Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Windows XP Recovery virus

Started by Symmetrix , May 18 2011 12:42 PM

  • Please log in to reply

#1
Symmetrix
Posted 18 May 2011 - 12:42 PM

Symmetrix

    Member

  • Member
  • PipPip
  • 76 posts
Hello, got this fake tool on my computer. I am using Windows XP Pro. Used Rkill, then TDSS killer, then used malware bytes all with updates. Then used Unhide to display missing desktop icons. Seems to have disabled the virus but many desktop icons and programs showing empty under program files. Ran these programs several times in normal mode but the files are not coming back. I know they are there through add/remove programs. Maybe some remainder is left. Here is the OTL log:
OTL logfile created on: 5/18/2011 2:24:24 PM - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\CAD Operator\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 55.00 Mb Available Physical Memory | 11.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 63.00% Paging File free
Paging file location(s): c:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 19.00 Gb Free Space | 51.00% Space Free | Partition Type: NTFS
Unable to calculate disk information.
Drive F: | 1.90 Gb Total Space | 1.89 Gb Free Space | 99.22% Space Free | Partition Type: FAT32

Computer Name: DRAFT_STATION3 | User Name: CAD Operator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/18 14:16:01 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\CAD Operator\My Documents\Downloads\OTL.exe
PRC - [2011/05/18 13:31:15 | 001,191,216 | ---- | M] (Lavasoft Limited) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2011/05/18 13:31:12 | 002,151,128 | ---- | M] (Lavasoft Limited) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2011/04/14 12:25:41 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/05/14 12:44:46 | 000,501,480 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/04/16 18:28:22 | 000,577,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\soundman.exe


========== Modules (SafeList) ==========

MOD - [2011/05/18 14:16:01 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\CAD Operator\My Documents\Downloads\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (ACDaemon)
SRV - [2011/05/18 13:31:12 | 002,151,128 | ---- | M] (Lavasoft Limited) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2011/05/17 19:35:19 | 003,275,864 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\netsession_win_8832f4b.dll -- (Akamai)


========== Driver Services (SafeList) ==========

DRV - [2011/05/18 13:32:45 | 000,015,232 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys -- (Lavasoft Kernexplorer)
DRV - [2010/08/12 08:15:20 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/03/25 06:29:52 | 000,130,432 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2008/04/13 14:36:41 | 000,063,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mf.sys -- (mf)
DRV - [2008/01/24 19:36:16 | 004,127,488 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/08/04 02:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/08/03 18:32:24 | 000,010,880 | ---- | M] (Aureal, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\admjoy.sys -- (admjoy)
DRV - [2004/02/23 23:08:52 | 000,400,384 | ---- | M] (Sensaura) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2003/12/10 03:21:16 | 000,004,224 | R--- | M] (ABIT Computer Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AC2003.sys -- (AC2003)
DRV - [2001/08/23 15:00:00 | 000,022,400 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SbcpHid.sys -- (SbcpHid)
DRV - [2001/08/17 16:11:42 | 000,029,696 | ---- | M] (CNet Technology, Inc. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DM9PCI5.SYS -- (DM9102) DAVICOM 9102(A)
DRV - [2001/08/17 08:19:14 | 000,747,392 | ---- | M] (Aureal, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\adm8830.sys -- (wdm_au8830) Aureal Vortex 8830 Audio Driver (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Web Search..."
FF - prefs.js..browser.search.defaulturl: "http://www.google.co...-8&oe=UTF-8&q="
FF - prefs.js..browser.search.selectedEngine: "Wikipedia (en)"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://msn.com"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.72.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: [email protected]:2.5.3
FF - prefs.js..keyword.URL: "http://gamebox.my-qu...spx?srch=ku&q="
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 53495
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\MySpace\Toolbar\1.0.72.0\ [2010/02/28 10:42:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/30 13:51:48 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/30 13:51:45 | 000,000,000 | ---D | M]

