Avira scanner didn't finish the job


#1 MikeF2 (New Member, 8 posts)

This is the right kind of tech forum -- no bandwidth-consuming graphics, no uselessly fancy layout, just good old-fashioned help. Glad I found it, and kudos to the gurus here.

I've caught some kind of malware. The only easily observable symptoms are that two DOS windows pop up with the title "c:\winnt\system32\svchost.exe", each window blank. I was surfing the web the first time it happened, in a user account, not admin, and I hadn't even clicked on a link that I was aware of; they just popped up. I immediately closed them, manually updated my Avira personal (8.2.0.354, the last version that runs on Win2000), and scanned; Avira found and deleted 3 malware files. Unfortunately, I can't report their names because I use the free Avira and it doesn't keep a record of them as far as I know, and although one of them was a Trojan (had the TR at the beginning), I didn't write them down at the time Avira reported them. However, they all had to do with Java, so I uninstalled Java from my system.

Anyhow, I then rebooted, but the same two DOS windows popped up. After a short period (maybe 20 seconds or so) one of them closed itself, but the other stayed open. This time I booted into safe mode as administrator, ran Avira again, and it caught three files again, but different ones; although I can't report the names of the first two, the last one was "JAVA/Fester.A" which was located in a Sun folder in Documents and Settings, so I then deleted that folder and all subdirectories for both admin and user accounts. I then ran an updated Spybot which only found a Doubleclick tracker (big woop) and then BitDefender's online scan, which found nothing.

However, the DOS windows are still popping up when I reboot into my user account, so I'm still infected somewhere. (The windows have never popped up when I log into the admin account.)

=====================
Here's my OTL log:
=====================

OTL logfile created on: 05/28/2011 2:50:56 AM - Run 3
OTL by OldTimer - Version 3.2.23.0 Folder = O:\x_DelViruses
Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 5.00.3315.1000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yyyy

2.00 Gb Total Physical Memory | 1.74 Gb Available Physical Memory | 86.88% Memory free
5.89 Gb Paging File | 5.72 Gb Available in Paging File | 97.12% Paging File free
Paging file location(s): C:\pagefile.sys 80 80Y:\pagefile.sys 4000 4000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 10.00 Gb Total Space | 2.85 Gb Free Space | 28.49% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 9.28 Gb Free Space | 92.74% Space Free | Partition Type: NTFS
Drive E: | 10.00 Gb Total Space | 9.36 Gb Free Space | 93.58% Space Free | Partition Type: NTFS
Drive F: | 6.00 Gb Total Space | 4.71 Gb Free Space | 78.56% Space Free | Partition Type: NTFS
Drive G: | 6.00 Gb Total Space | 1.71 Gb Free Space | 28.46% Space Free | Partition Type: NTFS
Drive H: | 6.00 Gb Total Space | 4.99 Gb Free Space | 83.25% Space Free | Partition Type: NTFS
Drive I: | 6.00 Gb Total Space | 5.97 Gb Free Space | 99.45% Space Free | Partition Type: NTFS
Drive J: | 6.00 Gb Total Space | 5.96 Gb Free Space | 99.42% Space Free | Partition Type: NTFS
Drive K: | 10.00 Gb Total Space | 9.58 Gb Free Space | 95.81% Space Free | Partition Type: NTFS
Drive L: | 20.00 Gb Total Space | 16.32 Gb Free Space | 81.60% Space Free | Partition Type: NTFS
Drive M: | 15.00 Gb Total Space | 14.37 Gb Free Space | 95.83% Space Free | Partition Type: NTFS
Drive N: | 9.24 Gb Total Space | 2.25 Gb Free Space | 24.31% Space Free | Partition Type: NTFS
Drive O: | 465.65 Gb Total Space | 8.72 Gb Free Space | 1.87% Space Free | Partition Type: FAT32
Unable to calculate disk information.
Drive Y: | 9.99 Gb Total Space | 6.09 Gb Free Space | 60.91% Space Free | Partition Type: FAT32

Computer Name: LONGYUAN | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/28 02:23:06 | 000,580,096 | ---- | M] (OldTimer Tools) -- O:\x_DelViruses\OTL.exe
PRC - [2011/05/05 21:05:47 | 000,912,344 | ---- | M] (Mozilla Corporation) -- K:\InternetPersonal\Firefox3\firefox.exe
PRC - [2008/11/21 23:01:04 | 000,068,865 | ---- | M] (Avira GmbH) -- K:\Management\OS&fileMgmt\Security\Avira\AntiVir PersonalEdition Classic\sched.exe
PRC - [2008/06/12 14:28:45 | 000,266,497 | ---- | M] (Avira GmbH) -- K:\Management\OS&fileMgmt\Security\Avira\AntiVir PersonalEdition Classic\avgnt.exe
PRC - [2003/06/18 22:05:04 | 000,243,472 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe
PRC - [2003/06/18 22:05:04 | 000,196,706 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wbem\WinMgmt.exe
PRC - [2003/06/18 22:05:04 | 000,061,712 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\stisvc.exe
PRC - [2003/06/18 22:05:04 | 000,019,728 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\hidserv.exe


========== Modules (SafeList) ==========

MOD - [2011/05/28 02:23:06 | 000,580,096 | ---- | M] (OldTimer Tools) -- O:\x_DelViruses\OTL.exe
MOD - [2007/04/18 23:26:00 | 001,474,560 | ---- | M] () -- C:\WINNT\system32\nview.dll
MOD - [2003/06/18 22:05:04 | 000,021,776 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wsock32.dll
MOD - [2003/06/18 22:05:04 | 000,010,000 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\lz32.dll
MOD - [2002/07/24 06:00:00 | 000,016,144 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\serwvdrv.dll
MOD - [2002/07/24 06:00:00 | 000,013,072 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\umdmxfrm.dll
MOD - [2002/07/24 06:00:00 | 000,011,536 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\netrap.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/05/27 22:37:39 | 000,356,435 | ---- | M] (Sysinternals - www.sysinternals.com) [On_Demand | Stopped] -- C:\Documents and Settings\Administrator\Local Settings\Temp\LHEWRS.exe -- (LHEWRS)
SRV - [2008/11/21 23:01:04 | 000,068,865 | ---- | M] (Avira GmbH) [Auto | Running] -- K:\Management\OS&fileMgmt\Security\Avira\AntiVir PersonalEdition Classic\sched.exe -- (AntiVirScheduler)
SRV - [2008/11/21 23:00:47 | 000,151,297 | ---- | M] (Avira GmbH) [Disabled | Stopped] -- K:\Management\OS&fileMgmt\Security\Avira\AntiVir PersonalEdition Classic\avguard.exe -- (AntiVirService)
SRV - [2005/10/19 01:31:52 | 000,749,568 | ---- | M] (Wacom Technology, Corp.) [Disabled | Stopped] -- C:\WINNT\system32\Tablet.exe -- (TabletService)
SRV - [2003/06/18 22:05:04 | 000,196,706 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\wbem\WinMgmt.exe -- (WinMgmt)
SRV - [2003/06/18 22:05:04 | 000,147,728 | ---- | M] (VERITAS Software Corp.) [On_Demand | Stopped] -- C:\WINNT\System32\dmadmin.exe -- (dmadmin)
SRV - [2003/06/18 22:05:04 | 000,061,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\stisvc.exe -- (StiSvc)
SRV - [2003/06/18 22:05:04 | 000,019,728 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\hidserv.exe -- (HidServ)


========== Driver Services (SafeList) ==========

DRV - [2009/05/28 03:53:45 | 000,075,096 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINNT\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/05/28 03:53:34 | 000,062,040 | ---- | M] (Avira GmbH) [File_System | On_Demand | Stopped] -- K:\Management\OS&fileMgmt\Security\Avira\AntiVir PersonalEdition Classic\avgntflt.sys -- (avgntflt)
DRV - [2009/05/28 03:53:34 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- K:\Management\OS&fileMgmt\Security\Avira\AntiVir PersonalEdition Classic\avgio.sys -- (avgio)
DRV - [2007/03/01 10:34:22 | 000,028,352 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINNT\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2006/03/16 16:15:10 | 000,202,560 | ---- | M] (CH Products) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\chdrvr01.sys -- (chdrvr01)
DRV - [2006/03/15 00:51:00 | 000,243,712 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\yk50x86.sys -- (yukonw2k)
DRV - [2005/12/22 08:41:52 | 000,003,744 | ---- | M] (CH Products) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\chdrvr02.sys -- (chdrvr02)
DRV - [2005/12/22 08:41:44 | 000,009,024 | ---- | M] (CH Products) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\chdrvr03.sys -- (chdrvr03)
DRV - [2005/07/28 08:18:40 | 000,685,056 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\WINNT\system32\drivers\hardlock.sys -- (Hardlock)
DRV - [2004/07/08 12:58:10 | 000,015,104 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\mpe.sys -- (MPE)
DRV - [2003/10/31 05:22:36 | 000,078,988 | ---- | M] (VIA Technologies inc,.ltd) [Kernel | Boot | Running] -- C:\WINNT\system32\drivers\viasraid.sys -- (viasraid)
DRV - [2003/09/18 11:47:00 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\pfc.sys -- (Pfc)
DRV - [2003/07/01 14:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2003/06/18 22:05:04 | 000,369,104 | ---- | M] (VERITAS Software Corp.) [Kernel | Disabled | Stopped] -- C:\WINNT\system32\drivers\dmboot.sys -- (dmboot)
DRV - [2003/06/18 22:05:04 | 000,137,936 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\dmio.sys -- (dmio)
DRV - [2003/06/18 22:05:04 | 000,060,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\parallel.sys -- (Parallel)
DRV - [2003/06/18 22:05:04 | 000,049,776 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\usbhub20.sys -- (usbhub20)
DRV - [2003/06/18 22:05:04 | 000,032,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\uhcd.sys -- (uhcd)
DRV - [2003/06/18 22:05:04 | 000,027,440 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Running] -- C:\WINNT\System32\drivers\efs.sys -- (EFS)
DRV - [2003/06/18 22:05:04 | 000,009,808 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2003/06/18 22:05:04 | 000,007,728 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\diskperf.sys -- (Diskperf)
DRV - [2003/06/18 22:05:04 | 000,007,312 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\dmload.sys -- (dmload)
DRV - [2003/06/18 02:48:00 | 000,009,038 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\System32\Drivers\viausb.sys -- (viafilter)
DRV - [2002/07/24 06:00:00 | 000,021,712 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\rca.sys -- (RCA)
DRV - [2002/07/24 06:00:00 | 000,009,680 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\netdtect.sys -- (NetDetect)
DRV - [2002/07/17 07:53:02 | 000,016,877 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\WINNT\System32\drivers\ASPI32.SYS -- (Aspi32)
DRV - [2002/07/02 00:08:08 | 000,701,404 | R--- | M] (ESS Technology, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\es56hpi.sys -- (Edspport)
DRV - [2001/04/08 23:45:00 | 000,008,138 | ---- | M] (Wacom Technology Corporation) [Kernel | Boot | Running] -- C:\WINNT\system32\Drivers\PenClass.sys -- (PenClass)
DRV - [1999/10/15 00:35:04 | 000,214,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\emu10K1.sys -- (emu10k) Creative SB Live! Basic (WDM)
DRV - [1999/10/07 01:38:10 | 000,004,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ctljystk.sys -- (ctljystk)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1085031214-1614895754-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://catalog.wustl.edu/"
FF - prefs.js..extensions.enabledItems: [email protected]:2.1.6
FF - prefs.js..extensions.enabledItems: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}:1.50
FF - prefs.js..extensions.enabledItems: {e001c731-5e37-4538-a5cb-8168736a2360}:0.9.9.93

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: K:\InternetPersonal\Firefox3\components [2011/05/27 14:39:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: K:\InternetPersonal\Firefox3\plugins [2011/05/13 18:00:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\SeaMonkey 2.0.5\extensions\\Components: K:\InternetPersonal\Seamonkey\components [2011/04/27 15:21:21 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\SeaMonkey 2.0.5\extensions\\Plugins: K:\InternetPersonal\Seamonkey\plugins [2011/04/27 15:21:21 | 000,000,000 | ---D | M]

[2010/06/18 23:21:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/06/18 23:21:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010/03/04 21:04:23 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\{92650c4d-4b8e-4d2a-b7eb-24ecf4f6b63a}
[2011/05/28 01:41:45 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0qdvn26u.default\extensions
[2011/04/29 21:04:12 | 000,000,000 | ---D | M] ("BetterPrivacy") -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0qdvn26u.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
[2011/05/28 01:41:43 | 000,000,000 | ---D | M] (BitDefender QuickScan) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0qdvn26u.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
[2011/04/29 21:04:13 | 000,000,000 | ---D | M] (Zotero) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0qdvn26u.default\extensions\[email protected]
[2011/02/11 10:32:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\SeaMonkey\Profiles\kcziedvp.default\extensions
[2011/02/11 10:21:59 | 000,000,000 | ---D | M] (JavaScript Debugger) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\SeaMonkey\Profiles\kcziedvp.default\extensions\{f13b157f-b174-47e7-a34d-4815ddfdfeb8}
[2011/02/11 10:21:59 | 000,000,000 | ---D | M] (DOM Inspector) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\SeaMonkey\Profiles\kcziedvp.default\extensions\[email protected]

O1 HOSTS File: ([2002/07/24 06:00:00 | 000,000,734 | ---- | M]) - C:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [NvCplDaemon] C:\WINNT\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINNT\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINNT\System32\nwiz.exe ()
O4 - HKLM..\Run: [PtiuPbmd] C:\WINNT\System32\ptipbm.dll (Promise Technology,Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [1999/12/18 08:36:08 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\CookDing\Start Menu\Programs\Startup\igfxtray.exe (Yqhgjibiiu Kyfwt)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInternetIcon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFavoritesMenu = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 177
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 95 00 00 00 [binary data]
O7 - HKU\S-1-5-21-1085031214-1614895754-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = B5 00 00 00 [binary data]
O7 - HKU\S-1-5-21-1085031214-1614895754-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 8388608
O7 - HKU\S-1-5-21-1085031214-1614895754-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMBalloonTip = 0
O7 - HKU\S-1-5-21-1085031214-1614895754-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 01 00 00 00 [binary data]
O7 - HKU\S-1-5-21-1085031214-1614895754-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = [binary data]
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINNT\system32\RNR20.DLL (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINNT\system32\msdxm.ocx ()
O18 - Protocol\Filter\Class Install Handler - No CLSID value found
O18 - Protocol\Filter\deflate - No CLSID value found
O18 - Protocol\Filter\gzip - No CLSID value found
O18 - Protocol\Filter\lzdhtml - No CLSID value found
O18 - Protocol\Filter\text/webviewhtml - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - File not found
O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - File not found
O29 - HKLM SecurityProviders - (msnsspc.dll) - File not found
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2007/12/19 03:32:27 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/28 01:41:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\QuickScan
[2011/05/27 22:34:53 | 000,000,000 | ---D | C] -- C:\!KillBox
[2011/05/13 18:08:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\MPlayer
[2011/05/13 15:40:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\WMV9 VCM
[2011/05/13 15:36:29 | 000,276,840 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\wmv8ds32.ax
[2011/05/13 15:36:29 | 000,264,552 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\wmvds32.ax
[2011/05/13 15:36:29 | 000,264,528 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\mpg4ds32.ax
[2011/05/13 15:36:29 | 000,227,960 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\msadds32.ax
[2011/05/13 15:36:29 | 000,076,120 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\msscds32.ax
[3 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
[1 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/28 02:49:41 | 000,088,723 | ---- | M] () -- C:\WINNT\System32\nvapps.xml
[2011/05/28 02:32:06 | 000,377,132 | -H-- | M] () -- C:\WINNT\ShellIconCache
[2011/05/28 01:57:00 | 000,000,000 | ---- | M] () -- C:\WINNT\TempFile
[2011/05/28 01:39:19 | 000,314,816 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Avira AntiVir Personal report file.pdf
[2011/05/26 15:25:07 | 000,000,435 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\SAS7_000.DAT
[2011/05/26 15:23:43 | 000,000,116 | ---- | M] () -- C:\WINNT\NeroDigital.ini
[2011/05/19 10:38:25 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_21c.dat
[2011/05/13 16:51:37 | 000,000,861 | ---- | M] () -- C:\WINNT\asfbinwin.INI
[2011/05/13 15:20:00 | 000,000,021 | ---- | M] () -- C:\WINNT\asfbin.ini
[2011/05/13 08:28:53 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_224.dat
[2011/05/10 17:14:50 | 000,000,550 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/05/02 21:08:07 | 000,000,669 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\avidemux252.lnk
[3 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
[1 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/28 01:55:44 | 000,377,132 | -H-- | C] () -- C:\WINNT\ShellIconCache
[2011/05/28 01:39:16 | 000,314,816 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Avira AntiVir Personal report file.pdf
[2011/05/19 10:38:25 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_21c.dat
[2011/05/13 15:20:00 | 000,000,021 | ---- | C] () -- C:\WINNT\asfbin.ini
[2011/05/13 14:01:40 | 000,000,861 | ---- | C] () -- C:\WINNT\asfbinwin.INI
[2011/05/13 08:28:53 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_224.dat
[2011/05/02 21:08:07 | 000,000,669 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\avidemux252.lnk
[2011/04/18 04:31:42 | 000,197,744 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\ConduitInstaller.exe
[2011/03/27 13:43:08 | 000,096,768 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Bloson.exe
[2011/03/21 05:36:30 | 000,026,456 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\bloson.bmp
[2010/11/13 04:14:46 | 000,062,648 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\toolbar3.bmp
[2010/11/12 04:09:56 | 000,195,108 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\lateral3.bmp
[2010/11/12 03:44:14 | 000,193,744 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\lateral1.bmp
[2010/11/12 03:10:58 | 000,193,744 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\lateral2.bmp
[2010/07/28 13:24:25 | 000,002,560 | ---- | C] () -- C:\WINNT\System32\pavedius.dll
[2010/07/28 13:24:24 | 000,003,072 | ---- | C] () -- C:\WINNT\hasp_windows.dll
[2010/07/28 09:15:58 | 000,033,019 | ---- | C] () -- C:\WINNT\System32\CoreAAC-uninstall.exe
[2010/07/17 00:40:16 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_20c.dat
[2010/07/17 00:38:17 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_208.dat
[2010/05/15 14:55:08 | 000,000,598 | ---- | C] () -- C:\WINNT\System32\secushr.dat
[2010/05/15 14:54:15 | 000,000,025 | ---- | C] () -- C:\WINNT\libem.INI
[2010/04/15 13:09:54 | 000,011,616 | R--- | C] () -- C:\WINNT\System32\drivers\SECDRV.SYS
[2010/03/01 09:17:56 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_300.dat
[2009/09/26 12:09:30 | 000,000,046 | ---- | C] () -- C:\WINNT\TP-LINK ADSL Modem_Router Utility.INI
[2009/07/02 13:18:54 | 000,168,448 | ---- | C] () -- C:\WINNT\System32\unrar.dll
[2009/07/02 13:18:54 | 000,000,038 | ---- | C] () -- C:\WINNT\avisplitter.ini
[2009/07/02 13:18:53 | 002,402,304 | ---- | C] () -- C:\WINNT\System32\x264vfw.dll
[2009/07/02 13:18:53 | 000,819,200 | ---- | C] () -- C:\WINNT\System32\xvidcore.dll
[2009/07/02 13:18:52 | 000,180,224 | ---- | C] () -- C:\WINNT\System32\xvidvfw.dll
[2009/07/02 13:18:51 | 000,085,504 | ---- | C] () -- C:\WINNT\System32\ff_vfw.dll
[2009/06/26 16:20:17 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_204.dat
[2009/02/26 22:48:30 | 000,116,224 | ---- | C] () -- C:\WINNT\System32\pdfcmnnt.dll
[2009/02/12 17:33:28 | 000,000,168 | ---- | C] () -- C:\WINNT\Clipbook.INI
[2008/10/02 10:32:38 | 000,000,754 | ---- | C] () -- C:\WINNT\WORDPAD.INI
[2008/09/19 15:57:34 | 003,596,288 | ---- | C] () -- C:\WINNT\System32\qt-dx331.dll
[2008/09/19 15:54:18 | 000,012,288 | ---- | C] () -- C:\WINNT\System32\DivXWMPExtType.dll
[2008/02/27 14:15:24 | 000,007,168 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/02/21 06:05:23 | 000,081,920 | ---- | C] () -- C:\WINNT\asr32311.dll
[2008/02/15 01:24:07 | 000,000,000 | ---- | C] () -- C:\WINNT\Textart.INI
[2008/02/12 02:06:52 | 000,000,285 | ---- | C] () -- C:\WINNT\EReg072.dat
[2008/01/14 05:41:49 | 000,000,116 | ---- | C] () -- C:\WINNT\NeroDigital.ini
[2007/12/19 03:35:58 | 000,000,664 | ---- | C] () -- C:\WINNT\System32\d3d9caps.dat
[2007/12/19 03:35:36 | 000,000,008 | ---- | C] () -- C:\WINNT\System32\nvModes.dat
[2002/07/24 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINNT\System32\mlang.dat
[2002/07/24 06:00:00 | 000,300,378 | ---- | C] () -- C:\WINNT\System32\perfh009.dat
[2002/07/24 06:00:00 | 000,272,492 | ---- | C] () -- C:\WINNT\System32\perfi009.dat
[2002/07/24 06:00:00 | 000,217,359 | ---- | C] () -- C:\WINNT\System32\dssec.dat
[2002/07/24 06:00:00 | 000,176,400 | ---- | C] () -- C:\WINNT\System32\qcut.dll
[2002/07/24 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINNT\System32\mib.bin
[2002/07/24 06:00:00 | 000,038,036 | ---- | C] () -- C:\WINNT\System32\perfc009.dat
[2002/07/24 06:00:00 | 000,033,552 | ---- | C] () -- C:\WINNT\System32\efsadu.dll
[2002/07/24 06:00:00 | 000,028,270 | ---- | C] () -- C:\WINNT\System32\perfd009.dat
[2002/07/24 06:00:00 | 000,007,265 | ---- | C] () -- C:\WINNT\System32\iasperf.ini
[2002/07/24 06:00:00 | 000,000,023 | ---- | C] () -- C:\WINNT\welcome.ini
[1999/12/18 10:58:32 | 000,000,435 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\SAS7_000.DAT
[1999/12/18 09:39:09 | 000,000,000 | ---- | C] () -- C:\WINNT\WT12sptlEN.INI
[1999/12/18 09:19:38 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\PFP120JPR.{PB
[1999/12/18 09:19:38 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\PFP120JCM.{PB
[1999/12/18 08:45:37 | 000,000,026 | ---- | C] () -- C:\WINNT\SPSETUP.INI
[1999/12/18 07:25:51 | 000,112,688 | ---- | C] () -- C:\WINNT\System32\shw32.dll
[1999/12/18 07:25:51 | 000,039,095 | ---- | C] () -- C:\WINNT\iccsigs.dat
[1999/12/18 07:06:35 | 000,000,207 | ---- | C] () -- C:\WINNT\ODBC.INI
[1999/12/18 06:20:17 | 000,204,800 | ---- | C] () -- C:\WINNT\System32\IVIresizeW7.dll
[1999/12/18 06:20:17 | 000,200,704 | ---- | C] () -- C:\WINNT\System32\IVIresizeA6.dll
[1999/12/18 06:20:17 | 000,192,512 | ---- | C] () -- C:\WINNT\System32\IVIresizeP6.dll
[1999/12/18 06:20:17 | 000,192,512 | ---- | C] () -- C:\WINNT\System32\IVIresizeM6.dll
[1999/12/18 06:20:17 | 000,188,416 | ---- | C] () -- C:\WINNT\System32\IVIresizePX.dll
[1999/12/18 06:20:17 | 000,020,480 | ---- | C] () -- C:\WINNT\System32\IVIresize.dll
[1999/12/18 06:17:37 | 000,831,600 | ---- | C] () -- C:\WINNT\System32\Ctaa1.dat
[1999/12/18 06:17:37 | 000,122,880 | ---- | C] () -- C:\WINNT\System32\cddvdint.dll
[1999/12/18 06:09:51 | 000,354,816 | ---- | C] () -- C:\WINNT\System32\psisdecd.dll
[1999/12/18 05:38:22 | 000,623,616 | ---- | C] () -- C:\WINNT\System32\CMCplDlg.dll
[1999/12/18 05:38:22 | 000,063,488 | ---- | C] () -- C:\WINNT\System32\CMCplSvr.dll
[1999/12/18 05:29:24 | 000,000,130 | ---- | C] () -- C:\WINNT\System32\tablet.dat
[1999/12/18 03:41:00 | 000,000,335 | ---- | C] () -- C:\WINNT\nsreg.dat
[1999/12/18 03:40:57 | 000,118,784 | ---- | C] () -- C:\WINNT\GREUninstall.exe
[1999/12/18 03:40:56 | 000,006,581 | ---- | C] () -- C:\WINNT\mozver.dat
[1999/12/18 02:00:01 | 000,013,824 | ---- | C] () -- C:\WINNT\System32\CopyPath.exe
[1999/12/17 05:42:13 | 000,167,936 | R--- | C] () -- C:\WINNT\essspk.exe
[1999/12/17 05:42:13 | 000,049,152 | R--- | C] () -- C:\WINNT\remvess.exe
[1999/12/17 05:22:53 | 001,626,112 | ---- | C] () -- C:\WINNT\System32\nwiz.exe
[1999/12/17 05:22:52 | 001,703,936 | ---- | C] () -- C:\WINNT\System32\nvwdmcpl.dll
[1999/12/17 05:22:52 | 001,474,560 | ---- | C] () -- C:\WINNT\System32\nview.dll
[1999/12/17 05:22:52 | 001,019,904 | ---- | C] () -- C:\WINNT\System32\nvwimg.dll
[1999/12/17 05:22:52 | 000,581,632 | ---- | C] () -- C:\WINNT\System32\nvhwvid.dll
[1999/12/17 05:22:52 | 000,466,944 | ---- | C] () -- C:\WINNT\System32\nvshell.dll
[1999/12/17 05:22:52 | 000,286,720 | ---- | C] () -- C:\WINNT\System32\nvnt4cpl.dll
[1999/12/17 05:22:51 | 001,339,392 | ---- | C] () -- C:\WINNT\System32\nvdspsch.exe
[1999/12/17 05:22:51 | 000,442,368 | ---- | C] () -- C:\WINNT\System32\nvappbar.exe
[1999/12/17 05:22:51 | 000,212,992 | ---- | C] () -- C:\WINNT\System32\nvapi.dll
[1999/12/17 05:22:49 | 000,425,984 | ---- | C] () -- C:\WINNT\System32\keystone.exe
[1999/12/16 13:13:23 | 000,004,073 | ---- | C] () -- C:\WINNT\ODBCINST.INI
[1999/12/16 13:12:58 | 000,245,688 | ---- | C] () -- C:\WINNT\System32\FNTCACHE.DAT
[1999/12/16 06:40:44 | 000,045,056 | ---- | C] () -- C:\WINNT\System32\vusetup.dll
[1999/12/16 05:52:13 | 000,021,952 | -H-- | C] () -- C:\Program Files\folder.htt
[1999/12/16 05:51:43 | 000,015,012 | ---- | C] () -- C:\WINNT\System32\emptyregdb.dat
[1999/09/25 04:36:24 | 000,088,816 | ---- | C] () -- C:\WINNT\System32\drivers\lvcam.sys
[1999/09/25 04:36:22 | 000,017,424 | ---- | C] () -- C:\WINNT\System32\drivers\lvsound.sys

< End of report >

#2
Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
Hi, MikeF2! Welcome to GeeksToGo! My nickname is Render and I will be assisting you with your Malware/Security problems. Please make sure you read all of the instructions and fixes thoroughly before continuing with them. If you have any queries or you are unsure about anything, just say and I'll help you out :)

It may well be worth you printing/saving the instructions throughout the fix, so you have them to hand just in case you are unable to access this site.

Please note:
  • Remember to post your logs, not attach them. So any logs from any programs we run should be just 'copied & pasted' into your reply.
  • Please only run the tools that I request. I know malware can be frustrating, but running other tools in the meantime and between posts only makes it harder for us to analyse and fix your PC in the long run.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!

Sorry for the delay.

If you have since resolved the original problem you were having, I would appreciate you letting me know. If not please perform the following steps below so I can have a look at the current condition of your machine.

Step 1

We need to run an OTL Fix

  • Please right click on the OTL icon on your desktop and click on Run as administrator.
  • Under the Custom Scans/Fixes box copy and paste this in:

    :OTL
    SRV - [2011/05/27 22:37:39 | 000,356,435 | ---- | M] (Sysinternals - www.sysinternals.com) [On_Demand | Stopped] -- C:\Documents and Settings\Administrator\Local Settings\Temp\LHEWRS.exe -- (LHEWRS)
    O4 - Startup: C:\Documents and Settings\CookDing\Start Menu\Programs\Startup\igfxtray.exe (Yqhgjibiiu Kyfwt)

    :Files
    C:\Documents and Settings\Administrator\Local Settings\Temp\LHEWRS.exe
    ipconfig /flushdns /c

    :Reg

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [emptyflash]
    [createrestorepoint]
    [reboot]

  • Click on the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click on the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

Step 2

  • Please download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe to run it.
  • Click the Scan button to start the scan.
  • On completion of the scan click Save log, save it to your desktop and post in your next reply.

Step 3

OTL Custom Scan

  • Double click on the OTL icon to run it.
  • Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top, make sure Standard output is selected.
  • Select Scan all users
  • Under the Extra Registry section, check Use SafeList
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scans/Fixes box copy and paste this in:

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    %systemroot%\*. /mp /s
    hklm\software\clients\startmenuinternet|command /rs
    CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your topic.

When you have completed the above, please post back the following in the order asked for:
  • OTL fix log
  • aswMBR log
  • OTL scan log
  • Extras log

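Added example, not OTL's own code and not anything posted in the thread: a small parser for the OTL line shapes that the fix script above targets (SRV/PRC/MOD/DRV entries and O4 autostart entries), with the triage checks a helper applies when reading such a log. Six sample lines are copied from the thread's logs; the svchost.exe line is constructed to mirror the symptom the topic starter described.

```python
"""Triage helper for OTL (OldTimer's) log lines.

Added example for this thread; it is not part of OTL and was not posted by
anyone in the thread. It parses two line shapes:
  SRV - [date | size | attrs | C/M] (Company) [state] -- path -- (name)
  O4 - <where>: [value] path (Company)
and flags what a malware-removal helper looks at first: executables run
from a Temp folder, well-known system binary names outside their expected
directory (the svchost.exe / igfxtray.exe pattern in this thread), and
services or drivers that carry no company name at all.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ENTRY_RE = re.compile(
    r"^(?P<kind>SRV|PRC|MOD|DRV) - "
    r"\[(?P<date>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<stamp>[CM])\] "
    r"\((?P<company>[^)]*)\) "
    r"(?:\[(?P<state>[^\]]*)\] )?"
    r"-- (?P<path>.+?)(?: -- \((?P<name>[^)]*)\).*)?\s*$"
)
O4_RE = re.compile(
    r"^O4 - (?P<where>[^:]+): (?:\[(?P<value>[^\]]*)\] )?"
    r"(?P<path>.+?) \((?P<company>[^)]*)\)\s*$"
)

WINDOWS_ROOTS = ("c:\\winnt\\", "c:\\windows\\")
# The names the helper's OTL custom scan hashes (explorer, winlogon, userinit,
# svchost) plus igfxtray.exe, which the fix script removes from a Startup folder.
SYSTEM_BINARIES = {"explorer.exe", "winlogon.exe", "userinit.exe", "svchost.exe", "igfxtray.exe"}
TEMP_MARKERS = ("\\local settings\\temp\\", "\\temp\\", "\\temporary internet files\\")


@dataclass
class Finding:
    path: str
    reasons: List[str]


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one SRV/PRC/MOD/DRV or O4 line, or None for any other line."""
    m = ENTRY_RE.match(line)
    if m:
        return m.groupdict()
    m = O4_RE.match(line)
    if m:
        fields = m.groupdict()
        fields["kind"] = "O4"
        return fields
    return None


def in_expected_dir(base: str, directory: str) -> bool:
    """explorer.exe lives in %SystemRoot%; the other system names live in System32."""
    if base == "explorer.exe":
        return directory in WINDOWS_ROOTS
    return directory in tuple(root + "system32\\" for root in WINDOWS_ROOTS)


def triage(entry: dict) -> List[str]:
    """Apply the three checks to one parsed entry; an empty list means nothing stood out."""
    path = entry["path"].lower()
    cut = path.rfind("\\") + 1
    directory, base = path[:cut], path[cut:]
    reasons = []
    if base.endswith(".exe") and any(marker in path for marker in TEMP_MARKERS):
        reasons.append("executable launched from a temp folder")
    if base in SYSTEM_BINARIES and not in_expected_dir(base, directory):
        reasons.append(f"{base} outside its expected system directory")
    if entry["kind"] in ("SRV", "DRV") and not entry["company"].strip():
        reasons.append("service/driver with no company name")
    return reasons


def triage_log(text: str) -> List[Finding]:
    """Parse every line of an OTL log and return the entries that triggered a check."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line.strip())
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            findings.append(Finding(entry["path"], reasons))
    return findings


# Sample input: six lines copied from the thread's own OTL logs plus one
# constructed line (the svchost.exe entry) mirroring the thread's symptom.
SAMPLE_LOG = r"""
PRC - [2003/06/18 22:05:04 | 000,243,472 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe
MOD - [2007/04/18 23:26:00 | 001,474,560 | ---- | M] () -- C:\WINNT\system32\nview.dll
SRV - [2011/05/27 22:37:39 | 000,356,435 | ---- | M] (Sysinternals - www.sysinternals.com) [On_Demand | Stopped] -- C:\Documents and Settings\Administrator\Local Settings\Temp\LHEWRS.exe -- (LHEWRS)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINNT\System32\NvCpl.dll (NVIDIA Corporation)
O4 - Startup: C:\Documents and Settings\CookDing\Start Menu\Programs\Startup\igfxtray.exe (Yqhgjibiiu Kyfwt)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [1999/12/18 08:36:08 | 000,000,000 | -H-D | M]
PRC - [2011/06/01 09:00:00 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\CookDing\Local Settings\Temp\svchost.exe
"""

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding.path)
        for reason in finding.reasons:
            print("   -", reason)
```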

#3
MikeF2

    New Member

  • Topic Starter
  • Member
  • 8 posts
OK, done. Note: When I right-click OTL, I do NOT have an option to "run as administrator" (yes, I triple-checked). So I logged into my administrator account and used OTL there. Still no right-click option to "run as administrator", but since I was in the administrator account, I figured it would be the same thing. So I cut-and-pasted your script into the box at the bottom of OTL. I was asked to reboot, which I did. There was nothing else that didn't conform to your instructions.

Here are the logs, in the order requested. Thanks a ton for your help. I realize I'm not done until you say so, but at least the DOS windows aren't popping up anymore upon reboot.

----------------
+++++++++++
OTL FIX LOG
+++++++++++
----------------

All processes killed
========== OTL ==========
Service LHEWRS stopped successfully!
Service LHEWRS deleted successfully!
C:\Documents and Settings\Administrator\Local Settings\Temp\LHEWRS.exe moved successfully.
C:\Documents and Settings\CookDing\Start Menu\Programs\Startup\igfxtray.exe moved successfully.
========== FILES ==========
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\LHEWRS.exe not found.
< ipconfig /flushdns /c >
Windows 2000 IP Configuration
Successfully flushed the DNS Resolver Cache.
O:\x_DelViruses\cmd.bat deleted successfully.
O:\x_DelViruses\cmd.txt deleted successfully.
========== REGISTRY ==========
========== COMMANDS ==========
C:\WINNT\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 8951005 bytes
->Temporary Internet Files folder emptied: 356263 bytes
->FireFox cache emptied: 76501611 bytes
->Flash cache emptied: 1026 bytes

User: All Users

User: Bert
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: CookDing
->Temp folder emptied: 4147155 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 54764014 bytes
->Flash cache emptied: 63104 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: SYSTEM
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1838435 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 18436 bytes
RecycleBin emptied: shell32.dll unable to determine bytes removed.

Total Files Cleaned = 140.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Bert

User: CookDing
->Flash cache emptied: 0 bytes

User: Default User

User: SYSTEM

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.23.0 log created on 06032011_000822

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...



----------------
+++++++++++
aswMBR LOG
+++++++++++
----------------

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-06-03 00:32:59
-----------------------------
00:32:59.906 OS Version: Windows 5.0.2195 Service Pack 4
00:32:59.906 Number of processors: 2 586 0x302
00:32:59.906 ComputerName: LONGYUAN UserName: Administrator
00:33:00.000 Initialize success
00:33:01.859 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\viamraid1Port2Path0Target0Lun0
00:33:01.859 Disk 0 Vendor: VIA_SATA ____ Size: 0MB BusType: 1
00:33:01.859 Disk 1 \Device\Harddisk1\DR1 -> \Device\Scsi\UlSata1Port3Path0Target0Lun0
00:33:01.859 Disk 1 Vendor: WDC_WD36 27.0 Size: 0MB BusType: 1
00:33:01.859 Disk 2 \Device\Harddisk2\DR2 -> \Device\Scsi\UlSata1Port3Path0Target2Lun0
00:33:01.859 Disk 2 Vendor: WDC_WD50 12.0 Size: 0MB BusType: 1
00:33:01.859 Disk 0 MBR read successfully
00:33:01.859 Disk 0 MBR scan
00:33:01.859 Disk 0 Windows XP default MBR code
00:33:01.859 Disk 0 scanning C:\WINNT\system32\drivers
00:33:03.546 Service scanning
00:33:04.375 Disk 0 trace - called modules:
00:33:04.375 ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll viamraid.sys
00:33:04.375 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfa5f9730]
00:33:04.375 3 CLASSPNP.SYS[f6430c60] -> nt!IofCallDriver -> \Device\Scsi\viamraid1Port2Path0Target0Lun0[0xfafce030]
00:33:04.375 Scan finished successfully
00:33:39.718 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
00:33:39.718 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"



-------------------
+++++++++++++
OTL SCAN LOG
+++++++++++++
-------------------

OTL logfile created on: 06/03/2011 12:40:29 AM - Run 4
OTL by OldTimer - Version 3.2.23.0 Folder = O:\x_DelViruses
Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 5.00.3315.1000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yyyy

2.00 Gb Total Physical Memory | 1.80 Gb Available Physical Memory | 89.91% Memory free
5.89 Gb Paging File | 5.76 Gb Available in Paging File | 97.80% Paging File free
Paging file location(s): C:\pagefile.sys 80 80Y:\pagefile.sys 4000 4000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 10.00 Gb Total Space | 3.21 Gb Free Space | 32.10% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 9.28 Gb Free Space | 92.74% Space Free | Partition Type: NTFS
Drive E: | 10.00 Gb Total Space | 9.38 Gb Free Space | 93.75% Space Free | Partition Type: NTFS
Drive F: | 6.00 Gb Total Space | 4.71 Gb Free Space | 78.56% Space Free | Partition Type: NTFS
Drive G: | 6.00 Gb Total Space | 1.71 Gb Free Space | 28.46% Space Free | Partition Type: NTFS
Drive H: | 6.00 Gb Total Space | 4.99 Gb Free Space | 83.25% Space Free | Partition Type: NTFS
Drive I: | 6.00 Gb Total Space | 5.97 Gb Free Space | 99.45% Space Free | Partition Type: NTFS
Drive J: | 6.00 Gb Total Space | 5.96 Gb Free Space | 99.42% Space Free | Partition Type: NTFS
Drive K: | 10.00 Gb Total Space | 9.59 Gb Free Space | 95.81% Space Free | Partition Type: NTFS
Drive L: | 20.00 Gb Total Space | 16.32 Gb Free Space | 81.60% Space Free | Partition Type: NTFS
Drive M: | 15.00 Gb Total Space | 14.37 Gb Free Space | 95.83% Space Free | Partition Type: NTFS
Drive N: | 9.24 Gb Total Space | 2.25 Gb Free Space | 24.31% Space Free | Partition Type: NTFS
Drive O: | 465.65 Gb Total Space | 9.53 Gb Free Space | 2.05% Space Free | Partition Type: FAT32
Unable to calculate disk information.
Drive Y: | 9.99 Gb Total Space | 6.09 Gb Free Space | 60.91% Space Free | Partition Type: FAT32

Computer Name: LONGYUAN | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/28 02:23:06 | 000,580,096 | ---- | M] (OldTimer Tools) -- O:\x_DelViruses\OTL.exe
PRC - [2008/11/21 23:01:04 | 000,068,865 | ---- | M] (Avira GmbH) -- K:\Management\OS&fileMgmt\Security\Avira\AntiVir PersonalEdition Classic\sched.exe
PRC - [2008/06/12 14:28:45 | 000,266,497 | ---- | M] (Avira GmbH) -- K:\Management\OS&fileMgmt\Security\Avira\AntiVir PersonalEdition Classic\avgnt.exe
PRC - [2003/06/18 22:05:04 | 000,243,472 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe
PRC - [2003/06/18 22:05:04 | 000,196,706 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wbem\WinMgmt.exe
PRC - [2003/06/18 22:05:04 | 000,061,712 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\stisvc.exe
PRC - [2003/06/18 22:05:04 | 000,019,728 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\hidserv.exe


========== Modules (SafeList) ==========

MOD - [2011/05/28 02:23:06 | 000,580,096 | ---- | M] (OldTimer Tools) -- O:\x_DelViruses\OTL.exe
MOD - [2007/04/18 23:26:00 | 001,474,560 | ---- | M] () -- C:\WINNT\system32\nview.dll
MOD - [2007/04/18 23:26:00 | 000,081,920 | ---- | M] (NVIDIA Corporation) -- C:\WINNT\system32\nvwddi.dll
MOD - [2003/06/18 22:05:04 | 000,021,776 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wsock32.dll
MOD - [2003/06/18 22:05:04 | 000,010,000 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\lz32.dll
MOD - [2002/07/24 06:00:00 | 000,016,144 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\serwvdrv.dll
MOD - [2002/07/24 06:00:00 | 000,013,072 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\umdmxfrm.dll
MOD - [2002/07/24 06:00:00 | 000,011,536 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\netrap.dll


========== Win32 Services (SafeList) ==========

SRV - [2008/11/21 23:01:04 | 000,068,865 | ---- | M] (Avira GmbH) [Auto | Running] -- K:\Management\OS&fileMgmt\Security\Avira\AntiVir PersonalEdition Classic\sched.exe -- (AntiVirScheduler)
SRV - [2008/11/21 23:00:47 | 000,151,297 | ---- | M] (Avira GmbH) [Disabled | Stopped] -- K:\Management\OS&fileMgmt\Security\Avira\AntiVir PersonalEdition Classic\avguard.exe -- (AntiVirService)
SRV - [2005/10/19 01:31:52 | 000,749,568 | ---- | M] (Wacom Technology, Corp.) [Disabled | Stopped] -- C:\WINNT\system32\Tablet.exe -- (TabletService)
SRV - [2003/06/18 22:05:04 | 000,196,706 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\wbem\WinMgmt.exe -- (WinMgmt)
SRV - [2003/06/18 22:05:04 | 000,147,728 | ---- | M] (VERITAS Software Corp.) [On_Demand | Stopped] -- C:\WINNT\System32\dmadmin.exe -- (dmadmin)
SRV - [2003/06/18 22:05:04 | 000,061,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\stisvc.exe -- (StiSvc)
SRV - [2003/06/18 22:05:04 | 000,019,728 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINNT\system32\hidserv.exe -- (HidServ)


========== Driver Services (SafeList) ==========

DRV - [2009/05/28 03:53:45 | 000,075,096 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINNT\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/05/28 03:53:34 | 000,062,040 | ---- | M] (Avira GmbH) [File_System | On_Demand | Stopped] -- K:\Management\OS&fileMgmt\Security\Avira\AntiVir PersonalEdition Classic\avgntflt.sys -- (avgntflt)
DRV - [2009/05/28 03:53:34 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- K:\Management\OS&fileMgmt\Security\Avira\AntiVir PersonalEdition Classic\avgio.sys -- (avgio)
DRV - [2007/03/01 10:34:22 | 000,028,352 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINNT\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2006/03/16 16:15:10 | 000,202,560 | ---- | M] (CH Products) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\chdrvr01.sys -- (chdrvr01)
DRV - [2006/03/15 00:51:00 | 000,243,712 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\yk50x86.sys -- (yukonw2k)
DRV - [2005/12/22 08:41:52 | 000,003,744 | ---- | M] (CH Products) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\chdrvr02.sys -- (chdrvr02)
DRV - [2005/12/22 08:41:44 | 000,009,024 | ---- | M] (CH Products) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\chdrvr03.sys -- (chdrvr03)
DRV - [2005/07/28 08:18:40 | 000,685,056 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\WINNT\system32\drivers\hardlock.sys -- (Hardlock)
DRV - [2004/07/08 12:58:10 | 000,015,104 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\mpe.sys -- (MPE)
DRV - [2003/10/31 05:22:36 | 000,078,988 | ---- | M] (VIA Technologies inc,.ltd) [Kernel | Boot | Running] -- C:\WINNT\system32\drivers\viasraid.sys -- (viasraid)
DRV - [2003/09/18 11:47:00 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\pfc.sys -- (Pfc)
DRV - [2003/07/01 14:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\viaagp1.sys -- (viaagp1)
DRV - [2003/06/18 22:05:04 | 000,369,104 | ---- | M] (VERITAS Software Corp.) [Kernel | Disabled | Stopped] -- C:\WINNT\system32\drivers\dmboot.sys -- (dmboot)
DRV - [2003/06/18 22:05:04 | 000,137,936 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\dmio.sys -- (dmio)
DRV - [2003/06/18 22:05:04 | 000,060,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\parallel.sys -- (Parallel)
DRV - [2003/06/18 22:05:04 | 000,049,776 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\usbhub20.sys -- (usbhub20)
DRV - [2003/06/18 22:05:04 | 000,032,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\uhcd.sys -- (uhcd)
DRV - [2003/06/18 22:05:04 | 000,027,440 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Running] -- C:\WINNT\System32\drivers\efs.sys -- (EFS)
DRV - [2003/06/18 22:05:04 | 000,009,808 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2003/06/18 22:05:04 | 000,007,728 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\diskperf.sys -- (Diskperf)
DRV - [2003/06/18 22:05:04 | 000,007,312 | ---- | M] (VERITAS Software Corp.) [Kernel | Boot | Running] -- C:\WINNT\System32\drivers\dmload.sys -- (dmload)
DRV - [2003/06/18 02:48:00 | 000,009,038 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\System32\Drivers\viausb.sys -- (viafilter)
DRV - [2002/07/24 06:00:00 | 000,021,712 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\rca.sys -- (RCA)
DRV - [2002/07/24 06:00:00 | 000,009,680 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\netdtect.sys -- (NetDetect)
DRV - [2002/07/17 07:53:02 | 000,016,877 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\WINNT\System32\drivers\ASPI32.SYS -- (Aspi32)
DRV - [2002/07/02 00:08:08 | 000,701,404 | R--- | M] (ESS Technology, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\es56hpi.sys -- (Edspport)
DRV - [2001/04/08 23:45:00 | 000,008,138 | ---- | M] (Wacom Technology Corporation) [Kernel | Boot | Running] -- C:\WINNT\system32\Drivers\PenClass.sys -- (PenClass)
DRV - [1999/10/15 00:35:04 | 000,214,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\emu10K1.sys -- (emu10k) Creative SB Live! Basic (WDM)
DRV - [1999/10/07 01:38:10 | 000,004,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ctljystk.sys -- (ctljystk)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1085031214-1614895754-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://catalog.wustl.edu/"
FF - prefs.js..extensions.enabledItems: [email protected]:2.1.6
FF - prefs.js..extensions.enabledItems: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}:1.51
FF - prefs.js..extensions.enabledItems: {e001c731-5e37-4538-a5cb-8168736a2360}:0.9.9.93

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: K:\InternetPersonal\Firefox3\components [2011/06/02 12:56:11 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: K:\InternetPersonal\Firefox3\plugins [2011/06/02 12:56:11 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\SeaMonkey 2.0.5\extensions\\Components: K:\InternetPersonal\Seamonkey\components [2011/04/27 15:21:21 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\SeaMonkey 2.0.5\extensions\\Plugins: K:\InternetPersonal\Seamonkey\plugins [2011/04/27 15:21:21 | 000,000,000 | ---D | M]

[2010/06/18 23:21:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/06/18 23:21:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010/03/04 21:04:23 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\{92650c4d-4b8e-4d2a-b7eb-24ecf4f6b63a}
[2011/06/02 12:40:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0qdvn26u.default\extensions
[2011/06/02 12:30:13 | 000,000,000 | ---D | M] ("BetterPrivacy") -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0qdvn26u.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
[2011/05/28 01:41:43 | 000,000,000 | ---D | M] (BitDefender QuickScan) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0qdvn26u.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
[2011/04/29 21:04:13 | 000,000,000 | ---D | M] (Zotero) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0qdvn26u.default\extensions\[email protected]
[2011/02/11 10:32:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\SeaMonkey\Profiles\kcziedvp.default\extensions
[2011/02/11 10:21:59 | 000,000,000 | ---D | M] (JavaScript Debugger) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\SeaMonkey\Profiles\kcziedvp.default\extensions\{f13b157f-b174-47e7-a34d-4815ddfdfeb8}
[2011/02/11 10:21:59 | 000,000,000 | ---D | M] (DOM Inspector) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\SeaMonkey\Profiles\kcziedvp.default\extensions\[email protected]

O1 HOSTS File: ([2011/06/03 00:08:23 | 000,000,098 | ---- | M]) - C:\WINNT\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O4 - HKLM..\Run: [NvCplDaemon] C:\WINNT\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINNT\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINNT\System32\nwiz.exe ()
O4 - HKLM..\Run: [PtiuPbmd] C:\WINNT\System32\ptipbm.dll (Promise Technology,Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [1999/12/18 08:36:08 | 000,000,000 | -H-D | M]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInternetIcon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFavoritesMenu = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 177
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 95 00 00 00 [binary data]
O7 - HKU\S-1-5-21-1085031214-1614895754-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = B5 00 00 00 [binary data]
O7 - HKU\S-1-5-21-1085031214-1614895754-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 8388608
O7 - HKU\S-1-5-21-1085031214-1614895754-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMBalloonTip = 0
O7 - HKU\S-1-5-21-1085031214-1614895754-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 01 00 00 00 [binary data]
O7 - HKU\S-1-5-21-1085031214-1614895754-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = [binary data]
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINNT\system32\RNR20.DLL (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINNT\system32\msafd.dll (Microsoft Corporation)
O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINNT\system32\msdxm.ocx ()
O18 - Protocol\Filter\Class Install Handler - No CLSID value found
O18 - Protocol\Filter\deflate - No CLSID value found
O18 - Protocol\Filter\gzip - No CLSID value found
O18 - Protocol\Filter\lzdhtml - No CLSID value found
O18 - Protocol\Filter\text/webviewhtml - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - File not found
O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - File not found
O29 - HKLM SecurityProviders - (msnsspc.dll) - File not found
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2007/12/19 03:32:27 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: wzcsvc - File not found
SystemRestore not available.

========== Files/Folders - Created Within 30 Days ==========

[2011/06/03 00:32:39 | 000,589,632 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Administrator\Desktop\aswMBR.exe
[2011/06/03 00:01:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\.smplayer
[2011/06/02 13:02:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\MPEG Streamclip
[2011/06/02 12:56:14 | 000,065,536 | ---- | C] (Apple Inc.) -- C:\WINNT\System32\QuickTimeVR.qtx
[2011/06/02 12:56:14 | 000,049,152 | ---- | C] (Apple Inc.) -- C:\WINNT\System32\QuickTime.qts
[2011/06/02 12:56:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2011/05/28 01:41:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\QuickScan
[2011/05/27 22:34:53 | 000,000,000 | ---D | C] -- C:\!KillBox
[2011/05/13 18:08:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\MPlayer
[2011/05/13 15:40:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\WMV9 VCM
[2011/05/13 15:36:29 | 000,276,840 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\wmv8ds32.ax
[2011/05/13 15:36:29 | 000,264,552 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\wmvds32.ax
[2011/05/13 15:36:29 | 000,264,528 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\mpg4ds32.ax
[2011/05/13 15:36:29 | 000,227,960 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\msadds32.ax
[2011/05/13 15:36:29 | 000,076,120 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\msscds32.ax

========== Files - Modified Within 30 Days ==========

[2011/06/03 00:33:39 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\MBR.dat
[2011/06/03 00:20:09 | 000,088,723 | ---- | M] () -- C:\WINNT\System32\nvapps.xml
[2011/06/03 00:18:32 | 000,743,998 | -H-- | M] () -- C:\WINNT\ShellIconCache
[2011/06/03 00:09:47 | 000,000,000 | ---- | M] () -- C:\WINNT\TempFile
[2011/06/03 00:05:44 | 000,589,632 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Administrator\Desktop\aswMBR.exe
[2011/06/02 21:33:56 | 000,000,116 | ---- | M] () -- C:\WINNT\NeroDigital.ini
[2011/06/02 13:41:47 | 000,000,642 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\MPEGStreamclip.lnk
[2011/05/28 01:39:19 | 000,314,816 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Avira AntiVir Personal report file.pdf
[2011/05/26 15:25:07 | 000,000,435 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\SAS7_000.DAT
[2011/05/19 10:38:25 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_21c.dat
[2011/05/13 16:51:37 | 000,000,861 | ---- | M] () -- C:\WINNT\asfbinwin.INI
[2011/05/13 15:20:00 | 000,000,021 | ---- | M] () -- C:\WINNT\asfbin.ini
[2011/05/13 08:28:53 | 000,016,384 | ---- | M] () -- C:\WINNT\System32\Perflib_Perfdata_224.dat
[2011/05/10 17:14:50 | 000,000,550 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk

========== Files Created - No Company Name ==========

[2011/06/03 00:33:39 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\MBR.dat
[2011/06/02 13:41:47 | 000,000,642 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\MPEGStreamclip.lnk
[2011/05/28 01:55:44 | 000,743,998 | -H-- | C] () -- C:\WINNT\ShellIconCache
[2011/05/28 01:39:16 | 000,314,816 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Avira AntiVir Personal report file.pdf
[2011/05/19 10:38:25 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_21c.dat
[2011/05/13 15:20:00 | 000,000,021 | ---- | C] () -- C:\WINNT\asfbin.ini
[2011/05/13 14:01:40 | 000,000,861 | ---- | C] () -- C:\WINNT\asfbinwin.INI
[2011/05/13 08:28:53 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_224.dat
[2011/04/18 04:31:42 | 000,197,744 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\ConduitInstaller.exe
[2011/03/27 13:43:08 | 000,096,768 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Bloson.exe
[2011/03/21 05:36:30 | 000,026,456 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\bloson.bmp
[2010/11/13 04:14:46 | 000,062,648 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\toolbar3.bmp
[2010/11/12 04:09:56 | 000,195,108 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\lateral3.bmp
[2010/11/12 03:44:14 | 000,193,744 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\lateral1.bmp
[2010/11/12 03:10:58 | 000,193,744 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\lateral2.bmp
[2010/07/28 13:24:25 | 000,002,560 | ---- | C] () -- C:\WINNT\System32\pavedius.dll
[2010/07/28 13:24:24 | 000,003,072 | ---- | C] () -- C:\WINNT\hasp_windows.dll
[2010/07/28 09:15:58 | 000,033,019 | ---- | C] () -- C:\WINNT\System32\CoreAAC-uninstall.exe
[2010/07/17 00:40:16 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_20c.dat
[2010/07/17 00:38:17 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_208.dat
[2010/05/15 14:55:08 | 000,000,598 | ---- | C] () -- C:\WINNT\System32\secushr.dat
[2010/05/15 14:54:15 | 000,000,025 | ---- | C] () -- C:\WINNT\libem.INI
[2010/04/15 13:09:54 | 000,011,616 | R--- | C] () -- C:\WINNT\System32\drivers\SECDRV.SYS
[2009/09/26 12:09:30 | 000,000,046 | ---- | C] () -- C:\WINNT\TP-LINK ADSL Modem_Router Utility.INI
[2009/07/02 13:18:54 | 000,168,448 | ---- | C] () -- C:\WINNT\System32\unrar.dll
[2009/07/02 13:18:54 | 000,000,038 | ---- | C] () -- C:\WINNT\avisplitter.ini
[2009/07/02 13:18:53 | 002,402,304 | ---- | C] () -- C:\WINNT\System32\x264vfw.dll
[2009/07/02 13:18:53 | 000,819,200 | ---- | C] () -- C:\WINNT\System32\xvidcore.dll
[2009/07/02 13:18:52 | 000,180,224 | ---- | C] () -- C:\WINNT\System32\xvidvfw.dll
[2009/07/02 13:18:51 | 000,085,504 | ---- | C] () -- C:\WINNT\System32\ff_vfw.dll
[2009/06/26 16:20:17 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\Perflib_Perfdata_204.dat
[2009/02/26 22:48:30 | 000,116,224 | ---- | C] () -- C:\WINNT\System32\pdfcmnnt.dll
[2009/02/12 17:33:28 | 000,000,168 | ---- | C] () -- C:\WINNT\Clipbook.INI
[2008/10/02 10:32:38 | 000,000,754 | ---- | C] () -- C:\WINNT\WORDPAD.INI
[2008/09/19 15:57:34 | 003,596,288 | ---- | C] () -- C:\WINNT\System32\qt-dx331.dll
[2008/09/19 15:54:18 | 000,012,288 | ---- | C] () -- C:\WINNT\System32\DivXWMPExtType.dll
[2008/02/27 14:15:24 | 000,007,168 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/02/21 06:05:23 | 000,081,920 | ---- | C] () -- C:\WINNT\asr32311.dll
[2008/02/15 01:24:07 | 000,000,000 | ---- | C] () -- C:\WINNT\Textart.INI
[2008/02/12 02:06:52 | 000,000,285 | ---- | C] () -- C:\WINNT\EReg072.dat
[2008/01/14 05:41:49 | 000,000,116 | ---- | C] () -- C:\WINNT\NeroDigital.ini
[2007/12/19 03:35:58 | 000,000,664 | ---- | C] () -- C:\WINNT\System32\d3d9caps.dat
[2007/12/19 03:35:36 | 000,000,008 | ---- | C] () -- C:\WINNT\System32\nvModes.dat
[2002/07/24 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINNT\System32\mlang.dat
[2002/07/24 06:00:00 | 000,300,378 | ---- | C] () -- C:\WINNT\System32\perfh009.dat
[2002/07/24 06:00:00 | 000,272,492 | ---- | C] () -- C:\WINNT\System32\perfi009.dat
[2002/07/24 06:00:00 | 000,217,359 | ---- | C] () -- C:\WINNT\System32\dssec.dat
[2002/07/24 06:00:00 | 000,176,400 | ---- | C] () -- C:\WINNT\System32\qcut.dll
[2002/07/24 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINNT\System32\mib.bin
[2002/07/24 06:00:00 | 000,038,036 | ---- | C] () -- C:\WINNT\System32\perfc009.dat
[2002/07/24 06:00:00 | 000,033,552 | ---- | C] () -- C:\WINNT\System32\efsadu.dll
[2002/07/24 06:00:00 | 000,028,270 | ---- | C] () -- C:\WINNT\System32\perfd009.dat
[2002/07/24 06:00:00 | 000,007,265 | ---- | C] () -- C:\WINNT\System32\iasperf.ini
[2002/07/24 06:00:00 | 000,000,023 | ---- | C] () -- C:\WINNT\welcome.ini
[1999/12/18 10:58:32 | 000,000,435 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\SAS7_000.DAT
[1999/12/18 09:39:09 | 000,000,000 | ---- | C] () -- C:\WINNT\WT12sptlEN.INI
[1999/12/18 09:19:38 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\PFP120JPR.{PB
[1999/12/18 09:19:38 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\PFP120JCM.{PB
[1999/12/18 08:45:37 | 000,000,026 | ---- | C] () -- C:\WINNT\SPSETUP.INI
[1999/12/18 07:25:51 | 000,112,688 | ---- | C] () -- C:\WINNT\System32\shw32.dll
[1999/12/18 07:25:51 | 000,039,095 | ---- | C] () -- C:\WINNT\iccsigs.dat
[1999/12/18 07:06:35 | 000,000,207 | ---- | C] () -- C:\WINNT\ODBC.INI
[1999/12/18 06:20:17 | 000,204,800 | ---- | C] () -- C:\WINNT\System32\IVIresizeW7.dll
[1999/12/18 06:20:17 | 000,200,704 | ---- | C] () -- C:\WINNT\System32\IVIresizeA6.dll
[1999/12/18 06:20:17 | 000,192,512 | ---- | C] () -- C:\WINNT\System32\IVIresizeP6.dll
[1999/12/18 06:20:17 | 000,192,512 | ---- | C] () -- C:\WINNT\System32\IVIresizeM6.dll
[1999/12/18 06:20:17 | 000,188,416 | ---- | C] () -- C:\WINNT\System32\IVIresizePX.dll
[1999/12/18 06:20:17 | 000,020,480 | ---- | C] () -- C:\WINNT\System32\IVIresize.dll
[1999/12/18 06:17:37 | 000,831,600 | ---- | C] () -- C:\WINNT\System32\Ctaa1.dat
[1999/12/18 06:17:37 | 000,122,880 | ---- | C] () -- C:\WINNT\System32\cddvdint.dll
[1999/12/18 06:09:51 | 000,354,816 | ---- | C] () -- C:\WINNT\System32\psisdecd.dll
[1999/12/18 05:38:22 | 000,623,616 | ---- | C] () -- C:\WINNT\System32\CMCplDlg.dll
[1999/12/18 05:38:22 | 000,063,488 | ---- | C] () -- C:\WINNT\System32\CMCplSvr.dll
[1999/12/18 05:29:24 | 000,000,130 | ---- | C] () -- C:\WINNT\System32\tablet.dat
[1999/12/18 03:41:00 | 000,000,335 | ---- | C] () -- C:\WINNT\nsreg.dat
[1999/12/18 03:40:57 | 000,118,784 | ---- | C] () -- C:\WINNT\GREUninstall.exe
[1999/12/18 03:40:56 | 000,006,581 | ---- | C] () -- C:\WINNT\mozver.dat
[1999/12/18 02:00:01 | 000,013,824 | ---- | C] () -- C:\WINNT\System32\CopyPath.exe
[1999/12/17 05:42:13 | 000,167,936 | R--- | C] () -- C:\WINNT\essspk.exe
[1999/12/17 05:42:13 | 000,049,152 | R--- | C] () -- C:\WINNT\remvess.exe
[1999/12/17 05:22:53 | 001,626,112 | ---- | C] () -- C:\WINNT\System32\nwiz.exe
[1999/12/17 05:22:52 | 001,703,936 | ---- | C] () -- C:\WINNT\System32\nvwdmcpl.dll
[1999/12/17 05:22:52 | 001,474,560 | ---- | C] () -- C:\WINNT\System32\nview.dll
[1999/12/17 05:22:52 | 001,019,904 | ---- | C] () -- C:\WINNT\System32\nvwimg.dll
[1999/12/17 05:22:52 | 000,581,632 | ---- | C] () -- C:\WINNT\System32\nvhwvid.dll
[1999/12/17 05:22:52 | 000,466,944 | ---- | C] () -- C:\WINNT\System32\nvshell.dll
[1999/12/17 05:22:52 | 000,286,720 | ---- | C] () -- C:\WINNT\System32\nvnt4cpl.dll
[1999/12/17 05:22:51 | 001,339,392 | ---- | C] () -- C:\WINNT\System32\nvdspsch.exe
[1999/12/17 05:22:51 | 000,442,368 | ---- | C] () -- C:\WINNT\System32\nvappbar.exe
[1999/12/17 05:22:51 | 000,212,992 | ---- | C] () -- C:\WINNT\System32\nvapi.dll
[1999/12/17 05:22:49 | 000,425,984 | ---- | C] () -- C:\WINNT\System32\keystone.exe
[1999/12/16 13:13:23 | 000,004,073 | ---- | C] () -- C:\WINNT\ODBCINST.INI
[1999/12/16 13:12:58 | 000,245,688 | ---- | C] () -- C:\WINNT\System32\FNTCACHE.DAT
[1999/12/16 06:40:44 | 000,045,056 | ---- | C] () -- C:\WINNT\System32\vusetup.dll
[1999/12/16 05:52:13 | 000,021,952 | -H-- | C] () -- C:\Program Files\folder.htt
[1999/12/16 05:51:43 | 000,015,012 | ---- | C] () -- C:\WINNT\System32\emptyregdb.dat
[1999/09/25 04:36:24 | 000,088,816 | ---- | C] () -- C:\WINNT\System32\drivers\lvcam.sys
[1999/09/25 04:36:22 | 000,017,424 | ---- | C] () -- C:\WINNT\System32\drivers\lvsound.sys

========== LOP Check ==========

[2011/01/04 20:34:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Audacity
[2011/06/02 12:47:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\avidemux
[2010/05/15 14:53:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\BITS
[2010/05/15 14:53:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\FlashGet
[2010/05/15 14:53:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\FlashGetBHO
[1999/12/17 23:59:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Gena01
[2010/07/28 13:28:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Grass Valley
[2010/08/16 22:42:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ImgBurn
[2008/01/14 05:41:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\InterVideo
[2011/06/02 13:02:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\MPEG Streamclip
[1999/12/18 07:40:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Nuance
[2011/05/28 01:42:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\QuickScan
[2010/06/18 23:21:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Thunderbird
[2011/05/27 21:43:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\uTorrent
[1999/12/18 08:58:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Borland
[2010/07/28 13:27:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grass Valley
[1999/12/18 07:40:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nuance
[1999/12/18 07:40:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2011/02/21 09:55:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CookDing\Application Data\Audacity
[2011/06/01 23:16:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CookDing\Application Data\avidemux
[2008/02/06 02:04:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CookDing\Application Data\Gena01
[2009/01/15 22:55:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CookDing\Application Data\InterVideo
[2011/05/27 13:36:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CookDing\Application Data\KYL
[2011/06/02 13:53:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CookDing\Application Data\MPEG Streamclip
[2008/09/16 10:28:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CookDing\Application Data\Nuance
[2010/07/13 12:10:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\CookDing\Application Data\Thunderbird

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2003/06/18 22:05:04 | 000,150,528 | RHS- | M] () -- C:\arcldr.exe
[2003/06/18 22:05:04 | 000,163,840 | RHS- | M] () -- C:\arcsetup.exe


< MD5 for: EXPLORER.EXE >
[2003/06/18 22:05:04 | 000,243,472 | ---- | M] (Microsoft Corporation) MD5=59CF2B7DCED9111F48F51B4B570E672D -- C:\WINNT\explorer.exe
[2003/06/18 22:05:04 | 000,243,472 | ---- | M] (Microsoft Corporation) MD5=59CF2B7DCED9111F48F51B4B570E672D -- C:\WINNT\ServicePackFiles\i386\explorer.exe

< MD5 for: SVCHOST.EXE >
[2002/07/24 06:00:00 | 000,007,952 | ---- | M] (Microsoft Corporation) MD5=9E64AD53CFD9DA2D22E8A924F8C6E62C -- C:\WINNT\system32\dllcache\svchost.exe
[2002/07/24 06:00:00 | 000,007,952 | ---- | M] (Microsoft Corporation) MD5=9E64AD53CFD9DA2D22E8A924F8C6E62C -- C:\WINNT\system32\svchost.exe

< MD5 for: USERINIT.EXE >
[2003/06/18 22:05:04 | 000,017,680 | ---- | M] (Microsoft Corporation) MD5=BF179C5B8A722CC79AEF1CA90D6C7D48 -- C:\WINNT\ServicePackFiles\i386\userinit.exe
[2003/06/18 22:05:04 | 000,017,680 | ---- | M] (Microsoft Corporation) MD5=BF179C5B8A722CC79AEF1CA90D6C7D48 -- C:\WINNT\system32\USERINIT.EXE

< MD5 for: WINLOGON.EXE >
[2003/06/18 22:05:04 | 000,181,008 | ---- | M] (Microsoft Corporation) MD5=3980C28D116D438BBB36FB38526FDE1A -- C:\WINNT\$NtUpdateRollupPackUninstall$\winlogon.exe
[2003/06/18 22:05:04 | 000,181,008 | ---- | M] (Microsoft Corporation) MD5=3980C28D116D438BBB36FB38526FDE1A -- C:\WINNT\ServicePackFiles\i386\winlogon.exe
[2005/04/07 14:51:16 | 000,186,640 | ---- | M] (Microsoft Corporation) MD5=BB1DAF6A5737652646D52665251A0265 -- C:\WINNT\system32\dllcache\WINLOGON.EXE
[2005/04/07 14:51:16 | 000,186,640 | ---- | M] (Microsoft Corporation) MD5=BB1DAF6A5737652646D52665251A0265 -- C:\WINNT\system32\WINLOGON.EXE

< %systemroot%\*. /mp /s >

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "K:\InternetPersonal\Firefox3\uninstall\helper.exe" /HideShortcuts [2011/05/05 21:05:47 | 000,552,464 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "K:\InternetPersonal\Firefox3\uninstall\helper.exe" /ShowShortcuts [2011/05/05 21:05:47 | 000,552,464 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "K:\InternetPersonal\Firefox3\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/05/05 21:05:47 | 000,552,464 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: K:\InternetPersonal\Firefox3\firefox.exe [2011/05/05 21:05:47 | 000,912,344 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "K:\InternetPersonal\Firefox3\firefox.exe" -preferences [2011/05/05 21:05:47 | 000,912,344 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "K:\InternetPersonal\Firefox3\firefox.exe" -safe-mode [2011/05/05 21:05:47 | 000,912,344 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\SEAMONKEY.EXE\InstallInfo\\HideIconsCommand: "K:\InternetPersonal\Seamonkey\uninstall\helper.exe" /HideShortcuts [2011/04/27 15:21:20 | 000,574,444 | ---- | M] (mozilla.org)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\SEAMONKEY.EXE\InstallInfo\\ShowIconsCommand: "K:\InternetPersonal\Seamonkey\uninstall\helper.exe" /ShowShortcuts [2011/04/27 15:21:20 | 000,574,444 | ---- | M] (mozilla.org)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\SEAMONKEY.EXE\InstallInfo\\ReinstallCommand: "K:\InternetPersonal\Seamonkey\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/04/27 15:21:20 | 000,574,444 | ---- | M] (mozilla.org)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\SEAMONKEY.EXE\shell\open\command\\: K:\InternetPersonal\Seamonkey\seamonkey.exe [2011/04/27 15:21:20 | 011,638,272 | ---- | M] (mozilla.org)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\SEAMONKEY.EXE\shell\properties\command\\: "K:\InternetPersonal\Seamonkey\seamonkey.exe" -preferences [2011/04/27 15:21:20 | 011,638,272 | ---- | M] (mozilla.org)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\SEAMONKEY.EXE\shell\safemode\command\\: "K:\InternetPersonal\Seamonkey\seamonkey.exe" -safe-mode [2011/04/27 15:21:20 | 011,638,272 | ---- | M] (mozilla.org)

< End of report >



----------------
+++++++++++
EXTRAS LOG
+++++++++++
----------------

OTL Extras logfile created on: 06/03/2011 12:40:29 AM - Run 4
OTL by OldTimer - Version 3.2.23.0 Folder = O:\x_DelViruses
Windows 2000 Professional Edition Service Pack 4 (Version = 5.0.2195) - Type = NTWorkstation
Internet Explorer (Version = 5.00.3315.1000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yyyy

2.00 Gb Total Physical Memory | 1.80 Gb Available Physical Memory | 89.91% Memory free
5.89 Gb Paging File | 5.76 Gb Available in Paging File | 97.80% Paging File free
Paging file location(s): C:\pagefile.sys 80 80Y:\pagefile.sys 4000 4000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 10.00 Gb Total Space | 3.21 Gb Free Space | 32.10% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 9.28 Gb Free Space | 92.74% Space Free | Partition Type: NTFS
Drive E: | 10.00 Gb Total Space | 9.38 Gb Free Space | 93.75% Space Free | Partition Type: NTFS
Drive F: | 6.00 Gb Total Space | 4.71 Gb Free Space | 78.56% Space Free | Partition Type: NTFS
Drive G: | 6.00 Gb Total Space | 1.71 Gb Free Space | 28.46% Space Free | Partition Type: NTFS
Drive H: | 6.00 Gb Total Space | 4.99 Gb Free Space | 83.25% Space Free | Partition Type: NTFS
Drive I: | 6.00 Gb Total Space | 5.97 Gb Free Space | 99.45% Space Free | Partition Type: NTFS
Drive J: | 6.00 Gb Total Space | 5.96 Gb Free Space | 99.42% Space Free | Partition Type: NTFS
Drive K: | 10.00 Gb Total Space | 9.59 Gb Free Space | 95.81% Space Free | Partition Type: NTFS
Drive L: | 20.00 Gb Total Space | 16.32 Gb Free Space | 81.60% Space Free | Partition Type: NTFS
Drive M: | 15.00 Gb Total Space | 14.37 Gb Free Space | 95.83% Space Free | Partition Type: NTFS
Drive N: | 9.24 Gb Total Space | 2.25 Gb Free Space | 24.31% Space Free | Partition Type: NTFS
Drive O: | 465.65 Gb Total Space | 9.53 Gb Free Space | 2.05% Space Free | Partition Type: FAT32
Unable to calculate disk information.
Drive Y: | 9.99 Gb Total Space | 6.09 Gb Free Space | 60.91% Space Free | Partition Type: FAT32

Computer Name: LONGYUAN | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL %1,%*
.html [@ = Reg Error: Value error.] -- Reg Error: Key error. File not found
.inf [@ = inffile] -- K:\DocRelated\Win32Pad\Win32Pad.exe (Gennady Feldman)
.ini [@ = inifile] -- notepad.exe %1
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l
.js [@ = JSFile] -- Reg Error: Key error. File not found
.txt [@ = txtfile] -- K:\DocRelated\Win32Pad\Win32Pad.exe (Gennady Feldman)

[HKEY_USERS\S-1-5-21-1085031214-1614895754-839522115-500\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- K:\InternetPersonal\Firefox3\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- K:\DocRelated\Win32Pad\Win32Pad.exe %1 (Gennady Feldman)
batfile [open] -- "%1" %*
batfile [print] -- Reg Error: Key error.
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1
cmdfile [open] -- "%1" %*
cmdfile [print] -- K:\DocRelated\Win32Pad\Win32Pad.exe /p %1 (Gennady Feldman)
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL %1,%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- Reg Error: Key error.
htmlfile [opennew] -- Reg Error: Key error.
htmlfile [print] -- Reg Error: Key error.
http [open] -- K:\INTERN~1\FIREFOX\FIREFOX.EXE -requestPending -osint -url "%1"
https [open] -- K:\INTERN~1\FIREFOX\FIREFOX.EXE -requestPending -osint -url "%1"
inffile [open] -- K:\DocRelated\Win32Pad\Win32Pad.exe %1 (Gennady Feldman)
inffile [print] -- Reg Error: Key error.
inifile [open] -- notepad.exe %1
inifile [print] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
jsfile [edit] -- Reg Error: Key error.
jsfile [open] -- Reg Error: Key error.
jsfile [print] -- Reg Error: Key error.
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1
jsefile [print] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [edit] -- K:\DocRelated\Win32Pad\Win32Pad.exe %1 (Gennady Feldman)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- Reg Error: Key error.
scrfile [config] -- %1
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- K:\DocRelated\Win32Pad\Win32Pad.exe %1 (Gennady Feldman)
txtfile [print] -- Reg Error: Key error.
txtfile [printto] -- Reg Error: Key error.
vbefile [edit] -- K:\DocRelated\Win32Pad\Win32Pad.exe %1 (Gennady Feldman)
vbefile [print] -- Reg Error: Key error.
vbsfile [edit] -- K:\DocRelated\Win32Pad\Win32Pad.exe %1 (Gennady Feldman)
vbsfile [print] -- Reg Error: Key error.
wsffile [edit] -- K:\DocRelated\Win32Pad\Win32Pad.exe %1 (Gennady Feldman)
wsffile [print] -- Reg Error: Key error.
Unknown [openas] -- Reg Error: Key error.
Directory [ClearRO] -- "K:\Management\OS&fileMgmt\Clear_ReadonlyAttrbt\ClearRO.exe" "/r" "%L" ()
Directory [cmd] -- CopyPath.exe "%L" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] --
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "iexplore.exe"

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"K:\InternetPersonal\Flashget\FlashGet3.exe" = K:\InternetPersonal\Flashget\FlashGet3.exe:*:Enabled:Flashget3


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{0DD140D3-9563-481E-AA75-BA457CBDAEF2}" = PC Inspector File Recovery
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1B399A41-C1D0-40A2-9E4F-095868EFAF01}" = InterVideo WinDVD 5
"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
"{2CD7C9E0-8DFC-11DA-6784-1AC038B618BE}" = TBIView
"{2FCE4FC5-6930-40E7-A4F1-F862207424EF}" = InterVideo WinDVD Creator 2
"{6F716D8C-398F-11D3-85E1-005004838609}" = WebFldrs
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{772E9146-D676-4869-A298-047FF2A2B92D}" = Canopus Codec Option
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{96BF9A2A-1835-4DEE-A94F-9EA4F77976BF}" = InterVideo DVDCopy 2 for AsusTek
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{AEB9948B-4FF2-47C9-990E-47014492A0FE}" = MSXML 6.0 Parser
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{DDDD90B2-80F2-413A-8A8E-38C5076A7DBA}" = Dragon NaturallySpeaking 9
"2000lite" = 2000lite PROFESSIONAL
"7-Zip" = 7-Zip 4.16 beta
"AC3Filter_is1" = AC3Filter 1.63b
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AntiVir PersonalEdition Classic" = Avira AntiVir Personal - Free Antivirus
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.9 (Unicode)
"Avi2Dvd" = Avi2Dvd 0.6.1
"Avidemux 2.5" = Avidemux 2.5
"AviSynth" = AviSynth 2.5
"Cacheman 5.50" = Cacheman 5.50
"CHControlManager_is1" = CH Control Manager
"Clear Read-Only" = Clear Read-Only 1.1
"CoreAAC Audio Decoder" = CoreAAC Audio Decoder (remove only)
"Corel Applications" = Corel Applications
"CTDVDAudio Plugin" = Creative DVD Audio Plugin for Audigy Series
"DVD Identifier_is1" = DVD Identifier
"DVDStyler_is1" = DVDStyler v1.8.2 beta 1
"EndItAll_is1" = EndItAll 2.0
"ESSMDM" = Uninstall ESS Modem
"Exact Audio Copy" = Exact Audio Copy 0.99pb4
"ffdshow_is1" = ffdshow [rev 3299] [2010-03-03]
"Game Commander 2" = Game Commander 2
"GSpot" = GSpot Codec Information Appliance
"HaaliMkx" = Haali Media Splitter
"HTMLBEAUTY_is1" = MAX's HTML Beauty++ ME
"Infiltration_2.9" = Infiltration 2.9
"Infiltration_2.9_BonusPack" = Infiltration 2.9 BonusPack
"InfoHesiveEP_is1" = InfoHesiveEP v 3.1.0.1
"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager
"IrfanView" = IrfanView (remove only)
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 4.9.5
"LAME for Audacity_is1" = LAME v3.98.2 for Audacity
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"MechWarrior Vengeance" = MechWarrior Vengeance
"Mozilla Firefox (3.6.16)" = Mozilla Firefox (3.6.16)
"Nero BurnRights!UninstallKey" = Nero BurnRights
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NVIDIA Drivers" = NVIDIA Drivers
"OldunrealMultimediaUpdate for UnrealGold / RTNP_is1" = OpenGL 3.0 - OpenAL 0.2 - FMOD 0.2
"OldunrealMultimediaUpdate for UnrealTournament_is1" = OpenGL 3.0 - OpenAL 0.2 - FMOD 0.2
"QuicktimeAlt_is1" = QuickTime Alternative 1.81
"RegEditX" = RegEditX
"SeaMonkey (2.0.5)" = SeaMonkey (2.0.5)
"ShellExView" = ShellExView
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"SShockDeinstallKey" = System Shock2
"ST5UNST #1" = Unreal Editor
"Tablet Driver" = Tablet
"Ten Clipboards" = Ten Clipboards 1.12
"Unreal Gold" = Unreal Gold
"UnrealTournament" = Unreal Tournament G.O.T.Y. Edition
"Update Rollup 1" = Update Rollup 1 for Windows 2000 SP4
"Win32Pad" = Win32Pad 1.5.9.1
"WinRAR archiver" = WinRAR archiver
"WMV9_VCM" = Microsoft Windows Media Video 9 VCM
"Xvid_is1" = Xvid 1.2.2 final uninstall

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1085031214-1614895754-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 05/27/2011 11:55:49 PM | Computer Name = LONGYUAN | Source = PerfDisk | ID = 1000
Description = Unable to open the Disk performance object. Status code returned is
data
DWORD 0.

Error - 05/27/2011 11:55:49 PM | Computer Name = LONGYUAN | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

Error - 05/27/2011 11:55:49 PM | Computer Name = LONGYUAN | Source = PerfNet | ID = 2002
Description = Unable to open the Redirector service. Redirector performance data
will not be returned. Error code returned is in data DWORD 0.

Error - 05/27/2011 11:55:50 PM | Computer Name = LONGYUAN | Source = rasctrs | ID = 2001
Description =

Error - 05/28/2011 12:10:08 AM | Computer Name = LONGYUAN | Source = PerfDisk | ID = 1000
Description = Unable to open the Disk performance object. Status code returned is
data
DWORD 0.

Error - 05/28/2011 12:10:11 AM | Computer Name = LONGYUAN | Source = rasctrs | ID = 2001
Description =

Error - 05/28/2011 12:17:30 AM | Computer Name = LONGYUAN | Source = PerfDisk | ID = 1000
Description = Unable to open the Disk performance object. Status code returned is
data
DWORD 0.

Error - 05/28/2011 12:17:30 AM | Computer Name = LONGYUAN | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

Error - 05/28/2011 12:17:30 AM | Computer Name = LONGYUAN | Source = PerfNet | ID = 2002
Description = Unable to open the Redirector service. Redirector performance data
will not be returned. Error code returned is in data DWORD 0.

Error - 05/28/2011 12:17:31 AM | Computer Name = LONGYUAN | Source = rasctrs | ID = 2001
Description =

[ System Events ]
Error - 05/29/2011 2:42:09 PM | Computer Name = LONGYUAN | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.2 for the Network Card with network
address 0011D858B983 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 05/30/2011 8:15:56 PM | Computer Name = LONGYUAN | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.2 for the Network Card with network
address 0011D858B983 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 05/31/2011 2:45:49 AM | Computer Name = LONGYUAN | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.2 for the Network Card with network
address 0011D858B983 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 06/02/2011 12:35:22 PM | Computer Name = LONGYUAN | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.2 for the Network Card with network
address 0011D858B983 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 06/02/2011 9:59:25 PM | Computer Name = LONGYUAN | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.2 for the Network Card with network
address 0011D858B983 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 06/03/2011 2:02:29 AM | Computer Name = LONGYUAN | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.2 for the Network Card with network
address 0011D858B983 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 06/03/2011 2:08:22 AM | Computer Name = LONGYUAN | Source = Service Control Manager | ID = 7031
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
0 milliseconds: No action.

Error - 06/03/2011 2:08:22 AM | Computer Name = LONGYUAN | Source = Service Control Manager | ID = 7031
Description = The Still Image Service service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 0 milliseconds:
No action.

Error - 06/03/2011 2:08:22 AM | Computer Name = LONGYUAN | Source = Service Control Manager | ID = 7031
Description = The HID Input Service service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 0 milliseconds:
No action.

Error - 06/03/2011 2:08:23 AM | Computer Name = LONGYUAN | Source = Service Control Manager | ID = 7031
Description = The Windows Management Instrumentation service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
60000 milliseconds: Restart the service.

< End of report >

#4
Render

    Trusted Helper

  • Malware Removal
  • 4,195 posts
Hi, and sorry for that. It's been a long time since I worked on Windows 2000.

So the original issues remain?

Do the following please:

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from Here and double click on mbam-setup.exe to install the application

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Click on Check for Updates button.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

#5 MikeF2 (New Member, Topic Starter, 8 posts)
In your new reply, you ask, "So original issues remains?"

As far as I can tell, no it doesn't. As I said prior to the 4 logs in my previous post, "at least the DOS windows aren't popping up anymore upon reboot." That's the only symptom I've ever been able to see. So I would assume that everything's OK now, unless you've found something in those logs that needs to be dealt with.

Should I go ahead with MalwareBytes anyway? I downloaded it and am ready to do so if necessary.

Thanks again.

#6 Render (Trusted Helper, Malware Removal, 4,195 posts)
Hi,

I'm sorry, but I overlooked your reply. :) That's good then.

Yes please, proceed with MBAM scan as I want to fully check your machine.

#7 MikeF2 (New Member, Topic Starter, 8 posts)

Yes please, proceed with MBAM scan as I want to fully check your machine.

Well, you were right. It found one item, a "PUM.Hijack.Help" registry entry. Here's the log:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6768

Windows 5.0.2195 Service Pack 4
Internet Explorer 5.00.3315.1000

06/04/2011 12:22:47 AM
mbam-log-2011-06-04 (00-22-47).txt

Scan type: Quick scan
Objects scanned: 139103
Time elapsed: 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (PUM.Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 Render (Trusted Helper, Malware Removal, 4,195 posts)
Hi,

Actually, that is not something dangerous. It's only a potentially unwanted modification of that registry key. If set to 1, it will remove the Start Menu Help menu. Setting this to 0 will show the Help menu. Nothing serious.

Now do this please:

Please download AVP Tool by Kaspersky. Save it to your desktop, and reboot your computer into SafeMode.

  • You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
  • Use your up arrow key to highlight SafeMode then hit enter.
  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit OK at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked:

    Hidden Startup Objects
    System Memory
    Disk Boot Sectors.
    My Computer.
    Also any other drives (Removable that you may have)

  • Leave the rest of the settings as they appear as default.
  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all.
  • If it says it cannot be Neutralized then choose the delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to a file named Kas.
  • Save it somewhere convenient like your desktop and post it in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.
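An added example, not code from this thread or from Malwarebytes: a small Python parser for the per-section part of the MBAM 1.51 log format shown in post #7, with a triage step that separates PUM.* policy modifications (like the NoSMHelp entry explained above) from actual malware detections. The log excerpt is constructed, and its Trojan.Agent file entry is made up for illustration.

```python
import re

# Constructed excerpt in the shape of the Malwarebytes 1.51 log in post #7;
# the "Files Infected" entry is a made-up sample, not something found on the machine.
SAMPLE_LOG = """Registry Keys Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSMHelp (PUM.Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\\Documents and Settings\\user\\Local Settings\\Temp\\sample.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<section>.+) Infected:$")
# "<object> (<detection>) -> <action>"; the object itself may contain parentheses.
ITEM_RE = re.compile(r"^(?P<object>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")
# Registry data items carry the value MBAM saw and the value it restored.
DATA_RE = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return one dict per detection listed under the per-section headers."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM_RE.match(line)
        if section is None or not m:
            continue
        item = {"section": section, "object": m.group("object"),
                "detection": m.group("detection"), "action": m.group("action")}
        d = DATA_RE.match(item["action"])
        if d:  # registry data item: keep the bad/good values, strip them from the action
            item.update(bad=d.group("bad"), good=d.group("good"), action=d.group("action"))
        findings.append(item)
    return findings


def triage(findings):
    """Split detections into policy tweaks (PUM.*) and everything else."""
    pum = [f for f in findings if f["detection"].startswith("PUM.")]
    malware = [f for f in findings if not f["detection"].startswith("PUM.")]
    return {"pum": pum, "malware": malware}
```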

#9 MikeF2 (New Member, Topic Starter, 8 posts)
Please accept my apologies for taking so long to implement your latest instructions. I work 12-hour night shifts over the weekend, and still have to spend some time with the family during the day, so it takes a lot out of me.

Anyhow, Kaspersky did find something:

Autoscan: completed 9 hours ago (events: 6, objects: 477000, time: 03:49:17)
06/06/2011 11:43:25 PM Task started
06/06/2011 11:52:19 PM Detected: Trojan-Spy.Win32.Carberp.uh K:\InternetPersonal\Firefox3\0.8558440454543509.exe/UPX
06/07/2011 2:32:43 AM Deleted: Trojan-Spy.Win32.Carberp.uh K:\InternetPersonal\Firefox3\0.8558440454543509.exe
06/07/2011 3:00:29 AM Detected: Trojan-Spy.Win32.Carberp.uh O:\Recycled\Dr9\MovedFiles\06032011_000822\C_Documents and Settings\CookDing\Start Menu\Programs\Startup\igfxtray.exe/UPX
06/07/2011 3:00:33 AM Deleted: Trojan-Spy.Win32.Carberp.uh O:\Recycled\Dr9\MovedFiles\06032011_000822\C_Documents and Settings\CookDing\Start Menu\Programs\Startup\igfxtray.exe
06/07/2011 3:32:42 AM Task completed

#10 Render (Trusted Helper, Malware Removal, 4,195 posts)
Hi, Mike. No problem with the delay. :)

Your logs show that your system is clean. If you have no further issues with your computer, then please proceed with the housekeeping procedures outlined below.

Removing the tools we used:

Reset System Restore points:

  • Please reopen OTL on your desktop.
  • Copy (select all lines inside quote box and press CTRL+C) and Paste (press CTRL+V) the following code into the Custom Scans/Fixes textbox.

    :Commands
    [ClearAllRestorePoints]

  • Click on the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click on the OK button.

NEXT...

OTL Clean-Up:

  • Reopen OTL on your desktop.
  • Click on the Cleanup button.
  • You will be prompted to reboot your system. Please do so.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.


There are a few things I recommend you do once your computer is completely clean:

Notes: Windows 2000 reached the end of its lifecycle on 13 July 2010. It will not receive new security updates or new security-related hotfixes after this date. Please don't use Internet Explorer, as it is obsolete; newer versions of Internet Explorer are not compatible with Windows 2000. Please use one of the recommended browsers listed below instead.

Updates for other installed software

A common attack method for hacking attempts and malware installs is to exploit known vulnerabilities in programs that are commonly installed on a person's computer. These vulnerabilities could allow a remote user or malware developer to install malware, keyloggers, and backdoors on to your computer without your knowledge or permission.
Some of the programs that are commonly exploited include Adobe Shockwave, Adobe Reader, Sun Java, Adobe Flash, and even Windows itself. Therefore it is crucial that everyone remain vigilant as to when a security vulnerability is found in our installed programs and to update it when a security update is released. Unfortunately, no one has the time to stay on top of these updates, which can happen frequently.

I highly recommend you install Secunia Personal Software Inspector (PSI), which can be used to scan your computer for known vulnerable programs, provide information on the vulnerability, and provide a location to an update for the vulnerable program. A tutorial on how to use Secunia Personal Software Inspector (PSI) can be found here: Keep Software Updated with Secunia PSI.

Web Browsers - Picking the right internet browser is very important. You need to find one that suits your needs but that is also safe. All browsers listed below are far more secure than Internet Explorer, immune to almost all known browser hijackers, and also have the best built-in pop up blockers.

Tips to protect yourself against malware and reduce the potential for re-infection:

Now, after all these steps, your PC will be more secure. However, it is important to note that you can still get infected if you are not careful. One of the best security programs you can have is common sense. As malware gets more sophisticated, you need to be more wary. If you do get caught, though, and the above steps can't help prevent it, we will be here to help you out.

Stay secure and thank you for choosing GeeksToGo.

#11 MikeF2 (New Member, Topic Starter, 8 posts)
There were a couple of problems. I attempted to follow the instructions several times, both in Administrator and normal user, and got the same results each time:

1. After having copied your short script to the Custom Scans box and clicking Run Fix, I am not asked to reboot. I get a box that says "Fix Complete! Click OK to open the Fix log", but upon clicking OK there is no log.

2. When I proceed to press Cleanup, there is a message displayed at the bottom of the program that says "Processing [deleteself]..." and the program hangs. It doesn't actually crash; I can still close the app with no problem. Anyway, I found this link (http://forums.malwar...37) discussing the problem and followed the instructions to end OTL in Task Manager and reboot, but unlike the user in that post, I still have OTL sitting there. So should I just delete it myself manually? Are there any registry entries I should clean out myself?

#12 Render (Trusted Helper, Malware Removal, 4,195 posts)
Hi,

1. This is not a problem.

2. Please just delete OTL.exe and all logs. There are some minor entries in the registry, but we can ignore them.

#13 MikeF2 (New Member, Topic Starter, 8 posts)
OK, done. Will get Secunia too. Thanks very much for your help. I'm having significant job and personal problems at the moment, both of which have severely cut my disposable income, so my donation is not very big. But I am most grateful.

#14 Render (Trusted Helper, Malware Removal, 4,195 posts)
You are welcome, Mike. I'm glad that your issue has been resolved and let me know if you have any other questions.

#15 Render (Trusted Helper, Malware Removal, 4,195 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.