Trojan:Win32/Danmec.gen!A [Solved]


This topic is locked.

#1
s0nginmyheart
Member, 147 posts
Hi all,

So, I need some help with one of our office computers. My boss had opened up a malicious email by accident (advertising an American Airlines flight he had supposedly booked), which then proceeded to infect his computer. He has Microsoft Security Essentials, and one of the main things that kept popping up was Trojan:Win32/Danmec.gen!A, even after we had "cleaned" it. I also ran PC Tools Spyware Doctor. It detected 3 files, but I don't think that has cleaned everything.

The bigger problem is that this virus/spammer has cleared everything off the desktop, and in program files. There is NOTHING that shows up. How can I fix this computer and get the files back?

Thanks in advance.


#2
Essexboy
GeekU Moderator, Retired Staff, 69,964 posts
Hi there. Our first job will be to restore the files/folders/icons.

So to that end I will need you to run the first programme in the list twice.

RUN 1

Download RogueKiller to your desktop

  • Quit all running programs
  • For Vista/Seven, right-click -> Run as administrator; for XP simply run RogueKiller.exe
  • When prompted, type 2 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.

RUN 2

  • Quit all running programs
  • For Vista/Seven, right-click -> Run as administrator; for XP simply run RogueKiller.exe
  • When prompted, type 6 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.

THEN

Download OTL to your Desktop
  • Double-click the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    consrv.dll
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    C:\Windows\assembly\tmp\U\*.* /s
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs.

AND FINALLY

Download aswMBR.exe (1.8 MB) to your desktop.
Double-click aswMBR.exe to run it. Click the "Scan" button to start the scan.

On completion of the scan, click "Save log", save it to your desktop and post it in your next reply.
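What RUN 1 above is looking for, as an added example in Python that is not RogueKiller's own code: the two classes of finding the RKreport posted in this thread shows are Run-key commands whose executable lives in a user-writable profile directory ([SUSP PATH]) and Explorer/System policy values that malware sets to lock the user out of Task Manager or the desktop ([HJPOL]). The directory markers, the policy table and the sample entries below are this example's own assumptions, built to mirror the shapes in that report; run it with Python 3 and it prints the findings.

```python
"""Triage autorun entries the way RUN 1 above does: flag Run-key commands
whose binary lives in a user-writable profile directory, and Explorer/System
policy values that malware sets to lock the user out of the machine.

Added example, not RogueKiller code. The directory markers, the policy table
and the sample entries are this example's own, built to mirror the shapes
in the RKreport posted in this thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Profile locations a standard user can write to (XP layout, its 8.3 aliases,
# and the Vista+ layout). Nothing Windows itself starts at logon lives here.
USER_WRITABLE = (
    "\\documents and settings\\",
    "\\docume~1\\",
    "\\application data\\",
    "\\applic~1\\",
    "\\local settings\\temp\\",
    "\\users\\",
    "\\temp\\",
)

# (policy subkey, value name) -> what setting it to 1 does. Assumption: this
# short list covers the HJPOL entries seen in this thread plus close relatives.
HIJACK_POLICIES = {
    ("system", "disabletaskmgr"): "Task Manager disabled",
    ("system", "disableregistrytools"): "Registry Editor disabled",
    ("explorer", "nodesktop"): "desktop icons hidden",
    ("explorer", "nofolderoptions"): "Folder Options removed",
    ("explorer", "norun"): "Run dialog removed",
}


@dataclass
class Finding:
    kind: str        # "SUSP PATH" or "HJPOL", as in the report
    location: str
    detail: str


def exe_from_command(command: str) -> str:
    """Executable path from a Run-key command line: quoted path, or the first
    token that ends in .exe, or the first whitespace-delimited token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(.*?\.exe)(?=\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def check_run_entry(hive: str, name: str, command: str) -> Optional[Finding]:
    exe = exe_from_command(command).lower()
    if any(marker in exe for marker in USER_WRITABLE):
        return Finding("SUSP PATH", f"{hive}\\[...]\\Run : {name}", exe)
    return None


def check_policy(hive: str, subkey: str, name: str, value: int) -> Optional[Finding]:
    effect = HIJACK_POLICIES.get((subkey.lower(), name.lower()))
    if effect and value == 1:
        return Finding("HJPOL", f"{hive}\\[...]\\{subkey} : {name} ({value})", effect)
    return None


def triage(run_entries: Sequence[Tuple[str, str, str]],
           policies: Sequence[Tuple[str, str, str, int]]) -> List[Finding]:
    findings = [check_run_entry(*e) for e in run_entries]
    findings += [check_policy(*p) for p in policies]
    return [f for f in findings if f is not None]


# Constructed sample input: (hive, value name, command) and (hive, subkey, name, data).
# The command-line switch on the MSE entry is made up for the example.
SAMPLE_RUN = [
    ("HKLM", "iexploreHelper", "C:\\DOCUME~1\\steve\\APPLIC~1\\MICROS~1\\IEXPLO~1.EXE"),
    ("HKCU", "SCC", "C:\\Documents and Settings\\steve\\Application Data\\98C220.exe"),
    ("HKLM", "MSC", '"C:\\Program Files\\Microsoft Security Client\\msseces.exe" /silent'),
    ("HKLM", "InCD", "C:\\Program Files\\Nero\\Nero 7\\InCD\\InCD.exe"),
]
SAMPLE_POLICIES = [
    ("HKLM", "System", "DisableTaskMgr", 1),
    ("HKCU", "Explorer", "NoDesktop", 1),
    ("HKLM", "Explorer", "NoCDBurning", 0),
    ("HKLM", "Explorer", "HonorAutoRunSetting", 1),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RUN, SAMPLE_POLICIES):
        print(f"[{f.kind}] {f.location} -> {f.detail}")
```

The path heuristic is a pointer for a human, not a verdict: legitimately installed per-user software also runs from Application Data (the OTL log in this thread shows Dropbox doing exactly that), and an 8.3-style name like IEXPLO~1.EXE under MICROS~1 is suspicious only because nothing Microsoft ships starts from a user profile. RogueKiller's mode 2 deletes what it flags, which is why the helper asks to see the report before going further.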

#3
s0nginmyheart
Topic Starter, Member, 147 posts
RogueKiller V6.2.4 [01/12/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: steve [Admin rights]
Mode: Remove -- Date : 01/14/2012 18:03:40

Bad processes: 0

Registry Entries: 5
[SUSP PATH] HKLM\[...]\Run : iexploreHelper. (C:\DOCUME~1\steve\APPLIC~1\MICROS~1\IEXPLO~1.EXE) -> DELETED
[SUSP PATH] HKCU\[...]\Run : SCC (C:\Documents and Settings\steve\Application Data\98C220.exe) -> DELETED
[HJPOL] HKLM\[...]\System : DisableTaskMgr (1) -> DELETED
[HJPOL] HKCU\[...]\Explorer : NoDesktop (1) -> DELETED
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

Particular Files / Folders:

Driver: [LOADED]
SSDT[257] : NtTerminateProcess @ 0x805D29E2 -> HOOKED (TfSysMon.sys @ 0xB9D96300)
SSDT[247] : NtSetValueKey @ 0x80622662 -> HOOKED (TfSysMon.sys @ 0xB9D94150)
SSDT[119] : NtOpenKey @ 0x806254CE -> HOOKED (TfSysMon.sys @ 0xB9D93AD0)
SSDT[65] : NtDeleteValueKey @ 0x8062475C -> HOOKED (TfSysMon.sys @ 0xB9D93F50)
SSDT[63] : NtDeleteKey @ 0x8062458C -> HOOKED (TfSysMon.sys @ 0xB9D93E90)
SSDT[41] : NtCreateKey @ 0x806240F0 -> HOOKED (TfSysMon.sys @ 0xB9D93C30)

Infection : Root.MBR

HOSTS File:
127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] db4c4eeeac06bc5cb80d4ab17e4a2037
[BSP] ba337520bfbb8d58932273d6689a91f2 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 63 | Size: 31453 Mo
User != LL1 ... KO!
--- LL1 ---
[MBR] 70e587144fd5adf4788062ac3dff391c
[BSP] ba337520bfbb8d58932273d6689a91f2 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 63 | Size: 31453 Mo
1 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 61432560 | Size: 10737 Mo
User != LL2 ... KO!
--- LL2 ---
[MBR] 70e587144fd5adf4788062ac3dff391c
[BSP] ba337520bfbb8d58932273d6689a91f2 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 63 | Size: 31453 Mo
1 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 61432560 | Size: 10737 Mo

+++++ PhysicalDrive1: +++++
--- User ---
[MBR] db4c4eeeac06bc5cb80d4ab17e4a2037
[BSP] ba337520bfbb8d58932273d6689a91f2 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 63 | Size: 31453 Mo
User != LL1 ... KO!
--- LL1 ---
[MBR] 7cf8554e21b21f5907e83d9f5c9aa738
[BSP] f9ddb255bc9ffd3bdd9dbff8d4cb347c : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 63 | Size: 31453 Mo
1 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 61432560 | Size: 968666 Mo
User != LL2 ... KO!
--- LL2 ---
[MBR] 7cf8554e21b21f5907e83d9f5c9aa738
[BSP] f9ddb255bc9ffd3bdd9dbff8d4cb347c : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 63 | Size: 31453 Mo
1 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 61432560 | Size: 968666 Mo

Finished : << RKreport[1].txt >>
RKreport[1].txt
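What the "MBR Check" section of the report above is doing, as an added example in Python that is not RogueKiller's or aswMBR's code: the tool reads the first sector of each disk once through the normal OS path ("User") and again lower in the storage stack ("LL1", "LL2"), hashes each copy, and reports "KO!" when they disagree, because a clean system returns the same 512 bytes from every vantage point. On PhysicalDrive0 the two reads share the same bootstrap code ([BSP]) but differ in the partition table: the low-level view shows the visible NTFS partition no longer active and a second, hidden-type partition at sector 61432560 marked active. The two sector images below are constructed to reproduce that shape; the hidden-type partition IDs and the mapping of the [MBR]/[BSP] hashes to whole-sector and bootstrap-only MD5 are this example's assumptions, and actually reading the sectors from a live disk is outside it.

```python
"""Parse a 512-byte MBR and diff the copy read through the normal disk API
against a copy read lower in the storage stack. That disagreement is what
the "User != LL1 ... KO!" lines in the RogueKiller report above mean.

Added example, not RogueKiller or aswMBR code. Both MBR images are
constructed here to mirror PhysicalDrive0 in the report: the OS-level view
shows one active NTFS partition at sector 63; the low-level view shows that
partition de-activated and a second, hidden-type partition at sector
61432560 marked active. Reading the real sectors (\\.\PhysicalDrive0 from
user mode, a driver below any filter for the low-level view) is outside
this example.
"""
import hashlib
import struct
from typing import List, NamedTuple, Tuple

SECTOR = 512
MBR_SIGNATURE = b"\x55\xAA"
TABLE_OFFSET = 446          # 4 x 16-byte partition entries follow the bootstrap code
NTFS = 0x07
HIDDEN_NTFS = 0x17          # assumption: the report's HIDDEN! flag keys off hidden type IDs
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
ENTRY = "<B3xB3xII"         # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors


class Partition(NamedTuple):
    index: int
    active: bool
    type_id: int
    start_lba: int
    sectors: int


def parse_mbr(mbr: bytes) -> List[Partition]:
    """Decode the four partition slots; empty slots (type 0) are dropped."""
    if len(mbr) != SECTOR or mbr[510:] != MBR_SIGNATURE:
        raise ValueError("not a 512-byte MBR with a 55AA signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, type_id, start, size = struct.unpack(ENTRY, mbr[off:off + 16])
        if type_id:
            parts.append(Partition(i, status == 0x80, type_id, start, size))
    return parts


def describe(p: Partition) -> str:
    """One line per partition in the style of the report (size in decimal MB)."""
    flag = "ACTIVE" if p.active else "XXXXXX"
    vis = "HIDDEN!" if p.type_id in HIDDEN_TYPES else "VISIBLE"
    mb = p.sectors * SECTOR // 10**6
    return f"{p.index} - [{flag}] 0x{p.type_id:02X} [{vis}] Offset (sectors): {p.start_lba} | Size: {mb} MB"


def fingerprint(mbr: bytes) -> Tuple[str, str]:
    """(md5 of the whole sector, md5 of the bootstrap code only). Assumption:
    these correspond to the report's [MBR] and [BSP] hashes."""
    return hashlib.md5(mbr).hexdigest(), hashlib.md5(mbr[:TABLE_OFFSET]).hexdigest()


def compare_views(user_view: bytes, lowlevel_view: bytes) -> List[str]:
    """Return findings; an empty list means both reads agree and the table
    has exactly one active partition of a non-hidden type."""
    findings = []
    if user_view != lowlevel_view:
        which = []
        if user_view[:TABLE_OFFSET] != lowlevel_view[:TABLE_OFFSET]:
            which.append("bootstrap code")
        if user_view[TABLE_OFFSET:510] != lowlevel_view[TABLE_OFFSET:510]:
            which.append("partition table")
        findings.append("User != LL: differs in " + ", ".join(which))
    parts = parse_mbr(lowlevel_view)
    active = [p for p in parts if p.active]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for p in active:
        if p.type_id in HIDDEN_TYPES:
            findings.append(f"active partition {p.index} has hidden type 0x{p.type_id:02X} at sector {p.start_lba}")
    return findings


def build_mbr(bootcode: bytes, entries) -> bytes:
    """Assemble a sector from bootstrap bytes and (active, type, start, sectors) tuples."""
    table = b"".join(struct.pack(ENTRY, 0x80 if a else 0x00, t, s, n) for a, t, s, n in entries)
    return bootcode.ljust(TABLE_OFFSET, b"\0") + table.ljust(64, b"\0") + MBR_SIGNATURE


# Constructed sample: the same stand-in bootstrap code in both reads, different tables.
BOOTCODE = b"\xEB\x3C\x90" + b"stand-in XP MBR bootstrap".ljust(437, b"\x90")
USER_VIEW = build_mbr(BOOTCODE, [(True, NTFS, 63, 61432497)])
LOWLEVEL_VIEW = build_mbr(BOOTCODE, [(False, NTFS, 63, 61432497),
                                     (True, HIDDEN_NTFS, 61432560, 20971520)])

if __name__ == "__main__":
    for label, view in (("User", USER_VIEW), ("LL1", LOWLEVEL_VIEW)):
        whole, boot = fingerprint(view)
        print(f"--- {label} --- [MBR] {whole} [BSP] {boot}")
        for p in parse_mbr(view):
            print("  " + describe(p))
    for f in compare_views(USER_VIEW, LOWLEVEL_VIEW):
        print("KO! " + f)
```

The point of hashing the bootstrap code separately is to tell two cases apart: a bootkit that patches the first 446 bytes changes [BSP], while the case in this report keeps stock XP boot code and only rewrites the table, so the machine still boots but into a partition that the OS-level read cannot see. Either way, a disagreement between the reads is itself the finding: something between the application and the disk is rewriting sector 0 on the fly, which is why the helper's next step is a dedicated MBR scanner rather than a file-level antivirus.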

#4
s0nginmyheart
Topic Starter, Member, 147 posts
RogueKiller V6.2.4 [01/12/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: steve [Admin rights]
Mode: Shortcuts HJfix -- Date : 01/14/2012 18:09:42

Bad processes: 0

Driver: [LOADED]

File attributes restored:
Desktop: Success 152 / Fail 0
Quick launch: Success 6 / Fail 0
Programs: Success 22065 / Fail 0
Start menu: Success 239 / Fail 0
User folder: Success 3672 / Fail 0
My documents: Success 2946 / Fail 0
My favorites: Success 199 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 57210 / Fail 0
Backup: [FOUND] Success 180 / Fail 2

Drives:
[A:] \Device\Floppy0 -- 0x2 --> Skipped
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped
[E:] \Device\CdRom1 -- 0x5 --> Skipped
[F:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[G:] \Device\HarddiskVolume4 -- 0x3 --> Restored
[H:] \Device\HarddiskVolume5 -- 0x3 --> Restored

Infection : Rogue.FakeHDD

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

#5
s0nginmyheart
Topic Starter, Member, 147 posts
OTL logfile created on: 1/14/2012 6:12:29 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = G:\My Documents old\anti virus
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 0.75 Gb Available Physical Memory | 37.73% Memory free
3.84 Gb Paging File | 2.79 Gb Available in Paging File | 72.61% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.29 Gb Total Space | 9.39 Gb Free Space | 32.04% Space Free | Partition Type: NTFS
Drive F: | 29.29 Gb Total Space | 10.94 Gb Free Space | 37.33% Space Free | Partition Type: NTFS
Drive G: | 902.14 Gb Total Space | 868.46 Gb Free Space | 96.27% Space Free | Partition Type: NTFS
Drive H: | 465.76 Gb Total Space | 273.43 Gb Free Space | 58.71% Space Free | Partition Type: NTFS

Computer Name: STEVE-E192E14C2 | User Name: steve | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/14 18:02:45 | 000,584,192 | ---- | M] (OldTimer Tools) -- G:\My Documents old\anti virus\OTL.exe
PRC - [2011/11/13 07:53:42 | 002,996,592 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2tray.exe
PRC - [2011/11/13 07:53:40 | 000,946,032 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe
PRC - [2011/11/13 07:53:36 | 002,120,048 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2pre.exe
PRC - [2011/11/13 07:53:28 | 001,687,408 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2comm.exe
PRC - [2011/06/22 04:57:14 | 000,045,056 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2011/06/15 14:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2011/04/27 14:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2011/01/07 14:54:12 | 000,108,496 | ---- | M] (Threat Expert Ltd.) -- C:\Program Files\PC Tools Security\BDT\FGuard.exe
PRC - [2011/01/07 14:54:08 | 000,247,760 | ---- | M] (Threat Expert Ltd.) -- C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe
PRC - [2009/06/18 12:42:26 | 000,479,232 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT.EXE
PRC - [2008/08/26 19:02:00 | 000,014,336 | ---- | M] (Agere Systems) -- C:\Program Files\LSI SoftModem\agrsmsvc.exe
PRC - [2008/07/17 13:21:34 | 000,080,392 | ---- | M] () -- C:\Program Files\Gigabyte\EasySaver\essvr.exe
PRC - [2008/04/14 06:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/27 18:04:00 | 001,213,736 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
PRC - [2007/06/27 18:03:40 | 000,152,872 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
PRC - [2007/06/25 07:47:24 | 001,629,480 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
PRC - [2007/06/25 07:47:12 | 001,552,680 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
PRC - [2007/06/25 07:47:02 | 001,057,064 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\InCD\InCD.exe


========== Modules (No Company Name) ==========

MOD - [2012/01/03 09:45:08 | 000,016,832 | ---- | M] () -- C:\Program Files\Adobe\Reader 9.0\Reader\ViewerPS.dll
MOD - [2011/10/14 02:08:56 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\abef85f2fb8ba830eda73e2d12e8d41e\System.ServiceProcess.ni.dll
MOD - [2011/10/14 02:04:28 | 007,950,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\af39f6e644af02873b9bae319f2bfb13\System.ni.dll
MOD - [2011/10/14 02:04:20 | 011,490,816 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll
MOD - [2011/01/07 14:54:18 | 000,200,144 | ---- | M] () -- C:\Program Files\PC Tools Security\BDT\Utility.dll
MOD - [2008/07/17 13:21:34 | 000,080,392 | ---- | M] () -- C:\Program Files\Gigabyte\EasySaver\essvr.exe
MOD - [2007/12/07 14:24:56 | 000,117,256 | ---- | M] () -- C:\Program Files\Gigabyte\EasySaver\ycc.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/11/13 07:53:40 | 000,946,032 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [Auto | Running] -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe -- (GoToMyPC)
SRV - [2011/06/22 04:57:14 | 000,045,056 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2011/04/27 14:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2011/01/07 14:54:08 | 000,247,760 | ---- | M] (Threat Expert Ltd.) [Auto | Running] -- C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)
SRV - [2010/12/31 09:36:22 | 000,070,928 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\PC Tools Security\TFEngine\TFService.exe -- (ThreatFire)
SRV - [2010/11/19 06:57:14 | 001,150,936 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\PC Tools Security\pctsSvc.exe -- (sdCoreService)
SRV - [2010/03/15 14:02:36 | 000,366,840 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\PC Tools Security\pctsAuxs.exe -- (sdAuxService)
SRV - [2008/08/26 19:02:00 | 000,014,336 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Program Files\LSI SoftModem\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2008/08/08 21:10:46 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2008/07/17 13:21:34 | 000,080,392 | ---- | M] () [Auto | Running] -- C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE -- (ES lite Service)
SRV - [2007/06/25 07:47:12 | 001,552,680 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe -- (InCDsrv)


========== Driver Services (SafeList) ==========

DRV - [2012/01/14 17:55:04 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DA6F95BB-25F9-41A7-B249-E54D03047C5C}\MpKsl452c0c41.sys -- (MpKsl452c0c41)
DRV - [2012/01/14 17:43:35 | 000,016,608 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\gdrv.sys -- (gdrv)
DRV - [2011/01/17 09:10:26 | 000,251,560 | ---- | M] (PC Tools) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\pctgntdi.sys -- (pctgntdi)
DRV - [2010/12/31 09:36:40 | 000,069,392 | --S- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfSysMon.sys -- (TFSysMon)
DRV - [2010/12/31 09:36:38 | 000,033,552 | --S- | M] (PC Tools) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TfNetMon.sys -- (TfNetMon)
DRV - [2010/12/31 09:36:36 | 000,051,984 | --S- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfFsMon.sys -- (TfFsMon)
DRV - [2010/12/16 08:46:04 | 000,070,536 | ---- | M] (PC Tools) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pctplsg.sys -- (pctplsg)
DRV - [2010/12/10 13:24:12 | 000,239,168 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2010/07/16 14:59:54 | 000,656,320 | ---- | M] (PC Tools) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pctEFA.sys -- (pctEFA)
DRV - [2010/07/16 14:59:54 | 000,338,880 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\pctDS.sys -- (pctDS)
DRV - [2008/11/21 21:53:00 | 001,204,128 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2008/02/14 03:04:06 | 004,676,096 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/01/03 08:10:16 | 000,105,856 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007/06/25 07:47:12 | 000,038,440 | ---- | M] (Nero AG) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\InCDRm.sys -- (incdrm)
DRV - [2007/06/25 07:47:12 | 000,036,776 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDPass.sys -- (InCDPass)
DRV - [2007/06/25 07:47:02 | 000,119,080 | ---- | M] (Nero AG) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\InCDfs.sys -- (InCDfs)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-789336058-1482476501-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
IE - HKU\S-1-5-21-789336058-1482476501-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-789336058-1482476501-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = www.live.com [binary data]
IE - HKU\S-1-5-21-789336058-1482476501-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\S-1-5-21-789336058-1482476501-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-789336058-1482476501-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-789336058-1482476501-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = www.live.com [binary data]
IE - HKU\S-1-5-21-789336058-1482476501-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
IE - HKU\S-1-5-21-789336058-1482476501-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-789336058-1482476501-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-789336058-1482476501-1417001333-1003\..\URLSearchHook: {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll (DeviceVM Inc.)
IE - HKU\S-1-5-21-789336058-1482476501-1417001333-1003\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
IE - HKU\S-1-5-21-789336058-1482476501-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{cb84136f-9c44-433a-9048-c5cd9df1dc16}: C:\Program Files\PC Tools Security\BDT\Firefox\ [2012/01/13 16:14:32 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2008/04/14 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKU\S-1-5-21-789336058-1482476501-1417001333-1003\..\Toolbar\WebBrowser: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [GEST] = File not found
O4 - HKLM..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe (Nero AG)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [MFNetworkScanUtility] C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT.EXE (CANON INC.)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [PCTools FGuard] C:\Program Files\PC Tools Security\BDT\FGuard.exe (Threat Expert Ltd.)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe (Nero AG)
O4 - HKU\S-1-5-21-789336058-1482476501-1417001333-1003..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\steve\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\steve\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-789336058-1482476501-1417001333-1003\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-789336058-1482476501-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.appl...ex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1234561590796 (WUWebControl Class)
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} https://www1.gotomee...ets/g2mdlax.cab (GoToMeeting/GoToWebinar Web Starter)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} http://dclive.future...eivers/FMSI.cab (Futuremark SystemInfo)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://hiltonhotels...bex/ieatgpc.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.1.10.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{ED2DA8D7-FF24-42EE-B5EC-FBA5FAE0B57C}: DhcpNameServer = 10.1.10.1
O18 - Protocol\Handler\intu-help-qb2 {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToMyPC: DllName - (C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll) - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\steve\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\steve\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/13 15:17:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/01/23 18:45:44 | 000,000,000 | ---- | M] () - F:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2007/05/31 16:17:24 | 000,000,118 | ---- | M] () - H:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\{0899ec0c-fb1b-11de-b57f-001fd0ad5421}\Shell\AutoRun\command - "" = .\Encryption Tool\MaxtorEncryption.exe
O33 - MountPoints2\{74ac1887-0822-11df-b582-001fd0ad5421}\Shell - "" = AutoRun
O33 - MountPoints2\{74ac1887-0822-11df-b582-001fd0ad5421}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{74ac1887-0822-11df-b582-001fd0ad5421}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -a
O33 - MountPoints2\{942e5bf0-bb6f-11df-b59e-001fd0ad5421}\Shell\AutoRun\command - "" = K:\MULTIM~1.EXE
O33 - MountPoints2\{942e5bf0-bb6f-11df-b59e-001fd0ad5421}\Shell\doubleTwist\command - "" = K:\MULTIM~1.EXE
O33 - MountPoints2\{c83e732d-0f4f-11de-b558-001fd0ad5421}\Shell - "" = AutoRun
O33 - MountPoints2\{c83e732d-0f4f-11de-b558-001fd0ad5421}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c83e732d-0f4f-11de-b558-001fd0ad5421}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL /2009InterimPlan/pptview.exe /L "playlist.txt"
O33 - MountPoints2\{f9da7832-fbd2-11dd-b548-001fd0ad5421}\Shell - "" = AutoRun
O33 - MountPoints2\{f9da7832-fbd2-11dd-b548-001fd0ad5421}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f9da7832-fbd2-11dd-b548-001fd0ad5421}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\m.exe /s
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/01/14 18:03:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\RK_Quarantine
[2012/01/14 18:02:02 | 000,000,000 | ---D | C] -- G:\My Documents old\anti virus
[2012/01/14 14:12:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\Performance
[2012/01/14 14:12:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Local Settings\Application Data\Microsoft Corporation
[2012/01/14 14:12:13 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Windows 7 Upgrade Advisor
[2012/01/14 13:53:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Application Data\Product_RM
[2012/01/13 22:36:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Local Settings\Application Data\Threat Expert
[2012/01/13 16:23:54 | 000,069,392 | --S- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfSysMon.sys
[2012/01/13 16:23:54 | 000,051,984 | --S- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfFsMon.sys
[2012/01/13 16:23:54 | 000,033,552 | --S- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfNetMon.sys
[2012/01/13 16:14:31 | 002,000,848 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll
[2012/01/13 16:14:31 | 001,533,904 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDRes.dll
[2012/01/13 16:14:31 | 000,149,456 | ---- | C] (PC Tools) -- C:\WINDOWS\SGDetectionTool.dll
[2012/01/13 15:19:20 | 000,656,320 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctEFA.sys
[2012/01/13 15:19:20 | 000,338,880 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctDS.sys
[2012/01/13 15:19:16 | 000,251,560 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2012/01/13 15:19:04 | 000,239,168 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2012/01/13 15:19:04 | 000,160,448 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
[2012/01/13 15:19:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\PC Tools Security
[2012/01/13 15:18:52 | 000,070,536 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2012/01/13 15:18:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/01/13 15:18:20 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools Security
[2012/01/13 15:18:20 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2012/01/13 15:18:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Application Data\PC Tools
[2012/01/13 15:17:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2012/01/13 13:32:44 | 000,000,000 | R--D | C] -- C:\Documents and Settings\steve\Recent
[2012/01/13 06:12:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Start Menu\Programs\System Check
[2012/01/05 13:14:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\Holicare
[2012/01/02 11:35:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\2012-01-02
[2011/12/22 18:30:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\2011-12-22
[2011/12/19 15:42:28 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Futuremark Shared
[2011/12/16 14:22:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\2011-12-16
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/14 18:06:00 | 000,000,580 | ---- | M] () -- C:\WINDOWS\tasks\DataUpload.job
[2012/01/14 18:04:57 | 000,111,872 | ---- | M] () -- C:\WINDOWS\System32\drivers\TrueSight.sys
[2012/01/14 17:48:27 | 000,000,424 | ---- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2012/01/14 17:44:41 | 000,000,422 | ---- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{BB73D801-7157-4769-9E13-A1753497B9A0}.job
[2012/01/14 17:43:54 | 000,012,598 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/14 17:43:35 | 000,000,616 | ---- | M] () -- C:\WINDOWS\tasks\ConfigExec.job
[2012/01/14 17:43:21 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/14 14:28:22 | 000,001,324 | ---- | M] () -- C:\Documents and Settings\steve\Local Settings\Application Data\d3d9caps.dat
[2012/01/14 14:12:14 | 000,001,862 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Windows 7 Upgrade Advisor.lnk
[2012/01/14 13:53:24 | 000,002,087 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\rminstall[1].exe.lnk
[2012/01/14 11:22:45 | 000,000,858 | ---- | M] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/01/13 15:19:29 | 000,634,956 | ---- | M] () -- C:\WINDOWS\System32\drivers\Cat.DB
[2012/01/13 15:19:01 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2012/01/13 15:15:54 | 000,512,992 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\sdsetup_revwire207.exe
[2012/01/13 06:14:07 | 000,000,448 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\0jLv20KSb5i08J
[2012/01/13 06:12:40 | 000,000,280 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~0jLv20KSb5i08J
[2012/01/13 06:12:40 | 000,000,176 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~0jLv20KSb5i08Jr
[2012/01/13 06:12:39 | 000,000,896 | ---- | M] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/01/12 15:41:41 | 000,071,457 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\1400 Holiday Inn offer (Clean) 011012.pdf
[2012/01/12 13:10:34 | 000,001,772 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2012/01/12 03:03:42 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/01/12 03:00:00 | 000,000,382 | ---- | M] () -- C:\WINDOWS\tasks\ErrorEND.job
[2012/01/11 19:09:26 | 000,127,404 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\doc 2.pdf
[2012/01/11 19:09:10 | 000,724,739 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\Jeff Andrews Ins App.pdf
[2012/01/10 17:52:00 | 004,261,087 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\Small Group EnrollmentChangeCancellation Form - 10.11.pdf
[2012/01/10 17:52:00 | 000,118,980 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\Membership Maintenance Form - 9.10.pdf
[2012/01/10 17:52:00 | 000,037,773 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\Membership Enrollment Form - 10.10.pdf
[2012/01/09 17:07:42 | 000,501,728 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\Vinakom.pdf
[2012/01/09 12:47:13 | 001,328,874 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\EaganTV Quote rev .pdf
[2012/01/09 01:00:00 | 000,000,354 | ---- | M] () -- C:\WINDOWS\tasks\UHMgt 1275938506.job
[2012/01/08 09:08:55 | 000,655,228 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\Paperwork.pdf
[2012/01/07 10:54:00 | 000,654,456 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\IMAG0575.jpg
[2012/01/06 10:15:09 | 000,113,603 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\RadissonCateringMenu.pdf
[2012/01/05 15:55:14 | 000,075,996 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\salesord270810.pdf
[2012/01/05 15:53:40 | 000,253,426 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\Marketing Flyer - HIBF GM Certification Chicago 27FEB-02MAR11 (1) (2).pdf
[2012/01/05 13:26:44 | 000,094,096 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\fw9 recd from andres gamboa 1 5 2012.pdf
[2012/01/04 13:35:32 | 000,482,700 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\EMBASSYSUITES 3333.pdf
[2012/01/04 03:04:12 | 000,526,618 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\HIEagan_063011.pdf
[2012/01/03 20:11:21 | 000,052,855 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\Estimate # 282 to United Hospitality for HI - Eagen MN.pdf
[2012/01/03 20:10:47 | 000,048,691 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\Holiday Inn - Eagan MN 12-16-11 Model.pdf
[2012/01/03 20:09:01 | 000,082,755 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\Est_42110_from_Grabinski_Gr.pdf
[2012/01/03 20:09:00 | 000,130,329 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\20111221103533597.pdf
[2012/01/03 06:34:19 | 000,068,584 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\pdf_report Eagan PIP tour.pdf
[2012/01/02 12:37:56 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\Microsoft Office Excel 2007.lnk
[2011/12/28 22:43:00 | 000,654,456 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\Cody the Driver.jpg
[2011/12/20 08:11:24 | 000,052,668 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\Cmprtv Inc Stmt Whole Dllrs (2).pdf
[2011/12/19 06:40:05 | 000,069,989 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\Focus Eagan MN.pdf
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/01/14 18:05:05 | 000,001,836 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickBooks Pro 2009.lnk
[2012/01/14 18:05:05 | 000,001,772 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2012/01/14 18:05:05 | 000,000,896 | ---- | C] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/01/14 18:05:05 | 000,000,862 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Canon MF Toolbox 4.9.lnk
[2012/01/14 18:05:05 | 000,000,847 | ---- | C] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/01/14 18:05:05 | 000,000,835 | ---- | C] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
[2012/01/14 18:05:05 | 000,000,820 | ---- | C] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Picasa 3.lnk
[2012/01/14 18:05:05 | 000,000,802 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Picasa 3.lnk
[2012/01/14 18:05:05 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2012/01/14 18:05:04 | 000,002,109 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
[2012/01/14 18:05:04 | 000,001,846 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Search.lnk
[2012/01/14 18:05:04 | 000,001,830 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
[2012/01/14 18:05:04 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Movie Maker.lnk
[2012/01/14 18:05:03 | 000,002,463 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Access.lnk
[2012/01/14 18:05:03 | 000,001,986 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\MSN.lnk
[2012/01/14 18:05:03 | 000,001,723 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/01/14 18:05:02 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 9.lnk
[2012/01/14 18:05:01 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Acrobat.com.lnk
[2012/01/14 18:03:24 | 000,111,872 | ---- | C] () -- C:\WINDOWS\System32\drivers\TrueSight.sys
[2012/01/14 14:12:14 | 000,001,868 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows 7 Upgrade Advisor.lnk
[2012/01/14 14:12:14 | 000,001,862 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Windows 7 Upgrade Advisor.lnk
[2012/01/14 13:53:24 | 000,002,087 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\rminstall[1].exe.lnk
[2012/01/14 11:22:45 | 000,000,858 | ---- | C] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/01/14 00:37:13 | 000,000,609 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Messenger.lnk
[2012/01/13 16:14:32 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll
[2012/01/13 16:14:31 | 000,002,125 | ---- | C] () -- C:\WINDOWS\UDB.zip
[2012/01/13 16:14:31 | 000,000,882 | ---- | C] () -- C:\WINDOWS\RegSDImport.xml
[2012/01/13 16:14:31 | 000,000,879 | ---- | C] () -- C:\WINDOWS\RegISSImport.xml
[2012/01/13 16:14:31 | 000,000,131 | ---- | C] () -- C:\WINDOWS\IDB.zip
[2012/01/13 15:19:21 | 000,634,956 | ---- | C] () -- C:\WINDOWS\System32\drivers\Cat.DB
[2012/01/13 15:19:01 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2012/01/13 15:17:02 | 000,512,992 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\sdsetup_revwire207.exe
[2012/01/13 06:12:40 | 000,000,280 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~0jLv20KSb5i08J
[2012/01/13 06:12:40 | 000,000,176 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~0jLv20KSb5i08Jr
[2012/01/13 06:12:36 | 000,000,448 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\0jLv20KSb5i08J
[2012/01/12 15:41:40 | 000,071,457 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\1400 Holiday Inn offer (Clean) 011012.pdf
[2012/01/11 22:03:50 | 000,127,404 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\doc 2.pdf
[2012/01/11 22:03:41 | 000,724,739 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\Jeff Andrews Ins App.pdf
[2012/01/10 17:52:00 | 004,261,087 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\Small Group EnrollmentChangeCancellation Form - 10.11.pdf
[2012/01/10 17:52:00 | 000,118,980 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\Membership Maintenance Form - 9.10.pdf
[2012/01/10 17:52:00 | 000,037,773 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\Membership Enrollment Form - 10.10.pdf
[2012/01/09 20:56:26 | 000,501,728 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\Vinakom.pdf
[2012/01/09 12:47:13 | 001,328,874 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\EaganTV Quote rev .pdf
[2012/01/07 10:54:00 | 000,654,456 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\IMAG0575.jpg
[2012/01/06 10:15:09 | 000,113,603 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\RadissonCateringMenu.pdf
[2012/01/05 15:55:14 | 000,075,996 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\salesord270810.pdf
[2012/01/05 15:53:40 | 000,253,426 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\Marketing Flyer - HIBF GM Certification Chicago 27FEB-02MAR11 (1) (2).pdf
[2012/01/05 13:26:44 | 000,094,096 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\fw9 recd from andres gamboa 1 5 2012.pdf
[2012/01/04 13:35:32 | 000,482,700 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\EMBASSYSUITES 3333.pdf
[2012/01/04 03:04:12 | 000,526,618 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\HIEagan_063011.pdf
[2012/01/03 20:11:21 | 000,052,855 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\Estimate # 282 to United Hospitality for HI - Eagen MN.pdf
[2012/01/03 20:10:47 | 000,048,691 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\Holiday Inn - Eagan MN 12-16-11 Model.pdf
[2012/01/03 20:09:01 | 000,082,755 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\Est_42110_from_Grabinski_Gr.pdf
[2012/01/03 20:09:00 | 000,130,329 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\20111221103533597.pdf
[2012/01/03 10:54:25 | 000,655,228 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\Paperwork.pdf
[2012/01/03 06:34:19 | 000,068,584 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\pdf_report Eagan PIP tour.pdf
[2011/12/28 22:43:00 | 000,654,456 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\Cody the Driver.jpg
[2011/12/20 08:11:24 | 000,052,668 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\Cmprtv Inc Stmt Whole Dllrs (2).pdf
[2011/12/19 06:40:05 | 000,069,989 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\Focus Eagan MN.pdf
[2010/08/23 09:21:20 | 000,000,323 | ---- | C] () -- C:\WINDOWS\System32\CNCMFP36.INI
[2010/07/07 12:06:56 | 000,114,504 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/04/08 13:37:56 | 000,003,584 | -H-- | C] () -- C:\Documents and Settings\steve\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/25 12:37:36 | 000,001,793 | -H-- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 14:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/07/20 16:17:50 | 000,001,324 | ---- | C] () -- C:\Documents and Settings\steve\Local Settings\Application Data\d3d9caps.dat
[2009/03/11 13:05:48 | 000,051,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2009/03/01 10:25:42 | 000,000,256 | ---- | C] () -- C:\WINDOWS\System32\pool.bin
[2009/02/21 13:07:19 | 000,000,069 | -H-- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/02/16 18:22:47 | 000,000,090 | -H-- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
[2009/02/16 17:24:11 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/02/16 11:54:28 | 000,000,976 | -H-- | C] () -- C:\WINDOWS\hpbvnstp.ini
[2009/02/16 11:07:16 | 000,000,373 | ---- | C] () -- C:\WINDOWS\System32\CNCMFP20.INI
[2009/02/16 11:04:12 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\IPPCPUID.DLL
[2009/02/16 11:04:00 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\pmsbfn32.dll
[2009/02/16 11:03:07 | 000,000,416 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2009/02/13 15:29:26 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2009/02/13 15:28:49 | 000,147,456 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4864.dll
[2009/02/13 15:19:07 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/02/13 15:14:21 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/02/13 08:16:46 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/02/13 08:15:35 | 000,154,768 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/05/26 21:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 21:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2008/04/14 06:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/04/14 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/14 06:00:00 | 000,503,718 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/14 06:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/14 06:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/14 06:00:00 | 000,095,086 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/14 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/14 06:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/14 06:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/14 06:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/04/14 06:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/14 06:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2007/09/27 10:51:02 | 000,020,698 | -H-- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | -H-- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | -H-- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2003/05/14 14:20:44 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\HPBVNSTP.dll
[2002/12/19 15:20:26 | 000,000,209 | ---- | C] () -- C:\WINDOWS\System32\HPBVNSTP.dat

========== LOP Check ==========

[2010/02/01 15:49:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CitrixLogs
[2009/02/16 18:22:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2011/10/12 20:36:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ErrorEND
[2009/02/16 23:00:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2009/02/16 11:03:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2009/02/16 18:35:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SQL Anywhere 10
[2012/01/14 17:43:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/05/07 06:01:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Guest\Application Data\Windows Desktop Search
[2012/01/14 12:00:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Master\Application Data\Windows Search
[2009/03/01 10:26:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\Blackberry Desktop
[2010/08/25 17:26:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\Canon
[2010/10/27 03:06:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\Centra
[2012/01/12 14:24:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\Dropbox
[2011/10/15 13:44:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\ElevatedDiagnostics
[2011/10/15 13:29:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\FixCleaner
[2010/08/17 11:14:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\mjusbsp
[2009/02/16 11:33:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\NewSoft
[2011/10/11 09:23:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\PC Cleaners
[2012/01/14 13:53:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\Product_RM
[2009/03/01 08:53:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\Research In Motion
[2010/10/27 03:06:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\Saba
[2009/02/16 11:03:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\ScanSoft
[2011/05/26 12:02:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\webex
[2009/02/24 16:07:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\Windows Desktop Search
[2009/04/12 09:05:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\Windows Search
[2012/01/14 17:43:35 | 000,000,616 | ---- | M] () -- C:\WINDOWS\Tasks\ConfigExec.job
[2012/01/14 18:06:00 | 000,000,580 | ---- | M] () -- C:\WINDOWS\Tasks\DataUpload.job
[2012/01/12 03:00:00 | 000,000,382 | ---- | M] () -- C:\WINDOWS\Tasks\ErrorEND.job
[2012/01/14 17:48:27 | 000,000,424 | ---- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2012/01/09 01:00:00 | 000,000,354 | ---- | M] () -- C:\WINDOWS\Tasks\UHMgt 1275938506.job
[2012/01/14 17:44:41 | 000,000,422 | ---- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{BB73D801-7157-4769-9E13-A1753497B9A0}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: EXPLORER.EXE >
[2008/04/14 06:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 06:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\system32\dllcache\explorer.exe

< MD5 for: SVCHOST.EXE >
[2008/04/14 06:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\dllcache\svchost.exe
[2008/04/14 06:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe

< MD5 for: USERINIT.EXE >
[2008/04/14 06:00:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\dllcache\userinit.exe
[2008/04/14 06:00:00 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2008/04/14 06:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2008/04/14 06:00:00 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s >
"Type" = 1
"Start" = 1
"ErrorControl" = 1
"Tag" = 6
"ImagePath" = system32\DRIVERS\netbt.sys -- [2008/04/14 06:00:00 | 000,162,816 | ---- | M] (Microsoft Corporation)
"DisplayName" = NetBios over Tcpip
"Group" = PNP_TDI
"DependOnService" = Tcpip [binary data]
"DependOnGroup" = [binary data]
"Description" = NetBios over Tcpip
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Linkage]
"OtherDependencies" = Tcpip [binary data]
"Bind" = [Binary data over 100 bytes]
"Route" = [Binary data over 100 bytes]
"Export" = [Binary data over 100 bytes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters]
"NbProvider" = _tcp
"NameServerPort" = 137
"CacheTimeout" = 600000
"BcastNameQueryCount" = 3
"BcastQueryTimeout" = 750
"NameSrvQueryCount" = 3
"NameSrvQueryTimeout" = 1500
"Size/Small/Medium/Large" = 1
"SessionKeepAlive" = 3600000
"TransportBindName" = \Device\
"EnableLMHOSTS" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_{626B7404-2A90-4AB0-9B56-AC0CEBDE9935}]
"NameServerList" = [binary data]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_{6B57CC59-D7F0-4E78-83E4-A9FBD0AE04EE}]
"NameServerList" = [binary data]
"NetbiosOptions" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_{8B47F2D8-76EE-4CA9-9F53-9105B1CB3FC5}]
"NameServerList" = [binary data]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_{ED2DA8D7-FF24-42EE-B5EC-FBA5FAE0B57C}]
"NameServerList" = [binary data]
"NetbiosOptions" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Security]
"Security" = [Binary data over 100 bytes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Enum]
"0" = Root\LEGACY_NETBT\0000
"Count" = 1
"NextInstance" = 1

< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s >
"Type" = 2
"Start" = 1
"ErrorControl" = 1
"Tag" = 1
"ImagePath" = system32\DRIVERS\netbios.sys -- [2008/04/14 06:00:00 | 000,034,688 | ---- | M] (Microsoft Corporation)
"DisplayName" = NetBIOS Interface
"Group" = NetBIOSGroup
"Description" = NetBIOS Interface
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS\Linkage]
"LanaMap" = 01 03 01 00 00 01 00 02 [binary data]
"Bind" = [Binary data over 100 bytes]
"Route" = [Binary data over 100 bytes]
"Export" = [Binary data over 100 bytes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS\Parameters]
"MaxLana" = 3
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS\Parameters\Winsock]
"HelperDllName" = %SystemRoot%\System32\wshnetbs.dll -- [2008/04/14 06:00:00 | 000,007,168 | ---- | M] (Microsoft Corporation)
"MaxSockAddrLength" = 20
"MinSockAddrLength" = 20
"Mapping" = 02 00 00 00 03 00 00 00 11 00 00 00 05 00 00 00 00 00 00 00 11 00 00 00 02 00 00 00 00 00 00 00 [binary data]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS\Security]
"Security" = [Binary data over 100 bytes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS\Enum]
"0" = Root\LEGACY_NETBIOS\0000
"Count" = 1
"NextInstance" = 1

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/11/04 05:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/11/04 05:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/11/04 05:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/11/04 05:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/11/04 05:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/11/04 05:24:17 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2009/03/08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< C:\Windows\assembly\tmp\U\*.* /s >

< %Temp%\smtmp\1\*.* >
[2009/02/13 15:17:21 | 000,000,294 | -HS- | M] () -- C:\DOCUME~1\steve\LOCALS~1\Temp\smtmp\1\desktop.ini
[2009/02/16 17:23:54 | 000,001,992 | ---- | M] () -- C:\DOCUME~1\steve\LOCALS~1\Temp\smtmp\1\New Office Document.lnk
[2009/02/16 17:23:54 | 000,002,002 | ---- | M] () -- C:\DOCUME~1\steve\LOCALS~1\Temp\smtmp\1\Open Office Document.lnk
[2009/02/13 15:17:21 | 000,001,607 | ---- | M] () -- C:\DOCUME~1\steve\LOCALS~1\Temp\smtmp\1\Set Program Access and Defaults.lnk
[2009/03/01 10:23:23 | 000,002,021 | ---- | M] () -- C:\DOCUME~1\steve\LOCALS~1\Temp\smtmp\1\Software Manager.lnk
[2009/02/13 15:17:21 | 000,000,398 | ---- | M] () -- C:\DOCUME~1\steve\LOCALS~1\Temp\smtmp\1\Windows Catalog.lnk
[2009/02/13 15:44:45 | 000,001,507 | ---- | M] () -- C:\DOCUME~1\steve\LOCALS~1\Temp\smtmp\1\Windows Update.lnk

< %Temp%\smtmp\2\*.* >
[2009/02/13 15:23:42 | 000,000,119 | -HS- | M] () -- C:\DOCUME~1\steve\LOCALS~1\Temp\smtmp\2\desktop.ini
[2009/05/10 13:12:52 | 000,000,858 | ---- | M] () -- C:\DOCUME~1\steve\LOCALS~1\Temp\smtmp\2\Launch Internet Explorer Browser.lnk
[2009/05/13 06:43:45 | 000,000,835 | ---- | M] () -- C:\DOCUME~1\steve\LOCALS~1\Temp\smtmp\2\Microsoft Office Outlook.lnk
[2011/10/27 11:18:14 | 000,000,820 | ---- | M] () -- C:\DOCUME~1\steve\LOCALS~1\Temp\smtmp\2\Picasa 3.lnk
[2009/02/13 15:23:41 | 000,000,079 | ---- | M] () -- C:\DOCUME~1\steve\LOCALS~1\Temp\smtmp\2\Show Desktop.scf
[2012/01/13 06:12:39 | 000,000,896 | ---- | M] () -- C:\DOCUME~1\steve\LOCALS~1\Temp\smtmp\2\System Check.lnk
[2009/04/19 12:23:29 | 000,000,847 | ---- | M] () -- C:\DOCUME~1\steve\LOCALS~1\Temp\smtmp\2\Windows Media Player.lnk

< %Temp%\smtmp\3\*.* >

< %Temp%\smtmp\4\*.* >
[2012/01/12 13:10:34 | 000,001,772 | ---- | M] () -- C:\DOCUME~1\steve\LOCALS~1\Temp\smtmp\4\Adobe Reader 9.lnk
[2010/08/23 09:23:00 | 000,000,862 | ---- | M] () -- C:\DOCUME~1\steve\LOCALS~1\Temp\smtmp\4\Canon MF Toolbox 4.9.lnk
[2011/10/27 11:18:14 | 000,000,802 | ---- | M] () -- C:\DOCUME~1\steve\LOCALS~1\Temp\smtmp\4\Picasa 3.lnk
[2009/02/16 18:27:49 | 000,001,836 | ---- | M] () -- C:\DOCUME~1\steve\LOCALS~1\Temp\smtmp\4\QuickBooks Pro 2009.lnk

< >

========== Alternate Data Streams ==========

@Alternate Data Stream - 184 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1

< End of report >

#6
s0nginmyheart

    Member

  • Topic Starter
  • Member
  • 147 posts
OTL Extras logfile created on: 1/14/2012 6:12:29 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = G:\My Documents old\anti virus
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 0.75 Gb Available Physical Memory | 37.73% Memory free
3.84 Gb Paging File | 2.79 Gb Available in Paging File | 72.61% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.29 Gb Total Space | 9.39 Gb Free Space | 32.04% Space Free | Partition Type: NTFS
Drive F: | 29.29 Gb Total Space | 10.94 Gb Free Space | 37.33% Space Free | Partition Type: NTFS
Drive G: | 902.14 Gb Total Space | 868.46 Gb Free Space | 96.27% Space Free | Partition Type: NTFS
Drive H: | 465.76 Gb Total Space | 273.43 Gb Free Space | 58.71% Space Free | Partition Type: NTFS

Computer Name: STEVE-E192E14C2 | User Name: steve | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\fxsclnt.exe" = C:\WINDOWS\system32\fxsclnt.exe:*:Enabled:Microsoft Fax Console -- (Microsoft Corporation)
"C:\Documents and Settings\steve\Application Data\Dropbox\bin\Dropbox.exe" = C:\Documents and Settings\steve\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox -- (Dropbox, Inc.)
"C:\Documents and Settings\steve\Local Settings\Temp\G2_626\g2viewer.exe" = C:\Documents and Settings\steve\Local Settings\Temp\G2_626\g2viewer.exe:*:Enabled:GoToMyPC Viewer


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
"{07300F01-89CA-4CF8-92BD-2A605EB83C95}" = EasySaver B8.0729.1
"{0ADEA8E1-B211-41B8-8DD4-D9A5FB04A5FA}" =
"{2000BE04-8B25-4776-93FC-830959521033}" = Nero 7 Essentials
"{267D350E-51AB-40B8-AF9F-DA7ED5687044}" =
"{329899E1-CBBA-49BC-9FFE-199E94316727}" =
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{582287DA-0806-4AC0-BF19-C15E3A466034}" = LightScribe System Software 1.12.33.2
"{58F4D4FD-1814-4068-B316-C28FC776C6DD}" = GoToMyPC
"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
"{5BE226B3-1722-4fd0-9E39-997712B68F67}" = Canon MF8000 Series
"{5EED93A8-33AD-46A7-A6AC-4DEAFBEFEEE1}" = Roxio Media Manager
"{6767DFEE-8909-453A-B553-C7693912B2EB}" = Canon MF Toolbox 4.9.1.1.mf09
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7A9DC8F6-2466-4E04-BF51-BE499C5D02BD}" =
"{85BD5F12-49EF-4B40-B1E0-77D85F6E99BF}" =
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_STANDARDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_STANDARDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_STANDARDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_STANDARDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_STANDARDR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_STANDARDR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_STANDARDR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_STANDARDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_STANDARDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{91120000-0012-0000-0000-0000000FF1CE}" = Microsoft Office Standard 2007
"{91120000-0012-0000-0000-0000000FF1CE}_STANDARDR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0012-0000-0000-0000000FF1CE}_STANDARDR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9A2F0810-3622-4E86-9072-973FBE1679C5}" = QuickBooks Pro 2009
"{9A2F0810-369F-4E86-9072-973FBE1679C5}" = QuickBooks
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}.KB300003" =
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}.KB958483" =
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}.KB960043" =
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}.KB975195" =
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}.KB976570" =
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}.KB976578" =
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}.KB976578v2" =
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}.KB976769" =
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}.KB976769v2" =
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}.KB977354" =
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}.KB977354v2" =
"{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}" = Windows 7 Upgrade Advisor
"{AC76BA86-7AD7-1033-7B44-A95000000001}" = Adobe Reader 9.5.0
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{BB8B979E-E336-47E7-96BC-1031C1B94561}" =
"{BEE64C14-BEF1-4610-8A68-A16EAA47B882}" = Futuremark SystemInfo
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C178B38F-613A-4EFE-B718-A675BD27A1E1}" = BlackBerry Desktop Software 4.3
"{C1E693A4-B1D5-4DCD-B68D-2087835B7184}" = ScanSoft OmniPage SE 4.0
"{C628EC93-8E17-4114-BCE7-2D181B93FA0F}" =
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB350003" =
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB960043" =
"{D2D6B9EB-C6DC-4DAA-B4DE-BB7D9735E7DA}" = Presto! PageManager 7.15.14
"{E8AEA11B-E60A-455E-B008-E4E763604612}" = Browser Configuration Utility
"{EA9741F6-A7F2-497B-BBE4-2ED0136649BE}" =
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"ActiveTouchMeetingClient" = WebEx
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Agere Systems Soft Modem" = Agere Systems USB 2.0 Soft Modem
"BlackBerry_{C178B38F-613A-4EFE-B718-A675BD27A1E1}" = BlackBerry Desktop Software 4.3
"Browser Defender_is1" = Browser Defender 3.0
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"HDMI" = Intel® Graphics Media Accelerator Driver
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime
"Neolog_is1" = Neolog 1.0
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Picasa 3" = Picasa 3
"Spyware Doctor" = Spyware Doctor
"STANDARDR" = Microsoft Office Standard 2007
"Windows Media Format Runtime" = Windows Media Format Runtime

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-789336058-1482476501-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/14/2012 3:08:28 PM | Computer Name = STEVE-E192E14C2 | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 1/14/2012 3:08:28 PM | Computer Name = STEVE-E192E14C2 | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 1/14/2012 3:09:21 PM | Computer Name = STEVE-E192E14C2 | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 1/14/2012 3:09:21 PM | Computer Name = STEVE-E192E14C2 | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 1/14/2012 3:09:21 PM | Computer Name = STEVE-E192E14C2 | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 1/14/2012 3:09:21 PM | Computer Name = STEVE-E192E14C2 | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 1/14/2012 4:28:59 PM | Computer Name = STEVE-E192E14C2 | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 1/14/2012 4:28:59 PM | Computer Name = STEVE-E192E14C2 | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 1/14/2012 4:28:59 PM | Computer Name = STEVE-E192E14C2 | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 1/14/2012 4:28:59 PM | Computer Name = STEVE-E192E14C2 | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

[ ODiag Events ]
Error - 12/7/2009 11:22:51 PM | Computer Name = STEVE-E192E14C2 | Source = Microsoft Office 12 Diagnostics | ID = 320
Description = An unexpected error occurred. Tag: 2kgl. Error code: N/A

Error - 9/20/2010 4:46:34 PM | Computer Name = STEVE-E192E14C2 | Source = Microsoft Office 12 Diagnostics | ID = 320
Description = An unexpected error occurred. Tag: 2kgl. Error code: N/A

Error - 9/20/2010 4:59:29 PM | Computer Name = STEVE-E192E14C2 | Source = Microsoft Office 12 Diagnostics | ID = 320
Description = An unexpected error occurred. Tag: 2kgl. Error code: N/A

Error - 9/20/2010 4:59:46 PM | Computer Name = STEVE-E192E14C2 | Source = Microsoft Office 12 Diagnostics | ID = 320
Description = An unexpected error occurred. Tag: 2kgl. Error code: N/A

Error - 9/20/2010 5:05:38 PM | Computer Name = STEVE-E192E14C2 | Source = Microsoft Office 12 Diagnostics | ID = 320
Description = An unexpected error occurred. Tag: 2kgl. Error code: N/A

Error - 9/20/2010 5:56:36 PM | Computer Name = STEVE-E192E14C2 | Source = Microsoft Office 12 Diagnostics | ID = 320
Description = An unexpected error occurred. Tag: 2kgl. Error code: N/A


========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

#7
s0nginmyheart

    Member

  • Topic Starter
  • Member
  • 147 posts
Thanks for your valued input! I was able to run all the scans except for the very last program (aswMBR). Can you please advise? Thanks in advance---

#8
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, let's recover the remainder of the files and folders first, and then look to see why aswMBR did not run.

On completion of this run, can you let me know if all menus, files and folders have returned?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes, and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O4 - HKLM..\Run: [GEST] = File not found
    O33 - MountPoints2\{f9da7832-fbd2-11dd-b548-001fd0ad5421}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\m.exe /s
    [2012/01/13 06:14:07 | 000,000,448 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\0jLv20KSb5i08J
    [2012/01/13 06:12:40 | 000,000,280 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~0jLv20KSb5i08J
    [2012/01/13 06:12:40 | 000,000,176 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~0jLv20KSb5i08Jr
    [2012/01/13 06:12:39 | 000,000,896 | ---- | M] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk

    :Files
    ipconfig /flushdns /c
    xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
    xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
    xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
    xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C

    :Commands
    [purity]
    [resethosts]
    [emptyjava]
    [emptyflash]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Do the following:
Start -> Run
type diskmgmt.msc
Click "OK"

Disk Management will open.

Click and hold the right side of the Disk Management window and drag it to the right until you can see all the columns.

Take a screen shot of the Disk Management window and attach the screen shot to your reply.

FINALLY

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

#9
s0nginmyheart

    Member

  • Topic Starter
  • Member
  • 147 posts
OTL logfile created on: 1/16/2012 10:00:59 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = G:\My Documents old\anti virus
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.09 Gb Available Physical Memory | 54.56% Memory free
3.84 Gb Paging File | 3.04 Gb Available in Paging File | 79.12% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.29 Gb Total Space | 9.70 Gb Free Space | 33.10% Space Free | Partition Type: NTFS
Drive F: | 29.29 Gb Total Space | 10.94 Gb Free Space | 37.34% Space Free | Partition Type: NTFS
Drive G: | 902.14 Gb Total Space | 868.37 Gb Free Space | 96.26% Space Free | Partition Type: NTFS
Drive H: | 465.76 Gb Total Space | 273.43 Gb Free Space | 58.71% Space Free | Partition Type: NTFS

Computer Name: STEVE-E192E14C2 | User Name: steve | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/16 09:54:15 | 000,584,192 | ---- | M] (OldTimer Tools) -- G:\My Documents old\anti virus\OTL.exe
PRC - [2011/11/13 07:53:42 | 002,996,592 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2tray.exe
PRC - [2011/11/13 07:53:40 | 000,946,032 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe
PRC - [2011/11/13 07:53:36 | 002,120,048 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2pre.exe
PRC - [2011/11/13 07:53:28 | 001,687,408 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2comm.exe
PRC - [2011/09/01 18:42:06 | 024,183,152 | ---- | M] (Dropbox, Inc.) -- C:\Documents and Settings\steve\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2011/06/22 06:13:46 | 000,984,936 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2011/06/22 04:57:14 | 000,045,056 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2011/06/15 14:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2011/04/27 14:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2011/01/07 14:54:12 | 000,108,496 | ---- | M] (Threat Expert Ltd.) -- C:\Program Files\PC Tools Security\BDT\FGuard.exe
PRC - [2011/01/07 14:54:08 | 000,247,760 | ---- | M] (Threat Expert Ltd.) -- C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe
PRC - [2009/06/18 12:42:26 | 000,479,232 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT.EXE
PRC - [2008/08/26 19:02:00 | 000,014,336 | ---- | M] (Agere Systems) -- C:\Program Files\LSI SoftModem\agrsmsvc.exe
PRC - [2008/07/17 13:21:34 | 000,080,392 | ---- | M] () -- C:\Program Files\Gigabyte\EasySaver\essvr.exe
PRC - [2008/04/14 06:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/27 18:04:00 | 001,213,736 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
PRC - [2007/06/27 18:03:40 | 000,152,872 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
PRC - [2007/06/25 07:47:24 | 001,629,480 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
PRC - [2007/06/25 07:47:12 | 001,552,680 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
PRC - [2007/06/25 07:47:02 | 001,057,064 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\InCD\InCD.exe


========== Modules (No Company Name) ==========

MOD - [2011/10/14 02:08:56 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\abef85f2fb8ba830eda73e2d12e8d41e\System.ServiceProcess.ni.dll
MOD - [2011/10/14 02:04:28 | 007,950,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\af39f6e644af02873b9bae319f2bfb13\System.ni.dll
MOD - [2011/10/14 02:04:20 | 011,490,816 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll
MOD - [2011/01/07 14:54:18 | 000,200,144 | ---- | M] () -- C:\Program Files\PC Tools Security\BDT\Utility.dll
MOD - [2008/07/17 13:21:34 | 000,080,392 | ---- | M] () -- C:\Program Files\Gigabyte\EasySaver\essvr.exe
MOD - [2007/12/07 14:24:56 | 000,117,256 | ---- | M] () -- C:\Program Files\Gigabyte\EasySaver\ycc.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/11/13 07:53:40 | 000,946,032 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [Auto | Running] -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe -- (GoToMyPC)
SRV - [2011/06/22 04:57:14 | 000,045,056 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2011/04/27 14:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2011/01/07 14:54:08 | 000,247,760 | ---- | M] (Threat Expert Ltd.) [Auto | Running] -- C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)
SRV - [2010/12/31 09:36:22 | 000,070,928 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\PC Tools Security\TFEngine\TFService.exe -- (ThreatFire)
SRV - [2010/11/19 06:57:14 | 001,150,936 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\PC Tools Security\pctsSvc.exe -- (sdCoreService)
SRV - [2010/03/15 14:02:36 | 000,366,840 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\PC Tools Security\pctsAuxs.exe -- (sdAuxService)
SRV - [2008/08/26 19:02:00 | 000,014,336 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Program Files\LSI SoftModem\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2008/08/08 21:10:46 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2008/07/17 13:21:34 | 000,080,392 | ---- | M] () [Auto | Running] -- C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE -- (ES lite Service)
SRV - [2007/06/25 07:47:12 | 001,552,680 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe -- (InCDsrv)


========== Driver Services (SafeList) ==========

DRV - [2012/01/16 09:58:25 | 000,016,608 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\gdrv.sys -- (gdrv)
DRV - [2012/01/16 09:58:17 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9F99AAFD-6B04-4C15-B464-9B1A7B51951F}\MpKsl800e5a92.sys -- (MpKsl800e5a92)
DRV - [2011/01/17 09:10:26 | 000,251,560 | ---- | M] (PC Tools) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\pctgntdi.sys -- (pctgntdi)
DRV - [2010/12/31 09:36:40 | 000,069,392 | --S- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfSysMon.sys -- (TFSysMon)
DRV - [2010/12/31 09:36:38 | 000,033,552 | --S- | M] (PC Tools) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TfNetMon.sys -- (TfNetMon)
DRV - [2010/12/31 09:36:36 | 000,051,984 | --S- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfFsMon.sys -- (TfFsMon)
DRV - [2010/12/16 08:46:04 | 000,070,536 | ---- | M] (PC Tools) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pctplsg.sys -- (pctplsg)
DRV - [2010/12/10 13:24:12 | 000,239,168 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2010/07/16 14:59:54 | 000,656,320 | ---- | M] (PC Tools) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pctEFA.sys -- (pctEFA)
DRV - [2010/07/16 14:59:54 | 000,338,880 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\pctDS.sys -- (pctDS)
DRV - [2008/11/21 21:53:00 | 001,204,128 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2008/02/14 03:04:06 | 004,676,096 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/01/03 08:10:16 | 000,105,856 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007/06/25 07:47:12 | 000,038,440 | ---- | M] (Nero AG) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\InCDRm.sys -- (incdrm)
DRV - [2007/06/25 07:47:12 | 000,036,776 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDPass.sys -- (InCDPass)
DRV - [2007/06/25 07:47:02 | 000,119,080 | ---- | M] (Nero AG) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\InCDfs.sys -- (InCDfs)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = www.live.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = www.live.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll (DeviceVM Inc.)
IE - HKCU\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{cb84136f-9c44-433a-9048-c5cd9df1dc16}: C:\Program Files\PC Tools Security\BDT\Firefox\ [2012/01/13 16:14:32 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2012/01/16 09:56:10 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\PC Tools Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe (Nero AG)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [MFNetworkScanUtility] C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT.EXE (CANON INC.)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [PCTools FGuard] C:\Program Files\PC Tools Security\BDT\FGuard.exe (Threat Expert Ltd.)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe (Nero AG)
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\steve\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\steve\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.appl...ex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1234561590796 (WUWebControl Class)
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} https://www1.gotomee...ets/g2mdlax.cab (GoToMeeting/GoToWebinar Web Starter)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} http://dclive.future...eivers/FMSI.cab (Futuremark SystemInfo)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://hiltonhotels...bex/ieatgpc.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.1.10.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{ED2DA8D7-FF24-42EE-B5EC-FBA5FAE0B57C}: DhcpNameServer = 10.1.10.1
O18 - Protocol\Handler\intu-help-qb2 {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToMyPC: DllName - (C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll) - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\steve\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\steve\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/13 15:17:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/01/23 18:45:44 | 000,000,000 | ---- | M] () - F:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2007/05/31 16:17:24 | 000,000,118 | ---- | M] () - H:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\{74ac1887-0822-11df-b582-001fd0ad5421}\Shell - "" = AutoRun
O33 - MountPoints2\{74ac1887-0822-11df-b582-001fd0ad5421}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{74ac1887-0822-11df-b582-001fd0ad5421}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -a
O33 - MountPoints2\{942e5bf0-bb6f-11df-b59e-001fd0ad5421}\Shell\AutoRun\command - "" = K:\MULTIM~1.EXE
O33 - MountPoints2\{942e5bf0-bb6f-11df-b59e-001fd0ad5421}\Shell\doubleTwist\command - "" = K:\MULTIM~1.EXE
O33 - MountPoints2\{c83e732d-0f4f-11de-b558-001fd0ad5421}\Shell - "" = AutoRun
O33 - MountPoints2\{c83e732d-0f4f-11de-b558-001fd0ad5421}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c83e732d-0f4f-11de-b558-001fd0ad5421}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL /2009InterimPlan/pptview.exe /L "playlist.txt"
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/16 09:55:47 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/01/16 09:54:14 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\steve\Desktop\OTL.exe
[2012/01/15 10:24:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\update
[2012/01/14 18:23:54 | 004,713,472 | ---- | C] (AVAST Software) -- C:\Documents and Settings\steve\Desktop\aswMBR.exe
[2012/01/14 18:03:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Desktop\RK_Quarantine
[2012/01/14 18:02:02 | 000,000,000 | ---D | C] -- G:\My Documents old\anti virus
[2012/01/14 14:12:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\Performance
[2012/01/14 14:12:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Local Settings\Application Data\Microsoft Corporation
[2012/01/14 14:12:13 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Windows 7 Upgrade Advisor
[2012/01/14 13:53:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Application Data\Product_RM
[2012/01/13 22:36:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Local Settings\Application Data\Threat Expert
[2012/01/13 16:23:54 | 000,069,392 | --S- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfSysMon.sys
[2012/01/13 16:23:54 | 000,051,984 | --S- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfFsMon.sys
[2012/01/13 16:23:54 | 000,033,552 | --S- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\TfNetMon.sys
[2012/01/13 16:14:31 | 002,000,848 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll
[2012/01/13 16:14:31 | 001,533,904 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDRes.dll
[2012/01/13 16:14:31 | 000,149,456 | ---- | C] (PC Tools) -- C:\WINDOWS\SGDetectionTool.dll
[2012/01/13 15:19:20 | 000,656,320 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctEFA.sys
[2012/01/13 15:19:20 | 000,338,880 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctDS.sys
[2012/01/13 15:19:16 | 000,251,560 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2012/01/13 15:19:04 | 000,239,168 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2012/01/13 15:19:04 | 000,160,448 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
[2012/01/13 15:19:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\PC Tools Security
[2012/01/13 15:18:52 | 000,070,536 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2012/01/13 15:18:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/01/13 15:18:20 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools Security
[2012/01/13 15:18:20 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2012/01/13 15:18:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Application Data\PC Tools
[2012/01/13 15:17:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2012/01/13 13:32:44 | 000,000,000 | R--D | C] -- C:\Documents and Settings\steve\Recent
[2012/01/13 06:12:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\steve\Start Menu\Programs\System Check
[2011/12/19 15:42:28 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Futuremark Shared
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/16 10:06:29 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{BB73D801-7157-4769-9E13-A1753497B9A0}.job
[2012/01/16 10:06:00 | 000,000,580 | -H-- | M] () -- C:\WINDOWS\tasks\DataUpload.job
[2012/01/16 10:03:17 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2012/01/16 09:58:47 | 000,012,598 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/16 09:58:32 | 000,000,616 | -H-- | M] () -- C:\WINDOWS\tasks\ConfigExec.job
[2012/01/16 09:58:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/16 09:56:10 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2012/01/16 09:54:15 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\steve\Desktop\OTL.exe
[2012/01/16 09:28:35 | 000,001,324 | ---- | M] () -- C:\Documents and Settings\steve\Local Settings\Application Data\d3d9caps.dat
[2012/01/16 01:00:00 | 000,000,354 | -H-- | M] () -- C:\WINDOWS\tasks\UHMgt 1275938506.job
[2012/01/15 10:17:55 | 000,154,768 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/01/15 10:07:20 | 000,111,872 | ---- | M] () -- C:\WINDOWS\System32\drivers\TrueSight.sys
[2012/01/15 09:52:26 | 004,713,472 | ---- | M] (AVAST Software) -- C:\Documents and Settings\steve\Desktop\aswMBR.exe
[2012/01/15 03:00:00 | 000,000,382 | ---- | M] () -- C:\WINDOWS\tasks\ErrorEND.job
[2012/01/14 14:12:14 | 000,001,862 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Windows 7 Upgrade Advisor.lnk
[2012/01/14 13:53:24 | 000,002,087 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\rminstall[1].exe.lnk
[2012/01/13 15:19:29 | 000,634,956 | ---- | M] () -- C:\WINDOWS\System32\drivers\Cat.DB
[2012/01/13 15:19:01 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2012/01/13 15:15:54 | 000,512,992 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\sdsetup_revwire207.exe
[2012/01/13 06:12:39 | 000,000,896 | ---- | M] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/01/12 13:10:34 | 000,001,772 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2012/01/12 03:03:42 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/01/02 12:37:56 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\Microsoft Office Excel 2007.lnk
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/01/16 09:56:03 | 000,000,896 | ---- | C] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/01/14 18:05:05 | 000,001,836 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickBooks Pro 2009.lnk
[2012/01/14 18:05:05 | 000,001,772 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2012/01/14 18:05:05 | 000,000,862 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Canon MF Toolbox 4.9.lnk
[2012/01/14 18:05:05 | 000,000,847 | ---- | C] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/01/14 18:05:05 | 000,000,835 | ---- | C] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
[2012/01/14 18:05:05 | 000,000,820 | ---- | C] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Picasa 3.lnk
[2012/01/14 18:05:05 | 000,000,802 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Picasa 3.lnk
[2012/01/14 18:05:05 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2012/01/14 18:05:04 | 000,002,109 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
[2012/01/14 18:05:04 | 000,001,846 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Search.lnk
[2012/01/14 18:05:04 | 000,001,830 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
[2012/01/14 18:05:04 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Movie Maker.lnk
[2012/01/14 18:05:03 | 000,002,463 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Access.lnk
[2012/01/14 18:05:03 | 000,001,986 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\MSN.lnk
[2012/01/14 18:05:03 | 000,001,723 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/01/14 18:05:02 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 9.lnk
[2012/01/14 18:05:01 | 000,000,740 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Acrobat.com.lnk
[2012/01/14 18:03:24 | 000,111,872 | ---- | C] () -- C:\WINDOWS\System32\drivers\TrueSight.sys
[2012/01/14 14:12:14 | 000,001,868 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows 7 Upgrade Advisor.lnk
[2012/01/14 14:12:14 | 000,001,862 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Windows 7 Upgrade Advisor.lnk
[2012/01/14 13:53:24 | 000,002,087 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\rminstall[1].exe.lnk
[2012/01/14 11:22:45 | 000,000,858 | ---- | C] () -- C:\Documents and Settings\steve\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/01/14 00:37:13 | 000,000,609 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Messenger.lnk
[2012/01/13 16:14:32 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll
[2012/01/13 16:14:31 | 000,002,125 | ---- | C] () -- C:\WINDOWS\UDB.zip
[2012/01/13 16:14:31 | 000,000,882 | ---- | C] () -- C:\WINDOWS\RegSDImport.xml
[2012/01/13 16:14:31 | 000,000,879 | ---- | C] () -- C:\WINDOWS\RegISSImport.xml
[2012/01/13 16:14:31 | 000,000,131 | ---- | C] () -- C:\WINDOWS\IDB.zip
[2012/01/13 15:19:21 | 000,634,956 | ---- | C] () -- C:\WINDOWS\System32\drivers\Cat.DB
[2012/01/13 15:19:01 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2012/01/13 15:17:02 | 000,512,992 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\sdsetup_revwire207.exe
[2010/08/23 09:21:20 | 000,000,323 | ---- | C] () -- C:\WINDOWS\System32\CNCMFP36.INI
[2010/07/07 12:06:56 | 000,114,504 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/04/08 13:37:56 | 000,003,584 | -H-- | C] () -- C:\Documents and Settings\steve\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/25 12:37:36 | 000,001,793 | -H-- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 14:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/07/20 16:17:50 | 000,001,324 | ---- | C] () -- C:\Documents and Settings\steve\Local Settings\Application Data\d3d9caps.dat
[2009/03/11 13:05:48 | 000,051,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2009/03/01 10:25:42 | 000,000,256 | ---- | C] () -- C:\WINDOWS\System32\pool.bin
[2009/02/21 13:07:19 | 000,000,069 | -H-- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/02/16 18:22:47 | 000,000,090 | -H-- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
[2009/02/16 17:24:11 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/02/16 11:54:28 | 000,000,976 | -H-- | C] () -- C:\WINDOWS\hpbvnstp.ini
[2009/02/16 11:07:16 | 000,000,373 | ---- | C] () -- C:\WINDOWS\System32\CNCMFP20.INI
[2009/02/16 11:04:12 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\IPPCPUID.DLL
[2009/02/16 11:04:00 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\pmsbfn32.dll
[2009/02/16 11:03:07 | 000,000,416 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2009/02/13 15:29:26 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2009/02/13 15:28:49 | 000,147,456 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4864.dll
[2009/02/13 15:19:07 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/02/13 15:14:21 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/02/13 08:16:46 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/02/13 08:15:35 | 000,154,768 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/05/26 21:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 21:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2008/04/14 06:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/04/14 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/14 06:00:00 | 000,503,718 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/14 06:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/14 06:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/14 06:00:00 | 000,095,086 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/14 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/14 06:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/14 06:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/14 06:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/04/14 06:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/14 06:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2007/09/27 10:51:02 | 000,020,698 | -H-- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | -H-- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | -H-- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2003/05/14 14:20:44 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\HPBVNSTP.dll
[2002/12/19 15:20:26 | 000,000,209 | ---- | C] () -- C:\WINDOWS\System32\HPBVNSTP.dat

========== LOP Check ==========

[2010/02/01 15:49:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CitrixLogs
[2009/02/16 18:22:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2011/10/12 20:36:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ErrorEND
[2009/02/16 23:00:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2009/02/16 11:03:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2009/02/16 18:35:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SQL Anywhere 10
[2012/01/16 09:58:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/03/01 10:26:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\Blackberry Desktop
[2010/08/25 17:26:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\Canon
[2010/10/27 03:06:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\Centra
[2012/01/16 09:59:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\Dropbox
[2011/10/15 13:44:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\ElevatedDiagnostics
[2011/10/15 13:29:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\FixCleaner
[2010/08/17 11:14:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\mjusbsp
[2009/02/16 11:33:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\NewSoft
[2011/10/11 09:23:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\PC Cleaners
[2012/01/14 13:53:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\Product_RM
[2009/03/01 08:53:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\Research In Motion
[2010/10/27 03:06:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\Saba
[2009/02/16 11:03:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\ScanSoft
[2011/05/26 12:02:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\webex
[2009/02/24 16:07:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\Windows Desktop Search
[2009/04/12 09:05:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\steve\Application Data\Windows Search
[2012/01/16 09:58:32 | 000,000,616 | -H-- | M] () -- C:\WINDOWS\Tasks\ConfigExec.job
[2012/01/16 10:06:00 | 000,000,580 | -H-- | M] () -- C:\WINDOWS\Tasks\DataUpload.job
[2012/01/15 03:00:00 | 000,000,382 | ---- | M] () -- C:\WINDOWS\Tasks\ErrorEND.job
[2012/01/16 10:03:17 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2012/01/16 01:00:00 | 000,000,354 | -H-- | M] () -- C:\WINDOWS\Tasks\UHMgt 1275938506.job
[2012/01/16 10:06:29 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{BB73D801-7157-4769-9E13-A1753497B9A0}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\steve\Desktop\aswMBR.exe:SummaryInformation
@Alternate Data Stream - 184 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1

< End of report >
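The OTL report above is read by eye: the O4 lines are autostart entries with the publisher name OTL reports for the file, O6/O7/O32 record the AutoRun policy state, and O33 lists the MountPoints2 handlers Windows remembered for removable devices (here a U3 launcher on K: and a presentation CD). Added example, not part of the thread and not OTL's own logic: a Python triage pass over lines copied from this report, flagging autostarts with no publisher info or under user-writable paths, decoding NoDriveTypeAutoRun as a bitmask, and listing every device AutoRun command. The "user-writable" path list and the decision to flag any device command are assumptions; Dropbox running from the profile directory is a legitimate hit that shows why these are leads for the analyst, not verdicts.

```python
from __future__ import annotations

import re

# Lines copied from the OTL report in the thread; the rules applied to them are an added example, not OTL's own.
SAMPLE_OTL_LINES = [
    r'O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)',
    r'O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)',
    r'O4 - Startup: C:\Documents and Settings\steve\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\steve\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)',
    r'O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145',
    r'O32 - HKLM CDRom: AutoRun - 1',
    r'O33 - MountPoints2\{74ac1887-0822-11df-b582-001fd0ad5421}\Shell\AutoRun\command - "" = K:\LaunchU3.exe -a',
    r'O33 - MountPoints2\{c83e732d-0f4f-11de-b558-001fd0ad5421}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL /2009InterimPlan/pptview.exe /L "playlist.txt"',
]

RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+?) \((?P<company>.*)\)$')
STARTUP_RE = re.compile(r'^O4 - Startup: (?P<lnk>.+?) = (?P<path>.+?) \((?P<company>.*)\)$')
MOUNTPOINT_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<guid>\{[0-9a-f-]+\})\\Shell\\(?P<verb>[^\\]+)\\command - "" = (?P<cmd>.+)$',
    re.IGNORECASE,
)
NODRIVE_RE = re.compile(r'^O7 - .*\\Explorer: NoDriveTypeAutoRun = (?P<val>\d+)$')
CDROM_RE = re.compile(r'^O32 - HKLM CDRom: AutoRun - (?P<val>\d)$')

# Bit meanings of NoDriveTypeAutoRun (a set bit disables AutoRun for that drive type). 0x91 is the XP default.
DRIVE_BITS = {
    0x01: "DRIVE_UNKNOWN", 0x02: "DRIVE_NO_ROOT_DIR", 0x04: "DRIVE_REMOVABLE", 0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE", 0x20: "DRIVE_CDROM", 0x40: "DRIVE_RAMDISK", 0x80: "unrecognised drive types",
}
# Assumed list of path fragments (lower-case) a standard user can write to; an autostart there deserves a second look.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\temp\\", "\\local settings\\")


def decode_no_drive_type_autorun(value: int) -> set[str]:
    """Return the drive types for which AutoRun is disabled by this policy value."""
    return {name for bit, name in DRIVE_BITS.items() if value & bit}


def triage(lines) -> list[str]:
    """Run the checks over OTL report lines and return findings in input order."""
    findings = []
    for line in lines:
        line = line.rstrip("\r\n")
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            path, company = m["path"], m["company"]
            if not company.strip():
                findings.append(f"autostart with no publisher info: {path}")
            if any(tok in path.lower() for tok in USER_WRITABLE):
                findings.append(f"autostart from user-writable location: {path}")
            continue
        m = MOUNTPOINT_RE.match(line)
        if m:
            findings.append(f"MountPoints2 {m['guid']} {m['verb']} handler runs: {m['cmd']}")
            continue
        m = NODRIVE_RE.match(line)
        if m:
            val = int(m["val"])
            disabled = decode_no_drive_type_autorun(val)
            if "DRIVE_REMOVABLE" not in disabled or "DRIVE_CDROM" not in disabled:
                findings.append(f"NoDriveTypeAutoRun={val} (0x{val:02X}) still allows AutoRun on removable or CD-ROM drives")
            continue
        m = CDROM_RE.match(line)
        if m and m["val"] == "1":
            findings.append("CD-ROM AutoRun is enabled (HKLM CDRom AutoRun = 1)")
    return findings


if __name__ == "__main__":
    print("NoDriveTypeAutoRun 145 disables:", sorted(decode_no_drive_type_autorun(145)))
    for f in triage(SAMPLE_OTL_LINES):
        print("!", f)
```

Feed it a whole OTL.txt with `triage(open("OTL.txt", encoding="utf-8", errors="replace"))`; lines that match none of the patterns are ignored, so the other O-sections pass through harmlessly.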

#10
s0nginmyheart (Member, Topic Starter, 147 posts)
Posted Image


#11
s0nginmyheart (Member, Topic Starter, 147 posts)
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000000fd

Kernel Drivers (total 137):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xB9F48000 fltMgr.sys
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0B8000 MountMgr.sys
0xB9F29000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9F03000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9EEB000 atapi.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9ED9000 sr.sys
0xB9E9C000 PCTCore.sys
0xB9E45000 pctDS.sys
0xB9DA0000 pctEFA.sys
0xB9D8D000 TfSysMon.sys
0xB9D7C000 TfFsMon.sys
0xBA0F8000 PxHelp20.sys
0xB9D65000 KSecDD.sys
0xB9CD8000 Ntfs.sys
0xB9CAB000 NDIS.sys
0xBA108000 sbp2port.sys
0xBA118000 ohci1394.sys
0xBA128000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xB9C91000 Mup.sys
0xBA158000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB8C25000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xB8C11000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB8BE9000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB8BCF000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
0xBA428000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB8BAB000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA430000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA438000 \SystemRoot\system32\DRIVERS\fdc.sys
0xBA168000 \SystemRoot\system32\DRIVERS\serial.sys
0xB9C49000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB8B97000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA178000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA188000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB8B74000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA198000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA61C000 \SystemRoot\system32\DRIVERS\serscan.sys
0xBA6E1000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA1A8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB9C41000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB8B5D000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB9238000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB9228000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA440000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB8B24000 \SystemRoot\system32\DRIVERS\psched.sys
0xB9218000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA448000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA450000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA458000 \SystemRoot\system32\DRIVERS\RimSerial.sys
0xB8AF4000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB9208000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA460000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA468000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA61E000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB8A96000 \SystemRoot\system32\DRIVERS\update.sys
0xB9C21000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB91E8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xA84A9000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xA8485000 \SystemRoot\system32\drivers\portcls.sys
0xB91D8000 \SystemRoot\system32\drivers\drmk.sys
0xBA1D8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA628000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA478000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xA786E000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0xA74FD000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xBA370000 \SystemRoot\System32\Drivers\Modem.SYS
0xBA5B4000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA6EF000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5B6000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA378000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA380000 \SystemRoot\System32\drivers\vga.sys
0xBA5B8000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5BA000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA8986000 \SystemRoot\System32\Drivers\InCDrec.SYS
0xA7421000 \SystemRoot\system32\drivers\InCDFs.sys
0xBA388000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA390000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA8982000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA740E000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA73B5000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA7340000 \??\C:\WINDOWS\system32\drivers\pctgntdi.sys
0xA731A000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA76D0000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA7252000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA8475000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xA7230000 \SystemRoot\System32\drivers\afd.sys
0xA76C0000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA7205000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA7195000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA3A0000 \SystemRoot\system32\drivers\InCDPass.sys
0xA7690000 \SystemRoot\System32\Drivers\Fips.SYS
0xA846D000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xA7670000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA3A8000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xA8469000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xA8461000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xA748D000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA7105000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA612000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA739D000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA3E8000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA7A7000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04E000 \SystemRoot\System32\igxpdv32.DLL
0xBF1D9000 \SystemRoot\System32\igxpdx32.DLL
0xBF459000 \SystemRoot\System32\ATMFD.DLL
0xA68EC000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA5EDE000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xBA616000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xBA308000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
0xA5DE6000 \SystemRoot\system32\DRIVERS\srv.sys
0xA59E9000 \SystemRoot\system32\drivers\wdmaud.sys
0xA5BBE000 \SystemRoot\system32\drivers\sysaudio.sys
0xA4787000 \SystemRoot\System32\Drivers\HTTP.sys
0xA4888000 \??\C:\WINDOWS\gdrv.sys
0xBA3D0000 \??\C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9F99AAFD-6B04-4C15-B464-9B1A7B51951F}\MpKsl800e5a92.sys
0xA4533000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA2E8C000 \SystemRoot\system32\drivers\kmixer.sys
0xBA410000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 58):
0 System Idle Process
4 System
708 C:\WINDOWS\system32\smss.exe
756 csrss.exe
780 C:\WINDOWS\system32\winlogon.exe
824 C:\WINDOWS\system32\services.exe
836 C:\WINDOWS\system32\lsass.exe
1016 C:\WINDOWS\system32\svchost.exe
1084 svchost.exe
1204 C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
1240 C:\WINDOWS\system32\svchost.exe
1336 svchost.exe
1444 svchost.exe
1692 C:\WINDOWS\system32\spoolsv.exe
1988 svchost.exe
2028 C:\Program Files\LSI SoftModem\agrsmsvc.exe
2040 C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe
272 C:\Program Files\Gigabyte\EasySaver\essvr.exe
292 C:\Program Files\Citrix\GoToMyPC\g2svc.exe
408 C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
420 C:\Program Files\Citrix\GoToMyPC\g2comm.exe
504 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
664 C:\Program Files\Citrix\GoToMyPC\g2pre.exe
736 C:\Program Files\Citrix\GoToMyPC\g2tray.exe
1356 C:\Program Files\Common Files\Motive\McciCMService.exe
2268 C:\WINDOWS\explorer.exe
2732 C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
3156 C:\WINDOWS\system32\svchost.exe
3184 wdfmgr.exe
3304 C:\WINDOWS\system32\searchindexer.exe
3484 C:\WINDOWS\system32\fxssvc.exe
3504 C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
4024 C:\WINDOWS\RTHDCPL.exe
4040 C:\WINDOWS\system32\igfxpers.exe
4060 C:\WINDOWS\system32\igfxsrvc.exe
252 C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT.EXE
512 C:\Program Files\Nero\Nero 7\InCD\InCD.exe
460 C:\WINDOWS\system32\hkcmd.exe
2596 C:\Program Files\Microsoft Security Client\msseces.exe
1856 alg.exe
2740 C:\Program Files\PC Tools Security\BDT\FGuard.exe
3032 C:\WINDOWS\system32\ctfmon.exe
3916 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
3056 C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
3140 C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
2104 C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
2144 C:\Program Files\Windows Desktop Search\WindowsSearch.exe
2176 C:\Documents and Settings\steve\Application Data\Dropbox\bin\Dropbox.exe
4308 C:\Program Files\Internet Explorer\iexplore.exe
5364 G:\My Documents old\anti virus\OTL.exe
4284 C:\WINDOWS\NOTEPAD.EXE
4292 C:\WINDOWS\NOTEPAD.EXE
4752 C:\Program Files\Internet Explorer\iexplore.exe
300 C:\WINDOWS\system32\searchprotocolhost.exe
1920 searchfilterhost.exe
4484 C:\WINDOWS\system32\searchprotocolhost.exe
5980 MpCmdRun.exe
3980 G:\My Documents old\anti virus\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\G: --> \\.\PhysicalDrive1 at offset 0x00000007`52c5e000 (NTFS)
\\.\H: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: ST31000333AS, Rev: CC1F
PhysicalDrive1 Model Number: ST31000333AS, Rev: CC1F
PhysicalDrive2 Model Number: MaxtorOneTouch, Rev: 0121

Size Device Name MBR Status
--------------------------------------------
931 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
931 GB \\.\PhysicalDrive1 MBR Code Faked!
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
465 GB \\.\PhysicalDrive2 MBR Code Faked!
SHA1: CEECB0630DEB98A912C967BD5561D0F2BFE7D8C6


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
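MBRCheck reports the MBR code on all three disks as "Faked" and prints one SHA1 per sector; the MBRScan report later in the thread adds the layout behind that verdict on disk 0: a 29.29 GB visible NTFS partition followed by a 10 GB hidden (type 0x17) partition that carries the active flag, on a disk MBRCheck sizes at 931 GB. Added example, not part of the thread and not the logic of MBRCheck or MBRScan (their "Faked" test is not reproduced): a Python parser that decodes a raw 512-byte MBR, hashes the boot-code area and the whole sector, and applies the partition-table sanity checks a responder would otherwise do by hand on such a sector. The two sample sectors are constructed here to resemble the reported layout; the 1 TB sector count, the exact partition sizes and the "less than half the disk described" threshold are assumptions.

```python
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
# Partition type IDs with the "hidden" bit set (visible type + 0x10); 0x17 is hidden NTFS/HPFS.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


@dataclass
class PartitionEntry:
    index: int        # 1..4, slot in the table
    bootable: bool    # status byte == 0x80 (the "active" flag)
    ptype: int        # partition type ID
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:   # first sector after the partition
        return self.lba_start + self.sectors

    @property
    def gib(self) -> float:
        return self.sectors * SECTOR / 2**30


def parse_mbr(sector: bytes) -> list[PartitionEntry]:
    """Decode the four 16-byte partition entries at offset 446 of an MBR sector."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        # status(1) CHS-start(3, ignored) type(1) CHS-end(3, ignored) LBA-start(4) sector-count(4)
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype != 0:                      # type 0 marks an unused slot
            entries.append(PartitionEntry(i + 1, status == 0x80, ptype, start, count))
    return entries


def boot_code_hashes(sector: bytes) -> dict[str, str]:
    """Hashes of the 440-byte bootstrap area and of the whole sector, for comparison with a reference set."""
    return {
        "bootstrap_sha1": hashlib.sha1(sector[:440]).hexdigest(),
        "sector_sha1": hashlib.sha1(sector).hexdigest(),
        "sector_md5": hashlib.md5(sector).hexdigest(),
    }


def audit_mbr(sector: bytes, disk_sectors: int) -> list[str]:
    """Partition-table sanity checks; returns human-readable findings (empty list = nothing odd)."""
    entries = parse_mbr(sector)
    findings = []
    active = [e for e in entries if e.bootable]
    if len(active) != 1:
        findings.append(f"{len(active)} partitions carry the active flag (expected exactly 1)")
    for e in entries:
        if e.bootable and e.ptype in HIDDEN_TYPES:
            findings.append(f"partition {e.index}: active flag on hidden type 0x{e.ptype:02X} ({e.gib:.2f} GiB)")
        if e.lba_end > disk_sectors:
            findings.append(f"partition {e.index}: ends at LBA {e.lba_end}, past the end of the disk ({disk_sectors})")
    ordered = sorted(entries, key=lambda e: e.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if a.lba_end > b.lba_start:
            findings.append(f"partitions {a.index} and {b.index} overlap")
    described = sum(e.sectors for e in entries)
    if described < disk_sectors // 2:    # assumed threshold: most of the disk is unaccounted for
        findings.append(
            f"table describes only {described * SECTOR / 2**30:.1f} GiB of a "
            f"{disk_sectors * SECTOR / 2**30:.1f} GiB disk"
        )
    return findings


def build_mbr(entries, boot_code: bytes = b"") -> bytes:
    """Assemble a synthetic MBR sector (constructed test data, not read from a real disk)."""
    sector = bytearray(SECTOR)
    sector[: len(boot_code)] = boot_code
    for i, (bootable, ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", sector, 446 + 16 * i,
                         0x80 if bootable else 0x00, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


# Assumed nominal sector count of a 1 TB ST31000333AS; partition sizes chosen to mirror the MBRScan
# report for disk 0 (29.29 GiB visible NTFS, then 10 GiB hidden NTFS marked active).
DISK0_SECTORS = 1_953_525_168
SAMPLE_DISK0 = build_mbr([
    (False, 0x07, 63, 61_424_577),
    (True, 0x17, 61_424_640, 20_971_520),
])
# A clean layout for contrast: one active NTFS partition spanning the disk.
SAMPLE_CLEAN = build_mbr([(True, 0x07, 63, DISK0_SECTORS - 63)])


if __name__ == "__main__":
    for label, sector in (("disk0 (as reported)", SAMPLE_DISK0), ("clean", SAMPLE_CLEAN)):
        print(label, boot_code_hashes(sector)["sector_sha1"])
        for e in parse_mbr(sector):
            print(f"  #{e.index} type=0x{e.ptype:02X} active={e.bootable} start={e.lba_start} {e.gib:.2f} GiB")
        for f in audit_mbr(sector, DISK0_SECTORS) or ["no findings"]:
            print("  !", f)
```

On a live Windows machine with administrator rights the real sector comes from `open(r"\\.\PhysicalDrive0", "rb").read(512)`. One caveat that matters in this thread: a bootkit that filters disk reads can hand a clean-looking sector back to a user-mode reader, so the table this code decodes is only as trustworthy as the path it was read through; a read taken from boot media that disagrees with the live read is itself a finding, which is one reason for running more than one MBR tool before writing anything back.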

#12
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Hi, the size of the suspect MBR partition is a lot larger than I would normally expect, so I would like to run one further check before we remove it.

Please download MbrScan to your desktop

Run MbrScan
Place a tick in the asm Code box just below the report button
Press the scan button
Once it has completed then press the report button
[attachment=55394:Capture.JPG]

Copy and paste the generated report to your next post please
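Added example of the check such a scan performs, written for this thread (my own Python, not MBRScan's or MBRCheck's code): decode the 64-byte partition table at offset 0x1BE, run a few sanity checks on it, and compare the table the disk currently returns with the original one. The two tables are transcribed from the MBRScan report for \Device\Harddisk0\DR0 posted in reply; the disk sector count is an assumption.

```python
"""
Added example for this thread: decode and compare MBR partition tables.
This is my own Python, not MBRScan's or MBRCheck's code.  The two 64-byte
tables are transcribed from the MBRScan report for \\Device\\Harddisk0\\DR0
(offset 0x1BE of the "FAKED" dump and of the "ORIGINAL" dump); the disk
sector count is an assumption (the usual figure for a 1 TB drive).
"""
from dataclasses import dataclass
import struct

SECTOR_BYTES = 512
DISK_SECTORS = 1953525168        # assumed: 1 TB drive, 931.5 GiB as reported
# Partition type ids that occur in the report.  0x17 is the "hidden" twin of
# 0x07; a normal XP install does not create one by itself.
TYPE_NAMES = {0x00: "empty", 0x07: "NTFS / HPFS", 0x17: "Hidden HPFS/NTFS"}
HIDDEN_NTFS_TYPES = {0x17}

FAKED_TABLE = bytes.fromhex(
    "00 01 01 00 07 FE FF FF 3F 00 00 00 B1 62 A9 03"
    "80 FE FF FF 17 FE FF FF F0 62 A9 03 00 00 40 01" + "00" * 32)
ORIGINAL_TABLE = bytes.fromhex(
    "80 01 01 00 07 FE FF FF 3F 00 00 00 B1 62 A9 03" + "00" * 48)


@dataclass(frozen=True)
class Partition:
    slot: int
    status: int        # 0x80 = active/bootable, 0x00 = inactive
    ptype: int
    lba_start: int
    sectors: int

    @property
    def bootable(self) -> bool:
        return self.status == 0x80

    @property
    def size_gib(self) -> float:
        return self.sectors * SECTOR_BYTES / 2 ** 30

    def describe(self) -> str:
        name = TYPE_NAMES.get(self.ptype, f"type 0x{self.ptype:02X}")
        flag = " BOOTABLE" if self.bootable else ""
        return f"{name} {self.size_gib:.2f} GiB @ LBA {self.lba_start}{flag}"


def parse_table(table: bytes) -> list:
    """Decode the four 16-byte entries (little-endian LBA start and length)."""
    if len(table) != 64:
        raise ValueError("partition table must be exactly 64 bytes")
    parts = []
    for slot in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", table, slot * 16)
        parts.append(Partition(slot, status, ptype, lba, count))
    return parts


def check_table(parts: list, disk_sectors: int = DISK_SECTORS) -> list:
    """Sanity checks worth running on any MBR; returns a list of findings."""
    findings = []
    used = [p for p in parts if p.ptype != 0x00]
    if sum(p.bootable for p in used) > 1:
        findings.append("more than one partition is flagged bootable")
    for p in used:
        if p.status not in (0x00, 0x80):
            findings.append(f"slot {p.slot}: invalid status byte 0x{p.status:02X}")
        if p.lba_start + p.sectors > disk_sectors:
            findings.append(f"slot {p.slot}: extends past the end of the disk")
        if p.ptype in HIDDEN_NTFS_TYPES and p.bootable:
            findings.append(f"slot {p.slot}: hidden NTFS partition is the boot "
                            f"partition ({p.describe()})")
    for a in used:
        for b in used:
            if a.slot < b.slot and a.lba_start < b.lba_start + b.sectors \
                    and b.lba_start < a.lba_start + a.sectors:
                findings.append(f"slots {a.slot} and {b.slot} overlap")
    return findings


def diff_tables(original: bytes, current: bytes) -> list:
    """Slot-by-slot differences, the comparison MBRScan reports as FAKED."""
    changes = []
    for old, new in zip(parse_table(original), parse_table(current)):
        if old == new:
            continue
        if old.ptype == 0x00:
            changes.append(f"slot {new.slot}: new partition {new.describe()}")
        elif new.ptype == 0x00:
            changes.append(f"slot {old.slot}: removed {old.describe()}")
        else:
            changes.append(f"slot {old.slot}: {old.describe()} -> {new.describe()}")
    return changes


if __name__ == "__main__":
    for line in check_table(parse_table(FAKED_TABLE)):
        print("CHECK:", line)
    for line in diff_tables(ORIGINAL_TABLE, FAKED_TABLE):
        print("DIFF: ", line)
```

This only looks at the 64-byte table; the boot code in the first 446 bytes (which MBRScan classifies as "XP MBR Code" or "Unknown MBR Code") needs a separate byte-for-byte comparison.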

#13
s0nginmyheart

    Member

  • Topic Starter
  • Member
  • 147 posts
MBRScan v1.0.6

OS             : Windows XP Home Service Pack 3 (32 bit)
PROCESSOR      : x86 Family 6 Model 15 Stepping 13, GenuineIntel
BOOT           : Normal Boot
DATE           : 2012/01/16 (ISO 8601) at 15:45:57
________________________________________________________________________________

DISK           : Device\Harddisk0\DR0 __ST31000333AS (CC1F)
BUS_TYPE       : (0x03)  P-ATA
USE_PIO        : YES
MAX_TRANSFER   : 128 Kb
ALIGNMENT_MASK : word aligned
________________________________________________________________________________

DISK           : Device\Harddisk1\DR1 __ST31000333AS (CC1F)
BUS_TYPE       : (0x03)  P-ATA
USE_PIO        : YES
MAX_TRANSFER   : 128 Kb
ALIGNMENT_MASK : word aligned
________________________________________________________________________________

DISK           : Device\Harddisk2\DR6 __Maxtor OneTouch (0121)
BUS_TYPE       : (0x04)  IEEE-1394
USE_PIO        : NO
MAX_TRANSFER   : 2044 Kb
ALIGNMENT_MASK : dword aligned
________________________________________________________________________________

Device\Harddisk0\DR0	931.5 Go  [Fixed] ==> XP MBR Code ==> PARTITION TABLE FAKED !!

MBR_MD5   : 70E587144FD5ADF4788062AC3DFF391C
MBR_SHA1  : 0A5F3364EE73B733AAD2EB44CC19A1FB643EDF35

Device\Harddisk0\Partition1	29.29 Go  	0x07 NTFS / HPFS
Device\Harddisk0\Partition2	10.00 Go  	0x17 Hidden HPFS/NTFS  __ BOOTABLE __
________________________________________________________________________________

Device\Harddisk1\DR1	931.5 Go  [Fixed] ==> XP MBR Code ==> PARTITION TABLE FAKED !!

MBR_MD5   : 7CF8554E21B21F5907E83D9F5C9AA738
MBR_SHA1  : A76382F546045E6F0E085C2F7E25327B11EC0D59

Device\Harddisk1\Partition1	29.29 Go  	0x07 NTFS / HPFS __ BOOTABLE __
Device\Harddisk1\Partition2	902.1 Go  	0x07 NTFS / HPFS
________________________________________________________________________________

Device\Harddisk2\DR6	465.8 Go  [Fixed] ==> Unknown MBR Code ... ==> PARTITION TABLE FAKED !!

MBR_MD5   : 2D5CED7FEAB48F80C6F919257E3801B4
MBR_SHA1  : D7DE7EE1A224EE8B0FB05EF47891BD19CEC9F3BF

Device\Harddisk2\Partition1	465.8 Go  	0x07 NTFS / HPFS __ BOOTABLE __
________________________________________________________________________________

_____FAKED   \Device\Harddisk0\DR0  



__ORIGINAL   \Device\Harddisk0\DR0  



__________________________16_BIT_ASM_CODE

   

_____FAKED   \Device\Harddisk1\DR1  



__ORIGINAL   \Device\Harddisk1\DR1  



__________________________16_BIT_ASM_CODE

   

_____FAKED   \Device\Harddisk2\DR6  






__ORIGINAL   \Device\Harddisk2\DR6  






__________________________16_BIT_ASM_CODE





  • 0

#14
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Well it does look as though it is the large one

[attachment=55402:diskmgmt.jpg]

Preferably from a clean computer, I need you to download: gparted-live-0.10.0-3.iso (115.1 MB)
Windows XP Recovery Console rc.iso

Create a bootable CD, 1 for Gparted and 1 for the Windows XP Recovery Console, from the ISO images. You can use ImgBurn to do this.

Now boot off of the newly created Gparted CD.

Posted Image
You should be here...
Press ENTER

Posted Image
By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.

Posted Image
Choose your language and press ENTER. English is default [33]

Posted Image
Once again, at this prompt, press ENTER

You will now be taken to the main GUI screen below
Posted Image
According to your logs, the partition that you want to delete is 10Gb
Click the trash can icon to delete and then click Apply.

You should now be here confirming your actions:
Posted Image

Now you should be here:
Posted Image

Posted Image
Is "boot" next to your OS drive?

If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags

In the menu that pops up, place a checkmark in boot like the picture below:
Posted Image

Now double-click the Posted Image button.

You should receive a small pop up like this:
Posted Image
Choose reboot and then press OK.

Now reboot from the Windows XP Recovery Console CD and execute the following commands:

  • fixmbr \Device\HardDisk0
  • fixboot c:
  • exit

Once back in Windows.

Download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A window will open on your desktop
  • if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
  • Attach that file.

  • 0
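The fixmbr step and the MBRCheck run above both come down to one question: does the MBR on disk still match a known-good one? As an added example (not part of this thread, and not MBRCheck's or RogueKiller's own code), here is a small Python parser that decodes a 512-byte MBR (boot signature, boot-code hash, partition table) and reports where a suspect copy departs from a reference; the two sample sectors are constructed inline and are not bytes from any real disk.

```python
"""Parse a 512-byte MBR sector and diff a suspect copy against a reference."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 446        # offsets 0x000-0x1BD hold the boot code
PTABLE_OFF = 0x1BE        # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"   # offsets 0x1FE-0x1FF: boot signature


def parse_mbr(sector: bytes) -> dict:
    """Decode boot signature, boot-code hash and the used partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PTABLE_OFF + 16 * i)
        if ptype == 0 and sectors == 0:
            continue                      # unused slot
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start,
                           "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def compare_mbrs(reference: bytes, suspect: bytes) -> list:
    """Return human-readable findings where `suspect` departs from `reference`."""
    ref, sus = parse_mbr(reference), parse_mbr(suspect)
    findings = []
    if not sus["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if ref["bootcode_sha256"] != sus["bootcode_sha256"]:
        findings.append("boot code differs from reference (possible bootkit or foreign loader)")
    if ref["partitions"] != sus["partitions"]:
        findings.append("partition table differs from reference")
    return findings


def build_mbr(bootcode: bytes, entries: list) -> bytes:
    """Assemble a sector from boot code and packed partition entries (test data only)."""
    table = b"".join(entries).ljust(64, b"\x00")
    return bootcode.ljust(BOOTCODE_LEN, b"\x00") + table + SIGNATURE


# Constructed sample data: one bootable NTFS (type 0x07) partition starting at LBA 63.
NTFS_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                         b"\xfe\xff\xff", 63, 61_000_000)
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"Missing operating system\x00",
                      [NTFS_ENTRY])
# Same partition table, different boot code: the shape of a replaced loader.
TAMPERED_MBR = build_mbr(b"\xe8\x12\x01" + b"MBR Error\x00", [NTFS_ENTRY])

if __name__ == "__main__":
    for finding in compare_mbrs(CLEAN_MBR, TAMPERED_MBR):
        print("FINDING:", finding)
```

A real run would read sector 0 of the physical disk (and the reference would be a dump taken before the incident or a stock MBR for that OS); only the comparison logic is shown here.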

#15
s0nginmyheart

s0nginmyheart

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 147 posts
What does the partition do, especially with 10 gigs? Do we lose that? What happens to it?
  • 0