[2008/08/27 13:22:24 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\CAD Operator\Application Data\Mozilla\Extensions
[2011/04/30 09:47:02 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\CAD Operator\Application Data\Mozilla\Firefox\Profiles\apubkm20.default\extensions
[2011/03/03 18:57:10 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\CAD Operator\Application Data\Mozilla\Firefox\Profiles\apubkm20.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/04/13 20:55:44 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\CAD Operator\Application Data\Mozilla\Firefox\Profiles\apubkm20.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2011/04/22 07:49:36 | 000,000,000 | ---D | M] (Ghostery) -- C:\Documents and Settings\CAD Operator\Application Data\Mozilla\Firefox\Profiles\apubkm20.default\extensions\[email protected]
[2008/12/09 20:06:44 | 000,002,158 | ---- | M] () -- C:\Documents and Settings\CAD Operator\Application Data\Mozilla\Firefox\Profiles\apubkm20.default\searchplugins\MySpace.xml
[2010/04/10 12:13:12 | 000,001,594 | ---- | M] () -- C:\Documents and Settings\CAD Operator\Application Data\Mozilla\Firefox\Profiles\apubkm20.default\searchplugins\web-search.xml
[2011/04/30 13:51:48 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/06/14 10:08:30 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/12/15 16:09:23 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
File not found (No name found) --
[2009/03/20 21:53:12 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/04/14 12:26:02 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2007/04/25 00:25:00 | 000,061,475 | ---- | M] (Earth Resource Mapping) -- C:\Program Files\Mozilla Firefox\plugins\NCScnet.dll
[2007/04/25 00:32:00 | 001,384,482 | ---- | M] (Earth Resource Mapping) -- C:\Program Files\Mozilla Firefox\plugins\NCSEcw.dll
[2007/04/25 00:24:00 | 000,147,491 | ---- | M] (Earth Resource Mapping) -- C:\Program Files\Mozilla Firefox\plugins\NCSUtil.dll
[2010/11/12 19:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2007/04/25 00:45:00 | 000,610,304 | ---- | M] (Earth Resource Mapping) -- C:\Program Files\Mozilla Firefox\plugins\NP_NCS6.dll
[2007/04/25 00:45:00 | 000,069,632 | ---- | M] (Earth Resource Mapping) -- C:\Program Files\Mozilla Firefox\plugins\NP_NCSPB6.dll
[2007/04/25 00:46:00 | 000,094,208 | ---- | M] (Earth Resource Mapping) -- C:\Program Files\Mozilla Firefox\plugins\NP_NCSTB6.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2009/05/02 11:37:54 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (Autodesk DWF) - {F03966D3-8EA0-47b4-BBE0-85BFE6CBC8AC} - C:\Program Files\Autodesk\Autodesk DWF Writer\DWF Addin\DWFIEAddin.dll (Autodesk, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft Limited)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://a1540.g.akama...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} http://www.eset.eu/b...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} http://aerial.leepa....plugins/NCS.cab (Reg Error: Key error.)
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} http://www.nick.com/.../GrooveAX27.cab (Groove Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.74.166 68.87.68.166
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\CAD Operator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\CAD Operator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/12/03 20:30:57 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{94b60511-4540-11d9-b812-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{94b60511-4540-11d9-b812-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{94b60511-4540-11d9-b812-806d6172696f}\Shell\AutoRun\command - "" = D:\autoplay.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/18 00:16:03 | 001,407,280 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\CAD Operator\Desktop\TDSSKiller.exe
[2011/05/17 08:07:57 | 000,000,000 | R--D | C] -- C:\Documents and Settings\CAD Operator\Recent
[2010/02/09 17:22:52 | 000,823,296 | ---- | C] (Crystal Dew World) -- C:\Program Files\CrystalCPUID.exe
[2006/02/27 13:48:50 | 000,090,112 | R--- | C] ( ) -- C:\WINDOWS\System32\SCCD3X02.DLL
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/18 14:21:35 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/05/18 13:36:03 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/05/18 13:34:42 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/05/18 13:34:42 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/05/18 13:29:36 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2011/05/18 08:08:46 | 000,012,664 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/18 08:08:35 | 000,007,883 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/05/18 08:08:34 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/05/18 08:08:26 | 536,399,872 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/18 08:08:26 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/18 00:19:04 | 000,502,095 | ---- | M] () -- C:\Documents and Settings\CAD Operator\Desktop\unhide.exe
[2011/05/18 00:14:22 | 000,000,150 | ---- | M] () -- C:\Documents and Settings\CAD Operator\Desktop\rk-proxy.reg
[2011/05/18 00:12:43 | 000,000,801 | ---- | M] () -- C:\Documents and Settings\CAD Operator\Desktop\Shortcut to iExplore.lnk
[2011/05/17 09:07:01 | 000,000,450 | ---- | M] () -- C:\WINDOWS\tasks\EasyShare Registration Task.job
[2011/05/17 07:48:57 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\17358628
[2011/05/13 13:21:28 | 001,407,280 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\CAD Operator\Desktop\TDSSKiller.exe
[2011/05/09 13:22:35 | 000,003,268 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/18 13:34:42 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/05/18 13:34:42 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/05/18 00:19:05 | 000,502,095 | ---- | C] () -- C:\Documents and Settings\CAD Operator\Desktop\unhide.exe
[2011/05/18 00:14:22 | 000,000,150 | ---- | C] () -- C:\Documents and Settings\CAD Operator\Desktop\rk-proxy.reg
[2011/05/18 00:12:43 | 000,000,801 | ---- | C] () -- C:\Documents and Settings\CAD Operator\Desktop\Shortcut to iExplore.lnk
[2011/05/17 08:04:30 | 536,399,872 | -HS- | C] () -- C:\hiberfil.sys
[2011/05/17 07:48:57 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\17358628
[2011/04/11 08:56:32 | 000,014,746 | ---- | C] () -- C:\Documents and Settings\CAD Operator\Application Data\E6A2.322
[2011/04/11 08:56:24 | 000,002,384 | -HS- | C] () -- C:\Documents and Settings\CAD Operator\Local Settings\Application Data\6umds8y8841yn3rbmki0sbvbk5so35gq
[2011/04/11 08:56:24 | 000,002,384 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\6umds8y8841yn3rbmki0sbvbk5so35gq
[2010/08/03 03:15:59 | 000,163,840 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/12/18 11:56:15 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/11/07 09:06:29 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\CAD Operator\Application Data\$_hpcst$.hpc
[2009/08/09 13:34:24 | 001,698,035 | ---- | C] () -- C:\Documents and Settings\CAD Operator\Application Data\ijango_toolbar_installer.exe
[2009/08/03 15:06:59 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\DWFPortMon3.dll
[2009/05/04 23:19:12 | 000,117,248 | ---- | C] () -- C:\WINDOWS\vFind.exe
[2009/05/04 23:19:12 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/05/04 23:19:12 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/05/04 23:19:12 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/04/29 23:09:31 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/03/03 12:18:04 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2008/11/18 07:39:06 | 000,000,285 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2008/11/18 07:37:59 | 000,000,022 | ---- | C] () -- C:\WINDOWS\FLASHKSK.INI
[2008/11/18 07:37:55 | 000,021,504 | ---- | C] () -- C:\WINDOWS\LXBRSET.EXE
[2008/11/18 07:37:55 | 000,004,608 | ---- | C] () -- C:\WINDOWS\DelShell.exe
[2008/05/28 22:28:53 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2008/03/25 21:18:55 | 000,002,889 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2008/03/25 21:17:02 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2007/09/04 19:41:43 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/06/30 14:11:15 | 000,000,130 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/02/27 13:48:48 | 000,131,072 | R--- | C] () -- C:\WINDOWS\System32\SCCD3X01.DLL
[2006/01/18 22:21:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\mtstack16.INI
[2005/11/22 22:18:06 | 000,000,139 | ---- | C] () -- C:\WINDOWS\msicpl.ini
[2005/11/22 22:00:56 | 000,135,168 | R--- | C] () -- C:\WINDOWS\System32\WinSys.exe
[2005/11/22 22:00:56 | 000,045,056 | R--- | C] () -- C:\WINDOWS\System32\memtest.dll
[2005/11/22 22:00:56 | 000,036,864 | R--- | C] () -- C:\WINDOWS\System32\msiuins.exe
[2005/11/22 22:00:55 | 000,039,372 | R--- | C] () -- C:\WINDOWS\System32\drivers\vgauti.sys
[2005/11/22 22:00:55 | 000,039,372 | R--- | C] () -- C:\WINDOWS\System32\drivers\msicpl.sys
[2005/11/22 21:20:05 | 000,000,204 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2005/11/22 21:17:15 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\BGData.bin
[2005/11/22 21:15:34 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2005/11/22 21:15:34 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2005/01/21 14:55:10 | 000,000,120 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2005/01/21 14:47:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2004/12/23 16:15:58 | 000,000,078 | ---- | C] () -- C:\WINDOWS\TONKA.INI
[2004/12/22 17:53:26 | 000,001,191 | ---- | C] () -- C:\WINDOWS\hegames.ini
[2004/12/22 11:53:01 | 000,002,496 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2004/12/22 09:26:40 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\Ffpage.dll
[2004/12/21 18:16:27 | 000,055,202 | ---- | C] () -- C:\WINDOWS\War3Unin.dat
[2004/12/21 17:44:28 | 000,003,268 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2004/12/03 20:36:28 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/12/03 20:25:19 | 000,022,720 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/12/03 12:03:32 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/12/03 12:02:07 | 000,173,080 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/04 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 08:00:00 | 000,432,356 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 08:00:00 | 000,067,312 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2001/08/23 15:00:00 | 000,022,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\SbcpHid.sys

