  • Under Restore Point Description, type in GTG Backup and click on Create.
  • When informed Restore point created, click on Close.
  • You now have a restore point as a backup.
Next:

When you have completed the above, proceed to my ERUNT, then ComboFix instructions when ready, thank you.

#14 scewter (Topic Starter, Member, 96 posts)
Okay, will do.

Forgot to mention that ERUNT is still installed on the computer. Any changes to the process?

Still trying to figure how to do the "quote box" you do in your posts.

#15 scewter (Topic Starter, Member, 96 posts)
OK, here's the results.

I attempted to enable System Restore, but found it was already enabled. Strange, because yesterday it was disabled. Created a new restore point anyway per your directions.

Also made a new backup of the registry.

Ran ComboFix, and here's the log file:

ComboFix 11-03-12.01 - PJ 03/13/2011 13:51:02.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1580 [GMT -4:00]
Running from: c:\documents and settings\PJ\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sunbelt Personal Firewall *Disabled* {82B1150E-9B37-49FC-83EB-D52197D900D0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Java
c:\program files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
c:\windows\patch.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-13 to 2011-03-13 )))))))))))))))))))))))))))))))
.
.
2011-03-12 18:25 . 2011-03-12 18:25 -------- d-----w- C:\_OTL
2011-03-08 03:02 . 2011-03-11 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\iKjFoPc06300
2011-02-26 17:11 . 2011-02-26 17:11 -------- d-----w- c:\documents and settings\PJ\Local Settings\Application Data\Xenocode
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2004-08-04 11:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 11:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2004-08-04 11:00 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-04 11:00 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 11:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-13 08:47 . 2010-09-10 17:11 38848 ----a-w- c:\windows\avastSS.scr
2011-01-13 08:47 . 2010-09-10 17:11 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-01-13 08:41 . 2010-09-10 17:11 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-01-13 08:40 . 2010-09-10 17:11 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-01-13 08:40 . 2010-09-10 17:11 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-01-13 08:39 . 2010-09-10 17:11 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-01-13 08:37 . 2010-09-10 17:11 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-01-13 08:37 . 2010-09-10 17:11 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-01-13 08:37 . 2010-09-10 17:11 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-01-07 14:09 . 2004-08-04 11:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-04 11:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-04 11:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:09 . 2010-08-20 19:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2004-08-04 11:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:08 . 2004-08-04 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 23:08 . 2004-08-04 11:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:08 . 2004-08-04 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-12-20 23:08 . 2010-08-20 19:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2004-08-04 11:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-04 11:00 389120 ----a-w- c:\windows\system32\html.iec
2010-02-25 22:56 . 2010-02-25 22:55 98181416 ----a-w- c:\program files\iTunesSetup.exe
2009-11-13 02:15 . 2009-11-13 02:15 4938616 ----a-w- c:\program files\Silverlight.exe
2009-11-05 16:12 . 2009-11-05 16:12 3218761 ----a-w- c:\program files\SetupSureCutsALot_2_005.exe
2008-06-29 18:12 . 2008-06-29 18:12 16535022 ----a-w- c:\program files\CDSInstaller.exe
2003-08-27 19:19 . 2005-03-26 16:56 36963 ------w- c:\program files\Common Files\SM1updtr.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-17 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-02-05 180269]
"BigDogPath"="c:\windows\VM_STI.EXE" [2005-02-28 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2005-11-29 221295]
NaturalColorLoad.lnk - c:\program files\SEC\Natural Color\NaturalColorLoad.exe [2005-11-25 155715]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk]
backup=c:\windows\pss\Device Detector 2.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^PJ^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2005-12-27 15:32 118784 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis True Image Monitor]
2005-12-27 15:32 988736 ----a-w- c:\program files\Acronis\TrueImage\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-08-25 18:52 339968 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C40 Series]
