
Malware removal help - W32.Blaster.Worm [Closed] [Solved]


  • This topic is locked

#1
LArnett

LArnett

    Member

  • Member
  • PipPip
  • 41 posts
I'm working on a friend's computer which was infected by malware. W32.Blaster.Worm to be exact. This is my first experience with malware but I've done a lot of research over the last couple of days. Ok, here's the problem and then what I've tried.

The computer is running XP Home with two users as administrators. At startup, before choosing which profile to load, I get an error.

Isass.ese - system error The maximum number of secrets that may be stored in a single system has been exceeded. The length and number of secrets is limited to satisfy United States State Department exports restrictions.

click ok

sqlbrowser.exe - System Error The maximum number of secrets that may be stored in a single system has been exceeded. The length and number of secrets is limited to satisfy United States State Department exports restrictions.

click ok

iqs.exe - System Error The maximum number of secrets that may be stored in a single system has been exceeded. The length and number of secrets is limited to satisfy United States State Department exports restrictions.

click ok

alg.exe - System Error The maximum number of secrets that may be stored in a single system has been exceeded. The length and number of secrets is limited to satisfy United States State Department exports restrictions.

click ok

No more error messages.

click first profile

Security Protection starts a Full PC Scan and instantly finds malware.
Stop the scan and the desktop is blank or won't load.

I have had to use the second profile to be able to get to the desktop but couldn't load anything because another warning pops up

BGCheck.exe - System Error The maximum number of secrets that may be stored in a single system has been exceeded. The length and number of secrets is limited to satisfy United States State Department exports restrictions.

Clicked ok

ViewMgr.exe – System Message The maximum number of secrets that may be stored in a single system has been exceeded. The length and number of secrets is limited to satisfy United States State Department exports restrictions

Clicked ok

ApplicationUpdater.exe – System Error The maximum number of secrets that may be stored in a single system has been exceeded. The length and number of secrets is limited to satisfy United States State Department exports restrictions
Clicked ok and no more error messages.

I was unable to access any programs or even CMD. I tried safe mode, safe mode w/ CMD prompt and still nothing.

Went to Microsoft’s support site for this Malware but had no luck. Did the following:

(To search for these files:
1. Click Start, click Run, type cmd in the Open box, and then click OK.
2. At the command prompt, type dir %systemroot%\system32\filename.ext /a /s, and then press ENTER, where filename.ext is Msblast.exe, Nstask32.exe, Penis32.exe, Teekids.exe, Winlogin.exe, Win32sockdrv.dll, or Yuetyutr.dll.

Note Repeat step 2 for each of these file names: Msblast.exe, Nstask32.exe, Penis32.exe, Teekids.exe, Winlogin.exe, Win32sockdrv.dll, and Yuetyutr.dll. If you find any of these files, your computer may be infected with the worm. If you find one of these files, delete the file, and then follow the steps in the "Recovery" section of this article. To delete the file, type del %systemroot%\system32\filename.ext /a at the command prompt, and then press ENTER.)

While reading through some of the forums on here I came across a program to get started with and did this:

(Originally Posted by Belahzur
Hello.

We need to use the RKill Tool by Grinler


Rkill.com <--- Download site
• Please Download Rkill.com. Save it to your Desktop.
• Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
• NOTE: If you are unable to connect to the site to download rkill, then you should download it to a clean computer and copy it to the infected one via a USB flash drive or CDROM.
• Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with Rogue programs.
• Please be patient while the program looks for various malware programs and ends them.
• When it has finished, the black window will automatically close and you can continue with the next step.
NOTE: If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the rogue program when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the rogue program. So, please try running Rkill until the malware is no longer running. You will then be able to proceed with the rest of the steps.

If you continue having problems running rkill.com, you can download:
iExplore.exe or eXplorer.exe
which are renamed copies of rkill.com, and try them instead.

Try OTL now.)

I finally got eXplorer.exe to work. I ran it 4 times and copied each log just in case it was needed. I have downloaded OTL and am ready to install and run it. I have just been reading over the 56 page instructions to better familiarize myself with the program before I run it.

If you need any more information or have questions, please feel free to ask.

Oh, what kind of files can I upload? I tried to upload a Microsoft Word doc and it said "Error: You aren't permitted to upload this kind of file."
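As an added example (not part of the original post, and not code from Microsoft's article), here is a Python equivalent of the `dir %systemroot%\system32\filename.ext /a /s` search in the quoted steps: it walks a directory tree once and reports every file whose name is on the list, case-insensitively, instead of running one `dir` per name. The directory it searches is a constructed temporary tree standing in for `%systemroot%\system32`; the names `find_named_files` and `build_demo_tree` are mine, not Microsoft's.

```python
import os
import tempfile
from pathlib import Path

# File names Microsoft's Blaster guidance (quoted in the post above) says to look for.
BLASTER_NAMES = frozenset({
    "msblast.exe", "nstask32.exe", "penis32.exe", "teekids.exe",
    "winlogin.exe", "win32sockdrv.dll", "yuetyutr.dll",
})


def find_named_files(root, names=BLASTER_NAMES):
    r"""Walk `root` once and return (path, size_in_bytes) for every file whose name
    is in `names`, compared case-insensitively as NTFS does. This is the one-pass
    equivalent of running `dir %systemroot%\system32\<name> /a /s` for each name;
    os.walk lists hidden and system files too, which is what the /a switch adds."""
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if name.lower() in wanted:
                full = Path(dirpath, name)
                hits.append((str(full), full.stat().st_size))
    return sorted(hits)


def build_demo_tree():
    r"""Constructed stand-in for %systemroot%\system32 (hypothetical, not a real
    system directory): one benign placeholder file and one placeholder named like
    the worm binary, placed in a subfolder so the recursive search has to find it."""
    root = tempfile.mkdtemp(prefix="system32_demo_")
    os.makedirs(os.path.join(root, "wbem"))
    Path(root, "kernel32.dll").write_bytes(b"benign placeholder")
    Path(root, "wbem", "MSBLAST.EXE").write_bytes(b"placeholder, not the worm")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for path, size in find_named_files(demo_root):
        print(f"found {path} ({size} bytes)")
```

A hit only means a file with that name exists; as the quoted article says, that is a reason to follow the recovery steps, not proof by itself, since the worm's own copies were dropped by the exploit and a clean file can share a name.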



#2
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there, and sorry for the delay. Could you update me on the current problems, please?

Download RogueKiller to your desktop

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 2 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.


NEXT

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    consrv.dll
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
    C:\Windows\assembly\tmp\U\*.* /s
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs

THEN

Download aswMBR.exe ( 1.8mb ) to your desktop.
Double-click aswMBR.exe to run it. Click the "Scan" button to start the scan.


On completion of the scan click save log, save it to your desktop and post in your next reply


#3
LArnett

LArnett

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Thanks for the assistance.

The skinny of the problem is that a friend of mine brought me his computer that no one in his family could use anymore. Through some research I found that it was malware, specifically the W32.Blaster.worm. Lots of pop-ups of different files that said

Isass.ese - system error The maximum number of secrets that may be stored in a single system has been exceeded. The length and number of secrets is limited to satisfy United States State Department exports restrictions.

There were about 5 or 6 of these warnings that would pop up, and every time you tried to open something it would run the Windows install for 3-5 min and then open up.

Reading through some of the forums on here I came across a program named Rkill and ran that. I ran it 4 times and kept all 4 reports from that.

Ran the RogueKiller prog and here are the results.

RogueKiller V6.2.4 [01/12/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: Ricky [Admin rights]
Mode: Remove -- Date : 01/16/2012 10:51:49

¤¤¤ Bad processes: 3 ¤¤¤
[SUSP PATH] 3949259467:873831188.exe -- C:\WINDOWS\3949259467:873831188.exe -> KILLED [TermProc]
[SUSP PATH] 3949259467:873831188.exe -- C:\WINDOWS\3949259467:873831188.exe -> KILLED [TermProc]
[RESIDUE] 3949259467:873831188.exe -- C:\WINDOWS\3949259467:873831188.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 9 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : {C92A9AE0-5B6C-C633-0C92-8249B6CDCF79} ("C:\Documents and Settings\Ricky\Application Data\Nyigyw\pyfu.exe") -> DELETED
[SUSP PATH] HKCU\[...]\Run : Security Protection (C:\Documents and Settings\All Users\Application Data\defender.exe) -> DELETED
[DNS] HKLM\[...]\ControlSet001\Parameters : NameServer (93.188.162.149,93.188.160.29) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet001\Parameters\Interfaces\{42AAA1A2-A41E-4C6B-BC89-B07492D6ECB3} : NameServer (93.188.162.149,93.188.160.29) -> NOT REMOVED, USE DNSFIX
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[FILEASSO] HKLM\Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command : ("C:\Documents and Settings\Ricky\Local Settings\Application Data\nyo.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") -> REPLACED ("C:\Program Files\internet explorer\iexplore.exe")

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess|Rogue.AntiSpy-AH ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 3dc4aaf7b36b9be8d1d1084187128be4
[BSP] b72667633f4c7c2babf1970635a88ab8 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 32 Mo
1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 64260 | Size: 36553 Mo
2 - [XXXXXX] FAT32 [HIDDEN!] Offset (sectors): 71457120 | Size: 3405 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: +++++
--- User ---
[MBR] 7958267ce3edacd504a037c60a44c77d
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT16 [VISIBLE] Offset (sectors): 32 | Size: 1006 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt



Getting ready to run OTL right now.

LArnett

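To show how a report like the one above can be triaged mechanically, here is an added Python example; it is not from the original thread and is not RogueKiller's or OTL's own code. It parses RogueKiller `[TAG] detail -> ACTION` lines into findings, lists the ones left unremediated (the two `NOT REMOVED, USE DNSFIX` entries above), flags paths that embed an NTFS alternate data stream (the `3949259467:873831188.exe` process RogueKiller killed), and pairs the `O17` DhcpNameServer/NameServer lines from the OTL log posted later in the thread so a static override that differs from the DHCP-supplied server stands out. The sample lines are copied from the logs in this thread; `parse_roguekiller`, `looks_like_ads`, `stream_paths` and `dns_overrides` are my own names.

```python
import re
from dataclasses import dataclass

# RogueKiller result line: "[TAG] detail -> ACTION"
RK_LINE = re.compile(r"^\[(?P<tag>[A-Z ]+)\]\s+(?P<detail>.+?)\s+->\s+(?P<action>.+)$")
# OTL O17 line: "O17 - <registry key>: <DhcpNameServer|NameServer> = <value>"
O17_LINE = re.compile(r"^O17 - (?P<key>.+?): (?P<name>DhcpNameServer|NameServer) = (?P<value>.+)$")
# A Windows path token inside a detail field (stops at whitespace, so it is only a heuristic)
WIN_PATH = re.compile(r"[A-Za-z]:\\\S*")

# Sample lines copied from the RogueKiller and OTL logs in this thread.
RK_SAMPLE = r"""
[SUSP PATH] 3949259467:873831188.exe -- C:\WINDOWS\3949259467:873831188.exe -> KILLED [TermProc]
[SUSP PATH] HKCU\[...]\Run : Security Protection (C:\Documents and Settings\All Users\Application Data\defender.exe) -> DELETED
[DNS] HKLM\[...]\ControlSet001\Parameters : NameServer (93.188.162.149,93.188.160.29) -> NOT REMOVED, USE DNSFIX
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
"""

OTL_SAMPLE = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.149,93.188.160.29
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{42AAA1A2-A41E-4C6B-BC89-B07492D6ECB3}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{42AAA1A2-A41E-4C6B-BC89-B07492D6ECB3}: NameServer = 93.188.162.149,93.188.160.29
"""


@dataclass
class Finding:
    tag: str
    detail: str
    action: str

    def remediated(self) -> bool:
        # RogueKiller reports what it could not fix as "NOT REMOVED, ..."
        return not self.action.startswith("NOT REMOVED")


def parse_roguekiller(text: str) -> list:
    """Turn RogueKiller report lines into Finding objects; other lines are ignored."""
    findings = []
    for line in text.splitlines():
        m = RK_LINE.match(line.strip())
        if m:
            findings.append(Finding(m["tag"], m["detail"], m["action"]))
    return findings


def outstanding(findings) -> list:
    """Findings the tool logged but did not fix, i.e. what still needs manual work."""
    return [f for f in findings if not f.remediated()]


def looks_like_ads(path: str) -> bool:
    """True if a Windows path has a second colon after the drive letter, which
    names an NTFS alternate data stream (file:stream) rather than a normal file."""
    _drive, _sep, rest = path.partition(":")
    return ":" in rest


def stream_paths(findings) -> list:
    """Every path in the findings that looks like an alternate data stream."""
    return [p for f in findings for p in WIN_PATH.findall(f.detail) if looks_like_ads(p)]


def dns_overrides(otl_text: str) -> dict:
    """Map each Tcpip key to its static NameServer when it differs from the DHCP one."""
    by_key = {}
    for line in otl_text.splitlines():
        m = O17_LINE.match(line.strip())
        if m:
            by_key.setdefault(m["key"], {})[m["name"]] = m["value"]
    return {k: v["NameServer"] for k, v in by_key.items()
            if "NameServer" in v and v["NameServer"] != v.get("DhcpNameServer")}


if __name__ == "__main__":
    found = parse_roguekiller(RK_SAMPLE)
    print(f"{len(found)} findings, {len(outstanding(found))} still outstanding")
    print("alternate-data-stream paths:", stream_paths(found))
    for key, servers in dns_overrides(OTL_SAMPLE).items():
        print(f"static DNS override on {key}: {servers}")
```

The DNS check is the practical point: a hard-coded NameServer that does not match what DHCP handed out is exactly what RogueKiller declined to touch, and it will survive a reboot unless it is cleared, so it belongs at the top of the follow-up list rather than buried among entries marked DELETED.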

#4
LArnett

LArnett

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
OK, ran OTL and here are the results.

OTL REPORT

OTL logfile created on: 1/16/2012 11:49:37 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Ricky\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 292.06 Mb Available Physical Memory | 58.06% Memory free
4.37 Gb Paging File | 4.19 Gb Available in Paging File | 96.03% Paging File free
Paging file location(s): C:\pagefile.sys 4000 4025 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.04 Gb Total Space | 7.68 Gb Free Space | 22.56% Space Free | Partition Type: NTFS
Drive E: | 959.22 Mb Total Space | 894.92 Mb Free Space | 93.30% Space Free | Partition Type: FAT

Computer Name: FAMILY | User Name: Ricky | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - File not found -- C:\WINDOWS\3949259467:873831188.exe
PRC - [2012/01/11 11:17:58 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ricky\Desktop\OTL.exe
PRC - [2011/06/27 14:25:21 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/12/16 17:38:20 | 000,377,344 | ---- | M] (Spigot, Inc.) -- C:\Program Files\Application Updater\ApplicationUpdater.exe
PRC - [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/04 16:38:18 | 000,112,336 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
PRC - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe


========== Modules (No Company Name) ==========

MOD - [2011/06/27 14:25:22 | 001,014,744 | ---- | M] () -- C:\Program Files\Mozilla Firefox\js3250.dll
MOD - [2008/06/20 12:41:10 | 000,245,248 | ---- | M] () -- C:\WINDOWS\system32\mswsock.dll
MOD - [2008/06/20 12:41:10 | 000,245,248 | ---- | M] () -- \\?\globalroot\systemroot\system32\mswsock.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Windows Overlay Components)
SRV - File not found [Auto | Stopped] -- -- (Network Monitor)
SRV - File not found [Auto | Stopped] -- -- (DomainService)
SRV - File not found [Auto | Stopped] -- -- (cmdService)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2009/12/16 17:38:20 | 000,377,344 | ---- | M] (Spigot, Inc.) [Auto | Running] -- C:\Program Files\Application Updater\ApplicationUpdater.exe -- (Application Updater)
SRV - [2009/09/11 07:33:18 | 000,020,680 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2009/09/11 07:24:32 | 000,735,960 | ---- | M] () [Auto | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2008/06/20 12:41:10 | 000,245,248 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\system32\mswsock.dll -- (Nla) Network Location Awareness (NLA)
SRV - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)


========== Driver Services (SafeList) ==========

DRV - [2009/09/11 07:26:26 | 000,096,408 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdir.sys -- (epfwtdir)
DRV - [2009/09/11 07:23:50 | 000,108,792 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2009/09/11 07:17:16 | 000,116,008 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
DRV - [2008/06/18 10:49:16 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2005/07/14 07:28:30 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2004/09/17 14:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/06/16 03:52:40 | 000,061,157 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC53.sys -- (IntelC53)
DRV - [2004/03/06 04:15:34 | 000,647,929 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC52.sys -- (IntelC52)
DRV - [2004/03/06 04:14:42 | 001,233,525 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC51.sys -- (IntelC51)
DRV - [2004/03/06 04:13:38 | 000,037,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mohfilt.sys -- (mohfilt)
DRV - [2003/07/15 21:20:46 | 000,043,136 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2003/01/10 16:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2002/11/08 19:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (omci)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/mywaybiz
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/mywaybiz
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
IE - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...chlft.html?p=DS
IE - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
IE - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - No CLSID value found
IE - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\..\URLSearchHook: {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - No CLSID value found
IE - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\..\URLSearchHook: {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - SOFTWARE\Classes\CLSID\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}\InprocServer32 File not found
IE - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found
IE - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=634471"
FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig"
FF - prefs.js..extensions.enabledItems: [email protected]:1.2.3


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/npracplug;version=1.0.0.0: C:\Program Files\Real\RealArcade\Plugins\Mozilla\npracplug.dll (RealNetworks)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF - HKCU\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.3: C:\Documents and Settings\Ricky\Application Data\Facebook\npfbplugin_1_0_3.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.18\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/08/24 19:45:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.18\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/27 14:25:28 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2009/11/20 16:08:55 | 000,000,000 | ---D | M]

[2009/11/20 08:14:51 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Ricky\Application Data\Mozilla\Extensions
[2011/04/15 23:36:40 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Ricky\Application Data\Mozilla\Firefox\Profiles\w6omdj8q.default\extensions
[2009/11/20 12:47:01 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Ricky\Application Data\Mozilla\Firefox\Profiles\w6omdj8q.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/10 20:42:31 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Ricky\Application Data\Mozilla\Firefox\Profiles\w6omdj8q.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/08/26 18:32:18 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2007/12/17 19:24:03 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/07/30 02:53:04 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2011/08/13 09:29:43 | 000,000,000 | ---D | M] (Search Settings Plugin) -- C:\PROGRAM FILES\SEARCH SETTINGS\FF
[2009/07/17 18:02:48 | 000,002,476 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\BearShareWebSearch.xml

O1 HOSTS File: ([2004/08/04 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {21652878-587A-466C-987A-C31EC6E38803} - C:\Program Files\ComPlus Applications\holenu4444.dll File not found
O2 - BHO: (RXResultTracker Class) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll File not found
O2 - BHO: (no name) - {664E992D-7D84-47A5-90E7-470D398D4B1F} - C:\Program Files\ComPlus Applications\holenu83122.dll File not found
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (SearchSettings Class) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - Reg Error: Value error. File not found
O2 - BHO: (no name) - Software - No CLSID value found.
O3 - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\..\Toolbar\ShellBrowser: (no name) - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - No CLSID value found.
O3 - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\..\Toolbar\WebBrowser: (no name) - {4D1C4E89-A32A-416B-BCDB-33B3EF3617D3} - No CLSID value found.
O3 - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O3 - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\..\Toolbar\WebBrowser: (no name) - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - No CLSID value found.
O3 - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\..\Toolbar\WebBrowser: (no name) - {7EFBC57C-CD57-481F-B794-648FCE9C9116} - No CLSID value found.
O3 - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\..\Toolbar\WebBrowser: (no name) - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No CLSID value found.
O3 - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe (MP2P Technologies.)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u File not found
O4 - Startup: C:\Documents and Settings\Ricky\Start Menu\Programs\Startup\Skype.lnk = File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZCxdm832YYUS File not found
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\Ricky\Application Data\Dealio\kb124\res\DealioSearch.html File not found
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\System32\mswsock.dll ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\System32\mswsock.dll ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - mswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - mswsock.dll File not found
O15 - HKLM\..Trusted Domains: getmirar.com ([click] http in Trusted sites)
O15 - HKLM\..Trusted Domains: getmirar.com ([click] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mirarsearch.com ([click] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mirarsearch.com ([click] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mirarsearch.com ([redirect] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mirarsearch.com ([redirect] https in Trusted sites)
O15 - HKLM\..Trusted Domains: net-nucleus.com ([awbeta] http in Trusted sites)
O15 - HKLM\..Trusted Domains: net-nucleus.com ([awbeta] https in Trusted sites)
O15 - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} http://ak.exe.imgfar...p1.0.0.15-3.cab (Reg Error: Key error.)
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} http://forms.real.co...ne_Inst_Win.cab (Reg Error: Key error.)
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} http://asp.mathxl.co...GenXInstall.cab (TTestGenXInstallObject)
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} http://disney.go.com...OnlineGames.cab (Disney Online Games ActiveX Control)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photo.walgree...eensActivia.cab (Snapfish Activia)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} http://asp.mathxl.co...nstallAsst2.cab (Pearson Installation Assistant 2)
O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} http://myitlab.pears...ces/ax/stub.cab (Enlite 2.x Simulation Engine Installer)
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} http://locator1.cdn....nnerInstall.cab (Reg Error: Key error.)
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} http://ak.imgag.com/...tall/AxCtp2.cab (Create & Print ActiveX Plug-in)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} http://asp.mathxl.co.../MathPlayer.cab (Pearson MathXL Player)
O16 - DPF: ActiveGS.cab http://www.virtualapple.org/gs.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.149,93.188.160.29
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{42AAA1A2-A41E-4C6B-BC89-B07492D6ECB3}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{42AAA1A2-A41E-4C6B-BC89-B07492D6ECB3}: NameServer = 93.188.162.149,93.188.160.29
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Filter\text/html {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) -Explorer.exe ()
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 13:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2007/10/28 13:21:56 | 000,000,794 | -H-- | M] () - E:\Autorun.inf -- [ FAT ]
O32 - AutoRun File - [2007/03/12 23:50:16 | 000,362,264 | -H-- | M] (Ceedo Technologies Ltd.) - E:\AutoDetect.exe -- [ FAT ]
O33 - MountPoints2\{fa1badeb-206d-11dd-b56a-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{fa1badeb-206d-11dd-b56a-00038a000015}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{fa1badeb-206d-11dd-b56a-00038a000015}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: pxcppsrv - (C:\WINDOWS\system32\audiinst.dll) - File not found
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: Nla - C:\WINDOWS\system32\mswsock.dll ()
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Error creating restore point.

========== Files/Folders - Created Within 30 Days ==========

[2012/01/16 11:19:10 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Ricky\Desktop\OTL.exe
[2012/01/16 10:48:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ricky\Desktop\RK_Quarantine
[2012/01/09 20:21:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/09/10 04:03:53 | 000,842,240 | ---- | C] (Heaventools Software) -- C:\Documents and Settings\All Users\Application Data\defender
[2011/08/31 14:54:19 | 000,842,240 | ---- | C] (Heaventools Software) -- C:\Documents and Settings\All Users\Application Data\defender.exe
[2009/02/16 18:25:01 | 000,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/16 10:49:01 | 000,111,872 | ---- | M] () -- C:\WINDOWS\System32\drivers\TrueSight.sys
[2012/01/16 10:41:37 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/16 10:41:33 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/16 10:41:33 | 000,000,000 | ---- | M] () -- C:\WINDOWS\3949259467
[2012/01/16 10:41:29 | 527,503,360 | -HS- | M] () -- C:\hiberfil.sys
[2012/01/16 10:38:12 | 000,787,456 | ---- | M] () -- C:\Documents and Settings\Ricky\Desktop\RogueKiller.exe
[2012/01/11 11:17:58 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ricky\Desktop\OTL.exe
[2012/01/11 09:43:30 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Ricky\Desktop\eXplorer.exe
[2012/01/11 09:39:48 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Ricky\Desktop\rkill.com
[2012/01/11 09:21:40 | 000,000,177 | ---- | M] () -- C:\Documents and Settings\Ricky\Desktop\rk-proxy.reg
[2012/01/10 08:26:01 | 000,492,506 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/01/10 08:26:01 | 000,090,526 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/01/16 10:48:19 | 000,111,872 | ---- | C] () -- C:\WINDOWS\System32\drivers\TrueSight.sys
[2012/01/16 10:47:55 | 000,787,456 | ---- | C] () -- C:\Documents and Settings\Ricky\Desktop\RogueKiller.exe
[2012/01/11 09:21:40 | 000,000,177 | ---- | C] () -- C:\Documents and Settings\Ricky\Desktop\rk-proxy.reg
[2012/01/11 09:19:41 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Ricky\Desktop\eXplorer.exe
[2012/01/11 09:19:18 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Ricky\Desktop\rkill.com
[2012/01/11 09:14:37 | 527,503,360 | -HS- | C] () -- C:\hiberfil.sys
[2011/08/31 14:54:28 | 004,194,304 | ---- | C] () -- C:\WINDOWS\System32\odetmngk.dll
[2011/06/15 05:18:58 | 000,016,806 | -HS- | C] () -- C:\Documents and Settings\Ricky\Local Settings\Application Data\rn18yk600c1cco7vj4
[2011/06/15 05:18:58 | 000,016,806 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\rn18yk600c1cco7vj4
[2010/07/30 02:54:34 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/03/05 14:28:57 | 000,009,728 | ---- | C] () -- C:\Documents and Settings\Ricky\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/03 07:37:02 | 000,067,072 | ---- | C] () -- C:\WINDOWS\System32\drivers\kungsflrpumxts.sys
[2009/05/02 07:37:44 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2008/02/13 20:22:46 | 000,000,071 | ---- | C] () -- C:\WINDOWS\pex.INI
[2008/02/13 20:15:16 | 000,000,151 | ---- | C] () -- C:\WINDOWS\Ulead32.ini
[2007/07/23 22:22:24 | 000,022,661 | ---- | C] () -- C:\WINDOWS\cookies.ini
[2007/07/16 21:18:01 | 000,000,353 | ---- | C] () -- C:\WINDOWS\retadpu.exe.bin
[2007/07/11 02:05:37 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2007/07/07 07:39:56 | 000,000,002 | ---- | C] () -- C:\WINDOWS\System32\wcpicomsv.exe
[2007/06/27 05:15:19 | 000,000,932 | ---- | C] () -- C:\WINDOWS\System32\winpfz32.sys
[2007/06/27 05:14:28 | 000,016,591 | ---- | C] () -- C:\WINDOWS\cs_cache.ini
[2006/11/08 19:07:43 | 000,000,028 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/10/26 18:19:20 | 000,000,004 | -H-- | C] () -- C:\WINDOWS\uccspecb.sys
[2006/02/01 19:34:29 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Ricky\Application Data\PFP120JPR.{PB
[2006/02/01 19:34:29 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Ricky\Application Data\PFP120JCM.{PB
[2006/01/04 18:40:45 | 000,000,881 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2005/12/30 11:37:47 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2005/12/03 21:39:06 | 000,000,010 | ---- | C] () -- C:\WINDOWS\smdat32m.sys
[2005/12/03 21:39:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\smdat32a.sys
[2005/12/01 21:25:15 | 000,002,516 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2005/12/01 21:25:15 | 000,000,056 | RHS- | C] () -- C:\WINDOWS\System32\0A354710AB.sys
[2005/11/29 14:28:02 | 000,000,021 | ---- | C] () -- C:\WINDOWS\PI_setup.ini
[2005/11/29 14:24:14 | 000,096,768 | ---- | C] () -- C:\WINDOWS\SlantAdj.dll
[2005/11/29 14:24:14 | 000,003,136 | ---- | C] () -- C:\WINDOWS\Ade001.bin
[2005/11/29 14:24:14 | 000,000,072 | ---- | C] () -- C:\WINDOWS\System32\epDPE.ini
[2005/11/29 14:21:20 | 000,000,182 | ---- | C] () -- C:\WINDOWS\System32\EBPPORT4.DAT
[2005/11/29 14:20:05 | 000,000,196 | ---- | C] () -- C:\WINDOWS\EPSONCX6400.ini
[2005/07/14 07:44:16 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/07/14 07:29:20 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/07/14 07:27:05 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2005/07/14 06:58:00 | 000,049,152 | ---- | C] () -- C:\WINDOWS\setpwrcg.exe
[2005/07/14 06:57:20 | 000,000,375 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/01/28 08:08:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/10 13:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 13:07:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/10 13:02:15 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/10 13:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 12:57:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/10 12:57:15 | 000,352,176 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/10 12:51:21 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/10 12:51:20 | 000,492,506 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/10 12:51:20 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/10 12:51:20 | 000,090,526 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/10 12:51:20 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/10 12:51:18 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/10 12:51:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/10 12:51:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/10 12:51:15 | 000,245,248 | ---- | C] () -- C:\WINDOWS\System32\mswsock.dll
[2004/08/10 12:51:12 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/10 12:51:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/10 12:51:05 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/10 12:50:56 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2002/03/13 16:46:46 | 000,053,248 | R--- | C] () -- C:\WINDOWS\System32\zlib.dll

========== LOP Check ==========

[2009/12/25 19:49:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\201CC
[2009/11/20 16:08:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2012/01/09 20:21:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2007/06/27 05:36:01 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Application Data\SalesMonitor
[2008/05/04 11:01:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2008/12/03 13:26:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2007/06/27 05:33:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007
[2007/07/07 07:24:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\NetMon
[2009/12/25 20:02:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\Dealio
[2005/12/01 21:19:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\Earthlink
[2005/12/05 21:57:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\EarthLink Toolbar
[2006/09/13 13:48:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\EPSON
[2007/10/28 10:36:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\FUJIFILM
[2005/11/29 14:34:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\Leadertech
[2011/08/12 18:36:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\Search Settings
[2007/07/29 20:08:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\Slide
[2006/04/04 17:03:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\Smart Panel
[2006/10/21 16:11:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\SmartDraw
[2007/09/27 18:46:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\Snapfish
[2007/02/09 19:43:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\SpamBlocker
[2007/01/21 21:43:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\SpamBlockerUtility_Icons
[2008/05/31 12:00:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\TAIT3
[2008/02/13 20:19:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\Ulead Systems
[2007/04/18 07:09:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\Viewpoint
[2006/10/18 18:11:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\WinAntiSpyware 2006
[2007/06/27 05:40:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\WinAntiSpyware 2007
[2009/12/28 19:45:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ricky\Application Data\bearsharetb
[2010/03/05 12:57:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ricky\Application Data\EPSON
[2010/10/28 21:59:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ricky\Application Data\FUJIFILM
[2010/07/08 23:33:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ricky\Application Data\Ifsun
[2005/11/29 20:08:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ricky\Application Data\Leadertech
[2010/07/14 01:33:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ricky\Application Data\Nyigyw
[2011/08/31 14:59:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ricky\Application Data\Search Settings
[2007/04/30 20:41:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ricky\Application Data\Smart Panel
[2010/07/21 03:39:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ricky\Application Data\Smilebox
[2007/01/31 21:05:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ricky\Application Data\SpamBlockerUtility_Icons
[2007/08/09 16:47:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ricky\Application Data\Viewpoint
[2006/10/23 14:59:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ricky\Application Data\WinAntiSpyware 2006

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2005/12/05 21:52:28 | 000,010,920 | ---- | M] () -- C:\aolconnfix.exe


< MD5 for: EXPLORER.EXE >
[2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
[2012/01/11 09:43:30 | 001,008,141 | ---- | M] () MD5=28C253A0212B221E96F6A17499B91651 -- C:\Documents and Settings\Ricky\Desktop\eXplorer.exe
[2011/01/16 15:55:21 | 000,255,488 | ---- | M] () MD5=3C33B26F2F7FA61D882515F2D6078691 -- C:\Documents and Settings\Ricky\Local Settings\Temp\RarSFX0\procs\explorer.exe
[2011/01/16 15:55:21 | 000,255,488 | ---- | M] () MD5=3C33B26F2F7FA61D882515F2D6078691 -- C:\Documents and Settings\Ricky\Local Settings\Temp\RarSFX1\procs\explorer.exe
[2011/01/16 15:55:21 | 000,255,488 | ---- | M] () MD5=3C33B26F2F7FA61D882515F2D6078691 -- C:\Documents and Settings\Ricky\Local Settings\Temp\RarSFX2\procs\explorer.exe
[2011/01/16 15:55:21 | 000,255,488 | ---- | M] () MD5=3C33B26F2F7FA61D882515F2D6078691 -- C:\Documents and Settings\Ricky\Local Settings\Temp\RarSFX3\procs\explorer.exe
[2011/01/16 15:55:21 | 000,255,488 | ---- | M] () MD5=3C33B26F2F7FA61D882515F2D6078691 -- C:\Documents and Settings\Ricky\Local Settings\Temp\RarSFX4\procs\explorer.exe
[2011/01/16 15:55:21 | 000,255,488 | ---- | M] () MD5=3C33B26F2F7FA61D882515F2D6078691 -- C:\Documents and Settings\Ricky\Local Settings\Temp\RarSFX5\procs\explorer.exe
[2007/06/13 06:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\explorer.exe
[2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\system32\dllcache\explorer.exe
[2004/08/04 05:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
[2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Documents and Settings\Ricky\Local Settings\Temp\RarSFX0\h\explorer.exe
[2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Documents and Settings\Ricky\Local Settings\Temp\RarSFX1\h\explorer.exe
[2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Documents and Settings\Ricky\Local Settings\Temp\RarSFX2\h\explorer.exe
[2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Documents and Settings\Ricky\Local Settings\Temp\RarSFX3\h\explorer.exe
[2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Documents and Settings\Ricky\Local Settings\Temp\RarSFX4\h\explorer.exe
[2005/08/16 01:54:58 | 000,001,536 | ---- | M] () MD5=ABC6379205DE2618851C4FCBF72112EB -- C:\Documents and Settings\Ricky\Local Settings\Temp\RarSFX5\h\explorer.exe

< MD5 for: SVCHOST.EXE >
[2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
[2004/08/04 05:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\system32\svchost.exe

< MD5 for: USERINIT.EXE >
[2004/08/04 05:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\system32\userinit.exe
[2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Documents and Settings\Ricky\Local Settings\Temp\RarSFX0\userinit.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Documents and Settings\Ricky\Local Settings\Temp\RarSFX1\userinit.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Documents and Settings\Ricky\Local Settings\Temp\RarSFX2\userinit.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Documents and Settings\Ricky\Local Settings\Temp\RarSFX3\userinit.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Documents and Settings\Ricky\Local Settings\Temp\RarSFX4\userinit.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Documents and Settings\Ricky\Local Settings\Temp\RarSFX5\userinit.exe

< MD5 for: WINLOGON.EXE >
[2004/08/04 05:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\system32\winlogon.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Documents and Settings\Ricky\Local Settings\Temp\RarSFX0\winlogon.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Documents and Settings\Ricky\Local Settings\Temp\RarSFX1\winlogon.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Documents and Settings\Ricky\Local Settings\Temp\RarSFX2\winlogon.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Documents and Settings\Ricky\Local Settings\Temp\RarSFX3\winlogon.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Documents and Settings\Ricky\Local Settings\Temp\RarSFX4\winlogon.exe
[2009/05/26 18:47:22 | 000,031,232 | ---- | M] (NirSoft) MD5=AC6094297CD882B8626466CDEB64F19F -- C:\Documents and Settings\Ricky\Local Settings\Temp\RarSFX5\winlogon.exe
[2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe

< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s >
"Type" = 1
"Start" = 1
"ErrorControl" = 1
"Tag" = 5
"ImagePath" = system32\DRIVERS\netbt.sys -- [2004/08/04 05:00:00 | 000,162,816 | ---- | M] (Microsoft Corporation)
"DisplayName" = NetBios over Tcpip
"Group" = PNP_TDI
"DependOnService" = Tcpip [binary data]
"DependOnGroup" = [binary data]
"Description" = NetBios over Tcpip
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Linkage]
"OtherDependencies" = Tcpip [binary data]
"Bind" = [Binary data over 100 bytes]
"Route" = [Binary data over 100 bytes]
"Export" = [Binary data over 100 bytes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters]
"NbProvider" = _tcp
"NameServerPort" = 137
"CacheTimeout" = 600000
"BcastNameQueryCount" = 3
"BcastQueryTimeout" = 750
"NameSrvQueryCount" = 3
"NameSrvQueryTimeout" = 1500
"Size/Small/Medium/Large" = 1
"SessionKeepAlive" = 3600000
"TransportBindName" = \Device\
"EnableLMHOSTS" = 1
"DhcpNodeType" = 8
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_{078510B6-55D8-4A81-AADB-FD5B2CD38B3A}]
"NameServerList" = [binary data]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_{2810EB22-763D-4D0C-9450-64BBD1758685}]
"NameServerList" = [binary data]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_{42AAA1A2-A41E-4C6B-BC89-B07492D6ECB3}]
"NameServerList" = [binary data]
"NetbiosOptions" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_{531D3D38-B38F-4A40-9052-52EFBA55506B}]
"NameServerList" = [binary data]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_{F9490C3D-B287-44DF-9035-70B6801B4E9A}]
"NameServerList" = [binary data]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Security]
"Security" = [Binary data over 100 bytes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Enum]
"0" = Root\LEGACY_NETBT\0000
"Count" = 1
"NextInstance" = 1

< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s >
"Type" = 2
"Start" = 1
"ErrorControl" = 1
"Tag" = 1
"ImagePath" = system32\DRIVERS\netbios.sys -- [2004/08/04 05:00:00 | 000,034,560 | ---- | M] (Microsoft Corporation)
"DisplayName" = NetBIOS Interface
"Group" = NetBIOSGroup
"Description" = NetBIOS Interface
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS\Linkage]
"LanaMap" = 01 00 00 01 00 02 00 03 00 04 [binary data]
"Bind" = [Binary data over 100 bytes]
"Route" = [Binary data over 100 bytes]
"Export" = [Binary data over 100 bytes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS\Parameters]
"MaxLana" = 4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS\Parameters\Winsock]
"HelperDllName" = %SystemRoot%\System32\wshnetbs.dll -- [2004/08/04 05:00:00 | 000,007,168 | ---- | M] (Microsoft Corporation)
"MaxSockAddrLength" = 20
"MinSockAddrLength" = 20
"Mapping" = 02 00 00 00 03 00 00 00 11 00 00 00 05 00 00 00 00 00 00 00 11 00 00 00 02 00 00 00 00 00 00 00 [binary data]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS\Security]
"Security" = [Binary data over 100 bytes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS\Enum]
"0" = Root\LEGACY_NETBIOS\0000
"Count" = 1
"NextInstance" = 1

< C:\Windows\assembly\tmp\U\*.* /s >

< %Temp%\smtmp\1\*.* >

< %Temp%\smtmp\2\*.* >

< %Temp%\smtmp\3\*.* >

< %Temp%\smtmp\4\*.* >

========== Files - Unicode (All) ==========
[2007/07/09 18:33:55 | 000,000,000 | ---D | M](C:\Documents and Settings\Mary Kay\Application Data\?ystem) -- C:\Documents and Settings\Mary Kay\Application Data\ѕystem

========== Alternate Data Streams ==========

@Alternate Data Stream - 816 bytes -> C:\WINDOWS\3949259467:873831188.exe

< End of report >


EXTRAS REPORT

OTL Extras logfile created on: 1/16/2012 11:49:37 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Ricky\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 292.06 Mb Available Physical Memory | 58.06% Memory free
4.37 Gb Paging File | 4.19 Gb Available in Paging File | 96.03% Paging File free
Paging file location(s): C:\pagefile.sys 4000 4025 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.04 Gb Total Space | 7.68 Gb Free Space | 22.56% Space Free | Partition Type: NTFS
Drive E: | 959.22 Mb Total Space | 894.92 Mb Free Space | 93.30% Space Free | Partition Type: FAT

Computer Name: FAMILY | User Name: Ricky | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-2379642614-4113044259-601262879-1007\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [FinePix] -- "C:\Program Files\FinePixViewer\FinePixViewer.exe" "%1" (FUJI PHOTO FILM CO.,LTD.)
Directory [FinePixPrint] -- "C:\Program Files\FinePixViewer\FinePixViewer.exe" /p "%1" (FUJI PHOTO FILM CO.,LTD.)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe:*:Enabled:AOL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" = C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Disabled:TaskPanl
"C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
"C:\WINDOWS\system32\spool\drivers\w32x86\3\SAGENT4.EXE" = C:\WINDOWS\system32\spool\drivers\w32x86\3\SAGENT4.EXE:*:Disabled:SAgent4 -- (SEIKO EPSON CORPORATION)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server
"C:\Program Files\Common Files\AOL\1169921979\ee\aolsoftware.exe" = C:\Program Files\Common Files\AOL\1169921979\ee\aolsoftware.exe:*:Enabled:AOL Shared Components
"C:\Documents and Settings\Mary Kay\Local Settings\Temp\~os1BA.tmp\ossproxy.exe" = C:\Documents and Settings\Mary Kay\Local Settings\Temp\~os1BA.tmp\ossproxy.exe:*:Enabled:ossproxy.exe
"C:\WINDOWS\system32\ijjbediw.exe" = C:\WINDOWS\system32\ijjb\wmdc.exe
"C:\Program Files\Blubster\Blubster.exe" = C:\Program Files\Blubster\Blubster.exe:*:Enabled:Blubster -- (MP2P Technologies.)
"C:\Program Files\BearShare Applications\BearShare\BearShare.exe" = C:\Program Files\BearShare Applications\BearShare\BearShare.exe:*:Disabled:BearShare
"C:\Program Files\Kazaa\kazaa.exe" = C:\Program Files\Kazaa\kazaa.exe:*:Disabled:Kazaa
"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Mozilla Firefox -- (Mozilla Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data
"{0B53B71D-9E2F-42B8-9123-96354872D166}" = EPSON Photo Print
"{0E0131B2-CF18-40D9-A331-60A3746C1204}" = EPSON Scan
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{24ED4D80-8294-11D5-96CD-0040266301AD}" = FinePixViewer Ver.4.2
"{26A24AE4-039D-4CA4-87B4-2F83216019FF}" = Java™ 6 Update 19
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{353D20CC-719B-4A60-AD33-D03F88C10330}" = Microsoft Office Accounting PayPal Addin
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{3877C2CD-F137-4144-BDB2-0A811492F920}" = Command
"{46614A49-222A-48EF-87A9-BFD603E608E1}" = Microsoft Office Accounting Fixed Asset Manager
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{5490882C-6961-11D5-BAE5-00E0188E010B}" = FUJIFILM USB Driver
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5F05C28D-DEA9-4AD6-A73A-064175988EAB}" = Search Settings v1.2.3
"{5FA793A6-0071-42C1-9355-8F69A428C44F}" = Microsoft Office Accounting ADP Payroll Addin
"{66C8BE35-8BBB-472B-96C7-C7C9A499F988}" = ArcSoft Software Suite
"{6C11D561-620B-47DA-A693-4C597F3CDF40}" = EPSON Smart Panel
"{6E179C77-7335-458D-9537-4F4EAC0181ED}" = Photo Click
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}" = Modem Event Monitor
"{89EE857B-8970-4F9F-AB58-A1C873AC72B3}" = Broadcom Management Programs
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{8C711818-076E-475C-B95B-DF11CD9D8DBE}" = Microsoft Office Accounting Equifax Addin
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{91120000-0014-0000-0000-0000000FF1CE}" = Microsoft Office Professional 2007
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{934E9442-D305-4ACF-AD87-A6C11D677CB9}" = ImageMixer VCD2 for FinePix
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A394E835-C8D6-4B4B-884B-D2709059F3BE}" = Network Monitor
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio
"{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}" = Dell Media Experience
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{AF06CAE4-C134-44B1-B699-14FBDB63BD37}" = Dell Picture Studio v3.0
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{B0717D5A-1976-482B-9ADF-F19631A541A4}" = Microsoft Office Accounting 2007
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D271DAE0-8D68-4C97-8356-A126D48A1D8C}" = Ulead Photo Explorer 8.0 SE Basic
"{EFA800BF-C5C8-46D1-B49D-13920D05417C}" = ESET NOD32 Antivirus
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Blubster" = Blubster 3.1.1
"Drumaxx" = Drumaxx
"EPSON Printer and Utilities" = EPSON Printer Software
"FL Studio 9" = FL Studio 9
"Hardcore" = Hardcore
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"IL Download Manager" = IL Download Manager
"InstallShield_{89EE857B-8970-4F9F-AB58-A1C873AC72B3}" = Broadcom Management Programs
"Intel® 537EP V9x DF PCI Modem" = Intel® 537EP V9x DF PCI Modem
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Office Accounting 2007" = Microsoft Office Accounting 2007
"Microsoft Office Accounting Equifax Addin" = Microsoft Office Accounting Equifax Addin
"Microsoft Office Accounting PayPal Addin" = Microsoft Office Accounting PayPal Addin
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Mozilla Firefox (3.6.18)" = Mozilla Firefox (3.6.18)
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OvMon" = Windows Overlay Components
"PoiZone" = PoiZone
"PROR" = Microsoft Office Professional 2007 Trial
"QIC UnInstall" = Insight Broadband QIC Service Activator
"QuickTime" = QuickTime
"RealArcade 1.2" = RealArcade
"RealPlayer 6.0" = RealPlayer Basic
"Sakura" = Sakura
"Sawer" = Sawer
"Viewpoint Manager" = Viewpoint Manager (Remove Only)
"ViewpointMediaPlayer" = Viewpoint Media Player
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2379642614-4113044259-601262879-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Smilebox" = Smilebox

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/11/2012 10:42:52 AM | Computer Name = FAMILY | Source = SecurityCenter | ID = 1802
Description = The Windows Security Center Service was unable to establish event
queries with WMI to monitor third party AntiVirus and Firewall.

Error - 1/11/2012 10:43:03 AM | Computer Name = FAMILY | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

Error - 1/11/2012 10:46:10 AM | Computer Name = FAMILY | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module unknown, version 0.0.0.0, fault address 0x001a624b.

Error - 1/12/2012 4:30:54 PM | Computer Name = FAMILY | Source = SQLWRITER | ID = 4
Description = SQL writer initialization error: the COM security cannot be initialized
[0x80010119].

Error - 1/12/2012 4:30:56 PM | Computer Name = FAMILY | Source = SecurityCenter | ID = 1802
Description = The Windows Security Center Service was unable to establish event
queries with WMI to monitor third party AntiVirus and Firewall.

Error - 1/12/2012 4:33:57 PM | Computer Name = FAMILY | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 1/16/2012 11:41:44 AM | Computer Name = FAMILY | Source = SQLWRITER | ID = 4
Description = SQL writer initialization error: the COM security cannot be initialized
[0x80010119].

Error - 1/16/2012 11:41:46 AM | Computer Name = FAMILY | Source = SecurityCenter | ID = 1802
Description = The Windows Security Center Service was unable to establish event
queries with WMI to monitor third party AntiVirus and Firewall.

Error - 1/16/2012 11:42:00 AM | Computer Name = FAMILY | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

Error - 1/16/2012 11:44:53 AM | Computer Name = FAMILY | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module unknown, version 0.0.0.0, fault address 0x001a624b.

[ System Events ]
Error - 1/16/2012 11:41:58 AM | Computer Name = FAMILY | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/16/2012 11:45:16 AM | Computer Name = FAMILY | Source = DCOM | ID = 10010
Description = The server {000C101C-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 1/16/2012 11:45:46 AM | Computer Name = FAMILY | Source = DCOM | ID = 10010
Description = The server {000C101C-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 1/16/2012 11:46:17 AM | Computer Name = FAMILY | Source = DCOM | ID = 10010
Description = The server {000C101C-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 1/16/2012 12:11:02 PM | Computer Name = FAMILY | Source = DCOM | ID = 10010
Description = The server {000C101C-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 1/16/2012 12:11:33 PM | Computer Name = FAMILY | Source = DCOM | ID = 10010
Description = The server {000C101C-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 1/16/2012 12:12:03 PM | Computer Name = FAMILY | Source = DCOM | ID = 10010
Description = The server {000C101C-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 1/16/2012 12:23:36 PM | Computer Name = FAMILY | Source = DCOM | ID = 10010
Description = The server {000C101C-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 1/16/2012 12:24:07 PM | Computer Name = FAMILY | Source = DCOM | ID = 10010
Description = The server {000C101C-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 1/16/2012 12:24:37 PM | Computer Name = FAMILY | Source = DCOM | ID = 10010
Description = The server {000C101C-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.


< End of report >


Preparing to run aswMBR.exe

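As an added example (not part of this thread and not OTL's own code), here is a small Python triage script for entries in the "Authorized Applications List" format shown in the log above. Windows Firewall stores each value as `path:scope:state:description`, so a value that is missing that structure, a key path that differs from the value path, or an executable living under a Temp directory is worth a second look before trusting the exception. The sample entries are constructed from the format above, and the heuristics are the editor's, not OTL's; they mark entries for review, not as verdicts.

```python
"""Triage of Windows XP firewall AuthorizedApplications entries.

Added example for this thread; it is not part of OTL. The heuristics are
the editor's own and only mark entries for review.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the format OTL prints for the Authorized Applications list.
SAMPLE_ENTRIES = r'''
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Mozilla Firefox -- (Mozilla Corporation)
"C:\Documents and Settings\Mary Kay\Local Settings\Temp\~os1BA.tmp\ossproxy.exe" = C:\Documents and Settings\Mary Kay\Local Settings\Temp\~os1BA.tmp\ossproxy.exe:*:Enabled:ossproxy.exe
"C:\WINDOWS\system32\ijjbediw.exe" = C:\WINDOWS\system32\ijjb\wmdc.exe
"C:\Program Files\Kazaa\kazaa.exe" = C:\Program Files\Kazaa\kazaa.exe:*:Disabled:Kazaa
'''

# "<key>" = <value>
ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"\s*=\s*(?P<value>.+)$')
# Windows Firewall stores each value as path:scope:state:description. The
# scope is "*" or a host list and the state is Enabled or Disabled.
VALUE_RE = re.compile(
    r'^(?P<path>[A-Za-z]:\\[^:]*):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<desc>.*)$'
)


@dataclass
class Finding:
    key: str
    reasons: List[str] = field(default_factory=list)


def triage_entry(line: str) -> Optional[Finding]:
    """Return a Finding for one entry, or None if it looks ordinary."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None  # blank line or something that is not an entry
    key, value = m.group("key"), m.group("value")
    reasons = []
    vm = VALUE_RE.match(value)
    if vm is None:
        reasons.append("value lacks the path:scope:state:description structure")
        path = value
    else:
        path = vm.group("path")
    if path.lower() != key.lower():
        reasons.append("key path and value path differ")
    if "\\temp\\" in path.lower():
        reasons.append("executable lives under a Temp directory")
    return Finding(key, reasons) if reasons else None


def triage(text: str) -> List[Finding]:
    """Run triage_entry over a block of entries and keep only flagged ones."""
    findings = []
    for line in text.splitlines():
        f = triage_entry(line)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES):
        print(f.key)
        for r in f.reasons:
            print("   -", r)
```

Run against the constructed sample it flags two of the four entries; a Disabled exception such as the Kazaa one is left alone, since the state itself is not a reason for suspicion.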

#5
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
Hi, this is actually a ZeroAccess-type rootkit; it generates the Blaster worm warning as a way of getting you to buy the rogue. You do not have Blaster. I will kill the main part first and then remove the residue.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • Allow the installation of the recovery console
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If, after the reboot, you get errors about programmes being marked for deletion, then reboot; that will cure it.



Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

#6
LArnett
    Member
  • Topic Starter
  • Member
  • 41 posts
I had problems running the ComboFix at first. I had to run the rkill program before it would run. Finally ran ComboFix, but I couldn't find the log it created. When it finished it left a blank green CMD screen open.

Windows programs, or most programs, would still open with a Windows Install popping up first for 3-5 min.

Searched for the ComboFix file and it wouldn't even open after the Windows Install popup.

Still getting the System Error message about having the maximum number of secrets .... after reboot.

I was busy running aswMBR when you responded, so I have that log if you need it.

aswMBR log

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-16 14:03:57
-----------------------------
14:03:57.000 OS Version: Windows 5.1.2600 Service Pack 2
14:03:57.000 Number of processors: 1 586 0x209
14:03:57.000 ComputerName: FAMILY UserName: Ricky
14:03:57.546 Initialize success
14:04:29.750 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
14:04:29.750 Disk 0 Vendor: ST340014A 8.16 Size: 38146MB BusType: 3
14:04:29.750 Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST340014A_______________________________8.16____#4a354b5858374857202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
14:04:29.750 Device \Driver\atapi -> DriverStartIo 832f0aea
14:04:29.781 Disk 0 MBR read successfully
14:04:29.781 Disk 0 MBR scan
14:04:29.781 Disk 0 unknown MBR code
14:04:29.781 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 31 MB offset 63
14:04:29.781 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 34859 MB offset 64260
14:04:29.812 Disk 0 Partition 3 00 DB CP/M / CTOS MSWIN4.1 3247 MB offset 71457120
14:04:29.812 Disk 0 scanning sectors +78108030
14:04:29.875 Disk 0 scanning C:\WINDOWS\system32\drivers
14:04:42.218 File: C:\WINDOWS\system32\drivers\imapi.sys TDL3 **ROOTKIT**
14:04:45.921 File: C:\WINDOWS\system32\drivers\intelide.sys TDL3 **ROOTKIT**
14:04:50.296 Disk 0 trace - called modules:
14:04:50.328 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x83122530]<<
14:04:50.328 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x83391ab8]
14:04:50.343 3 CLASSPNP.SYS[f884305b] -> nt!IofCallDriver -> [0x831127d0]
14:04:50.343 \Driver\00001550[0x8310fda0] -> IRP_MJ_CREATE -> 0x83122530
14:04:50.343 Scan finished successfully
14:06:42.281 Disk 0 MBR has been saved successfully to "E:\Computer Repair Progs\aswMBR\MBR.dat"
14:06:42.359 The log file has been saved successfully to "E:\Computer Repair Progs\aswMBR\aswMBR1.txt"

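Added example, not part of this thread and not aswMBR's own code: a Python summary of an aswMBR log in the format posted above. It pulls out the files aswMBR tagged **ROOTKIT**, notes an "unknown MBR code" result, collects the addresses in the call trace that aswMBR could not attribute to a known module, and lists the IRP dispatch entries that point at those addresses. That last combination is what the log above shows: the IRP_MJ_CREATE dispatch of an unnamed driver object points at the same address that appears as >>UNKNOWN<< in the disk stack trace. The sample lines are a constructed subset copied from the format above; the parsing and the grouping are the editor's.

```python
"""Summarise an aswMBR scan log.

Added example for this thread; it is not part of aswMBR. The sample below
is a constructed subset of lines in the format the posted log uses.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

SAMPLE_LOG = r"""
14:04:29.781 Disk 0 MBR read successfully
14:04:29.781 Disk 0 MBR scan
14:04:29.781 Disk 0 unknown MBR code
14:04:29.875 Disk 0 scanning C:\WINDOWS\system32\drivers
14:04:42.218 File: C:\WINDOWS\system32\drivers\imapi.sys TDL3 **ROOTKIT**
14:04:45.921 File: C:\WINDOWS\system32\drivers\intelide.sys TDL3 **ROOTKIT**
14:04:50.296 Disk 0 trace - called modules:
14:04:50.328 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x83122530]<<
14:04:50.328 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x83391ab8]
14:04:50.343 3 CLASSPNP.SYS[f884305b] -> nt!IofCallDriver -> [0x831127d0]
14:04:50.343 \Driver\00001550[0x8310fda0] -> IRP_MJ_CREATE -> 0x83122530
14:04:50.343 Scan finished successfully
"""

TS = r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+"  # leading HH:MM:SS.mmm timestamp
# "File: <path> <family> **ROOTKIT**"
FILE_RE = re.compile(TS + r"File:\s+(?P<path>\S+)\s+(?P<family>\S+)\s+\*\*ROOTKIT\*\*$")
MBR_RE = re.compile(TS + r"Disk \d+ unknown MBR code$")
# Trace entry aswMBR could not attribute to a loaded module
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9a-fA-F]+)\]<<")
# "\Driver\<name>[<object>] -> IRP_MJ_xxx -> <target address>"
HOOK_RE = re.compile(
    TS + r"(?P<driver>\\Driver\\\S+?)\[0x[0-9a-fA-F]+\]\s+->\s+(?P<irp>IRP_MJ_\w+)\s+->\s+(?P<target>0x[0-9a-fA-F]+)$"
)


@dataclass
class AswMbrSummary:
    rootkit_files: List[Tuple[str, str]] = field(default_factory=list)  # (path, family)
    unknown_mbr: bool = False
    unknown_modules: List[str] = field(default_factory=list)  # addresses with no known owner
    dispatch_hooks: List[Tuple[str, str, str]] = field(default_factory=list)  # (driver, IRP, target)

    def hooks_into_unknown(self) -> List[Tuple[str, str, str]]:
        """Dispatch entries whose target is an address no known module owns."""
        return [h for h in self.dispatch_hooks if h[2] in self.unknown_modules]


def summarize(log: str) -> AswMbrSummary:
    """Walk the log once and collect the four kinds of finding."""
    s = AswMbrSummary()
    for raw in log.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            s.rootkit_files.append((m.group("path"), m.group("family")))
            continue
        if MBR_RE.match(line):
            s.unknown_mbr = True
            continue
        m = UNKNOWN_RE.search(line)
        if m and m.group("addr") not in s.unknown_modules:
            s.unknown_modules.append(m.group("addr"))
            continue
        m = HOOK_RE.match(line)
        if m:
            s.dispatch_hooks.append((m.group("driver"), m.group("irp"), m.group("target")))
    return s


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for path, family in summary.rootkit_files:
        print("rootkit file:", path, family)
    print("unknown MBR code:", summary.unknown_mbr)
    for driver, irp, target in summary.hooks_into_unknown():
        print("dispatch into unknown module:", driver, irp, target)
```

The "unknown MBR code" flag on its own is only a prompt to compare the saved MBR.dat against a known-good one, not a verdict; the stronger signal in a log like this is the dispatch entry that lands in an address aswMBR could not name, together with the two driver files it tagged.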

#7
Essexboy
    GeekU Moderator
  • Retired Staff
  • 69,964 posts
OK, let's kill the TDL3 that has been revealed first.

Download RogueKiller to your desktop

  • Quit all running programs
  • For Vista/Seven, right-click -> Run as administrator; for XP, simply run RogueKiller.exe
  • When prompted, type 2 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next reply.

THEN

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.

FINALLY

Now retry ComboFix, please.

#8
LArnett
    Member
  • Topic Starter
  • Member
  • 41 posts
Ran TDSSKiller and here are the results:

16:41:33.0078 2948 TDSS rootkit removing tool 2.7.2.0 Jan 14 2012 20:07:30
16:41:35.0109 2948 ============================================================
16:41:35.0109 2948 Current date / time: 2012/01/16 16:41:35.0109
16:41:35.0109 2948 SystemInfo:
16:41:35.0109 2948
16:41:35.0109 2948 OS Version: 5.1.2600 ServicePack: 2.0
16:41:35.0109 2948 Product type: Workstation
16:41:35.0109 2948 ComputerName: FAMILY
16:41:35.0109 2948 UserName: Ricky
16:41:35.0109 2948 Windows directory: C:\WINDOWS
16:41:35.0109 2948 System windows directory: C:\WINDOWS
16:41:35.0109 2948 Processor architecture: Intel x86
16:41:35.0109 2948 Number of processors: 1
16:41:35.0109 2948 Page size: 0x1000
16:41:35.0109 2948 Boot type: Normal boot
16:41:35.0109 2948 ============================================================
16:41:36.0656 2948 Drive \Device\Harddisk0\DR0 - Size: 0x9502F9000, SectorSize: 0x200, Cylinders: 0x12FF, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K', Flags 0x00000054
16:41:36.0671 2948 Drive \Device\Harddisk1\DR6 - Size: 0x3BF80000, SectorSize: 0x200, Cylinders: 0x7A, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
16:41:36.0718 2948 Initialize success
16:42:27.0640 1872 ============================================================
16:42:27.0640 1872 Scan started
16:42:27.0640 1872 Mode: Manual; SigCheck; TDLFS;
16:42:27.0640 1872 ============================================================
16:42:27.0968 1872 Abiosdsk - ok
16:42:28.0046 1872 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
16:42:36.0531 1872 abp480n5 - ok
16:42:36.0687 1872 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
16:42:36.0937 1872 ACPI - ok
16:42:37.0078 1872 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
16:42:37.0312 1872 ACPIEC - ok
16:42:37.0468 1872 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
16:42:37.0687 1872 adpu160m - ok
16:42:37.0843 1872 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
16:42:38.0468 1872 aec - ok
16:42:38.0593 1872 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
16:42:38.0656 1872 AFD - ok
16:42:38.0796 1872 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
16:42:39.0015 1872 agp440 - ok
16:42:39.0171 1872 agpCPQ (67288b07d6aba6c1267b626e67bc56fd) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
16:42:39.0421 1872 agpCPQ - ok
16:42:39.0562 1872 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
16:42:39.0687 1872 Aha154x - ok
16:42:39.0843 1872 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
16:42:40.0062 1872 aic78u2 - ok
16:42:40.0234 1872 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
16:42:40.0500 1872 aic78xx - ok
16:42:40.0656 1872 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
16:42:40.0906 1872 AliIde - ok
16:42:41.0062 1872 alim1541 (f312b7cef21eff52fa23056b9d815fad) C:\WINDOWS\system32\DRIVERS\alim1541.sys
16:42:41.0296 1872 alim1541 - ok
16:42:41.0359 1872 amdagp (675c16a3c1f8482f85ee4a97fc0dde3d) C:\WINDOWS\system32\DRIVERS\amdagp.sys
16:42:41.0609 1872 amdagp - ok
16:42:41.0734 1872 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
16:42:41.0890 1872 amsint - ok
16:42:42.0015 1872 ApiMon - ok
16:42:42.0109 1872 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
16:42:42.0359 1872 asc - ok
16:42:42.0515 1872 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
16:42:42.0640 1872 asc3350p - ok
16:42:42.0781 1872 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
16:42:43.0000 1872 asc3550 - ok
16:42:43.0078 1872 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
16:42:43.0093 1872 ASCTRM ( UnsignedFile.Multi.Generic ) - warning
16:42:43.0093 1872 ASCTRM - detected UnsignedFile.Multi.Generic (1)
16:42:43.0359 1872 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
16:42:43.0703 1872 AsyncMac - ok
16:42:43.0828 1872 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
16:42:44.0046 1872 atapi - ok
16:42:44.0187 1872 Atdisk - ok
16:42:44.0578 1872 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
16:42:45.0500 1872 Atmarpc - ok
16:42:45.0593 1872 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
16:42:45.0593 1872 audstub ( UnsignedFile.Multi.Generic ) - warning
16:42:45.0593 1872 audstub - detected UnsignedFile.Multi.Generic (1)
16:42:45.0734 1872 bcm4sbxp (b60f57b4d9cdbc663cc03eb8af7ec34e) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
16:42:45.0750 1872 bcm4sbxp ( UnsignedFile.Multi.Generic ) - warning
16:42:45.0750 1872 bcm4sbxp - detected UnsignedFile.Multi.Generic (1)
16:42:45.0812 1872 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
16:42:45.0812 1872 Beep ( UnsignedFile.Multi.Generic ) - warning
16:42:45.0812 1872 Beep - detected UnsignedFile.Multi.Generic (1)
16:42:45.0906 1872 BVRPMPR5 (248dfa5762dde38dfddbbd44149e9d7a) C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
16:42:45.0906 1872 BVRPMPR5 ( UnsignedFile.Multi.Generic ) - warning
16:42:45.0906 1872 BVRPMPR5 - detected UnsignedFile.Multi.Generic (1)
16:42:46.0000 1872 cbea64eb (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\3949259467:873831188.exe
16:42:46.0000 1872 Suspicious file (Hidden): C:\WINDOWS\3949259467:873831188.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
16:42:46.0000 1872 cbea64eb ( Rootkit.Win32.PMax.gen ) - infected
16:42:46.0000 1872 cbea64eb - detected Rootkit.Win32.PMax.gen (0)
16:42:46.0171 1872 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
16:42:46.0171 1872 cbidf ( UnsignedFile.Multi.Generic ) - warning
16:42:46.0171 1872 cbidf - detected UnsignedFile.Multi.Generic (1)
16:42:46.0218 1872 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
16:42:46.0234 1872 cbidf2k ( UnsignedFile.Multi.Generic ) - warning
16:42:46.0234 1872 cbidf2k - detected UnsignedFile.Multi.Generic (1)
16:42:46.0296 1872 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
16:42:46.0296 1872 cd20xrnt ( UnsignedFile.Multi.Generic ) - warning
16:42:46.0296 1872 cd20xrnt - detected UnsignedFile.Multi.Generic (1)
16:42:46.0421 1872 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
16:42:46.0421 1872 Cdaudio ( UnsignedFile.Multi.Generic ) - warning
16:42:46.0421 1872 Cdaudio - detected UnsignedFile.Multi.Generic (1)
16:42:46.0515 1872 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
16:42:46.0531 1872 Cdfs ( UnsignedFile.Multi.Generic ) - warning
16:42:46.0531 1872 Cdfs - detected UnsignedFile.Multi.Generic (1)
16:42:46.0578 1872 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
16:42:46.0593 1872 Cdrom ( UnsignedFile.Multi.Generic ) - warning
16:42:46.0593 1872 Cdrom - detected UnsignedFile.Multi.Generic (1)
16:42:46.0625 1872 Changer - ok
16:42:46.0718 1872 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
16:42:46.0718 1872 CmdIde ( UnsignedFile.Multi.Generic ) - warning
16:42:46.0718 1872 CmdIde - detected UnsignedFile.Multi.Generic (1)
16:42:46.0796 1872 core - ok
16:42:46.0906 1872 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
16:42:46.0906 1872 Cpqarray ( UnsignedFile.Multi.Generic ) - warning
16:42:46.0906 1872 Cpqarray - detected UnsignedFile.Multi.Generic (1)
16:42:47.0015 1872 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
16:42:47.0031 1872 dac2w2k ( UnsignedFile.Multi.Generic ) - warning
16:42:47.0031 1872 dac2w2k - detected UnsignedFile.Multi.Generic (1)
16:42:47.0078 1872 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
16:42:47.0093 1872 dac960nt ( UnsignedFile.Multi.Generic ) - warning
16:42:47.0093 1872 dac960nt - detected UnsignedFile.Multi.Generic (1)
16:42:47.0187 1872 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
16:42:47.0203 1872 Disk ( UnsignedFile.Multi.Generic ) - warning
16:42:47.0203 1872 Disk - detected UnsignedFile.Multi.Generic (1)
16:42:47.0390 1872 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
16:42:47.0453 1872 dmboot ( UnsignedFile.Multi.Generic ) - warning
16:42:47.0453 1872 dmboot - detected UnsignedFile.Multi.Generic (1)
16:42:47.0609 1872 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
16:42:47.0625 1872 dmio ( UnsignedFile.Multi.Generic ) - warning
16:42:47.0625 1872 dmio - detected UnsignedFile.Multi.Generic (1)
16:42:47.0687 1872 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
16:42:47.0703 1872 dmload ( UnsignedFile.Multi.Generic ) - warning
16:42:47.0703 1872 dmload - detected UnsignedFile.Multi.Generic (1)
16:42:47.0796 1872 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
16:42:47.0796 1872 DMusic ( UnsignedFile.Multi.Generic ) - warning
16:42:47.0796 1872 DMusic - detected UnsignedFile.Multi.Generic (1)
16:42:47.0968 1872 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
16:42:47.0968 1872 dpti2o ( UnsignedFile.Multi.Generic ) - warning
16:42:47.0968 1872 dpti2o - detected UnsignedFile.Multi.Generic (1)
16:42:48.0046 1872 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
16:42:48.0062 1872 drmkaud ( UnsignedFile.Multi.Generic ) - warning
16:42:48.0062 1872 drmkaud - detected UnsignedFile.Multi.Generic (1)
16:42:48.0187 1872 drvmcdb (e814854e6b246ccf498874839ab64d77) C:\WINDOWS\system32\drivers\drvmcdb.sys
16:42:48.0203 1872 drvmcdb ( UnsignedFile.Multi.Generic ) - warning
16:42:48.0203 1872 drvmcdb - detected UnsignedFile.Multi.Generic (1)
16:42:48.0343 1872 drvnddm (ee83a4ebae70bc93cf14879d062f548b) C:\WINDOWS\system32\drivers\drvnddm.sys
16:42:48.0343 1872 drvnddm ( UnsignedFile.Multi.Generic ) - warning
16:42:48.0343 1872 drvnddm - detected UnsignedFile.Multi.Generic (1)
16:42:48.0421 1872 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
16:42:48.0437 1872 E100B ( UnsignedFile.Multi.Generic ) - warning
16:42:48.0437 1872 E100B - detected UnsignedFile.Multi.Generic (1)
16:42:48.0500 1872 eamon (30372bcc67d63bee538cdfeca755d81c) C:\WINDOWS\system32\DRIVERS\eamon.sys
16:43:09.0031 1872 eamon - ok
16:43:09.0171 1872 ehdrv (6504d6afb75fef830dd99e8c4235d54d) C:\WINDOWS\system32\DRIVERS\ehdrv.sys
16:43:09.0218 1872 ehdrv - ok
16:43:09.0375 1872 epfwtdir (ad414acda67d3020f7a04fb9c8621f01) C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
16:43:09.0406 1872 epfwtdir - ok
16:43:09.0531 1872 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
16:43:10.0796 1872 Fastfat - ok
16:43:11.0000 1872 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
16:43:11.0265 1872 Fdc - ok
16:43:11.0390 1872 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
16:43:11.0609 1872 Fips - ok
16:43:11.0781 1872 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
16:43:12.0015 1872 Flpydisk - ok
16:43:12.0093 1872 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
16:43:12.0765 1872 FltMgr - ok
16:43:12.0890 1872 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
16:43:13.0125 1872 Fs_Rec - ok
16:43:13.0203 1872 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
16:43:13.0437 1872 Ftdisk - ok
16:43:13.0593 1872 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
16:43:13.0828 1872 Gpc - ok
16:43:13.0921 1872 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
16:43:14.0140 1872 HidUsb - ok
16:43:14.0296 1872 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
16:43:14.0515 1872 hpn - ok
16:43:14.0671 1872 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
16:43:14.0734 1872 HTTP - ok
16:43:14.0890 1872 i2omgmt (8f09f91b5c91363b77bcd15599570f2c) C:\WINDOWS\system32\drivers\i2omgmt.sys
16:43:15.0078 1872 i2omgmt - ok
16:43:15.0234 1872 i2omp (ed6bf9e441fdea13292a6d30a64a24c3) C:\WINDOWS\system32\DRIVERS\i2omp.sys
16:43:15.0437 1872 i2omp - ok
16:43:15.0578 1872 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
16:43:15.0796 1872 i8042prt - ok
16:43:15.0921 1872 ialm (44b7d5a4f2bd9fe21aea0bb0bace38c4) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
16:43:16.0046 1872 ialm - ok
16:43:16.0203 1872 Imapi (3168616c8b6a082b914f8e69f61a0160) C:\WINDOWS\system32\DRIVERS\imapi.sys
16:43:16.0203 1872 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\imapi.sys. Real md5: 3168616c8b6a082b914f8e69f61a0160, Fake md5: f8aa320c6a0409c0380e5d8a99d76ec6
16:43:16.0203 1872 Imapi ( Rootkit.Win32.ZAccess.e ) - infected
16:43:16.0203 1872 Imapi - detected Rootkit.Win32.ZAccess.e (0)
16:43:16.0265 1872 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
16:43:16.0484 1872 ini910u - ok
16:43:16.0671 1872 IntelC51 (7509c548400f4c9e0211e3f6e66abbe6) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
16:43:16.0781 1872 IntelC51 - ok
16:43:16.0953 1872 IntelC52 (9584ffdd41d37f2c239681d0dac2513e) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
16:43:17.0031 1872 IntelC52 - ok
16:43:17.0156 1872 IntelC53 (cf0b937710cec6ef39416edecd803cbb) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
16:43:17.0203 1872 IntelC53 - ok
16:43:17.0359 1872 IntelIde (a76dfe8d0a2bb7acfc7dced7f396d923) C:\WINDOWS\system32\DRIVERS\intelide.sys
16:43:17.0359 1872 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\intelide.sys. Real md5: a76dfe8d0a2bb7acfc7dced7f396d923, Fake md5: 2d722b2b54ab55b2fa475eb58d7b2aad
16:43:17.0359 1872 IntelIde ( Rootkit.Win32.TDSS.tdl3 ) - infected
16:43:17.0359 1872 IntelIde - detected Rootkit.Win32.TDSS.tdl3 (0)
16:43:17.0515 1872 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
16:43:17.0718 1872 intelppm - ok
16:43:17.0890 1872 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
16:43:18.0078 1872 Ip6Fw - ok
16:43:18.0234 1872 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
16:43:18.0437 1872 IpFilterDriver - ok
16:43:18.0484 1872 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
16:43:18.0703 1872 IpInIp - ok
16:43:18.0859 1872 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
16:43:19.0562 1872 IpNat - ok
16:43:19.0718 1872 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
16:43:19.0953 1872 IPSec - ok
16:43:20.0031 1872 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
16:43:20.0156 1872 IRENUM - ok
16:43:20.0328 1872 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
16:43:20.0546 1872 isapnp - ok
16:43:20.0687 1872 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
16:43:20.0906 1872 Kbdclass - ok
16:43:21.0046 1872 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
16:43:21.0265 1872 kbdhid - ok
16:43:21.0406 1872 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
16:43:22.0109 1872 kmixer - ok
16:43:22.0250 1872 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
16:43:22.0328 1872 KSecDD - ok
16:43:22.0453 1872 lbrtfdc - ok
16:43:22.0578 1872 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
16:43:22.0765 1872 mnmdd - ok
16:43:22.0843 1872 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
16:43:23.0046 1872 Modem - ok
16:43:23.0203 1872 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
16:43:23.0406 1872 MODEMCSA - ok
16:43:23.0546 1872 mohfilt (59b8b11ff70728eec60e72131c58b716) C:\WINDOWS\system32\DRIVERS\mohfilt.sys
16:43:23.0578 1872 mohfilt - ok
16:43:23.0718 1872 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
16:43:23.0937 1872 Mouclass - ok
16:43:24.0078 1872 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
16:43:24.0296 1872 mouhid - ok
16:43:24.0468 1872 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
16:43:24.0671 1872 MountMgr - ok
16:43:24.0750 1872 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
16:43:24.0953 1872 mraid35x - ok
16:43:25.0093 1872 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
16:43:25.0812 1872 MRxDAV - ok
16:43:25.0984 1872 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
16:43:26.0093 1872 MRxSmb - ok
16:43:26.0250 1872 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
16:43:26.0468 1872 Msfs - ok
16:43:26.0562 1872 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
16:43:26.0765 1872 MSKSSRV - ok
16:43:26.0937 1872 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
16:43:27.0140 1872 MSPCLOCK - ok
16:43:27.0296 1872 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
16:43:27.0500 1872 MSPQM - ok
16:43:27.0656 1872 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
16:43:27.0843 1872 mssmbios - ok
16:43:28.0015 1872 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
16:43:28.0218 1872 Mup - ok
16:43:28.0265 1872 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
16:43:28.0468 1872 NDIS - ok
16:43:28.0593 1872 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
16:43:28.0796 1872 NdisTapi - ok
16:43:28.0968 1872 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
16:43:29.0171 1872 Ndisuio - ok
16:43:29.0234 1872 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
16:43:29.0421 1872 NdisWan - ok
16:43:29.0546 1872 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
16:43:29.0734 1872 NDProxy - ok
16:43:29.0906 1872 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
16:43:30.0109 1872 NetBIOS - ok
16:43:30.0171 1872 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
16:43:30.0375 1872 NetBT - ok
16:43:30.0562 1872 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
16:43:30.0765 1872 Npfs - ok
16:43:30.0843 1872 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
16:43:31.0625 1872 Ntfs - ok
16:43:31.0765 1872 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
16:43:31.0968 1872 Null - ok
16:43:32.0140 1872 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
16:43:32.0500 1872 nv - ok
16:43:32.0656 1872 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
16:43:32.0859 1872 NwlnkFlt - ok
16:43:32.0937 1872 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
16:43:33.0125 1872 NwlnkFwd - ok
16:43:33.0296 1872 omci (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys
16:43:33.0312 1872 omci ( UnsignedFile.Multi.Generic ) - warning
16:43:33.0312 1872 omci - detected UnsignedFile.Multi.Generic (1)
16:43:33.0500 1872 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
16:43:33.0703 1872 Parport - ok
16:43:33.0750 1872 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
16:43:33.0953 1872 PartMgr - ok
16:43:34.0109 1872 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
16:43:34.0312 1872 ParVdm - ok
16:43:34.0406 1872 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
16:43:34.0593 1872 PCI - ok
16:43:34.0703 1872 PCIDump - ok
16:43:34.0796 1872 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
16:43:34.0984 1872 PCIIde - ok
16:43:35.0140 1872 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
16:43:35.0343 1872 Pcmcia - ok
16:43:35.0468 1872 PDCOMP - ok
16:43:35.0531 1872 PDFRAME - ok
16:43:35.0578 1872 PDRELI - ok
16:43:35.0625 1872 PDRFRAME - ok
16:43:35.0703 1872 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
16:43:35.0906 1872 perc2 - ok
16:43:36.0031 1872 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
16:43:36.0234 1872 perc2hib - ok
16:43:36.0453 1872 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
16:43:36.0656 1872 PptpMiniport - ok
16:43:36.0828 1872 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
16:43:37.0046 1872 PSched - ok
16:43:37.0187 1872 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
16:43:37.0375 1872 Ptilink - ok
16:43:37.0500 1872 PxHelp20 (7c81ae3c9b82ba2da437ed4d31bc56cf) C:\WINDOWS\system32\Drivers\PxHelp20.sys
16:43:37.0515 1872 PxHelp20 ( UnsignedFile.Multi.Generic ) - warning
16:43:37.0515 1872 PxHelp20 - detected UnsignedFile.Multi.Generic (1)
16:43:37.0656 1872 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
16:43:37.0875 1872 ql1080 - ok
16:43:38.0015 1872 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
16:43:38.0218 1872 Ql10wnt - ok
16:43:38.0375 1872 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
16:43:38.0562 1872 ql12160 - ok
16:43:38.0718 1872 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
16:43:38.0906 1872 ql1240 - ok
16:43:39.0062 1872 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
16:43:39.0265 1872 ql1280 - ok
16:43:39.0406 1872 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
16:43:39.0625 1872 RasAcd - ok
16:43:39.0687 1872 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
16:43:39.0890 1872 Rasl2tp - ok
16:43:40.0062 1872 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
16:43:40.0250 1872 RasPppoe - ok
16:43:40.0296 1872 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
16:43:40.0500 1872 Raspti - ok
16:43:40.0625 1872 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
16:43:41.0343 1872 Rdbss - ok
16:43:41.0453 1872 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
16:43:41.0656 1872 RDPCDD - ok
16:43:41.0828 1872 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
16:43:42.0031 1872 rdpdr - ok
16:43:42.0187 1872 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
16:43:42.0921 1872 RDPWD - ok
16:43:43.0062 1872 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
16:43:43.0250 1872 redbook - ok
16:43:43.0453 1872 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
16:43:44.0203 1872 Secdrv - ok
16:43:44.0390 1872 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
16:43:44.0515 1872 senfilt - ok
16:43:44.0671 1872 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
16:43:44.0875 1872 serenum - ok
16:43:44.0906 1872 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
16:43:45.0125 1872 Serial - ok
16:43:45.0312 1872 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
16:43:45.0515 1872 Sfloppy - ok
16:43:45.0593 1872 Simbad - ok
16:43:45.0656 1872 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\system32\DRIVERS\sisagp.sys
16:43:45.0843 1872 sisagp - ok
16:43:46.0015 1872 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
16:43:46.0062 1872 smwdm - ok
16:43:46.0140 1872 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
16:43:46.0312 1872 Sparrow - ok
16:43:46.0468 1872 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
16:43:47.0281 1872 splitter - ok
16:43:47.0468 1872 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
16:43:47.0593 1872 sr - ok
16:43:47.0750 1872 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
16:43:47.0859 1872 Srv - ok
16:43:47.0984 1872 sscdbhk5 (d7968049be0adbb6a57cee3960320911) C:\WINDOWS\system32\drivers\sscdbhk5.sys
16:43:48.0000 1872 sscdbhk5 ( UnsignedFile.Multi.Generic ) - warning
16:43:48.0000 1872 sscdbhk5 - detected UnsignedFile.Multi.Generic (1)
16:43:48.0140 1872 ssrtln (c3ffd65abfb6441e7606cf74f1155273) C:\WINDOWS\system32\drivers\ssrtln.sys
16:43:48.0156 1872 ssrtln ( UnsignedFile.Multi.Generic ) - warning
16:43:48.0156 1872 ssrtln - detected UnsignedFile.Multi.Generic (1)
16:43:48.0343 1872 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
16:43:48.0531 1872 swenum - ok
16:43:48.0687 1872 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
16:43:48.0890 1872 swmidi - ok
16:43:49.0062 1872 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
16:43:49.0312 1872 symc810 - ok
16:43:49.0453 1872 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
16:43:49.0656 1872 symc8xx - ok
16:43:49.0828 1872 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
16:43:50.0031 1872 sym_hi - ok
16:43:50.0187 1872 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
16:43:50.0390 1872 sym_u3 - ok
16:43:50.0546 1872 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
16:43:50.0734 1872 sysaudio - ok
16:43:50.0906 1872 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
16:43:51.0046 1872 Tcpip - ok
16:43:51.0406 1872 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
16:43:51.0625 1872 TDPIPE - ok
16:43:51.0781 1872 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
16:43:51.0968 1872 TDTCP - ok
16:43:52.0125 1872 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
16:43:52.0312 1872 TermDD - ok
16:43:52.0437 1872 tfsnboio (30698355067d07da5f9eb81132c9fdd6) C:\WINDOWS\system32\dla\tfsnboio.sys
16:43:52.0453 1872 tfsnboio ( UnsignedFile.Multi.Generic ) - warning
16:43:52.0453 1872 tfsnboio - detected UnsignedFile.Multi.Generic (1)
16:43:52.0578 1872 tfsncofs (fb9d825bb4a2abdf24600f7505050e2b) C:\WINDOWS\system32\dla\tfsncofs.sys
16:43:52.0593 1872 tfsncofs ( UnsignedFile.Multi.Generic ) - warning
16:43:52.0593 1872 tfsncofs - detected UnsignedFile.Multi.Generic (1)
16:43:52.0703 1872 tfsndrct (cafd8cca11aa1e8b6d2ea1ba8f70ec33) C:\WINDOWS\system32\dla\tfsndrct.sys
16:43:52.0718 1872 tfsndrct ( UnsignedFile.Multi.Generic ) - warning
16:43:52.0718 1872 tfsndrct - detected UnsignedFile.Multi.Generic (1)
16:43:52.0812 1872 tfsndres (8db1e78fbf7c426d8ec3d8f1a33d6485) C:\WINDOWS\system32\dla\tfsndres.sys
16:43:52.0843 1872 tfsndres ( UnsignedFile.Multi.Generic ) - warning
16:43:52.0843 1872 tfsndres - detected UnsignedFile.Multi.Generic (1)
16:43:52.0953 1872 tfsnifs (b92f67a71cc8176f331b8aa8d9f555ad) C:\WINDOWS\system32\dla\tfsnifs.sys
16:43:52.0968 1872 tfsnifs ( UnsignedFile.Multi.Generic ) - warning
16:43:52.0968 1872 tfsnifs - detected UnsignedFile.Multi.Generic (1)
16:43:53.0093 1872 tfsnopio (85985faa9a71e2358fcc2edefc2a3c5c) C:\WINDOWS\system32\dla\tfsnopio.sys
16:43:53.0109 1872 tfsnopio ( UnsignedFile.Multi.Generic ) - warning
16:43:53.0109 1872 tfsnopio - detected UnsignedFile.Multi.Generic (1)
16:43:53.0234 1872 tfsnpool (bba22094f0f7c210567efdaf11f64495) C:\WINDOWS\system32\dla\tfsnpool.sys
16:43:53.0250 1872 tfsnpool ( UnsignedFile.Multi.Generic ) - warning
16:43:53.0250 1872 tfsnpool - detected UnsignedFile.Multi.Generic (1)
16:43:53.0375 1872 tfsnudf (81340bef80b9811e98ce64611e67e3ff) C:\WINDOWS\system32\dla\tfsnudf.sys
16:43:53.0390 1872 tfsnudf ( UnsignedFile.Multi.Generic ) - warning
16:43:53.0390 1872 tfsnudf - detected UnsignedFile.Multi.Generic (1)
16:43:53.0515 1872 tfsnudfa (c035fd116224ccc8325f384776b6a8bb) C:\WINDOWS\system32\dla\tfsnudfa.sys
16:43:53.0531 1872 tfsnudfa ( UnsignedFile.Multi.Generic ) - warning
16:43:53.0531 1872 tfsnudfa - detected UnsignedFile.Multi.Generic (1)
16:43:53.0703 1872 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
16:43:53.0890 1872 TosIde - ok
16:43:54.0046 1872 TrueSight (f69641efdb19acb4753b0155f7fdeed5) c:\windows\system32\drivers\TrueSight.sys
16:43:54.0078 1872 TrueSight ( UnsignedFile.Multi.Generic ) - warning
16:43:54.0078 1872 TrueSight - detected UnsignedFile.Multi.Generic (1)
16:43:54.0250 1872 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
16:43:54.0453 1872 Udfs - ok
16:43:54.0546 1872 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
16:43:54.0656 1872 ultra - ok
16:43:54.0828 1872 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
16:43:55.0625 1872 Update - ok
16:43:55.0781 1872 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
16:43:55.0968 1872 usbccgp - ok
16:43:56.0125 1872 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
16:43:56.0312 1872 usbehci - ok
16:43:56.0453 1872 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
16:43:56.0656 1872 usbhub - ok
16:43:56.0812 1872 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
16:43:57.0031 1872 usbprint - ok
16:43:57.0187 1872 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
16:43:57.0390 1872 usbscan - ok
16:43:57.0546 1872 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:43:57.0750 1872 USBSTOR - ok
16:43:57.0906 1872 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
16:43:58.0093 1872 usbuhci - ok
16:43:58.0281 1872 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
16:43:58.0500 1872 VgaSave - ok
16:43:58.0546 1872 viaagp (d92e7c8a30cfd14d8e15b5f7f032151b) C:\WINDOWS\system32\DRIVERS\viaagp.sys
16:43:58.0750 1872 viaagp - ok
16:43:58.0890 1872 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys
16:43:59.0109 1872 ViaIde - ok
16:43:59.0531 1872 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
16:43:59.0796 1872 VolSnap - ok
16:43:59.0921 1872 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
16:44:00.0125 1872 Wanarp - ok
16:44:00.0281 1872 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
16:44:00.0328 1872 wanatw - ok
16:44:00.0406 1872 WDICA - ok
16:44:00.0515 1872 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
16:44:01.0328 1872 wdmaud - ok
16:44:01.0734 1872 WpdUsb (c1b3d9d75c3fb735f5fa3a5806aded57) C:\WINDOWS\system32\Drivers\wpdusb.sys
16:44:02.0250 1872 WpdUsb - ok
16:44:02.0343 1872 MBR (0x1B8) (b16a2359f4962b0c622d81a1c1f4b703) \Device\Harddisk0\DR0
16:44:02.0406 1872 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
16:44:02.0406 1872 \Device\Harddisk0\DR0 - detected TDSS File System (1)
16:44:02.0421 1872 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR6
16:44:02.0593 1872 \Device\Harddisk1\DR6 - ok
16:44:02.0625 1872 Boot (0x1200) (88f1bc71a7df4ff1136592e07df099d1) \Device\Harddisk0\DR0\Partition0
16:44:02.0656 1872 \Device\Harddisk0\DR0\Partition0 - ok
16:44:02.0671 1872 Boot (0x1200) (c4a34d2b393763b6272dc4f3f9605323) \Device\Harddisk1\DR6\Partition0
16:44:02.0671 1872 \Device\Harddisk1\DR6\Partition0 - ok
16:44:02.0671 1872 ============================================================
16:44:02.0671 1872 Scan finished
16:44:02.0671 1872 ============================================================
16:44:02.0812 2864 Detected object count: 43
16:44:02.0812 2864 Actual detected object count: 43
16:47:50.0671 2864 ASCTRM ( UnsignedFile.Multi.Generic ) - skipped by user
16:47:50.0671 2864 ASCTRM ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:47:50.0671 2864 audstub ( UnsignedFile.Multi.Generic ) - skipped by user
16:47:50.0671 2864 audstub ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:47:50.0671 2864 bcm4sbxp ( UnsignedFile.Multi.Generic ) - skipped by user
16:47:50.0671 2864 bcm4sbxp ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:47:50.0671 2864 Beep ( UnsignedFile.Multi.Generic ) - skipped by user
16:47:50.0671 2864 Beep ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:47:50.0671 2864 BVRPMPR5 ( UnsignedFile.Multi.Generic ) - skipped by user
16:47:50.0671 2864 BVRPMPR5 ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:47:50.0671 2864 HKLM\SYSTEM\ControlSet001\services\cbea64eb - will be deleted on reboot
16:47:50.0671 2864 HKLM\SYSTEM\ControlSet004\services\cbea64eb - will be deleted on reboot
16:47:50.0671 2864 C:\WINDOWS\3949259467:873831188.exe - will be deleted on reboot
16:47:50.0671 2864 cbea64eb ( Rootkit.Win32.PMax.gen ) - User select action: Delete
16:47:50.0671 2864 cbidf ( UnsignedFile.Multi.Generic ) - skipped by user
16:47:50.0671 2864 cbidf ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:47:50.0671 2864 cbidf2k ( UnsignedFile.Multi.Generic ) - skipped by user
16:47:50.0671 2864 cbidf2k ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:47:50.0671 2864 cd20xrnt ( UnsignedFile.Multi.Generic ) - skipped by user
16:47:50.0671 2864 cd20xrnt ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:47:50.0671 2864 Cdaudio ( UnsignedFile.Multi.Generic ) - skipped by user
16:47:50.0671 2864 Cdaudio ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:47:50.0671 2864 Cdfs ( UnsignedFile.Multi.Generic ) - skipped by user
16:47:50.0671 2864 Cdfs ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:47:50.0671 2864 Cdrom ( UnsignedFile.Multi.Generic ) - skipped by user
16:47:50.0671 2864 Cdrom ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:47:50.0687 2864 CmdIde ( UnsignedFile.Multi.Generic ) - skipped by user
16:47:50.0687 2864 CmdIde ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:47:50.0687 2864 Cpqarray ( UnsignedFile.Multi.Generic ) - skipped by user
16:47:50.0687 2864 Cpqarray ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:47:50.0687 2864 dac2w2k ( UnsignedFile.Multi.Generic ) - skipped by user
16:47:50.0687 2864 dac2w2k ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:47:50.0687 2864 dac960nt ( UnsignedFile.Multi.Generic ) - skipped by user
16:47:50.0687 2864 dac960nt ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:47:50.0687 2864 Disk ( UnsignedFile.Multi.Generic ) - skipped by user
16:47:50.0687 2864 Disk ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:47:50.0703 2864 dmboot ( UnsignedFile.Multi.Generic ) - skipped by user
16:47:50.0703 2864 dmboot ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:47:50.0703 2864 dmio ( UnsignedFile.Multi.Generic ) - skipped by user
16:47:50.0703 2864 dmio ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:47:50.0703 2864 dmload ( UnsignedFile.Multi.Generic ) - skipped by user
16:47:50.0703 2864 dmload ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:47:50.0703 2864 DMusic ( UnsignedFile.Multi.Generic ) - skipped by user
16:47:50.0703 2864 DMusic ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:47:50.0703 2864 dpti2o ( UnsignedFile.Multi.Generic ) - skipped by user
16:47:50.0703 2864 dpti2o ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:47:50.0703 2864 drmkaud ( UnsignedFile.Multi.Generic ) - skipped by user
16:47:50.0703 2864 drmkaud ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:47:50.0718 2864 drvmcdb ( UnsignedFile.Multi.Generic ) - skipped by user
16:47:50.0718 2864 drvmcdb ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:47:50.0718 2864 drvnddm ( UnsignedFile.Multi.Generic ) - skipped by user
16:47:50.0718 2864 drvnddm ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:47:50.0718 2864 E100B ( UnsignedFile.Multi.Generic ) - skipped by user
16:47:50.0718 2864 E100B ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:47:51.0750 2864 Backup copy not found, trying to cure infected file..
16:47:51.0750 2864 C:\WINDOWS\system32\DRIVERS\imapi.sys - Cure failed (FFFFFFFF)
16:47:51.0750 2864 C:\WINDOWS\system32\DRIVERS\imapi.sys - processing error
16:47:54.0859 2864 C:\WINDOWS\system32\c_42144.nls - will be deleted on reboot
16:47:57.0671 2864 Imapi ( Rootkit.Win32.ZAccess.e ) - User select action: Cure
16:48:02.0765 2864 Backup copy not found, trying to cure infected file..
16:48:02.0765 2864 Cure success, using it..
16:48:02.0796 2864 C:\WINDOWS\system32\DRIVERS\intelide.sys - will be cured on reboot
16:48:02.0796 2864 IntelIde ( Rootkit.Win32.TDSS.tdl3 ) - User select action: Cure
16:48:02.0812 2864 omci ( UnsignedFile.Multi.Generic ) - skipped by user
16:48:02.0812 2864 omci ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:48:02.0812 2864 PxHelp20 ( UnsignedFile.Multi.Generic ) - skipped by user
16:48:02.0812 2864 PxHelp20 ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:48:02.0812 2864 sscdbhk5 ( UnsignedFile.Multi.Generic ) - skipped by user
16:48:02.0812 2864 sscdbhk5 ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:48:02.0828 2864 ssrtln ( UnsignedFile.Multi.Generic ) - skipped by user
16:48:02.0828 2864 ssrtln ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:48:02.0828 2864 tfsnboio ( UnsignedFile.Multi.Generic ) - skipped by user
16:48:02.0828 2864 tfsnboio ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:48:02.0843 2864 tfsncofs ( UnsignedFile.Multi.Generic ) - skipped by user
16:48:02.0843 2864 tfsncofs ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:48:02.0843 2864 tfsndrct ( UnsignedFile.Multi.Generic ) - skipped by user
16:48:02.0843 2864 tfsndrct ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:48:02.0843 2864 tfsndres ( UnsignedFile.Multi.Generic ) - skipped by user
16:48:02.0843 2864 tfsndres ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:48:02.0859 2864 tfsnifs ( UnsignedFile.Multi.Generic ) - skipped by user
16:48:02.0859 2864 tfsnifs ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:48:02.0859 2864 tfsnopio ( UnsignedFile.Multi.Generic ) - skipped by user
16:48:02.0859 2864 tfsnopio ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:48:02.0875 2864 tfsnpool ( UnsignedFile.Multi.Generic ) - skipped by user
16:48:02.0875 2864 tfsnpool ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:48:02.0875 2864 tfsnudf ( UnsignedFile.Multi.Generic ) - skipped by user
16:48:02.0875 2864 tfsnudf ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:48:02.0890 2864 tfsnudfa ( UnsignedFile.Multi.Generic ) - skipped by user
16:48:02.0890 2864 tfsnudfa ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:48:02.0890 2864 TrueSight ( UnsignedFile.Multi.Generic ) - skipped by user
16:48:02.0890 2864 TrueSight ( UnsignedFile.Multi.Generic ) - User select action: Skip
16:48:02.0890 2864 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
16:48:02.0890 2864 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
16:48:36.0781 3000 Deinitialize success


Running ComboFix again

Attached Files


  • 0

#9
LArnett

    Member

  • Topic Starter
  • Member
  • 41 posts
ComboFix needs a Microsoft Windows recovery console and the computer I'm working on doesn't have one. ComboFix is asking if I want it to download and install one from online. Would it be safe to hook the infected computer up to my network for internet or no? So far I have not, just to be safe, since a warning has popped up stating some site was trying to access the computer and was asking me to allow or block it.
  • 0

#10
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Yes, connect long enough to download the recovery console please.
  • 0

#11
LArnett

    Member

  • Topic Starter
  • Member
  • 41 posts
Sorry about the delay, rebuilding a bathroom and homework all at the same time.

Here are the results from ComboFix

ComboFix 12-01-16.02 - Ricky 01/16/2012 18:42:44.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.318 [GMT -5:00]
Running from: c:\documents and settings\Ricky\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\salesmonitor
c:\documents and settings\All Users\Application Data\winantispyware 2007
c:\documents and settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
c:\documents and settings\All Users\Application Data\winantispyware 2007\Data\ProductCode
c:\documents and settings\LocalService\Application Data\NetMon
c:\documents and settings\LocalService\Application Data\NetMon\domains.txt
c:\documents and settings\LocalService\Application Data\NetMon\log.txt
c:\documents and settings\Mary Kay\System
c:\documents and settings\Mary Kay\System\win_qs7.jqx
c:\documents and settings\Ricky\Application Data\Ifsun
c:\documents and settings\Ricky\Application Data\Ifsun\fopo.sae
c:\documents and settings\Ricky\Application Data\Ifsun\fopo.tmp
c:\documents and settings\Ricky\Application Data\SpamBlockerUtility_Icons
c:\documents and settings\Ricky\Application Data\SpamBlockerUtility_Icons\Registryrepair.ico
c:\documents and settings\Ricky\Application Data\SpamBlockerUtility_Icons\Software_Online_8.ico
c:\documents and settings\Ricky\Application Data\SpamBlockerUtility_Icons\wallpapere1.ico
c:\documents and settings\Ricky\Application Data\WinAntiSpyware 2006
c:\documents and settings\Ricky\Application Data\WinAntiSpyware 2006\Logs\update.log
c:\program files\Altnet
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.rvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cran.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.i01.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\zip.xmd.cab
c:\program files\AntiSpywareMaster
c:\program files\AntiSpywareMaster\install_asm_update_scanner.exe
c:\program files\FunWebProducts
c:\program files\FunWebProducts\Shared\069A8800.dat
c:\program files\Hotbar
c:\program files\inetget2
c:\program files\Need2Find
c:\program files\Need2Find\bar\History\search
c:\program files\network monitor
c:\program files\Search Settings
c:\program files\Search Settings\FF\chrome.manifest
c:\program files\Search Settings\FF\chrome\content\plugin.js
c:\program files\Search Settings\FF\chrome\content\plugin.xul
c:\program files\Search Settings\FF\chrome\content\protection.js
c:\program files\Search Settings\FF\chrome\content\utils.js
c:\program files\Search Settings\FF\chrome\locale\en-US\searchsettingsplugin.dtd
c:\program files\Search Settings\FF\chrome\locale\en-US\searchsettingsplugin.properties
c:\program files\Search Settings\FF\components\IFBHOSearch.xpt
c:\program files\Search Settings\FF\components\IFBHOSearchHelperEngine.xpt
c:\program files\Search Settings\FF\components\IFHelperPreferences.xpt
c:\program files\Search Settings\FF\components\SearchSettingsFF.dll
c:\program files\Search Settings\FF\install.rdf
c:\program files\winpop
c:\temp\tn3
c:\windows\cdmxtras
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf
c:\windows\retadpu.exe.bin
c:\windows\system32\c_42144.nl_
c:\windows\system32\c_42144.nls
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\drivers\kungsflrpumxts.sys
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\o02PrEz
c:\windows\system32\odetmngk.dll
c:\windows\system32\W1
c:\windows\system32\W2
c:\windows\system32\W3
c:\windows\system32\W4
c:\windows\system32\W5
c:\windows\system32\win
c:\windows\TWFyeSBLYXk
.
Infected copy of c:\windows\system32\drivers\imapi.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\windows\system32\msiexec.exe was found and disinfected
Restored copy from - c:\windows\$MSI31Uninstall_KB893803v2$\msiexec.exe
.
c:\windows\system32\drivers\serial.sys . . . is infected!!
.
c:\program files\Application Updater\ApplicationUpdater.exe . . . is infected!!
c:\program files\Application Updater\ApplicationUpdater.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Java\jre6\bin\jqs.exe . . . is infected!!
c:\program files\Java\jre6\bin\jqs.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe . . . is infected!!
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Viewpoint\Common\ViewpointService.exe . . . is infected!!
c:\program files\Viewpoint\Common\ViewpointService.exe . . . was deleted!! You should re-install the program it pertains to
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_CMDSERVICE
-------\Legacy_CORE
-------\Legacy_DOMAINSERVICE
-------\Legacy_FOPN
-------\Legacy_NETWORK_MONITOR
-------\Legacy_WINDOWS_OVERLAY_COMPONENTS
-------\Service_ApiMon
-------\Service_cbea64eb
-------\Service_cmdService
-------\Service_core
-------\Service_DomainService
-------\Service_Network Monitor
-------\Service_Windows Overlay Components
.
.
((((((((((((((((((((((((( Files Created from 2011-12-17 to 2012-01-17 )))))))))))))))))))))))))))))))
.
.
2012-01-16 23:35 . 2004-08-04 10:00 41856 ----a-w- c:\windows\system32\drivers\imapi.sys
2012-01-16 23:35 . 2004-08-04 10:00 41856 ----a-w- c:\windows\system32\dllcache\imapi.sys
2012-01-16 15:48 . 2012-01-16 21:13 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-01-10 01:21 . 2012-01-10 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-01-10 01:17 . 2004-08-04 03:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-01-10 00:35 . 2004-08-04 05:56 21504 ----a-w- c:\windows\system32\hidserv.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-16 21:49 . 2004-08-10 17:58 5504 ----a-w- c:\windows\system32\drivers\intelide.sys
2009-02-13 00:32 . 2009-02-16 23:25 774144 ----a-w- c:\program files\RngInterstitial.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-09-11 2054360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-07-14 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Blubster"="c:\program files\Blubster\Blubster.exe" [2009-11-27 2866176]
.
c:\documents and settings\Ricky\Start Menu\Programs\Startup\
Skype.lnk - c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe [N/A]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 10:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\windows\system32\ijjbediw.exe"= c:\windows\system32\ijj
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Blubster\\Blubster.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/11/2009 7:23 AM 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [9/11/2009 7:26 AM 96408]
S2 Application Updater;Application Updater;"c:\program files\Application Updater\ApplicationUpdater.exe" --> c:\program files\Application Updater\ApplicationUpdater.exe [?]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [9/11/2009 7:24 AM 735960]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = iexplore
IE: Compare Prices with &Dealio - c:\documents and settings\Ricky\Application Data\Dealio\kb124\res\DealioSearch.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: getmirar.com\click
Trusted Zone: mirarsearch.com\click
Trusted Zone: mirarsearch.com\redirect
Trusted Zone: net-nucleus.com\awbeta
TCP: Interfaces\{42AAA1A2-A41E-4C6B-BC89-B07492D6ECB3}: NameServer = 93.188.162.149,93.188.160.29
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/gs.cab
FF - ProfilePath - c:\documents and settings\Ricky\Application Data\Mozilla\Firefox\Profiles\w6omdj8q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{21652878-587A-466C-987A-C31EC6E38803} - c:\program files\ComPlus Applications\holenu4444.dll
BHO-{664E992D-7D84-47A5-90E7-470D398D4B1F} - c:\program files\ComPlus Applications\holenu83122.dll
SafeBoot-20410191.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-16 19:45
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\3949259467:873831188.exe 816 bytes executable
c:\windows\$NtUninstallKB20734$:SummaryInformation 0 bytes hidden from API
.
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\3949259467:873831188.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\fxssvc.exe
.
**************************************************************************
.
Completion time: 2012-01-16 19:51:44 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-17 00:51
.
Pre-Run: 8,083,087,360 bytes free
Post-Run: 8,797,130,752 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - AE82FB7F5717D275AA7D2E93D40B4895


#12
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, I now need to find a spare copy of an infected file. How is the computer behaving at the moment?


  • Run OTL.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    serial.*
    /md5stop
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs.


#13
LArnett

    Member

  • Topic Starter
  • Member
  • 41 posts
The computer is running like it's supposed to. No more pop-ups at the login screen, no more Windows Installer every time you do something. I haven't tested every program yet, but I will, just to make sure both users are good to go.

Here are the logs from OTL. It looks like OTL reported today after I ran it, but there was not an UPDATED Extras log.

OTL REPORT

OTL logfile created on: 1/20/2012 9:26:11 AM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Ricky\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 298.70 Mb Available Physical Memory | 59.38% Memory free
4.37 Gb Paging File | 4.21 Gb Available in Paging File | 96.50% Paging File free
Paging file location(s): C:\pagefile.sys 4000 4025 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.04 Gb Total Space | 8.32 Gb Free Space | 24.45% Space Free | Partition Type: NTFS

Computer Name: FAMILY | User Name: Ricky | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - File not found -- C:\WINDOWS\3949259467:873831188.exe
PRC - [2012/01/11 11:17:58 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ricky\Desktop\OTL.exe
PRC - [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Viewpoint Manager Service)
SRV - File not found [Auto | Stopped] -- -- (SQLWriter)
SRV - File not found [Auto | Stopped] -- -- (JavaQuickStarterService)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - File not found [Auto | Stopped] -- -- (Application Updater)
SRV - [2009/09/11 07:33:18 | 000,020,680 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2009/09/11 07:24:32 | 000,735,960 | ---- | M] () [Auto | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)


========== Driver Services (SafeList) ==========

DRV - [2012/01/16 16:49:11 | 000,005,504 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\intelide.sys -- (IntelIde)
DRV - [2009/09/11 07:26:26 | 000,096,408 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdir.sys -- (epfwtdir)
DRV - [2009/09/11 07:23:50 | 000,108,792 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2009/09/11 07:17:16 | 000,116,008 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
DRV - [2008/06/18 10:49:16 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2005/07/14 07:28:30 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2004/09/17 14:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/06/16 03:52:40 | 000,061,157 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC53.sys -- (IntelC53)
DRV - [2004/03/06 04:15:34 | 000,647,929 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC52.sys -- (IntelC52)
DRV - [2004/03/06 04:14:42 | 001,233,525 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC51.sys -- (IntelC51)
DRV - [2004/03/06 04:13:38 | 000,037,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mohfilt.sys -- (mohfilt)
DRV - [2003/07/15 21:20:46 | 000,043,136 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2003/01/10 16:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2002/11/08 19:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (omci)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/mywaybiz
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/mywaybiz
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
IE - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\..\URLSearchHook: {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - No CLSID value found
IE - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found
IE - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=634471"
FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig"
FF - prefs.js..extensions.enabledItems: [email protected]:1.2.3


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/npracplug;version=1.0.0.0: C:\Program Files\Real\RealArcade\Plugins\Mozilla\npracplug.dll (RealNetworks)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF - HKCU\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.3: C:\Documents and Settings\Ricky\Application Data\Facebook\npfbplugin_1_0_3.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.18\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/08/24 19:45:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.18\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/27 14:25:28 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2009/11/20 16:08:55 | 000,000,000 | ---D | M]

[2009/11/20 08:14:51 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Ricky\Application Data\Mozilla\Extensions
[2011/04/15 23:36:40 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Ricky\Application Data\Mozilla\Firefox\Profiles\w6omdj8q.default\extensions
[2009/11/20 12:47:01 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Ricky\Application Data\Mozilla\Firefox\Profiles\w6omdj8q.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/10 20:42:31 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Ricky\Application Data\Mozilla\Firefox\Profiles\w6omdj8q.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/08/26 18:32:18 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2007/12/17 19:24:03 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/07/30 02:53:04 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
File not found (No name found) -- C:\PROGRAM FILES\SEARCH SETTINGS\FF
[2009/07/17 18:02:48 | 000,002,476 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\BearShareWebSearch.xml

O1 HOSTS File: ([2012/01/16 19:45:27 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (no name) - Software - No CLSID value found.
O3 - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\..\Toolbar\WebBrowser: (no name) - {4D1C4E89-A32A-416B-BCDB-33B3EF3617D3} - No CLSID value found.
O3 - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\..\Toolbar\WebBrowser: (no name) - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No CLSID value found.
O3 - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe (MP2P Technologies.)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - Startup: C:\Documents and Settings\Ricky\Start Menu\Programs\Startup\Skype.lnk = File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\Ricky\Application Data\Dealio\kb124\res\DealioSearch.html File not found
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O15 - HKLM\..Trusted Domains: getmirar.com ([click] http in Trusted sites)
O15 - HKLM\..Trusted Domains: getmirar.com ([click] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mirarsearch.com ([click] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mirarsearch.com ([click] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mirarsearch.com ([redirect] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mirarsearch.com ([redirect] https in Trusted sites)
O15 - HKLM\..Trusted Domains: net-nucleus.com ([awbeta] http in Trusted sites)
O15 - HKLM\..Trusted Domains: net-nucleus.com ([awbeta] https in Trusted sites)
O15 - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} http://forms.real.co...ne_Inst_Win.cab (Reg Error: Key error.)
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} http://asp.mathxl.co...GenXInstall.cab (TTestGenXInstallObject)
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} http://disney.go.com...OnlineGames.cab (Disney Online Games ActiveX Control)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photo.walgree...eensActivia.cab (Snapfish Activia)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} http://asp.mathxl.co...nstallAsst2.cab (Pearson Installation Assistant 2)
O16 - DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} http://myitlab.pears...ces/ax/stub.cab (Enlite 2.x Simulation Engine Installer)
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} http://ak.imgag.com/...tall/AxCtp2.cab (Create & Print ActiveX Plug-in)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} http://asp.mathxl.co.../MathPlayer.cab (Pearson MathXL Player)
O16 - DPF: ActiveGS.cab http://www.virtualapple.org/gs.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{42AAA1A2-A41E-4C6B-BC89-B07492D6ECB3}: NameServer = 93.188.162.149,93.188.160.29
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -Explorer.exe ()
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 13:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2012/01/19 21:10:43 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/01/16 19:51:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/01/16 18:31:12 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/01/16 16:58:38 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/01/16 16:58:38 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/01/16 16:58:37 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/01/16 16:58:37 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/01/16 16:58:29 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/01/16 16:41:25 | 001,974,064 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Ricky\Desktop\tdsskiller.exe
[2012/01/16 14:30:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/01/16 14:30:06 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/01/16 14:24:24 | 004,385,658 | R--- | C] (Swearware) -- C:\Documents and Settings\Ricky\Desktop\ComboFix.exe
[2012/01/16 14:03:44 | 004,713,472 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Ricky\Desktop\aswMBR.exe
[2012/01/16 11:19:10 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Ricky\Desktop\OTL.exe
[2012/01/16 10:48:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ricky\Desktop\RK_Quarantine
[2012/01/09 20:21:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/09/10 04:03:53 | 000,842,240 | ---- | C] (Heaventools Software) -- C:\Documents and Settings\All Users\Application Data\defender
[2011/08/31 14:54:19 | 000,842,240 | ---- | C] (Heaventools Software) -- C:\Documents and Settings\All Users\Application Data\defender.exe
[2009/02/16 18:25:01 | 000,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/19 20:59:06 | 000,007,037 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\Global.sw2
[2012/01/19 20:55:02 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/19 20:55:00 | 000,000,000 | ---- | M] () -- C:\WINDOWS\3949259467
[2012/01/19 20:54:59 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/19 20:54:56 | 527,503,360 | -HS- | M] () -- C:\hiberfil.sys
[2012/01/16 19:45:27 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/01/16 18:31:19 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/01/16 16:49:11 | 000,005,504 | ---- | M] () -- C:\WINDOWS\System32\drivers\intelide.sys
[2012/01/16 16:14:06 | 001,974,064 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Ricky\Desktop\tdsskiller.exe
[2012/01/16 16:13:38 | 000,111,872 | ---- | M] () -- C:\WINDOWS\System32\drivers\TrueSight.sys
[2012/01/16 14:13:58 | 004,385,658 | R--- | M] (Swearware) -- C:\Documents and Settings\Ricky\Desktop\ComboFix.exe
[2012/01/16 12:10:48 | 004,713,472 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Ricky\Desktop\aswMBR.exe
[2012/01/16 10:38:12 | 000,787,456 | ---- | M] () -- C:\Documents and Settings\Ricky\Desktop\RogueKiller.exe
[2012/01/11 11:17:58 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ricky\Desktop\OTL.exe
[2012/01/11 09:43:30 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Ricky\Desktop\eXplorer.exe
[2012/01/11 09:39:48 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Ricky\Desktop\rkill.com
[2012/01/11 09:21:40 | 000,000,177 | ---- | M] () -- C:\Documents and Settings\Ricky\Desktop\rk-proxy.reg
[2012/01/10 08:26:01 | 000,492,506 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/01/10 08:26:01 | 000,090,526 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/01/16 19:01:11 | 000,000,000 | ---- | C] () -- C:\WINDOWS\3949259467
[2012/01/16 18:31:19 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/01/16 18:31:13 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/01/16 16:58:38 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/01/16 16:58:38 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/01/16 16:58:38 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/01/16 16:58:38 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/01/16 16:58:37 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/01/16 10:48:19 | 000,111,872 | ---- | C] () -- C:\WINDOWS\System32\drivers\TrueSight.sys
[2012/01/16 10:47:55 | 000,787,456 | ---- | C] () -- C:\Documents and Settings\Ricky\Desktop\RogueKiller.exe
[2012/01/11 09:21:40 | 000,000,177 | ---- | C] () -- C:\Documents and Settings\Ricky\Desktop\rk-proxy.reg
[2012/01/11 09:19:41 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Ricky\Desktop\eXplorer.exe
[2012/01/11 09:19:18 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Ricky\Desktop\rkill.com
[2012/01/11 09:14:37 | 527,503,360 | -HS- | C] () -- C:\hiberfil.sys
[2011/06/15 05:18:58 | 000,016,806 | -HS- | C] () -- C:\Documents and Settings\Ricky\Local Settings\Application Data\rn18yk600c1cco7vj4
[2011/06/15 05:18:58 | 000,016,806 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\rn18yk600c1cco7vj4
[2010/07/30 02:54:34 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/03/05 14:28:57 | 000,009,728 | ---- | C] () -- C:\Documents and Settings\Ricky\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/05/02 07:37:44 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2008/02/13 20:22:46 | 000,000,071 | ---- | C] () -- C:\WINDOWS\pex.INI
[2008/02/13 20:15:16 | 000,000,151 | ---- | C] () -- C:\WINDOWS\Ulead32.ini
[2007/07/23 22:22:24 | 000,022,661 | ---- | C] () -- C:\WINDOWS\cookies.ini
[2007/07/11 02:05:37 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2007/07/07 07:39:56 | 000,000,002 | ---- | C] () -- C:\WINDOWS\System32\wcpicomsv.exe
[2007/06/27 05:15:19 | 000,000,932 | ---- | C] () -- C:\WINDOWS\System32\winpfz32.sys
[2007/06/27 05:14:28 | 000,016,591 | ---- | C] () -- C:\WINDOWS\cs_cache.ini
[2006/11/08 19:07:43 | 000,000,028 | ---- | C] () -- C:\WINDOWS\atid.ini
[2006/10/26 18:19:20 | 000,000,004 | -H-- | C] () -- C:\WINDOWS\uccspecb.sys
[2006/02/01 19:34:29 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Ricky\Application Data\PFP120JPR.{PB
[2006/02/01 19:34:29 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Ricky\Application Data\PFP120JCM.{PB
[2006/01/04 18:40:45 | 000,000,881 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2005/12/30 11:37:47 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2005/12/03 21:39:06 | 000,000,010 | ---- | C] () -- C:\WINDOWS\smdat32m.sys
[2005/12/03 21:39:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\smdat32a.sys
[2005/12/01 21:25:15 | 000,002,516 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2005/12/01 21:25:15 | 000,000,056 | RHS- | C] () -- C:\WINDOWS\System32\0A354710AB.sys
[2005/11/29 14:28:02 | 000,000,021 | ---- | C] () -- C:\WINDOWS\PI_setup.ini
[2005/11/29 14:24:14 | 000,096,768 | ---- | C] () -- C:\WINDOWS\SlantAdj.dll
[2005/11/29 14:24:14 | 000,003,136 | ---- | C] () -- C:\WINDOWS\Ade001.bin
[2005/11/29 14:24:14 | 000,000,072 | ---- | C] () -- C:\WINDOWS\System32\epDPE.ini
[2005/11/29 14:21:20 | 000,000,182 | ---- | C] () -- C:\WINDOWS\System32\EBPPORT4.DAT
[2005/11/29 14:20:05 | 000,000,196 | ---- | C] () -- C:\WINDOWS\EPSONCX6400.ini
[2005/07/14 07:44:16 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/07/14 07:29:20 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/07/14 07:27:05 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2005/07/14 06:58:00 | 000,049,152 | ---- | C] () -- C:\WINDOWS\setpwrcg.exe
[2005/07/14 06:57:20 | 000,000,375 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/01/28 08:08:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/10 13:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 13:07:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/10 13:02:15 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/10 13:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/10 12:58:43 | 000,005,504 | ---- | C] () -- C:\WINDOWS\System32\drivers\intelide.sys
[2004/08/10 12:57:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/10 12:57:15 | 000,352,176 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/10 12:51:21 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/10 12:51:20 | 000,492,506 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/10 12:51:20 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/10 12:51:20 | 000,090,526 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/10 12:51:20 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/10 12:51:18 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/10 12:51:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/10 12:51:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/10 12:51:12 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/10 12:51:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/10 12:51:05 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/10 12:50:56 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2002/03/13 16:46:46 | 000,053,248 | R--- | C] () -- C:\WINDOWS\System32\zlib.dll

========== LOP Check ==========

[2009/12/25 19:49:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\201CC
[2009/11/20 16:08:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2012/01/09 20:21:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2008/05/04 11:01:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2008/12/03 13:26:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/12/25 20:02:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\Dealio
[2005/12/01 21:19:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\Earthlink
[2005/12/05 21:57:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\EarthLink Toolbar
[2006/09/13 13:48:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\EPSON
[2007/10/28 10:36:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\FUJIFILM
[2005/11/29 14:34:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\Leadertech
[2011/08/12 18:36:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\Search Settings
[2007/07/29 20:08:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\Slide
[2006/04/04 17:03:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\Smart Panel
[2006/10/21 16:11:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\SmartDraw
[2007/09/27 18:46:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\Snapfish
[2007/02/09 19:43:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\SpamBlocker
[2007/01/21 21:43:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\SpamBlockerUtility_Icons
[2008/05/31 12:00:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\TAIT3
[2008/02/13 20:19:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\Ulead Systems
[2007/04/18 07:09:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\Viewpoint
[2006/10/18 18:11:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\WinAntiSpyware 2006
[2007/06/27 05:40:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\WinAntiSpyware 2007
[2009/12/28 19:45:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ricky\Application Data\bearsharetb
[2010/03/05 12:57:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ricky\Application Data\EPSON
[2010/10/28 21:59:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ricky\Application Data\FUJIFILM
[2005/11/29 20:08:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ricky\Application Data\Leadertech
[2010/07/14 01:33:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ricky\Application Data\Nyigyw
[2011/08/31 14:59:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ricky\Application Data\Search Settings
[2007/04/30 20:41:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ricky\Application Data\Smart Panel
[2010/07/21 03:39:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ricky\Application Data\Smilebox
[2007/08/09 16:47:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ricky\Application Data\Viewpoint

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2005/12/05 21:52:28 | 000,010,920 | ---- | M] () -- C:\aolconnfix.exe


< MD5 for: SERIAL.SY_ >
[2004/08/03 23:15:54 | 000,030,067 | ---- | M] () MD5=56A1F7591D17ECD1C5F60DABD2FA6B61 -- C:\cmdcons\SERIAL.SY_

< MD5 for: SERIAL.SYS >
[2008/04/13 14:15:45 | 000,064,512 | ---- | M] (Microsoft Corporation) MD5=CCA207A8896D4C6A0C9CE29A4AE411A7 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\serial.sys
[2004/08/04 05:00:00 | 000,064,896 | ---- | M] (Microsoft Corporation) MD5=CD9404D115A00D249F70A371B46D5A26 -- C:\WINDOWS\system32\drivers\serial.sys

< CRESTERESTOREPOINT >

========== Files - Unicode (All) ==========
[2007/07/09 18:33:55 | 000,000,000 | ---D | M](C:\Documents and Settings\Mary Kay\Application Data\?ystem) -- C:\Documents and Settings\Mary Kay\Application Data\ѕystem

========== Alternate Data Streams ==========

@Alternate Data Stream - 816 bytes -> C:\WINDOWS\3949259467:873831188.exe

< End of report >


EXTRAS REPORT

OTL Extras logfile created on: 1/16/2012 11:49:37 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Ricky\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 292.06 Mb Available Physical Memory | 58.06% Memory free
4.37 Gb Paging File | 4.19 Gb Available in Paging File | 96.03% Paging File free
Paging file location(s): C:\pagefile.sys 4000 4025 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.04 Gb Total Space | 7.68 Gb Free Space | 22.56% Space Free | Partition Type: NTFS
Drive E: | 959.22 Mb Total Space | 894.92 Mb Free Space | 93.30% Space Free | Partition Type: FAT

Computer Name: FAMILY | User Name: Ricky | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-2379642614-4113044259-601262879-1007\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [FinePix] -- "C:\Program Files\FinePixViewer\FinePixViewer.exe" "%1" (FUJI PHOTO FILM CO.,LTD.)
Directory [FinePixPrint] -- "C:\Program Files\FinePixViewer\FinePixViewer.exe" /p "%1" (FUJI PHOTO FILM CO.,LTD.)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe:*:Enabled:AOL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" = C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Disabled:TaskPanl
"C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
"C:\WINDOWS\system32\spool\drivers\w32x86\3\SAGENT4.EXE" = C:\WINDOWS\system32\spool\drivers\w32x86\3\SAGENT4.EXE:*:Disabled:SAgent4 -- (SEIKO EPSON CORPORATION)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server
"C:\Program Files\Common Files\AOL\1169921979\ee\aolsoftware.exe" = C:\Program Files\Common Files\AOL\1169921979\ee\aolsoftware.exe:*:Enabled:AOL Shared Components
"C:\Documents and Settings\Mary Kay\Local Settings\Temp\~os1BA.tmp\ossproxy.exe" = C:\Documents and Settings\Mary Kay\Local Settings\Temp\~os1BA.tmp\ossproxy.exe:*:Enabled:ossproxy.exe
"C:\WINDOWS\system32\ijjbediw.exe" = C:\WINDOWS\system32\ijjb\wmdc.exe
"C:\Program Files\Blubster\Blubster.exe" = C:\Program Files\Blubster\Blubster.exe:*:Enabled:Blubster -- (MP2P Technologies.)
"C:\Program Files\BearShare Applications\BearShare\BearShare.exe" = C:\Program Files\BearShare Applications\BearShare\BearShare.exe:*:Disabled:BearShare
"C:\Program Files\Kazaa\kazaa.exe" = C:\Program Files\Kazaa\kazaa.exe:*:Disabled:Kazaa
"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Mozilla Firefox -- (Mozilla Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data
"{0B53B71D-9E2F-42B8-9123-96354872D166}" = EPSON Photo Print
"{0E0131B2-CF18-40D9-A331-60A3746C1204}" = EPSON Scan
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{24ED4D80-8294-11D5-96CD-0040266301AD}" = FinePixViewer Ver.4.2
"{26A24AE4-039D-4CA4-87B4-2F83216019FF}" = Java™ 6 Update 19
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{353D20CC-719B-4A60-AD33-D03F88C10330}" = Microsoft Office Accounting PayPal Addin
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{3877C2CD-F137-4144-BDB2-0A811492F920}" = Command
"{46614A49-222A-48EF-87A9-BFD603E608E1}" = Microsoft Office Accounting Fixed Asset Manager
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{5490882C-6961-11D5-BAE5-00E0188E010B}" = FUJIFILM USB Driver
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5F05C28D-DEA9-4AD6-A73A-064175988EAB}" = Search Settings v1.2.3
"{5FA793A6-0071-42C1-9355-8F69A428C44F}" = Microsoft Office Accounting ADP Payroll Addin
"{66C8BE35-8BBB-472B-96C7-C7C9A499F988}" = ArcSoft Software Suite
"{6C11D561-620B-47DA-A693-4C597F3CDF40}" = EPSON Smart Panel
"{6E179C77-7335-458D-9537-4F4EAC0181ED}" = Photo Click
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}" = Modem Event Monitor
"{89EE857B-8970-4F9F-AB58-A1C873AC72B3}" = Broadcom Management Programs
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{8C711818-076E-475C-B95B-DF11CD9D8DBE}" = Microsoft Office Accounting Equifax Addin
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{91120000-0014-0000-0000-0000000FF1CE}" = Microsoft Office Professional 2007
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{934E9442-D305-4ACF-AD87-A6C11D677CB9}" = ImageMixer VCD2 for FinePix
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A394E835-C8D6-4B4B-884B-D2709059F3BE}" = Network Monitor
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio
"{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}" = Dell Media Experience
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{AF06CAE4-C134-44B1-B699-14FBDB63BD37}" = Dell Picture Studio v3.0
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{B0717D5A-1976-482B-9ADF-F19631A541A4}" = Microsoft Office Accounting 2007
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D271DAE0-8D68-4C97-8356-A126D48A1D8C}" = Ulead Photo Explorer 8.0 SE Basic
"{EFA800BF-C5C8-46D1-B49D-13920D05417C}" = ESET NOD32 Antivirus
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Blubster" = Blubster 3.1.1
"Drumaxx" = Drumaxx
"EPSON Printer and Utilities" = EPSON Printer Software
"FL Studio 9" = FL Studio 9
"Hardcore" = Hardcore
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"IL Download Manager" = IL Download Manager
"InstallShield_{89EE857B-8970-4F9F-AB58-A1C873AC72B3}" = Broadcom Management Programs
"Intel® 537EP V9x DF PCI Modem" = Intel® 537EP V9x DF PCI Modem
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Office Accounting 2007" = Microsoft Office Accounting 2007
"Microsoft Office Accounting Equifax Addin" = Microsoft Office Accounting Equifax Addin
"Microsoft Office Accounting PayPal Addin" = Microsoft Office Accounting PayPal Addin
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Mozilla Firefox (3.6.18)" = Mozilla Firefox (3.6.18)
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OvMon" = Windows Overlay Components
"PoiZone" = PoiZone
"PROR" = Microsoft Office Professional 2007 Trial
"QIC UnInstall" = Insight Broadband QIC Service Activator
"QuickTime" = QuickTime
"RealArcade 1.2" = RealArcade
"RealPlayer 6.0" = RealPlayer Basic
"Sakura" = Sakura
"Sawer" = Sawer
"Viewpoint Manager" = Viewpoint Manager (Remove Only)
"ViewpointMediaPlayer" = Viewpoint Media Player
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2379642614-4113044259-601262879-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Smilebox" = Smilebox

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/11/2012 10:42:52 AM | Computer Name = FAMILY | Source = SecurityCenter | ID = 1802
Description = The Windows Security Center Service was unable to establish event
queries with WMI to monitor third party AntiVirus and Firewall.

Error - 1/11/2012 10:43:03 AM | Computer Name = FAMILY | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

Error - 1/11/2012 10:46:10 AM | Computer Name = FAMILY | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module unknown, version 0.0.0.0, fault address 0x001a624b.

Error - 1/12/2012 4:30:54 PM | Computer Name = FAMILY | Source = SQLWRITER | ID = 4
Description = SQL writer initialization error: the COM security cannot be initialized
[0x80010119].

Error - 1/12/2012 4:30:56 PM | Computer Name = FAMILY | Source = SecurityCenter | ID = 1802
Description = The Windows Security Center Service was unable to establish event
queries with WMI to monitor third party AntiVirus and Firewall.

Error - 1/12/2012 4:33:57 PM | Computer Name = FAMILY | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 1/16/2012 11:41:44 AM | Computer Name = FAMILY | Source = SQLWRITER | ID = 4
Description = SQL writer initialization error: the COM security cannot be initialized
[0x80010119].

Error - 1/16/2012 11:41:46 AM | Computer Name = FAMILY | Source = SecurityCenter | ID = 1802
Description = The Windows Security Center Service was unable to establish event
queries with WMI to monitor third party AntiVirus and Firewall.

Error - 1/16/2012 11:42:00 AM | Computer Name = FAMILY | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

Error - 1/16/2012 11:44:53 AM | Computer Name = FAMILY | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module unknown, version 0.0.0.0, fault address 0x001a624b.

[ Application Events ]
Error - 1/11/2012 10:42:52 AM | Computer Name = FAMILY | Source = SecurityCenter | ID = 1802
Description = The Windows Security Center Service was unable to establish event
queries with WMI to monitor third party AntiVirus and Firewall.

Error - 1/11/2012 10:43:03 AM | Computer Name = FAMILY | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

Error - 1/11/2012 10:46:10 AM | Computer Name = FAMILY | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module unknown, version 0.0.0.0, fault address 0x001a624b.

Error - 1/12/2012 4:30:54 PM | Computer Name = FAMILY | Source = SQLWRITER | ID = 4
Description = SQL writer initialization error: the COM security cannot be initialized
[0x80010119].

Error - 1/12/2012 4:30:56 PM | Computer Name = FAMILY | Source = SecurityCenter | ID = 1802
Description = The Windows Security Center Service was unable to establish event
queries with WMI to monitor third party AntiVirus and Firewall.

Error - 1/12/2012 4:33:57 PM | Computer Name = FAMILY | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 1/16/2012 11:41:44 AM | Computer Name = FAMILY | Source = SQLWRITER | ID = 4
Description = SQL writer initialization error: the COM security cannot be initialized
[0x80010119].

Error - 1/16/2012 11:41:46 AM | Computer Name = FAMILY | Source = SecurityCenter | ID = 1802
Description = The Windows Security Center Service was unable to establish event
queries with WMI to monitor third party AntiVirus and Firewall.

Error - 1/16/2012 11:42:00 AM | Computer Name = FAMILY | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

Error - 1/16/2012 11:44:53 AM | Computer Name = FAMILY | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module unknown, version 0.0.0.0, fault address 0x001a624b.

[ System Events ]
Error - 1/16/2012 11:41:58 AM | Computer Name = FAMILY | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 1/16/2012 11:45:16 AM | Computer Name = FAMILY | Source = DCOM | ID = 10010
Description = The server {000C101C-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 1/16/2012 11:45:46 AM | Computer Name = FAMILY | Source = DCOM | ID = 10010
Description = The server {000C101C-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 1/16/2012 11:46:17 AM | Computer Name = FAMILY | Source = DCOM | ID = 10010
Description = The server {000C101C-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 1/16/2012 12:11:02 PM | Computer Name = FAMILY | Source = DCOM | ID = 10010
Description = The server {000C101C-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 1/16/2012 12:11:33 PM | Computer Name = FAMILY | Source = DCOM | ID = 10010
Description = The server {000C101C-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 1/16/2012 12:12:03 PM | Computer Name = FAMILY | Source = DCOM | ID = 10010
Description = The server {000C101C-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 1/16/2012 12:23:36 PM | Computer Name = FAMILY | Source = DCOM | ID = 10010
Description = The server {000C101C-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 1/16/2012 12:24:07 PM | Computer Name = FAMILY | Source = DCOM | ID = 10010
Description = The server {000C101C-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 1/16/2012 12:24:37 PM | Computer Name = FAMILY | Source = DCOM | ID = 10010
Description = The server {000C101C-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.


< End of report >

  • 0

#14 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
This should be the last.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes, and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    SRV - File not found [Auto | Stopped] -- -- (Viewpoint Manager Service)
    SRV - File not found [Auto | Stopped] -- -- (SQLWriter)
    SRV - File not found [Auto | Stopped] -- -- (JavaQuickStarterService)
    SRV - File not found [Auto | Stopped] -- -- (Application Updater)
    IE - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\..\URLSearchHook: {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - No CLSID value found
    IE - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found
    [2009/07/17 18:02:48 | 000,002,476 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\BearShareWebSearch.xml
    O3 - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\..\Toolbar\WebBrowser: (no name) - {4D1C4E89-A32A-416B-BCDB-33B3EF3617D3} - No CLSID value found.
    O3 - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\..\Toolbar\WebBrowser: (no name) - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No CLSID value found.
    O3 - HKU\S-1-5-21-2379642614-4113044259-601262879-1007\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\Ricky\Application Data\Dealio\kb124\res\DealioSearch.html File not found
    [2012/01/16 14:03:44 | 004,713,472 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Ricky\Desktop\aswMBR.exe
    [2011/09/10 04:03:53 | 000,842,240 | ---- | C] (Heaventools Software) -- C:\Documents and Settings\All Users\Application Data\defender
    [2011/08/31 14:54:19 | 000,842,240 | ---- | C] (Heaventools Software) -- C:\Documents and Settings\All Users\Application Data\defender.exe
    [2012/01/19 20:55:00 | 000,000,000 | ---- | M] () -- C:\WINDOWS\3949259467
    [2012/01/11 09:43:30 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Ricky\Desktop\eXplorer.exe
    [2012/01/11 09:39:48 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Ricky\Desktop\rkill.com
    [2012/01/11 09:21:40 | 000,000,177 | ---- | M] () -- C:\Documents and Settings\Ricky\Desktop\rk-proxy.reg
    [2011/06/15 05:18:58 | 000,016,806 | -HS- | C] () -- C:\Documents and Settings\Ricky\Local Settings\Application Data\rn18yk600c1cco7vj4
    [2011/06/15 05:18:58 | 000,016,806 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\rn18yk600c1cco7vj4
    [2006/10/18 18:11:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\WinAntiSpyware 2006
    [2007/06/27 05:40:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\WinAntiSpyware 2007
    [2009/12/28 19:45:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ricky\Application Data\bearsharetb
    [2007/07/09 18:33:55 | 000,000,000 | ---D | M](C:\Documents and Settings\Mary Kay\Application Data\?ystem) -- C:\Documents and Settings\Mary Kay\Application Data\ѕystem
    @Alternate Data Stream - 816 bytes -> C:\WINDOWS\3949259467:873831188.exe

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download Malwarebytes' Anti-Malware

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
  • 0
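The fix above is built from four kinds of OTL findings: services whose image is "File not found", URLSearchHook and toolbar entries whose CLSID no longer resolves, hidden+system files with machine-generated names, and an alternate data stream on a file in C:\WINDOWS that carries an .exe. As an added example, not part of the thread and not OTL's own code, the script below parses lines in that OTL listing format and flags each of those indicator classes so a helper can review a pasted log before composing a fix. The sample lines are constructed in the shape of the listing above (SIDs shortened), and the "looks random" naming heuristic is an assumption of this example rather than anything OTL does.

```python
import re
from collections import Counter

# Constructed sample in the shape of the OTL lines quoted in the fix above
# (SIDs shortened); it is not a log taken from the thread.
SAMPLE_OTL = r"""
SRV - File not found [Auto | Stopped] -- -- (SQLWriter)
SRV - C:\WINDOWS\system32\svchost.exe [Auto | Running] -- -- (Dhcp)
IE - HKU\S-1-5-21-1-2-3-1007\..\URLSearchHook: {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - No CLSID value found
O3 - HKU\S-1-5-21-1-2-3-1007\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
[2011/06/15 05:18:58 | 000,016,806 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\rn18yk600c1cco7vj4
[2012/01/19 20:55:00 | 000,000,000 | ---- | M] () -- C:\WINDOWS\3949259467
[2012/01/11 09:39:48 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Ricky\Desktop\rkill.com
[2006/10/18 18:11:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mary Kay\Application Data\WinAntiSpyware 2006
@Alternate Data Stream - 816 bytes -> C:\WINDOWS\3949259467:873831188.exe
"""

# One regex per OTL line shape used in the fix script.
SRV_RE = re.compile(
    r"^SRV - (?P<image>.+?) \[(?P<start>[^|\]]+) \| (?P<state>[^\]]+)\] -- -- \((?P<name>[^)]+)\)$")
CLSID_RE = re.compile(
    r"^(?P<kind>IE|O3) - (?P<key>\S+): (?:\(no name\) - )?"
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - No CLSID value found\.?$")
FILE_RE = re.compile(
    r"^\[(?P<stamp>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| [CM]\]"
    r"(?: \((?P<vendor>[^)]*)\))? -- (?P<path>.+)$")
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<bytes>\d+) bytes -> (?P<path>.+)$")

EXEC_EXT = (".exe", ".dll", ".com", ".scr", ".pif", ".bat", ".cmd")


def looks_random(name):
    """Assumed heuristic for generated names such as rn18yk600c1cco7vj4 or
    3949259467: no extension, at least 8 characters, a quarter or more digits."""
    if "." in name or len(name) < 8:
        return False
    digits = sum(ch.isdigit() for ch in name)
    return digits / len(name) >= 0.25


def triage_line(line):
    """Return a finding dict for a suspicious OTL line, or None if benign/unknown."""
    line = line.strip()
    if not line:
        return None
    m = SRV_RE.match(line)
    if m:
        # A service whose binary is gone but whose registration survives.
        if m["image"] == "File not found":
            return {"kind": "orphaned_service", "severity": "medium", "detail": m["name"]}
        return None
    m = CLSID_RE.match(line)
    if m:
        # Browser hook/toolbar pointing at a CLSID with no registered server.
        return {"kind": "dangling_clsid", "severity": "low", "detail": m["clsid"]}
    m = ADS_RE.match(line)
    if m:
        # host:stream; a stream named like an executable is the classic hiding spot.
        host, _, stream = m["path"].rpartition(":")
        sev = "high" if stream.lower().endswith(EXEC_EXT) else "medium"
        return {"kind": "alternate_data_stream", "severity": sev,
                "detail": f"{host} -> {stream} ({m['bytes']} bytes)"}
    m = FILE_RE.match(line)
    if m:
        attrs, path = m["attrs"], m["path"]
        name = path.rsplit("\\", 1)[-1]
        hidden_system = "H" in attrs and "S" in attrs
        if hidden_system and looks_random(name):
            return {"kind": "hidden_random_file", "severity": "high", "detail": path}
        if hidden_system or looks_random(name):
            return {"kind": "suspicious_file", "severity": "medium", "detail": path}
        return None
    return None


def triage(text):
    """Triage every line of an OTL listing; returns the list of findings."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


def summarize(findings):
    """Count findings per indicator class."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_OTL)
    for f in sorted(found, key=lambda f: f["severity"]):
        print(f"[{f['severity']:>6}] {f['kind']:<22} {f['detail']}")
    print(dict(summarize(found)))
```

Unknown line shapes are deliberately returned as None rather than guessed at, so the script only ever narrows a log down to candidates; the decision to put an entry in a fix still rests with the person reading the full log.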

#15 LArnett (Topic Starter, Member, 41 posts)
How long will it take for OTL to run the fix? It's been running for about an hour with no restart. Just sitting here with a blue screen with the cursor on it. It will go to sleep, and when it wakes up I have to choose a user, and the user shows 1 program running.
  • 0