========== LOP Check ==========

[2009/11/23 14:09:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Autodesk
[2010/08/20 21:35:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
[2009/11/23 13:33:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CAD Operator\Application Data\Autodesk
[2009/12/12 14:28:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CAD Operator\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2009/07/21 19:36:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CAD Operator\Application Data\Elluminate
[2009/11/17 10:35:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CAD Operator\Application Data\Skinux
[2009/05/04 21:49:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CAD Operator\Application Data\SoundSpectrum
[2011/05/18 14:21:35 | 000,000,486 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2011/05/17 09:07:01 | 000,000,450 | ---- | M] () -- C:\WINDOWS\Tasks\EasyShare Registration Task.job

========== Purity Check ==========



< End of report >
  • 0

Advertisements

#2
RKinner
Posted 21 May 2011 - 10:28 PM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
It may be too late if you have run a program which cleared your temp files. Your bug supposedly stores the shortcuts it removes in %Temp%\smtmp and a temp file clearer will clean this off.

Let's see if it is still there.

Right click on the clock and run task Manager. File, New Task (Run) and type in: cmd then hit enter.

Type:
cd  %Temp%

dir /a smtmp
and hit Enter after each line. Does it find it?



If the folder is gone then there is a small possibility that you can use an undelete program to find the folder.
http://pcsupport.abo...ry-programs.htm

If you haven't erased the folder yet the following OTL script may help. It will also remove some of the files added by the bug plus some deadwood.

Copy the text in the code box by highlighting and Ctrl + c 


:Services
HidServ
ACDaemon

:OTL
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (ACDaemon)
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
[2010/06/14 10:08:30 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/12/15 16:09:23 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 53495
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} http://www.eset.eu/b...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} http://aerial.leepa....plugins/NCS.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O33 - MountPoints2\{94b60511-4540-11d9-b812-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{94b60511-4540-11d9-b812-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{94b60511-4540-11d9-b812-806d6172696f}\Shell\AutoRun\command - "" = D:\autoplay.exe
[2011/05/17 07:48:57 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\17358628
[2011/04/11 08:56:32 | 000,014,746 | ---- | C] () -- C:\Documents and Settings\CAD Operator\Application Data\E6A2.322
[2011/04/11 08:56:24 | 000,002,384 | -HS- | C] () -- C:\Documents and Settings\CAD Operator\Local Settings\Application Data\6umds8y8841yn3rbmki0sbvbk5so35gq
[2011/04/11 08:56:24 | 000,002,384 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\6umds8y8841yn3rbmki0sbvbk5so35gq

:files
xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C
   
:Commands
[RESETHOSTS]
[purity]
[Reboot]
then run OTL and Under the Custom Scans/Fixes box at the bottom, paste (ctrl +v) the text. Verify that you got it all and Then click the Run Fix button at the top
Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.

Open OTL again and select either the Use SafeList or All option in the Extra Registry group then the Run Scan button. Post the two logs it produces in your next reply.

Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.



ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on Combofix to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your anti-virus at this time :!:

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
Posted Image

On completion of the scan (Note if the Fix button is enabled and tell me) click save log, save it to your desktop and post in your next reply
Posted Image

Ron
  • 0

#3
Symmetrix
Posted 23 May 2011 - 07:33 AM

Symmetrix

    Member

  • Topic Starter
  • Member
  • PipPip
  • 76 posts
Thanks for the reply. The files were there because I read from other topics on this virus where they were. Here are the logs as requested. One other odd thing, maybe not part of this and may need to be in an other forum, I am getting an audible alarm like a de-do sound when running certain programs typical watching youtube video's. I do alot with music and bands and am always watching clips, concerts and video's. As of late practically always this alarm goes off after several seconds. Anyway here are the logs:

OTL Extras logfile created on: 5/22/2011 2:49:31 PM - Run 4
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\CAD Operator\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 121.00 Mb Available Physical Memory | 24.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 65.00% Paging File free
Paging file location(s): c:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 19.03 Gb Free Space | 51.07% Space Free | Partition Type: NTFS
Unable to calculate disk information.

Computer Name: DRAFT_STATION3 | User Name: CAD Operator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (All) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\WINDOWS\System32\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\WINDOWS\System32\mshta.exe (Microsoft Corporation)
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.inf [@ = inffile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
.js [@ = JSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.reg [@ = regfile] -- C:\WINDOWS\regedit.exe (Microsoft Corporation)
.txt [@ = txtfile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.scr [@ = AutoCADLTScriptFile] -- C:\WINDOWS\notepad.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- winhlp32.exe %1 (Microsoft Corporation)
hlpfile [open] -- %SystemRoot%\System32\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
InternetShortcut [print] -- rundll32.exe C:\WINDOWS\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wshfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"1034:TCP" = 1034:TCP:*:Enabled:Akamai NetSession Interface
"5000:UDP" = 5000:UDP:*:Enabled:Akamai NetSession Interface

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Games\Halo\halo.exe" = C:\Program Files\Microsoft Games\Halo\halo.exe:*:Enabled:Halo
"C:\Program Files\Warcraft III\Warcraft III.exe" = C:\Program Files\Warcraft III\Warcraft III.exe:*:Enabled:Warcraft III -- (Blizzard Entertainment)
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe" = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare -- (Eastman Kodak Company)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}" = QuickTime
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 23
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
"{2E376AD9-5C49-4F7D-A0BA-6A44E8FA5A3B}" = Next Generation Visualisations
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{42938595-0D83-404D-9F73-F8177FDD531A}" = ESScore
"{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5316DFC9-CE99-4458-9AB3-E8726EDE0210}" = skin0001
"{5783F2D7-0209-0409-0000-0060B0CE6BBA}" = AutoCAD LT 2004
"{5D5B9E6A-344C-4976-95AB-ABBDC648E5DA}" = Microsoft IntelliType Pro 5.2
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{6E5FDE4A-7008-48DA-ADFE-D337865A2DBA}" = Autodesk Architectural 2004 Object Enabler
"{7148F0A8-6813-11D6-A77B-00B0D0142060}" = Java 2 Runtime Environment, SE v1.4.2_06
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8D20B4D7-3422-4099-9332-39F27E617A6F}" = Autodesk Design Review 2011
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{8F5C2A7E-DE9E-4642-AD0F-E29FE903422A}" = Autodesk DWF Writer 4.0
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"3DGroove" = 3D Groove Playback Engine
"Ad-Aware" = Ad-Aware
"Adobe Acrobat 4.0" = Adobe Acrobat 4.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"Akamai" = Akamai NetSession Interface
"Autodesk Design Review 2011" = Autodesk Design Review 2011
"Autodesk Express Viewer" = Autodesk Express Viewer
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2010-10-10
"CutePDF Writer Installation" = CutePDF Writer 2.7
"Game Maker 8.0" = Game Maker 8.0
"Google Updater" = Google Updater
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"KLiteCodecPack_is1" = K-Lite Codec Pack 5.5.1 (Standard)
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 4.0.1 (x86 en-US)" = Mozilla Firefox 4.0.1 (x86 en-US)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Music Assistant" = MSN Music Assistant
"MySpaceToolbar" = MySpace Toolbar
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"WildTangent CDA" = WildTangent Web Driver
"WinASO Registry Optimizer 4.6.1_is1" = WinASO Registry Optimizer 4.6.1
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting 4.1.0.366
"Image Web Server IE Plugin" = Image Web Server 8.1 IE Plugins (Build:3,4,0,242)
"Warcraft III" = Warcraft III: All Products

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/14/2011 11:28:32 AM | Computer Name = DRAFT_STATION3 | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.3989, faulting
module ntdll.dll, version 5.1.2600.6055, fault address 0x0000100b.

Error - 2/15/2011 8:43:44 AM | Computer Name = DRAFT_STATION3 | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.3989, faulting
module ntdll.dll, version 5.1.2600.6055, fault address 0x0000100b.

Error - 2/20/2011 6:35:24 PM | Computer Name = DRAFT_STATION3 | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.3989, faulting
module ntdll.dll, version 5.1.2600.6055, fault address 0x0000100b.

Error - 2/23/2011 5:47:49 PM | Computer Name = DRAFT_STATION3 | Source = Application Hang | ID = 1002
Description = Hanging application msimn.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2/28/2011 11:07:34 PM | Computer Name = DRAFT_STATION3 | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.3989, faulting
module ntdll.dll, version 5.1.2600.6055, fault address 0x0000100b.