2002-04-10 07:04 74240 ----a-w- c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_S10IC2.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2004-03-23 18:16 135168 ----a-w- c:\program files\Intel\Intel Application Accelerator\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
2001-04-10 20:26 237642 ----a-w- c:\progra~1\EPSON\INKMON~1\InkMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
2003-08-27 19:20 94208 ----a-r- c:\windows\SM1bg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-06-30 19:33 1388544 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2005-02-05 15:02 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PhotoshopElementsDeviceConnect"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM
.
R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [9/10/2010 1:11 PM 294608]
R1 eusk2par;EUTRON SmartKey Parallel Driver;c:\windows\SYSTEM32\DRIVERS\eusk2par.sys [12/15/2007 8:02 PM 24786]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R1 SbFw;SbFw;c:\windows\SYSTEM32\DRIVERS\SbFw.sys [9/10/2010 1:18 PM 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\SYSTEM32\DRIVERS\sbhips.sys [6/21/2008 4:54 AM 66600]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [9/10/2010 1:11 PM 17744]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 SbPF.Launcher;SbPF.Launcher;c:\program files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [10/31/2008 7:24 AM 95528]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [10/31/2008 7:24 AM 1365288]
R3 EUCR;ENE USB Mass Storage;c:\windows\SYSTEM32\DRIVERS\EUCR6SK.sys [2/13/2006 2:23 PM 42240]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\SYSTEM32\DRIVERS\SbFwIm.sys [9/10/2010 1:18 PM 65576]
S2 gupdate1c9b1b792ea9b30;Google Update Service (gupdate1c9b1b792ea9b30);c:\program files\Google\Update\GoogleUpdate.exe [3/31/2009 12:16 AM 133104]
S3 epppdt;EPSON 1394.3 Class;c:\windows\SYSTEM32\DRIVERS\epppdt.sys [6/18/2006 5:41 PM 31269]
S3 epppdtpr;EPSON 1394.3 Printer Class;c:\windows\SYSTEM32\DRIVERS\epppdtpr.sys [6/18/2006 5:41 PM 14457]
S3 eusk3usb;SmartKey 3 USB;c:\windows\SYSTEM32\DRIVERS\eusk3usb.sys [12/15/2007 8:02 PM 45534]
S3 OlyCamComm;OLYMPUS USB Communication Device;c:\windows\SYSTEM32\DRIVERS\OlyCamComm.sys [12/9/2010 9:48 PM 21648]
S3 SPCP825K;Sunplus Serial port driver;c:\windows\system32\DRIVERS\SPCP825K.sys --> c:\windows\system32\DRIVERS\SPCP825K.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-13 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]
.
2011-03-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-17 03:23]
.
2011-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-31 04:15]
.
2011-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-31 04:15]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
DPF: Microsoft XML Parser for Java
DPF: {0C5CF442-582B-4357-B116-765DA99CAA8C} - hxxp://www.docs.co.clay.mn.us/AppXtender/client/IrcViewer.cab
DPF: {89F1C7A1-B54C-406D-8CD6-901D277F6388} - hxxp://www.docs.co.clay.mn.us/AppXtender/client/IrcResultSet.cab
FF - ProfilePath - c:\documents and settings\PJ\Application Data\Mozilla\Firefox\Profiles\rj0t53qj.default\
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-HP Metrics - c:\program files\HP\Personal Printing Solutions Product Research\HP Product Research.exe
MSConfigStartUp-MediaFace Integration - c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe
MSConfigStartUp-PCMService - c:\program files\Dell\Media Experience\PCMService.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\j2re1.4.2_03\bin\jusched.exe
AddRemove-Create-A-Face 3.2_is1 - c:\program files\Create-A-Face 3.2\unins000.exe
AddRemove-InspireGraphics - c:\inspire\IGUninst.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-13 14:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Swearware\backup\winsock2\Parameters]
@DACL=(02 0000)
@SACL=
"WinSock_Registry_Version"="2.0"
"Current_NameSpace_Catalog"="NameSpace_Catalog5"
"Current_Protocol_Catalog"="Protocol_Catalog9"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1244)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1848)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\windows\system32\hasplms.exe
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\wscntfy.exe
c:\program files\Sunbelt Software\Personal Firewall\SbPFCl.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
.
**************************************************************************
.
Completion time: 2011-03-13 14:07:51 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-13 18:07
.
Pre-Run: 5,369,683,968 bytes free
Post-Run: 5,393,686,528 bytes free
.
- - End Of File - - 32DADFD0C8282036B55F3FDD4DDB2383
  • 0