Error - 3/27/2011 9:46:44 AM | Computer Name = DRAFT_STATION3 | Source = Application Error | ID = 1000
Description = Faulting application defender.exe, version 1.3.1.1, faulting module
kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

Error - 4/11/2011 8:57:15 AM | Computer Name = DRAFT_STATION3 | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.4095, faulting
module ntdll.dll, version 5.1.2600.6055, fault address 0x0000100b.

Error - 4/12/2011 8:29:31 AM | Computer Name = DRAFT_STATION3 | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.4095, faulting
module ntdll.dll, version 5.1.2600.6055, fault address 0x0000100b.

Error - 5/18/2011 1:34:11 PM | Computer Name = DRAFT_STATION3 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 2.0.1.4120, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/18/2011 1:34:22 PM | Computer Name = DRAFT_STATION3 | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 2.0.1.4120, faulting
module xul.dll, version 2.0.1.4120, fault address 0x009becbc.

[ System Events ]
Error - 5/17/2011 8:34:14 AM | Computer Name = DRAFT_STATION3 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
PCIIde

Error - 5/17/2011 11:09:28 PM | Computer Name = DRAFT_STATION3 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.

Error - 5/17/2011 11:10:06 PM | Computer Name = DRAFT_STATION3 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
PCIIde

Error - 5/18/2011 8:12:08 PM | Computer Name = DRAFT_STATION3 | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\D.

Error - 5/18/2011 8:50:53 PM | Computer Name = DRAFT_STATION3 | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\D.

Error - 5/18/2011 8:50:54 PM | Computer Name = DRAFT_STATION3 | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\D.

Error - 5/18/2011 8:50:55 PM | Computer Name = DRAFT_STATION3 | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\D.

Error - 5/18/2011 8:55:21 PM | Computer Name = DRAFT_STATION3 | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\D.

Error - 5/18/2011 8:55:22 PM | Computer Name = DRAFT_STATION3 | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\D.

Error - 5/18/2011 8:55:57 PM | Computer Name = DRAFT_STATION3 | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\D.


< End of report >

OTL logfile created on: 5/22/2011 2:49:31 PM - Run 4
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\CAD Operator\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 121.00 Mb Available Physical Memory | 24.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 65.00% Paging File free
Paging file location(s): c:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 19.03 Gb Free Space | 51.07% Space Free | Partition Type: NTFS
Unable to calculate disk information.

Computer Name: DRAFT_STATION3 | User Name: CAD Operator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/18 14:16:01 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\CAD Operator\My Documents\Downloads\OTL.exe
PRC - [2011/05/18 13:31:15 | 001,191,216 | ---- | M] (Lavasoft Limited) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2011/05/18 13:31:12 | 002,151,128 | ---- | M] (Lavasoft Limited) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2011/04/14 12:25:41 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/07/10 14:49:24 | 000,323,584 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/04/16 18:28:22 | 000,577,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\soundman.exe


========== Modules (SafeList) ==========

MOD - [2011/05/18 14:16:01 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\CAD Operator\My Documents\Downloads\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/05/18 13:31:12 | 002,151,128 | ---- | M] (Lavasoft Limited) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2011/05/17 19:35:19 | 003,275,864 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\netsession_win_8832f4b.dll -- (Akamai)


========== Driver Services (SafeList) ==========

DRV - [2011/05/18 13:32:45 | 000,015,232 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys -- (Lavasoft Kernexplorer)
DRV - [2010/08/12 08:15:20 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/03/25 06:29:52 | 000,130,432 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2008/04/13 14:36:41 | 000,063,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mf.sys -- (mf)
DRV - [2008/01/24 19:36:16 | 004,127,488 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/08/04 02:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/08/03 18:32:24 | 000,010,880 | ---- | M] (Aureal, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\admjoy.sys -- (admjoy)
DRV - [2004/02/23 23:08:52 | 000,400,384 | ---- | M] (Sensaura) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)
DRV - [2003/12/10 03:21:16 | 000,004,224 | R--- | M] (ABIT Computer Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AC2003.sys -- (AC2003)
DRV - [2001/08/23 15:00:00 | 000,022,400 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SbcpHid.sys -- (SbcpHid)
DRV - [2001/08/17 16:11:42 | 000,029,696 | ---- | M] (CNet Technology, Inc. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DM9PCI5.SYS -- (DM9102) DAVICOM 9102(A)
DRV - [2001/08/17 08:19:14 | 000,747,392 | ---- | M] (Aureal, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\adm8830.sys -- (wdm_au8830) Aureal Vortex 8830 Audio Driver (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.co...-8&oe=UTF-8&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://msn.com"
FF - prefs.js..keyword.URL: "http://www.google.co...lient&hl=en&q="

FF - HKLM\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\MySpace\Toolbar\1.0.72.0\ [2010/02/28 10:42:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/30 13:51:48 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/30 13:51:45 | 000,000,000 | ---D | M]

[2008/08/27 13:22:24 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\CAD Operator\Application Data\Mozilla\Extensions
[2011/04/30 09:47:02 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\CAD Operator\Application Data\Mozilla\Firefox\Profiles\apubkm20.default\extensions
[2011/03/03 18:57:10 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\CAD Operator\Application Data\Mozilla\Firefox\Profiles\apubkm20.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/04/13 20:55:44 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\CAD Operator\Application Data\Mozilla\Firefox\Profiles\apubkm20.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2011/04/22 07:49:36 | 000,000,000 | ---D | M] (Ghostery) -- C:\Documents and Settings\CAD Operator\Application Data\Mozilla\Firefox\Profiles\apubkm20.default\extensions\[email protected]
[2008/12/09 20:06:44 | 000,002,158 | ---- | M] () -- C:\Documents and Settings\CAD Operator\Application Data\Mozilla\Firefox\Profiles\apubkm20.default\searchplugins\MySpace.xml
[2010/04/10 12:13:12 | 000,001,594 | ---- | M] () -- C:\Documents and Settings\CAD Operator\Application Data\Mozilla\Firefox\Profiles\apubkm20.default\searchplugins\web-search.xml
[2011/05/22 14:10:32 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
File not found (No name found) --
[2009/03/20 21:53:12 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/04/14 12:26:02 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2007/04/25 00:25:00 | 000,061,475 | ---- | M] (Earth Resource Mapping) -- C:\Program Files\Mozilla Firefox\plugins\NCScnet.dll
[2007/04/25 00:32:00 | 001,384,482 | ---- | M] (Earth Resource Mapping) -- C:\Program Files\Mozilla Firefox\plugins\NCSEcw.dll
[2007/04/25 00:24:00 | 000,147,491 | ---- | M] (Earth Resource Mapping) -- C:\Program Files\Mozilla Firefox\plugins\NCSUtil.dll
[2010/11/12 19:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2007/04/25 00:45:00 | 000,610,304 | ---- | M] (Earth Resource Mapping) -- C:\Program Files\Mozilla Firefox\plugins\NP_NCS6.dll
[2007/04/25 00:45:00 | 000,069,632 | ---- | M] (Earth Resource Mapping) -- C:\Program Files\Mozilla Firefox\plugins\NP_NCSPB6.dll
[2007/04/25 00:46:00 | 000,094,208 | ---- | M] (Earth Resource Mapping) -- C:\Program Files\Mozilla Firefox\plugins\NP_NCSTB6.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/05/22 14:10:49 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O3 - HKLM\..\Toolbar: (Autodesk DWF) - {F03966D3-8EA0-47b4-BBE0-85BFE6CBC8AC} - C:\Program Files\Autodesk\Autodesk DWF Writer\DWF Addin\DWFIEAddin.dll (Autodesk, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft Limited)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://a1540.g.akama...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} http://www.nick.com/.../GrooveAX27.cab (Groove Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.74.166 68.87.68.166
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\CAD Operator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\CAD Operator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/12/03 20:30:57 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/22 14:10:30 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/05/18 00:16:03 | 001,407,280 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\CAD Operator\Desktop\TDSSKiller.exe
[2011/05/17 08:07:57 | 000,000,000 | R--D | C] -- C:\Documents and Settings\CAD Operator\Recent
[2010/02/09 17:22:52 | 000,823,296 | ---- | C] (Crystal Dew World) -- C:\Program Files\CrystalCPUID.exe
[2006/02/27 13:48:50 | 000,090,112 | R--- | C] ( ) -- C:\WINDOWS\System32\SCCD3X02.DLL
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/22 14:36:02 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/05/22 14:13:06 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2011/05/22 14:13:03 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/05/22 14:12:56 | 000,012,664 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/22 14:12:56 | 000,007,883 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/05/22 14:12:53 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/05/22 14:12:37 | 536,399,872 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/22 14:12:37 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/22 14:10:49 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/05/21 13:22:17 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/05/21 13:22:17 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/05/18 20:50:38 | 000,000,139 | ---- | M] () -- C:\WINDOWS\msicpl.ini
[2011/05/18 00:19:04 | 000,502,095 | ---- | M] () -- C:\Documents and Settings\CAD Operator\Desktop\unhide.exe
[2011/05/18 00:12:43 | 000,000,801 | ---- | M] () -- C:\Documents and Settings\CAD Operator\Desktop\Shortcut to iExplore.lnk
[2011/05/17 09:07:01 | 000,000,450 | ---- | M] () -- C:\WINDOWS\tasks\EasyShare Registration Task.job
[2011/05/13 13:21:28 | 001,407,280 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\CAD Operator\Desktop\TDSSKiller.exe
[2011/05/09 13:22:35 | 000,003,268 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/04/30 13:51:52 | 000,000,802 | ---- | M] () -- C:\Documents and Settings\CAD Operator\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/04/30 13:51:52 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/22 14:10:49 | 000,001,879 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Autodesk Design Review.lnk
[2011/05/22 14:10:49 | 000,001,877 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Kodak EasyShare.lnk
[2011/05/22 14:10:49 | 000,001,705 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AutoCAD LT 2004.lnk
[2011/05/22 14:10:49 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2011/05/22 14:10:49 | 000,001,467 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Full Tilt Poker.lnk
[2011/05/22 14:10:49 | 000,000,844 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/05/22 14:10:49 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/05/22 14:10:48 | 000,001,897 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
[2011/05/22 14:10:48 | 000,001,802 | ---- | C] () -- C:\Documents and Settings\CAD Operator\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickTime Player.lnk
[2011/05/22 14:10:48 | 000,001,789 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/05/22 14:10:48 | 000,000,945 | ---- | C] () -- C:\Documents and Settings\CAD Operator\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2011/05/22 14:10:48 | 000,000,942 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Acrobat Reader 4.0.lnk
[2011/05/22 14:10:48 | 000,000,927 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2011/05/22 14:10:48 | 000,000,802 | ---- | C] () -- C:\Documents and Settings\CAD Operator\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/05/22 14:10:48 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\CAD Operator\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2011/05/22 14:10:45 | 000,001,830 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Apple Software Update.lnk
[2011/05/22 14:10:45 | 000,001,808 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft ActiveSync.lnk
[2011/05/22 14:10:45 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 9.lnk
[2011/05/22 14:10:45 | 000,000,798 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Acrobat_com.lnk
[2011/05/22 14:10:45 | 000,000,790 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2011/05/22 14:10:45 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Movie Maker.lnk
[2011/05/18 13:34:42 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/05/18 13:34:42 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2011/05/18 00:19:05 | 000,502,095 | ---- | C] () -- C:\Documents and Settings\CAD Operator\Desktop\unhide.exe
[2011/05/18 00:12:43 | 000,000,801 | ---- | C] () -- C:\Documents and Settings\CAD Operator\Desktop\Shortcut to iExplore.lnk
[2011/05/17 08:04:30 | 536,399,872 | -HS- | C] () -- C:\hiberfil.sys
[2010/08/03 03:15:59 | 000,163,840 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/12/18 11:56:15 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/11/07 09:06:29 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\CAD Operator\Application Data\$_hpcst$.hpc
[2009/08/09 13:34:24 | 001,698,035 | ---- | C] () -- C:\Documents and Settings\CAD Operator\Application Data\ijango_toolbar_installer.exe
[2009/08/03 15:06:59 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\DWFPortMon3.dll
[2009/05/04 23:19:12 | 000,117,248 | ---- | C] () -- C:\WINDOWS\vFind.exe
[2009/05/04 23:19:12 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/05/04 23:19:12 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/05/04 23:19:12 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/04/29 23:09:31 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/03/03 12:18:04 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2008/11/18 07:39:06 | 000,000,285 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2008/11/18 07:37:59 | 000,000,022 | ---- | C] () -- C:\WINDOWS\FLASHKSK.INI
[2008/11/18 07:37:55 | 000,021,504 | ---- | C] () -- C:\WINDOWS\LXBRSET.EXE
[2008/11/18 07:37:55 | 000,004,608 | ---- | C] () -- C:\WINDOWS\DelShell.exe
[2008/05/28 22:28:53 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2008/03/25 21:18:55 | 000,002,889 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2008/03/25 21:17:02 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2007/09/04 19:41:43 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/06/30 14:11:15 | 000,000,130 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/02/27 13:48:48 | 000,131,072 | R--- | C] () -- C:\WINDOWS\System32\SCCD3X01.DLL
[2006/01/18 22:21:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\mtstack16.INI
[2005/11/22 22:18:06 | 000,000,139 | ---- | C] () -- C:\WINDOWS\msicpl.ini
[2005/11/22 22:00:56 | 000,135,168 | R--- | C] () -- C:\WINDOWS\System32\WinSys.exe
[2005/11/22 22:00:56 | 000,045,056 | R--- | C] () -- C:\WINDOWS\System32\memtest.dll
[2005/11/22 22:00:56 | 000,036,864 | R--- | C] () -- C:\WINDOWS\System32\msiuins.exe
[2005/11/22 22:00:55 | 000,039,372 | R--- | C] () -- C:\WINDOWS\System32\drivers\vgauti.sys
[2005/11/22 22:00:55 | 000,039,372 | R--- | C] () -- C:\WINDOWS\System32\drivers\msicpl.sys
[2005/11/22 21:20:05 | 000,000,204 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2005/11/22 21:17:15 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\BGData.bin
[2005/11/22 21:15:34 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2005/11/22 21:15:34 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2005/01/21 14:55:10 | 000,000,120 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2005/01/21 14:47:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2004/12/23 16:15:58 | 000,000,078 | ---- | C] () -- C:\WINDOWS\TONKA.INI
[2004/12/22 17:53:26 | 000,001,191 | ---- | C] () -- C:\WINDOWS\hegames.ini
[2004/12/22 11:53:01 | 000,002,496 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2004/12/22 09:26:40 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\Ffpage.dll
[2004/12/21 18:16:27 | 000,055,202 | ---- | C] () -- C:\WINDOWS\War3Unin.dat
[2004/12/21 17:44:28 | 000,003,268 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2004/12/03 20:36:28 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/12/03 20:25:19 | 000,022,720 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/12/03 12:03:32 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/12/03 12:02:07 | 000,173,080 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/04 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 08:00:00 | 000,432,356 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 08:00:00 | 000,067,312 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/04 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2001/08/23 15:00:00 | 000,022,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\SbcpHid.sys

< End of report >

ComboFix 11-05-22.01 - CAD Operator 05/23/2011 8:58.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.333 [GMT -4:00]
Running from: c:\documents and settings\CAD Operator\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\CAD Operator\Application Data\ijango_toolbar_installer.exe
c:\documents and settings\CAD Operator\g2mdlhlpx.exe
c:\documents and settings\CAD Operator\WINDOWS
c:\windows\system32\drivers\kpgjryqt.sys
c:\windows\system32\Temp
c:\windows\system32\Temp\DWFmonitor3.inf
c:\windows\system32\Temp\DWFPortMon3.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_iqgnt
.
.
((((((((((((((((((((((((( Files Created from 2011-04-23 to 2011-05-23 )))))))))))))))))))))))))))))))
.
.
2011-05-22 18:10 . 2011-05-22 18:10 -------- d-----w- C:\_OTL
2011-04-30 17:51 . 2011-04-14 16:26 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-04-30 17:51 . 2011-04-14 16:25 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-04-30 17:51 . 2011-04-14 16:25 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-04-30 17:51 . 2011-04-14 16:25 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-04-30 17:51 . 2011-04-14 16:25 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-04-30 17:51 . 2011-04-14 16:25 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-04-30 17:51 . 2010-01-01 08:00 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-04-30 17:51 . 2010-01-01 08:00 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-16 17:20 . 2009-04-30 03:09 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-09 17:35 . 2010-02-09 21:22 823296 ----a-w- c:\program files\CrystalCPUID.exe
2007-04-25 04:25 . 2008-06-11 21:48 61475 ----a-w- c:\program files\mozilla firefox\plugins\NCScnet.dll
2007-04-25 04:32 . 2008-06-11 21:48 1384482 ----a-w- c:\program files\mozilla firefox\plugins\NCSEcw.dll
2007-04-25 04:24 . 2008-06-11 21:48 147491 ----a-w- c:\program files\mozilla firefox\plugins\NCSUtil.dll
2011-04-14 16:26 . 2011-04-30 17:51 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-28 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-09-30 4603904]
"nwiz"="nwiz.exe" [2004-09-30 921600]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-09-30 86016]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-29 413696]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2011-05-18 1191216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"1036:TCP"= 1036:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/29/2009 10:36 PM 64288]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 8:00 AM 14336]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 8:15 AM 2151128]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 5:52 PM 135664]
S3 AC2003;AC2003;c:\windows\system32\drivers\AC2003.sys [11/22/2005 9:15 PM 4224]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 5:52 PM 135664]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 8:15 AM 15232]
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys --> c:\windows\system32\drivers\samhid.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
S3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);c:\windows\system32\drivers\adm8830.sys [12/3/2004 12:06 PM 747392]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 17:31]
.
2011-05-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-22 01:46]
.
2011-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 21:52]
.
2011-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 21:52]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\CAD Operator\Application Data\Mozilla\Firefox\Profiles\apubkm20.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://msn.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
.
.
------- File Associations -------
.
.scr=AutoCADLTScriptFile
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-23 09:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2096)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2011-05-23 09:15:21 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-23 13:14
ComboFix2.txt 2009-05-05 03:23
.
Pre-Run: 20,359,598,080 bytes free
Post-Run: 20,354,297,856 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 30D6816038099D17871B947435F6AADB

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6644

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

5/23/2011 8:42:45 AM
mbam-log-2011-05-23 (08-42-45).txt

Scan type: Full scan (C:\|)
Objects scanned: 218816
Time elapsed: 1 hour(s), 25 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\cad operator\my documents\downloads\shopathome_toolbar.exe (Adware.ShopAtHome) -> Quarantined and deleted successfully.

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-23 09:16:11
-----------------------------
09:16:11.953 OS Version: Windows 5.1.2600 Service Pack 3
09:16:11.953 Number of processors: 2 586 0x401
09:16:11.953 ComputerName: DRAFT_STATION3 UserName: CAD Operator
09:16:16.078 Initialize success
09:16:37.796 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-a
09:16:37.796 Disk 0 Vendor: WDC_WD400BB-00GFA0 09.01B09 Size: 38166MB BusType: 3
09:16:39.921 Disk 0 MBR read successfully
09:16:39.921 Disk 0 MBR scan
09:16:39.921 Disk 0 Windows XP default MBR code
09:16:42.093 Disk 0 scanning sectors +78140160
09:16:42.265 Disk 0 scanning C:\WINDOWS\system32\drivers
09:16:59.578 Service scanning
09:17:01.125 Disk 0 trace - called modules:
09:17:01.140 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys
09:17:01.140 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82d26ab8]
09:17:01.140 3 CLASSPNP.SYS[f85d8fd7] -> nt!IofCallDriver -> \Device\00000066[0x82dd11a8]
09:17:01.140 5 ACPI.sys[f844f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-a[0x82d27d98]
09:17:01.140 Scan finished successfully
09:17:37.968 Disk 0 MBR has been saved successfully to "C:\MBR.dat"
09:17:37.968 The log file has been saved successfully to "C:\aswMBR.txt"


THings seem to be back to normal other then the alarm and while exploring my files, seems to be running a bit slow. All the files are back too!
  • 0

#4
RKinner
Posted 23 May 2011 - 08:37 AM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Clear the Java Cache by following the instructions on
http://www.java.com/...lugin_cache.xml

You do not have the latest Java.
First go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)
I see:
Java™ 6 Update 23
J2SE Runtime Environment 5.0 Update 2
2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 2
Java™ 6 Update 5
Java™ 6 Update 7
Java 2 Runtime Environment, SE v1.4.2_06

Get the latest at:

http://javadl.sun.co...?BundleId=41723

Save it to your PC then close all browsers and install it. Do not let it install the yahoo toolbar or other foistware.

Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::

DirLook::
C:\Program Files\Common
%user%\library

File::
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys --> c:\windows\system32\drivers\samhid.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]

Driver::
samhid
SetupNTGLM7X

******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript , OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag it over to Combofix and let go. Combofix should start on its own.

Post the new log.


1. Double-click My Computer, and then right-click the hard disk that you want to check. C:
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed,
4. Check both boxes and then click Start.
You will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check, but don't restart yet.

Start, Run, eventvwr.msc, OK to bring up the Event Viewer. (In Vista, next select Windows Logs) Right click on System and Clear Log, No (we don't want to save the old log), OK. Repeat for Application. Reboot. The disk check will run and will probably take an hour or more to finish.

Start, Run, sfc /scannow, OK

SPACE after sfc. This will check your critical system files. If it asks for a CD and you don't have one or it doesn't like your CD just tell it to SKIP.

Start, Run, sigverif, OK

Press Start. This will check your drivers. If you just get a few when it finishes tell me what they are. If you get a lot just look for those with newish dates (since about the time the problem started.)


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Double-click VEW.exe
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.

Ron
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP