Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Suspected malware due to Zango being present

Started by THX1136 , Jan 25 2012 02:15 PM

  • Please log in to reply

#1
THX1136
Posted 25 January 2012 - 02:15 PM

THX1136

    Member

  • Member
  • PipPip
  • 60 posts
Hello, I was directed here by the Mod in this thread - http://www.geekstogo...ze/page__st__15

He directed me to come here and follow the directions given. I downloaded OTL and did the scan described in step 2. I am now at step three with this post. OTL generated 2 docs in Notepad which I have saved and those will follow this post.

What prompted this journey was the fact that my manager had completely filled his HD. I've taken it upon myself to get things back up and running. I started here: http://www.geekstogo...pair-in-xp-pro/ This was after the defrag steps taken in the thread mentioned at the top of this post - (end date 01/08/12).

This got me to a place where XP is running well with most of the original issues resolved. I started the first mentioned thread (top of post) as I could not defrag the HD in a manner I was used to seeing. It is still highly fragmented. I then went to the second step - thread mentioned in above paragraph - as I figured I needed to try a repair of XP or perhaps a clean install. Ztruker took me through the process and resolved many issues.

I was contacted again by you folks to see if my "OS size" question thread had been resolved. I started in on that. The Mod took me through some steps which resulted in the discovery of Zango. This presented a "red flag" for him and now I'm here.

A note: the scans show a "networked" drive - "U" drive. I believe this to be the exact same drive as the C drive. I draw that conclusion due to the identical nature of the "stats" for the drive. I do not know that a "physical" U drive exists at this point. This PC was originally on an in office network which is no longer the case. It is being used as a stand alone PC - or at least it is intended to be stand alone. Originally there were 3 PCs networked. That network does not formally exist to my knowledge as 2 of the PCs are no longer working nor connected in any manner. We do have a "production" PC that was not connected to the network to my knowledge. I use this PC daily and am not able to interact with my manager's PC in any manner. It has it's own unique software and is only connected to our NexGen automation system.

Thank you in advance for any help you can offer. I really appreciate your time and efforts. OTL scan results follow.

OTL logfile created on: 1/25/2012 1:29:49 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = \\Kfff2k3\user\crohloff\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.48 Mb Total Physical Memory | 507.32 Mb Available Physical Memory | 49.57% Memory free
2.41 Gb Paging File | 2.08 Gb Available in Paging File | 86.21% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.49 Gb Total Space | 11.25 Gb Free Space | 15.10% Space Free | Partition Type: NTFS
Drive E: | 74.49 Gb Total Space | 73.08 Gb Free Space | 98.11% Space Free | Partition Type: NTFS
Drive U: | 74.49 Gb Total Space | 11.25 Gb Free Space | 15.10% Space Free | Partition Type: *NT5CSC

Computer Name: RECEPT-WS | User Name: crohloff | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/01/25 13:29:00 | 000,584,192 | ---- | M] (OldTimer Tools) -- \\Kfff2k3\user\crohloff\My Documents\Downloads\OTL.exe
PRC - [2012/01/05 03:48:46 | 001,047,024 | ---- | M] (Google Inc.) -- C:\Documents and Settings\crohloff\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2011/01/17 17:37:40 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2011/01/17 17:37:40 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/22 04:25:21 | 000,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
PRC - [2006/11/03 19:20:12 | 000,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2004/11/15 04:20:20 | 000,077,824 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE


========== Modules (No Company Name) ==========

MOD - [2012/01/05 03:48:44 | 000,411,120 | ---- | M] () -- C:\Documents and Settings\crohloff\Local Settings\Application Data\Google\Chrome\Application\16.0.912.75\ppgooglenaclpluginchrome.dll
MOD - [2012/01/05 03:48:43 | 003,767,792 | ---- | M] () -- C:\Documents and Settings\crohloff\Local Settings\Application Data\Google\Chrome\Application\16.0.912.75\pdf.dll
MOD - [2012/01/05 03:47:19 | 000,122,880 | ---- | M] () -- C:\Documents and Settings\crohloff\Local Settings\Application Data\Google\Chrome\Application\16.0.912.75\avutil-51.dll
MOD - [2012/01/05 03:47:18 | 000,222,208 | ---- | M] () -- C:\Documents and Settings\crohloff\Local Settings\Application Data\Google\Chrome\Application\16.0.912.75\avformat-53.dll
MOD - [2012/01/05 03:47:17 | 001,746,432 | ---- | M] () -- C:\Documents and Settings\crohloff\Local Settings\Application Data\Google\Chrome\Application\16.0.912.75\avcodec-53.dll
MOD - [2012/01/05 01:06:01 | 008,593,056 | ---- | M] () -- C:\Documents and Settings\crohloff\Local Settings\Application Data\Google\Chrome\Application\16.0.912.75\gcswf32.dll
MOD - [2011/07/07 08:50:14 | 000,985,088 | ---- | M] () -- C:\Program Files\OpenOffice.org 3\program\libxml2.dll
MOD - [2009/11/05 07:39:40 | 000,087,552 | ---- | M] () -- C:\WINDOWS\system32\cpwmon2k.dll


========== Win32 Services (SafeList) ==========

SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - [2010/09/27 14:50:44 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2010/05/31 11:31:10 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2008/04/13 12:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2004/11/17 05:05:38 | 002,297,664 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/08/03 22:29:28 | 000,701,440 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/07/16 00:19:52 | 000,070,400 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2001/08/17 12:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\crohloff\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\crohloff\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)



========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\crohloff\Local Settings\Application Data\Google\Chrome\Application\16.0.912.75\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\crohloff\Local Settings\Application Data\Google\Chrome\Application\16.0.912.75\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\crohloff\Local Settings\Application Data\Google\Chrome\Application\16.0.912.75\gcswf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U29 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Nexon Game Controller (Enabled) = C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\crohloff\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Documents and Settings\crohloff\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.3_0\
CHR - Extension: Google Search = C:\Documents and Settings\crohloff\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.16_0\
CHR - Extension: Gmail = C:\Documents and Settings\crohloff\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2004/08/04 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Zango) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.75.0\HostIE.dll File not found
O3 - HKLM\..\Toolbar: (Zango) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.75.0\HostIE.dll File not found
O4 - HKLM..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24 File not found
O4 - HKLM..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe File not found
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" File not found
O4 - HKLM..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" File not found
O4 - HKLM..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" File not found
O4 - HKLM..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray File not found
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime File not found
O4 - HKLM..\Run: [SeekmoOE] C:\Program Files\Seekmo\bin\10.0.431.0\OEAddOn.exe File not found
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Aim6] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = File not found
O4 - Startup: C:\Documents and Settings\crohloff\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisablePersonalDirChange = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 1 = net use Q: /delete (Microsoft Corporation)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 2 = net use Q: \\kfff2k3\Accounting (Microsoft Corporation)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 File not found
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL File not found
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.appl...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://www.pcpitstop...t/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} http://www.ipix.com/viewers/ipixx.cab (iPIX ActiveX Control)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} http://picture.vzw.c...loadControl.cab (Verizon Wireless Media Upload)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} http://www.gis.co.po...s/ACGM/Acgm.cab (ActiveCGM Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.70.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = KFFF.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A0B208A5-E87B-4FC9-B458-4ABAB8A60DCE}: DhcpNameServer = 192.168.70.1
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL File not found
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - (LMIinit.dll) - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\Documents and Settings\crohloff\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\crohloff\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/09/27 15:54:20 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{f0801829-32e0-11e0-a3bd-000fea28c351}\Shell - "" = AutoRun
O33 - MountPoints2\{f0801829-32e0-11e0-a3bd-000fea28c351}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f0801829-32e0-11e0-a3bd-000fea28c351}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2099/01/01 12:00:00 | 000,000,000 | R--D | C] -- \\Kfff2k3\user\crohloff\My Documents\My Videos
[2099/01/01 12:00:00 | 000,000,000 | R--D | C] -- \\Kfff2k3\user\crohloff\My Documents\My Pictures
[2099/01/01 12:00:00 | 000,000,000 | R--D | C] -- \\Kfff2k3\user\crohloff\My Documents\My Music
[2099/01/01 12:00:00 | 000,000,000 | -HSD | C] -- \\Kfff2k3\user\crohloff\My Documents\RECYCLER
[2099/01/01 12:00:00 | 000,000,000 | ---D | C] -- \\Kfff2k3\user\crohloff\My Documents\Downloads
[2012/01/25 13:26:34 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\crohloff\Desktop\OTL.exe
[2012/01/25 03:00:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2012/01/24 16:44:17 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2012/01/18 10:09:26 | 000,000,000 | ---D | C] -- C:\Temp
[2012/01/16 12:57:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2012/01/16 12:56:59 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee Security Scan
[2012/01/16 12:56:53 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2012/01/16 12:55:18 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2012/01/16 12:54:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2012/01/16 11:48:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2012/01/14 03:14:18 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 6.0
[2012/01/14 03:13:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\SHELLNEW
[2012/01/14 03:13:24 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Works
[2012/01/14 03:13:09 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2012/01/13 13:09:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\ServicePackFiles
[2012/01/13 13:02:02 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2012/01/10 11:27:56 | 000,079,872 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rwia330.dll
[2012/01/10 11:27:56 | 000,079,872 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rwia001.dll
[2012/01/10 11:26:13 | 000,054,528 | ---- | C] (Philips Semiconductors GmbH) -- C:\WINDOWS\System32\dllcache\cap7146.sys
[2012/01/10 11:14:20 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Games
[2012/01/10 11:13:38 | 000,000,000 | ---D | C] -- C:\Program Files\MSN
[2012/01/10 10:36:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ReinstallBackups
[2012/01/10 04:15:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\msapps
[2012/01/09 16:44:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/01/09 16:36:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\crohloff\Application Data\Auslogics
[2012/01/09 16:36:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Auslogics
[2012/01/09 16:36:06 | 000,000,000 | ---D | C] -- C:\Program Files\Auslogics
[2012/01/05 17:03:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\crohloff\Start Menu\Programs\Google Chrome
[2012/01/05 15:21:08 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2012/01/02 08:59:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office
[2012/01/02 08:59:57 | 000,000,000 | ---D | C] -- C:\Program Files\ORKTOOLS
[2011/12/29 17:06:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\crohloff\Local Settings\Application Data\WMTools Downloaded Files
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 \\Kfff2k3\user\crohloff\My Documents\*.tmp files -> \\Kfff2k3\user\crohloff\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/01/25 13:32:02 | 000,000,392 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{D67791F9-59A1-4712-8289-0376237523BE}.job
[2012/01/25 13:26:31 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\crohloff\Desktop\OTL.exe
[2012/01/25 13:26:00 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/01/25 13:05:00 | 000,000,990 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-308248587-1703384483-2866846594-1152UA.job
[2012/01/25 03:02:25 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/01/25 01:46:04 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2012/01/24 17:05:00 | 000,000,938 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-308248587-1703384483-2866846594-1152Core.job
[2012/01/24 16:52:30 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\crohloff\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/01/24 16:52:28 | 000,013,868 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/24 16:52:27 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/01/24 16:51:40 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/24 16:51:38 | 1073,270,784 | -HS- | M] () -- C:\hiberfil.sys
[2012/01/20 14:28:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/01/18 12:10:53 | 000,863,665 | ---- | M] () -- C:\Documents and Settings\crohloff\Desktop\InsuranceInGoodHandsWithRadio.pdf
[2012/01/18 12:07:36 | 000,805,845 | ---- | M] () -- C:\Documents and Settings\crohloff\Desktop\IMAG0600.jpg
[2012/01/17 03:46:12 | 000,446,042 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/01/17 03:46:12 | 000,073,248 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/01/17 03:41:45 | 000,251,088 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/01/16 12:56:02 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2012/01/16 11:48:43 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2012/01/16 11:31:51 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2012/01/14 08:24:57 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2012/01/14 08:24:57 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2012/01/13 13:12:45 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2012/01/13 13:06:50 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2012/01/10 11:44:16 | 000,013,846 | ---- | M] () -- C:\WINDOWS\System32\wpa.bak
[2012/01/10 11:29:21 | 000,000,288 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2012/01/10 11:24:29 | 000,025,065 | ---- | M] () -- C:\WINDOWS\System32\wmpscheme.xml
[2012/01/10 11:24:24 | 000,299,552 | ---- | M] () -- C:\WINDOWS\WMSysPrx.prx
[2012/01/10 11:20:40 | 000,004,161 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI
[2012/01/10 11:14:18 | 000,023,348 | ---- | M] () -- C:\WINDOWS\System32\emptyregdb.dat
[2012/01/10 11:13:53 | 000,000,535 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2012/01/06 23:06:21 | 000,002,309 | ---- | M] () -- C:\Documents and Settings\crohloff\Desktop\Google Chrome.lnk
[2012/01/06 23:06:21 | 000,002,287 | ---- | M] () -- C:\Documents and Settings\crohloff\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/12/29 17:13:01 | 000,000,169 | ---- | M] () -- C:\WINDOWS\RtlRack.ini
[2011/12/29 17:02:09 | 000,000,011 | ---- | M] () -- C:\WINDOWS\P_ACS6
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 \\Kfff2k3\user\crohloff\My Documents\*.tmp files -> \\Kfff2k3\user\crohloff\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 010,352,516 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\SYATP 10 - RADIO EDITS (MP3s).zip
[2099/01/01 12:00:00 | 009,574,988 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\sarahyoung-jesuscalling.zip
[2099/01/01 12:00:00 | 009,159,224 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\Wordsower International-Jason Nightingale draft.mp3
[2099/01/01 12:00:00 | 003,674,952 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\USBankLobbyCeiling#1.JPG
[2099/01/01 12:00:00 | 003,376,954 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\USBankLobbyCeiling#2(floor).JPG
[2099/01/01 12:00:00 | 003,036,390 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\WTRU_LB_Liners_2.mp3
[2099/01/01 12:00:00 | 002,613,207 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\WTRU_LB_ID.mp3
[2099/01/01 12:00:00 | 002,565,141 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\WTRU_PB_ID.mp3
[2099/01/01 12:00:00 | 001,658,225 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\Print Ads_Full Page.jpg
[2099/01/01 12:00:00 | 001,465,602 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\qrtpageAdWOF.pdf
[2099/01/01 12:00:00 | 000,668,202 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\Stu Promo for 2011.wav
[2099/01/01 12:00:00 | 000,572,872 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\Salemtalkclock.pdf
[2099/01/01 12:00:00 | 000,408,627 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\sunrise_aspen_colorado.jpg
[2099/01/01 12:00:00 | 000,279,894 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\Rohloff Photo.bmp
[2099/01/01 12:00:00 | 000,259,720 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\StationManager-NeedDocumentation.pdf
[2099/01/01 12:00:00 | 000,233,060 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\Rohloff Flight to NRB and Back.MDI
[2099/01/01 12:00:00 | 000,162,672 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\Rohloff Flight plan to NRB.pdf
[2099/01/01 12:00:00 | 000,122,461 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\Putting_Off_Procrastination.pdf
[2099/01/01 12:00:00 | 000,094,908 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\ProLifeTownhallFlyerOctober2010.pdf
[2099/01/01 12:00:00 | 000,052,610 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\Program Guide inside Oct 2010.pdf
[2099/01/01 12:00:00 | 000,038,570 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\The Goal of God's Love -John Piper.pdf
[2099/01/01 12:00:00 | 000,036,339 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\Rohloff Business Card.JPG
[2012/01/18 12:10:50 | 000,863,665 | ---- | C] () -- C:\Documents and Settings\crohloff\Desktop\InsuranceInGoodHandsWithRadio.pdf
[2012/01/18 12:03:10 | 000,805,845 | ---- | C] () -- C:\Documents and Settings\crohloff\Desktop\IMAG0600.jpg
[2012/01/16 12:56:02 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2012/01/16 12:56:02 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2012/01/10 11:44:16 | 000,013,846 | ---- | C] () -- C:\WINDOWS\System32\wpa.bak
[2012/01/10 11:27:45 | 000,175,104 | ---- | C] () -- C:\WINDOWS\System32\dllcache\pintlcsa.dll
[2012/01/10 11:27:09 | 001,158,818 | ---- | C] () -- C:\WINDOWS\System32\dllcache\korwbrkr.lex
[2012/01/10 11:26:57 | 000,059,392 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imscinst.exe
[2012/01/10 11:26:56 | 000,196,665 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imjpinst.exe
[2012/01/10 11:26:53 | 000,134,339 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imekr.lex
[2012/01/10 11:26:44 | 013,463,552 | ---- | C] () -- C:\WINDOWS\System32\dllcache\hwxjpn.dll
[2012/01/10 11:26:38 | 000,108,827 | ---- | C] () -- C:\WINDOWS\System32\dllcache\hanja.lex
[2012/01/10 11:26:16 | 000,173,568 | ---- | C] () -- C:\WINDOWS\System32\dllcache\chtskf.dll
[2012/01/10 11:24:27 | 000,025,065 | ---- | C] () -- C:\WINDOWS\System32\wmpscheme.xml
[2012/01/10 11:24:24 | 000,299,552 | ---- | C] () -- C:\WINDOWS\WMSysPrx.prx
[2012/01/10 11:13:56 | 000,001,844 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\MSN Explorer.lnk
[2012/01/10 11:13:56 | 000,000,769 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Messenger.lnk
[2012/01/10 10:24:16 | 000,037,484 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MW770.CAT
[2012/01/10 10:24:16 | 000,013,472 | ---- | C] () -- C:\WINDOWS\System32\dllcache\HPCRDP.CAT
[2012/01/10 10:24:16 | 000,008,574 | ---- | C] () -- C:\WINDOWS\System32\dllcache\IASNT4.CAT
[2012/01/10 10:24:16 | 000,007,382 | ---- | C] () -- C:\WINDOWS\System32\dllcache\OEMBIOS.CAT
[2012/01/10 10:24:15 | 000,797,189 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5IIS.CAT
[2012/01/10 10:24:15 | 000,399,645 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MAPIMIG.CAT
[2012/01/05 17:03:19 | 000,002,309 | ---- | C] () -- C:\Documents and Settings\crohloff\Desktop\Google Chrome.lnk
[2012/01/05 17:00:42 | 000,000,990 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-308248587-1703384483-2866846594-1152UA.job
[2012/01/05 17:00:42 | 000,000,938 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-308248587-1703384483-2866846594-1152Core.job
[2012/01/05 15:22:52 | 000,002,287 | ---- | C] () -- C:\Documents and Settings\crohloff\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/01/05 15:21:15 | 000,000,890 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/01/05 15:21:14 | 000,000,886 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/05/03 09:33:20 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\crohloff\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/02 13:15:39 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2008/09/11 08:38:31 | 000,000,032 | ---- | C] () -- C:\WINDOWS\CD_Start.INI
[2008/03/04 15:05:32 | 000,000,765 | ---- | C] () -- C:\WINDOWS\hegames.ini
[2007/07/18 14:31:26 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2007/07/18 14:29:53 | 000,000,058 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/06/01 09:19:00 | 000,001,778 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/05/11 09:19:43 | 000,000,037 | ---- | C] () -- C:\WINDOWS\ipixActivex.ini
[2006/04/07 10:39:01 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2006/02/09 13:29:56 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\ZSHP1020.EXE
[2006/02/09 13:29:54 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\VSHP1020.DLL
[2005/11/23 10:26:21 | 000,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2005/10/06 13:35:10 | 000,000,172 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
[2005/09/29 07:11:02 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/09/28 08:14:36 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2005/09/28 07:12:59 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2005/09/28 07:12:55 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2005/09/28 07:12:55 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2005/09/27 15:56:43 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/09/27 15:51:20 | 000,023,348 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/09/26 23:32:16 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/09/26 23:31:03 | 000,251,088 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/04 06:00:00 | 000,446,042 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 06:00:00 | 000,073,248 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 06:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 06:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/06/02 20:31:38 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll
[2003/06/02 20:30:20 | 000,282,624 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.exe
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/23 06:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 06:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 06:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 06:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 06:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 06:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/08/10 17:37:54 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

========== LOP Check ==========

[2009/12/11 14:40:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2009/12/15 10:30:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nexon
[2009/08/13 10:24:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NexonUS
[2005/12/15 12:12:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PACE Anti-Piracy
[2009/01/08 10:51:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SeekmoSA
[2012/01/25 08:55:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/07/18 14:35:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/01/22 16:29:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2011/11/22 15:18:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\crohloff\Application Data\Amazon
[2012/01/09 17:12:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\crohloff\Application Data\Auslogics
[2011/11/22 15:54:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\crohloff\Application Data\Dropbox
[2011/09/28 14:03:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\crohloff\Application Data\FileZilla
[2011/11/22 13:48:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\crohloff\Application Data\MSNInstaller
[2011/07/07 09:27:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\crohloff\Application Data\OpenOffice.org
[2012/01/25 01:46:04 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2012/01/25 13:32:02 | 000,000,392 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{D67791F9-59A1-4712-8289-0376237523BE}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:07BF512B

< End of report >


OTL Extras logfile created on: 1/25/2012 1:29:49 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = \\Kfff2k3\user\crohloff\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.48 Mb Total Physical Memory | 507.32 Mb Available Physical Memory | 49.57% Memory free
2.41 Gb Paging File | 2.08 Gb Available in Paging File | 86.21% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.49 Gb Total Space | 11.25 Gb Free Space | 15.10% Space Free | Partition Type: NTFS
Drive E: | 74.49 Gb Total Space | 73.08 Gb Free Space | 98.11% Space Free | Partition Type: NTFS
Drive U: | 74.49 Gb Total Space | 11.25 Gb Free Space | 15.10% Space Free | Partition Type: *NT5CSC

Computer Name: RECEPT-WS | User Name: crohloff | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\Winamp.exe" /BOOKMARK "%1"
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\Winamp.exe" /ADD "%1"
Directory [Winamp.Play] -- "C:\Program Files\Winamp\Winamp.exe" "%1"
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications]
"Enabled" = 1
"AllowUserPrefMerge" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts]
"Enabled" = 1
"AllowUserPrefMerge" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List]
"135:TCP:*:Enabled:Offer Remote Assistance - Port" = 135:TCP:*:Enabled:Offer Remote Assistance - Port

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint]
"Enabled" = 1
"RemoteAddresses" = LocalSubnet

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop]
"Enabled" = 1
"RemoteAddresses" = *

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications]
"AllowUserPrefMerge" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts]
"AllowUserPrefMerge" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Documents and Settings\crohloff\Local Settings\Temp\7zS4.tmp\SymNRT.exe" = C:\Documents and Settings\crohloff\Local Settings\Temp\7zS4.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool
"C:\Documents and Settings\crohloff\Local Settings\Temp\7zS1C.tmp\SymNRT.exe" = C:\Documents and Settings\crohloff\Local Settings\Temp\7zS1C.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{1D5355BA-562B-4C29-83C0-1D0ED41B2D87}" = TinyZIP
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{23E5032B-56CA-4C19-A72E-B50161DB82CA}" = Shadow Copy Client
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java™ 6 Update 29
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E171899-0175-47CC-84C4-562ACDD4C021}" = OpenOffice.org 3.3
"{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}" = ATI HydraVision
"{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}" = Google Earth
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{90240409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Resource Kit
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{94FB906A-CF42-4128-A509-D353026A607E}" = REALTEK Gigabit and Fast Ethernet NIC Driver
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240BB}" = WinZip 14.0
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics Disk Defrag
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"ATI Display Driver" = ATI Display Driver
"Backyard Football" = Backyard Football
"CutePDF Writer Installation" = CutePDF Writer 2.8
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Telos ProFiler Client" = Telos ProFiler Client
"ViewpointMediaPlayer" = Viewpoint Media Player
"WGA" = Windows Genuine Advantage Validation Tool
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMCSetup" = Windows Media Connect
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"Winamp Detect" = Winamp Detector Plug-in

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/24/2012 6:56:51 PM | Computer Name = RECEPT-WS | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/25/2012 2:51:54 AM | Computer Name = RECEPT-WS | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 1/25/2012 10:21:41 AM | Computer Name = RECEPT-WS | Source = Application Hang | ID = 1002
Description = Hanging application helpctr.exe, version 5.1.2600.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/25/2012 10:21:44 AM | Computer Name = RECEPT-WS | Source = Application Hang | ID = 1001
Description = Fault bucket 724433971.

Error - 1/25/2012 10:51:54 AM | Computer Name = RECEPT-WS | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 1/25/2012 10:56:22 AM | Computer Name = RECEPT-WS | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/25/2012 10:56:23 AM | Computer Name = RECEPT-WS | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/25/2012 10:56:24 AM | Computer Name = RECEPT-WS | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/25/2012 10:56:26 AM | Computer Name = RECEPT-WS | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

Error - 1/25/2012 10:56:33 AM | Computer Name = RECEPT-WS | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

[ System Events ]
Error - 1/24/2012 7:36:57 PM | Computer Name = RECEPT-WS | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 60 minutes. NtpClient has no source of accurate
time.

Error - 1/24/2012 8:36:57 PM | Computer Name = RECEPT-WS | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 120 minutes. NtpClient has no source of accurate
time.

Error - 1/24/2012 10:36:58 PM | Computer Name = RECEPT-WS | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 240 minutes. NtpClient has no source of accurate
time.

Error - 1/24/2012 10:51:59 PM | Computer Name = RECEPT-WS | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain KFFF due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 1/25/2012 2:36:58 AM | Computer Name = RECEPT-WS | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 480 minutes. NtpClient has no source of accurate
time.

Error - 1/25/2012 2:57:00 AM | Computer Name = RECEPT-WS | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain KFFF due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 1/25/2012 6:57:03 AM | Computer Name = RECEPT-WS | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain KFFF due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 1/25/2012 10:36:59 AM | Computer Name = RECEPT-WS | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 960 minutes. NtpClient has no source of accurate
time.

Error - 1/25/2012 11:02:02 AM | Computer Name = RECEPT-WS | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain KFFF due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 1/25/2012 3:06:56 PM | Computer Name = RECEPT-WS | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain KFFF due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.


< End of report >
  • 0

Advertisements

#2
RKinner
Posted 26 January 2012 - 01:34 AM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
OK. We will clean up the obvious stuff then run some scans, do a disk check and look at your event logs to see if there is anything we need to worry about. There's no hurry on my end - I don't keep track of these. Just wait for an email to tell me that I have a reply. Please copy and paste your logs. Do not attach them unless they are too big to post. Multiple posts are fine.

Uninstall:

Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 2
Java™ 6 Update 5 (Old Javas - obsolete and dangerous to have plus each one wastes about 100 Meg of hard drive space.)
Logmein (appears broken anyway)

Copy the text in the code box by highlighting and Ctrl + c 


:processes
killallprocesses

:OTL
O2 - BHO: (Zango) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.75.0\HostIE.dll File not found
O3 - HKLM\..\Toolbar: (Zango) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.75.0\HostIE.dll File not found
O4 - HKLM..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24 File not found
O4 - HKLM..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe File not found
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" File not found
O4 - HKLM..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" File not found
O4 - HKLM..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" File not found
O4 - HKLM..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray File not found
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime File not found
O4 - HKLM..\Run: [SeekmoOE] C:\Program Files\Seekmo\bin\10.0.431.0\OEAddOn.exe File not found
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [Aim6] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = File not found
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 1 = net use Q: /delete (Microsoft Corporation)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 2 = net use Q: \\kfff2k3\Accounting (Microsoft Corporation)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 File not found
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL File not found
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL File not found
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL File not found
O20 - Winlogon\Notify\NavLogon: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O33 - MountPoints2\{f0801829-32e0-11e0-a3bd-000fea28c351}\Shell - "" = AutoRun
O33 - MountPoints2\{f0801829-32e0-11e0-a3bd-000fea28c351}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f0801829-32e0-11e0-a3bd-000fea28c351}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a

:files
xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C
C:\Program Files\Zango
    
:Commands
[RESETHOSTS]
[EMPTYTEMP]
[purity]
[Reboot]
then run OTL and Under the Custom Scans/Fixes box at the bottom, paste (ctrl +v) the text. Verify that you got it all and Then click the Run Fix button at the top
Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.

Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.



ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it from your browser or from the Downloads folder:!:

:!: Disable your Antivirus software when downloading or running Combofix. Right click on the Avast Ball and select Avast! Shields Control and Disable Until Computer is Restarted

Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on ComboFix to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double click on TDSSKiller.exe
If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.


Download aswMBR.exe ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
change the a-v scan to None.
uncheck trace disk IO calls
Click the "Scan" button to start scan
On completion of the scan (Note if the Fix button is enabled (not the FixMBR button) and tell me) click save log, save it to your desktop and post in your next reply

1. Double-click My Computer, and then right-click the hard disk that you want to check. C:
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed,
4. Check both boxes and then click Start.
You will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check, but don't restart yet.

Start, Run, eventvwr.msc, OK to bring up the Event Viewer. Right click on System and Clear All Events, No (we don't want to save the old log), OK. Repeat for Application.

Reboot.

The disk check will run and will probably take an hour or more to finish.

Start, Run, sfc /scannow, OK

SPACE after sfc. This will check your critical system files. If it asks for a CD and you don't have one or it doesn't like your CD just tell it to SKIP.

Start, Run, sigverif, OK

Press Start. This will check your drivers. If you just get a few when it finishes tell me what they are. If you get a lot just look for those with newish dates (since about the time the problem started.)


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Double-click VEW.exe
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.


I don't see an anti-virus.

Let's install the free Avast:

http://www.avast.com...ivirus-download

Click on the Avast ball. Then click on Scan Computer, then on
Boot-Time Scan then on Settings. Change the Ask at the bottom to Move to Chest. OK then Schedule Now. Reboot and let it run a scan. It may take hours.
Once it finishes it should load windows. Click on the Avast ball and then on Scan Logs, select the Boot-time scan report then View Results. How many did it find?
See if you can find C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\aswboot.txt
I think that's where they hide the log file in XP. If so, copy and paste it into a reply.

Ron
  • 1

#3
THX1136
Posted 26 January 2012 - 07:22 PM

THX1136

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
I need some clarification. I started in on the process and got to downloading ComboFix. It is not on the PC (In fact Ztruker advised I remove it if it was there in the thread I included in my first post.)

My question is: Where is "Avast Ball"? I do not find it. I did a search for "Avast" with nothing found. I noticed loading it was the last step in the process you gave me. I did not want to proceed further and make matters worse - or more complicated - by loading it before ComboFix. I was going to assume I could just do the ComboFix step and not concern myself with Avast, but wanted your input before proceeding. FYI, the PC did have Symantec, but I was advised to remove it by Ztruker in the thread I referenced in my first post.

Also: Is it okay to remove stuff after I've used it and saved the Notepad file?

Thanks for your help.
  • 0

#4
RKinner
Posted 26 January 2012 - 08:12 PM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
You are in the big leagues now. Combofix is one of our major tools so you need to get it and run it.

The Avast Ball will show up once you download and install Avast but that's the last step so please do the steps in order.
  • 0

#5
THX1136
Posted 28 January 2012 - 05:19 PM

THX1136

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
I finished the process. I will do the logs in order - each in a different post for clarity.

First off, I did the unistalls you suggested. There was no Logmein either in "Add/Remove" or through search results.

This is the OTL log results:


All processes killed
========== PROCESSES ==========
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\DIGServices deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\DIGStream deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\iTunesHelper deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\LogMeIn GUI deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\MessengerPlus3 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\NapsterShell deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\QuickTime Task deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SeekmoOE deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SoundMan deleted successfully.
C:\WINDOWS\SOUNDMAN.EXE moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SunJavaUpdateSched deleted successfully.
File C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Aim6 deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\1 deleted successfully.
C:\WINDOWS\System32\net.exe moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\2 deleted successfully.
File net use Q: \\kfff2k3\Accounting not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92780B25-18CC-41C8-B9BE-3C9C571A8263}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-itss\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A9007C0-4076-11D3-8789-0000F8105754}\ deleted successfully.
File {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL File not found not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\mso-offdap\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3D9F03FA-7A94-11D3-BE81-0050048385D1}\ deleted successfully.
File {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL File not found not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f0801829-32e0-11e0-a3bd-000fea28c351}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f0801829-32e0-11e0-a3bd-000fea28c351}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f0801829-32e0-11e0-a3bd-000fea28c351}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f0801829-32e0-11e0-a3bd-000fea28c351}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f0801829-32e0-11e0-a3bd-000fea28c351}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f0801829-32e0-11e0-a3bd-000fea28c351}\ not found.
File E:\LaunchU3.exe -a not found.
========== FILES ==========
< xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C >
0 File(s) copied
E:\cmd.bat deleted successfully.
E:\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C >
0 File(s) copied
E:\cmd.bat deleted successfully.
E:\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C >
0 File(s) copied
E:\cmd.bat deleted successfully.
E:\cmd.txt deleted successfully.
< xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C >
0 File(s) copied
E:\cmd.bat deleted successfully.
E:\cmd.txt deleted successfully.
File\Folder C:\Program Files\Zango not found.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: crohloff
->Temp folder emptied: 851883 bytes
->Temporary Internet Files folder emptied: 15253984 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 140754062 bytes
->Flash cache emptied: 858 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56475 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 36400 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1138618 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3348661 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 15234712 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 80374 bytes
RecycleBin emptied: 1061495405 bytes

Total Files Cleaned = 1,181.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 01262012_162959

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
  • 0

#6
THX1136
Posted 28 January 2012 - 05:21 PM

THX1136

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
Here is the log for the Malware run:


Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.26.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
crohloff :: RECEPT-WS [administrator]

Protection: Enabled

1/26/2012 4:45:40 PM
mbam-log-2012-01-26 (16-45-40).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 181217
Time elapsed: 4 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 22
HKCR\AppID\{4A40E8FC-C7E4-4F57-9FA4-85DD77402897} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKCR\CLSID\{1F158A1E-A687-4a11-9679-B3AC64B86A1C} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKCR\TypeLib\{FBB40FDF-B715-4342-AB82-244ECC66E979} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1F158A1E-A687-4A11-9679-B3AC64B86A1C} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKCR\CLSID\{2AA2FBF8-9C76-4E97-A226-25C5F4AB6358} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2AA2FBF8-9C76-4E97-A226-25C5F4AB6358} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{2AA2FBF8-9C76-4E97-A226-25C5F4AB6358} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKCR\CLSID\{914A8F99-38E4-47ec-B875-2B0653516030} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKCR\TypeLib\{995E885E-3FF5-4f66-A107-8BFB3A0F8F12} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKCR\Interface\{BD5258AF-20AE-4BD3-B748-B2851ACA7335} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKCR\Seekmo.DesktopFlash.1 (Adware.Seekmo) -> Quarantined and deleted successfully.
HKCR\Seekmo.DesktopFlash (Adware.Seekmo) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{914A8F99-38E4-47EC-B875-2B0653516030} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{914A8F99-38E4-47EC-B875-2B0653516030} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKCR\CLSID\{E313F5DC-CFE7-4568-84A4-C76653547571} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKCR\SeekmoAX.UserProfiles.1 (Adware.Seekmo) -> Quarantined and deleted successfully.
HKCR\SeekmoAX.UserProfiles (Adware.Seekmo) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{E313F5DC-CFE7-4568-84A4-C76653547571} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} (Adware.Zango) -> Quarantined and deleted successfully.
HKCR\SeekmoAX.ClientDetector (Adware.Seekmo) -> Quarantined and deleted successfully.
HKCR\SeekmoAX.ClientDetector.1 (Adware.Seekmo) -> Quarantined and deleted successfully.
HKCR\AppID\SeekmoSA_df.exe (Adware.Seekmo) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform|Zango 10.3.75.0 (Adware.Zango) -> Data: -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Documents and Settings\All Users\Application Data\SeekmoSA (Adware.Seekmo) -> Quarantined and deleted successfully.

Files Detected: 5
C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA.dat (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAAbout.mht (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAau.dat (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAEULA.mht (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA_kyf.dat (Adware.Seekmo) -> Quarantined and deleted successfully.

(end)
  • 0

#7
THX1136
Posted 28 January 2012 - 05:22 PM

THX1136

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
This is the ComboFix log:


ComboFix 12-01-27.01 - crohloff 01/27/2012 16:26:50.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.419 [GMT -6:00]
Running from: c:\documents and settings\crohloff\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\3840_enu_win2k_xpinfu.exe
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\alcrmv.exe
c:\windows\msxml6-KB973686-enu-x86.LOG
.
.
((((((((((((((((((((((((( Files Created from 2011-12-27 to 2012-01-27 )))))))))))))))))))))))))))))))
.
.
2012-01-27 08:21 . 2012-01-27 08:21 56200 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{32F30774-84B2-49B6-B6E4-3088BC286C90}\offreg.dll
2012-01-27 08:19 . 2012-01-06 04:19 6557240 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{32F30774-84B2-49B6-B6E4-3088BC286C90}\mpengine.dll
2012-01-26 22:43 . 2012-01-26 22:43 -------- d-----w- c:\documents and settings\crohloff\Application Data\Malwarebytes
2012-01-26 22:43 . 2012-01-26 22:43 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-26 22:43 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-24 22:44 . 2012-01-24 22:45 -------- dc-h--w- c:\windows\ie8
2012-01-18 16:09 . 2012-01-18 16:09 -------- dc----w- C:\Temp
2012-01-17 04:11 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2012-01-17 04:10 . 2011-07-15 13:29 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2012-01-17 04:10 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2012-01-17 04:07 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2012-01-17 04:02 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-01-17 04:02 . 2010-12-09 15:15 718336 -c----w- c:\windows\system32\dllcache\ntdll.dll
2012-01-17 04:01 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-01-17 04:00 . 2010-08-16 08:45 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2012-01-16 18:57 . 2012-01-16 18:57 -------- dc----w- c:\documents and settings\All Users\Application Data\McAfee
2012-01-16 18:56 . 2012-01-16 18:58 -------- d-----w- c:\program files\McAfee Security Scan
2012-01-16 18:56 . 2012-01-16 18:56 -------- d-----w- c:\program files\Common Files\Adobe AIR
2012-01-16 17:59 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-01-16 17:57 . 2011-11-04 19:20 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-01-16 17:57 . 2011-11-04 19:20 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-01-16 17:57 . 2011-11-04 19:20 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-01-14 09:14 . 2012-01-14 09:14 -------- d-----w- c:\program files\MSXML 6.0
2012-01-14 09:13 . 2012-01-14 09:13 -------- d-----w- c:\windows\SHELLNEW
2012-01-14 09:13 . 2012-01-14 09:13 -------- d-----w- c:\program files\Microsoft Works
2012-01-14 09:13 . 2012-01-14 09:13 -------- d-----w- c:\program files\Microsoft.NET
2012-01-13 22:17 . 2009-07-31 16:05 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
2012-01-13 22:17 . 2008-04-13 17:27 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2012-01-13 22:16 . 2008-04-14 00:12 10752 ------w- c:\windows\system32\smtpapi.dll
2012-01-13 22:16 . 2008-04-14 00:12 9728 ------w- c:\windows\system32\rwnh.dll
2012-01-13 21:46 . 2010-08-27 08:02 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2012-01-13 21:46 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2012-01-13 21:41 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2012-01-13 21:41 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2012-01-13 21:36 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2012-01-13 21:36 . 2010-06-14 07:41 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2012-01-13 21:03 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2012-01-13 21:03 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2012-01-13 21:03 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2012-01-13 21:02 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2012-01-13 19:11 . 2008-04-14 00:12 380416 ------w- c:\windows\system32\irprops.cpl
2012-01-13 19:11 . 2009-08-07 01:24 217816 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-01-13 19:09 . 2012-01-14 09:09 -------- d-----w- c:\windows\ServicePackFiles
2012-01-10 17:27 . 2001-08-18 04:36 26112 -c--a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2012-01-10 17:26 . 2001-08-23 12:00 8704 -c--a-w- c:\windows\system32\dllcache\infoctrs.dll
2012-01-10 17:25 . 2001-08-23 12:00 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2012-01-10 17:25 . 2001-08-23 12:00 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll
2012-01-10 17:25 . 2001-08-23 12:00 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll
2012-01-10 17:25 . 2001-08-23 12:00 6144 -c--a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2012-01-10 17:25 . 2001-08-23 12:00 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll
2012-01-10 17:25 . 2001-08-23 12:00 14336 -c--a-w- c:\windows\system32\dllcache\iisreset.exe
2012-01-10 16:37 . 2008-04-13 18:45 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2012-01-10 16:37 . 2008-04-13 18:45 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2012-01-10 16:37 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-01-10 16:36 . 2001-08-17 18:11 66591 ----a-w- c:\windows\system32\drivers\el90xbc5.sys
2012-01-10 16:26 . 2008-04-14 00:12 129536 ----a-w- c:\windows\system32\ksproxy.ax
2012-01-10 16:26 . 2008-04-14 00:11 4096 ----a-w- c:\windows\system32\ksuser.dll
2012-01-10 16:26 . 2008-04-14 00:13 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
2012-01-10 16:26 . 2008-04-13 18:32 196224 ----a-w- c:\windows\system32\drivers\rdpdr.sys
2012-01-10 16:24 . 2008-04-14 00:12 741376 ----a-w- c:\program files\Common Files\Microsoft Shared\Speech\sapi.dll
2012-01-10 16:24 . 2008-04-13 18:54 11264 ----a-w- c:\windows\system32\drivers\irenum.sys
2012-01-10 16:24 . 2001-08-23 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2012-01-10 16:24 . 2001-08-23 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2012-01-10 16:24 . 2001-08-23 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2012-01-10 16:24 . 2001-08-23 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2012-01-10 16:24 . 2008-04-14 00:12 146432 ----a-w- c:\windows\system\winspool.drv
2012-01-10 16:24 . 2008-04-14 00:12 74752 ----a-w- c:\windows\system32\storprop.dll
2012-01-10 10:15 . 2012-01-10 10:15 -------- d-----w- c:\windows\msapps
2012-01-09 22:36 . 2012-01-09 23:12 -------- d-----w- c:\documents and settings\crohloff\Application Data\Auslogics
2012-01-09 22:36 . 2012-01-09 22:36 -------- d-----w- c:\program files\Auslogics
2012-01-05 21:21 . 2012-01-05 22:44 -------- d-----w- c:\program files\Google
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-12-29 23:06 . 2011-12-29 23:06 -------- d-----w- c:\documents and settings\crohloff\Local Settings\Application Data\WMTools Downloaded Files
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-06 04:19 . 2006-05-10 14:46 6557240 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-12-07 16:08 . 2011-12-02 23:28 236576 ------w- c:\windows\system32\MpSigStub.exe
2011-12-01 14:56 . 2011-12-01 14:56 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57 . 2001-08-23 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2001-08-23 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2001-08-23 12:00 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-04 19:20 . 2001-08-23 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2001-08-23 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2001-08-23 12:00 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2001-08-23 12:00 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2001-08-23 12:00 1288704 ----a-w- c:\windows\system32\ole32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="e:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware"="e:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\crohloff\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-09-27 20:49 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R2 MBAMService;MBAMService;e:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/26/2012 4:43 PM 652872]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/26/2012 4:43 PM 20464]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/5/2012 3:21 PM 136176]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/5/2012 3:21 PM 136176]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - IPFILTERDRIVER
*NewlyCreated* - MBAMPROTECTOR
*NewlyCreated* - MBAMSERVICE
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-05 21:21]
.
2012-01-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-05 21:21]
.
2012-01-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-308248587-1703384483-2866846594-1152Core.job
- c:\documents and settings\crohloff\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-01-05 23:00]
.
2012-01-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-308248587-1703384483-2866846594-1152UA.job
- c:\documents and settings\crohloff\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-01-05 23:00]
.
2012-01-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
2012-01-27 c:\windows\Tasks\User_Feed_Synchronization-{D67791F9-59A1-4712-8289-0376237523BE}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: DhcpNameServer = 192.168.70.1
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Backyard Football - c:\hegames\football\Uninst.isu
AddRemove-Telos ProFiler Client - c:\progra~1\TELOSS~1\PROFIL~1\UNWISE.EXE
AddRemove-ViewpointMediaPlayer - c:\program files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe
AddRemove-Winamp - c:\program files\Winamp\UninstWA.exe
AddRemove-Winamp Detect - c:\program files\Winamp Detect\UninstWaDetect.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-27 16:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(468)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\msxml3.dll
.
Completion time: 2012-01-27 16:35:30
ComboFix-quarantined-files.txt 2012-01-27 22:35
.
Pre-Run: 13,039,026,176 bytes free
Post-Run: 13,343,834,112 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - DEC46CF11ED46C585DB5087E8D48D0EC
  • 0

#8
THX1136
Posted 28 January 2012 - 05:23 PM

THX1136

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
This is the TDSS log:


16:39:51.0671 0700 TDSS rootkit removing tool 2.7.7.0 Jan 24 2012 16:44:27
16:39:52.0421 0700 ============================================================
16:39:52.0421 0700 Current date / time: 2012/01/27 16:39:52.0421
16:39:52.0421 0700 SystemInfo:
16:39:52.0421 0700
16:39:52.0421 0700 OS Version: 5.1.2600 ServicePack: 3.0
16:39:52.0421 0700 Product type: Workstation
16:39:52.0421 0700 ComputerName: RECEPT-WS
16:39:52.0421 0700 UserName: crohloff
16:39:52.0421 0700 Windows directory: C:\WINDOWS
16:39:52.0421 0700 System windows directory: C:\WINDOWS
16:39:52.0421 0700 Processor architecture: Intel x86
16:39:52.0421 0700 Number of processors: 2
16:39:52.0421 0700 Page size: 0x1000
16:39:52.0421 0700 Boot type: Normal boot
16:39:52.0421 0700 ============================================================
16:39:53.0968 0700 Drive \Device\Harddisk0\DR0 - Size: 0x12A04E9E00 (74.50 Gb), SectorSize: 0x200, Cylinders: 0x25FD, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
16:39:54.0000 0700 Drive \Device\Harddisk1\DR1 - Size: 0x12A04E9E00 (74.50 Gb), SectorSize: 0x200, Cylinders: 0x25FD, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
16:39:54.0046 0700 Initialize success
16:40:06.0078 2872 ============================================================
16:40:06.0078 2872 Scan started
16:40:06.0078 2872 Mode: Manual;
16:40:06.0078 2872 ============================================================
16:40:06.0562 2872 Abiosdsk - ok
16:40:06.0593 2872 abp480n5 - ok
16:40:06.0640 2872 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
16:40:06.0640 2872 ACPI - ok
16:40:06.0671 2872 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
16:40:06.0671 2872 ACPIEC - ok
16:40:06.0687 2872 adpu160m - ok
16:40:06.0718 2872 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
16:40:06.0718 2872 aec - ok
16:40:06.0750 2872 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
16:40:06.0750 2872 AFD - ok
16:40:06.0765 2872 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
16:40:06.0765 2872 agp440 - ok
16:40:06.0781 2872 Aha154x - ok
16:40:06.0796 2872 aic78u2 - ok
16:40:06.0812 2872 aic78xx - ok
16:40:06.0906 2872 ALCXWDM (933933288df5ed26d1928215c97d05c7) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
16:40:06.0921 2872 ALCXWDM - ok
16:40:06.0953 2872 AliIde - ok
16:40:06.0968 2872 amsint - ok
16:40:06.0984 2872 asc - ok
16:40:07.0000 2872 asc3350p - ok
16:40:07.0015 2872 asc3550 - ok
16:40:07.0046 2872 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
16:40:07.0046 2872 AsyncMac - ok
16:40:07.0078 2872 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
16:40:07.0078 2872 atapi - ok
16:40:07.0093 2872 Atdisk - ok
16:40:07.0140 2872 ati2mtag (8759322ffc1a50569c1e5528ee8026b7) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
16:40:07.0156 2872 ati2mtag - ok
16:40:07.0171 2872 atimtag - ok
16:40:07.0187 2872 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
16:40:07.0187 2872 Atmarpc - ok
16:40:07.0234 2872 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
16:40:07.0234 2872 audstub - ok
16:40:07.0296 2872 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
16:40:07.0296 2872 Beep - ok
16:40:07.0375 2872 catchme - ok
16:40:07.0453 2872 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
16:40:07.0453 2872 cbidf2k - ok
16:40:07.0453 2872 cd20xrnt - ok
16:40:07.0500 2872 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
16:40:07.0500 2872 Cdaudio - ok
16:40:07.0531 2872 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
16:40:07.0531 2872 Cdfs - ok
16:40:07.0562 2872 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
16:40:07.0562 2872 Cdrom - ok
16:40:07.0562 2872 Changer - ok
16:40:07.0593 2872 CmdIde - ok
16:40:07.0625 2872 Cpqarray - ok
16:40:07.0640 2872 dac2w2k - ok
16:40:07.0656 2872 dac960nt - ok
16:40:07.0671 2872 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
16:40:07.0671 2872 Disk - ok
16:40:07.0718 2872 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
16:40:07.0734 2872 dmboot - ok
16:40:07.0765 2872 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
16:40:07.0765 2872 dmio - ok
16:40:07.0796 2872 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
16:40:07.0796 2872 dmload - ok
16:40:07.0812 2872 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
16:40:07.0812 2872 DMusic - ok
16:40:07.0843 2872 dpti2o - ok
16:40:07.0859 2872 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
16:40:07.0859 2872 drmkaud - ok
16:40:07.0875 2872 EagleNT - ok
16:40:07.0890 2872 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
16:40:07.0906 2872 EL90XBC - ok
16:40:07.0937 2872 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
16:40:07.0937 2872 Fastfat - ok
16:40:08.0015 2872 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
16:40:08.0015 2872 Fdc - ok
16:40:08.0031 2872 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
16:40:08.0031 2872 Fips - ok
16:40:08.0046 2872 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
16:40:08.0046 2872 Flpydisk - ok
16:40:08.0125 2872 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
16:40:08.0125 2872 FltMgr - ok
16:40:08.0171 2872 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
16:40:08.0171 2872 Fs_Rec - ok
16:40:08.0187 2872 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
16:40:08.0187 2872 Ftdisk - ok
16:40:08.0218 2872 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
16:40:08.0218 2872 gameenum - ok
16:40:08.0234 2872 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
16:40:08.0234 2872 Gpc - ok
16:40:08.0265 2872 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
16:40:08.0265 2872 HidUsb - ok
16:40:08.0281 2872 hpn - ok
16:40:08.0296 2872 hpt3xx - ok
16:40:08.0343 2872 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
16:40:08.0343 2872 HTTP - ok
16:40:08.0359 2872 i2omgmt - ok
16:40:08.0375 2872 i2omp - ok
16:40:08.0390 2872 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
16:40:08.0390 2872 i8042prt - ok
16:40:08.0421 2872 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
16:40:08.0421 2872 Imapi - ok
16:40:08.0437 2872 ini910u - ok
16:40:08.0468 2872 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
16:40:08.0468 2872 IntelIde - ok
16:40:08.0500 2872 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
16:40:08.0515 2872 intelppm - ok
16:40:08.0562 2872 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
16:40:08.0562 2872 Ip6Fw - ok
16:40:08.0593 2872 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
16:40:08.0593 2872 IpFilterDriver - ok
16:40:08.0609 2872 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
16:40:08.0609 2872 IpInIp - ok
16:40:08.0625 2872 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
16:40:08.0640 2872 IpNat - ok
16:40:08.0656 2872 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
16:40:08.0656 2872 IPSec - ok
16:40:08.0718 2872 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
16:40:08.0718 2872 IRENUM - ok
16:40:08.0750 2872 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
16:40:08.0750 2872 isapnp - ok
16:40:08.0765 2872 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
16:40:08.0765 2872 Kbdclass - ok
16:40:08.0781 2872 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
16:40:08.0781 2872 kbdhid - ok
16:40:08.0796 2872 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
16:40:08.0796 2872 kmixer - ok
16:40:08.0859 2872 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
16:40:08.0859 2872 KSecDD - ok
16:40:08.0875 2872 lbrtfdc - ok
16:40:08.0921 2872 LMIInfo - ok
16:40:08.0984 2872 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
16:40:08.0984 2872 lmimirr - ok
16:40:09.0000 2872 LMIRfsClientNP - ok
16:40:09.0015 2872 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
16:40:09.0015 2872 LMIRfsDriver - ok
16:40:09.0046 2872 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
16:40:09.0046 2872 MBAMProtector - ok
16:40:09.0078 2872 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
16:40:09.0078 2872 mnmdd - ok
16:40:09.0125 2872 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
16:40:09.0125 2872 Modem - ok
16:40:09.0140 2872 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
16:40:09.0140 2872 Mouclass - ok
16:40:09.0171 2872 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
16:40:09.0171 2872 mouhid - ok
16:40:09.0187 2872 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
16:40:09.0187 2872 MountMgr - ok
16:40:09.0203 2872 mraid35x - ok
16:40:09.0218 2872 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
16:40:09.0234 2872 MRxDAV - ok
16:40:09.0281 2872 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
16:40:09.0281 2872 MRxSmb - ok
16:40:09.0328 2872 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
16:40:09.0328 2872 Msfs - ok
16:40:09.0359 2872 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
16:40:09.0375 2872 MSKSSRV - ok
16:40:09.0421 2872 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
16:40:09.0421 2872 MSPCLOCK - ok
16:40:09.0437 2872 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
16:40:09.0437 2872 MSPQM - ok
16:40:09.0468 2872 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
16:40:09.0468 2872 mssmbios - ok
16:40:09.0500 2872 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
16:40:09.0500 2872 Mup - ok
16:40:09.0531 2872 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
16:40:09.0531 2872 NDIS - ok
16:40:09.0562 2872 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
16:40:09.0562 2872 NdisTapi - ok
16:40:09.0593 2872 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
16:40:09.0593 2872 Ndisuio - ok
16:40:09.0625 2872 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
16:40:09.0625 2872 NdisWan - ok
16:40:09.0640 2872 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
16:40:09.0640 2872 NDProxy - ok
16:40:09.0671 2872 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
16:40:09.0671 2872 NetBIOS - ok
16:40:09.0687 2872 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
16:40:09.0687 2872 NetBT - ok
16:40:09.0718 2872 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
16:40:09.0734 2872 Npfs - ok
16:40:09.0765 2872 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
16:40:09.0765 2872 Ntfs - ok
16:40:09.0828 2872 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
16:40:09.0828 2872 Null - ok
16:40:09.0875 2872 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
16:40:09.0875 2872 NwlnkFlt - ok
16:40:09.0921 2872 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
16:40:09.0921 2872 NwlnkFwd - ok
16:40:09.0953 2872 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
16:40:09.0953 2872 Parport - ok
16:40:09.0968 2872 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
16:40:09.0968 2872 PartMgr - ok
16:40:10.0000 2872 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
16:40:10.0000 2872 ParVdm - ok
16:40:10.0015 2872 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
16:40:10.0031 2872 PCI - ok
16:40:10.0031 2872 PCIDump - ok
16:40:10.0062 2872 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
16:40:10.0062 2872 PCIIde - ok
16:40:10.0093 2872 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
16:40:10.0093 2872 Pcmcia - ok
16:40:10.0109 2872 PDCOMP - ok
16:40:10.0109 2872 PDFRAME - ok
16:40:10.0125 2872 PDRELI - ok
16:40:10.0140 2872 PDRFRAME - ok
16:40:10.0156 2872 perc2 - ok
16:40:10.0171 2872 perc2hib - ok
16:40:10.0218 2872 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
16:40:10.0218 2872 PptpMiniport - ok
16:40:10.0250 2872 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
16:40:10.0250 2872 Processor - ok
16:40:10.0296 2872 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
16:40:10.0296 2872 PSched - ok
16:40:10.0328 2872 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
16:40:10.0328 2872 Ptilink - ok
16:40:10.0406 2872 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
16:40:10.0406 2872 PxHelp20 - ok
16:40:10.0421 2872 ql1080 - ok
16:40:10.0437 2872 Ql10wnt - ok
16:40:10.0453 2872 ql12160 - ok
16:40:10.0468 2872 ql1240 - ok
16:40:10.0484 2872 ql1280 - ok
16:40:10.0500 2872 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
16:40:10.0500 2872 RasAcd - ok
16:40:10.0515 2872 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
16:40:10.0515 2872 Rasl2tp - ok
16:40:10.0531 2872 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
16:40:10.0546 2872 RasPppoe - ok
16:40:10.0562 2872 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
16:40:10.0562 2872 Raspti - ok
16:40:10.0609 2872 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
16:40:10.0609 2872 Rdbss - ok
16:40:10.0625 2872 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
16:40:10.0625 2872 RDPCDD - ok
16:40:10.0656 2872 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
16:40:10.0656 2872 rdpdr - ok
16:40:10.0734 2872 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
16:40:10.0734 2872 RDPWD - ok
16:40:10.0781 2872 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
16:40:10.0781 2872 redbook - ok
16:40:10.0843 2872 RTL8023xp (2377f31cbb8277807c3351302cf133e9) C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
16:40:10.0843 2872 RTL8023xp - ok
16:40:10.0875 2872 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
16:40:10.0875 2872 Secdrv - ok
16:40:10.0890 2872 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
16:40:10.0906 2872 serenum - ok
16:40:10.0921 2872 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
16:40:10.0921 2872 Serial - ok
16:40:10.0953 2872 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
16:40:10.0953 2872 Sfloppy - ok
16:40:10.0968 2872 Simbad - ok
16:40:10.0984 2872 Sparrow - ok
16:40:11.0015 2872 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
16:40:11.0015 2872 splitter - ok
16:40:11.0031 2872 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
16:40:11.0031 2872 sr - ok
16:40:11.0078 2872 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
16:40:11.0078 2872 Srv - ok
16:40:11.0093 2872 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
16:40:11.0093 2872 swenum - ok
16:40:11.0125 2872 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
16:40:11.0125 2872 swmidi - ok
16:40:11.0140 2872 symc810 - ok
16:40:11.0156 2872 symc8xx - ok
16:40:11.0171 2872 sym_hi - ok
16:40:11.0187 2872 sym_u3 - ok
16:40:11.0203 2872 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
16:40:11.0203 2872 sysaudio - ok
16:40:11.0250 2872 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
16:40:11.0265 2872 Tcpip - ok
16:40:11.0312 2872 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
16:40:11.0312 2872 TDPIPE - ok
16:40:11.0343 2872 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
16:40:11.0359 2872 TDTCP - ok
16:40:11.0359 2872 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
16:40:11.0359 2872 TermDD - ok
16:40:11.0390 2872 TosIde - ok
16:40:11.0437 2872 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
16:40:11.0437 2872 Udfs - ok
16:40:11.0437 2872 ultra - ok
16:40:11.0500 2872 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
16:40:11.0500 2872 Update - ok
16:40:11.0562 2872 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
16:40:11.0562 2872 usbccgp - ok
16:40:11.0640 2872 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
16:40:11.0640 2872 usbehci - ok
16:40:11.0656 2872 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
16:40:11.0656 2872 usbhub - ok
16:40:11.0671 2872 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
16:40:11.0671 2872 usbprint - ok
16:40:11.0687 2872 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
16:40:11.0687 2872 usbscan - ok
16:40:11.0703 2872 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:40:11.0703 2872 USBSTOR - ok
16:40:11.0718 2872 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
16:40:11.0718 2872 usbuhci - ok
16:40:11.0750 2872 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
16:40:11.0750 2872 VgaSave - ok
16:40:11.0750 2872 ViaIde - ok
16:40:11.0781 2872 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
16:40:11.0781 2872 VolSnap - ok
16:40:11.0812 2872 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
16:40:11.0812 2872 Wanarp - ok
16:40:11.0828 2872 WDICA - ok
16:40:11.0843 2872 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
16:40:11.0843 2872 wdmaud - ok
16:40:11.0921 2872 WpdUsb (1385e5aa9c9821790d33a9563b8d2dd0) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
16:40:11.0921 2872 WpdUsb - ok
16:40:11.0953 2872 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
16:40:11.0953 2872 WS2IFSL - ok
16:40:11.0984 2872 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
16:40:11.0984 2872 WudfPf - ok
16:40:12.0015 2872 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
16:40:12.0015 2872 WudfRd - ok
16:40:12.0046 2872 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
16:40:12.0203 2872 \Device\Harddisk0\DR0 - ok
16:40:12.0203 2872 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
16:40:12.0515 2872 \Device\Harddisk1\DR1 - ok
16:40:12.0531 2872 Boot (0x1200) (88883e4f1311c6f3fc90d3a0b925c93d) \Device\Harddisk0\DR0\Partition0
16:40:12.0531 2872 \Device\Harddisk0\DR0\Partition0 - ok
16:40:12.0531 2872 Boot (0x1200) (8c5d4af78f5b000a877dafb129e6e647) \Device\Harddisk1\DR1\Partition0
16:40:12.0531 2872 \Device\Harddisk1\DR1\Partition0 - ok
16:40:12.0531 2872 ============================================================
16:40:12.0531 2872 Scan finished
16:40:12.0531 2872 ============================================================
16:40:12.0546 1756 Detected object count: 0
16:40:12.0546 1756 Actual detected object count: 0
  • 0

#9
THX1136
Posted 28 January 2012 - 05:31 PM

THX1136

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
Here is the aswMBR log:


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-01-27 16:48:49
-----------------------------
16:48:49.046 OS Version: Windows 5.1.2600 Service Pack 3
16:48:49.046 Number of processors: 2 586 0x401
16:48:49.062 ComputerName: RECEPT-WS UserName: crohloff
16:48:49.437 Initialize success
16:48:56.984 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
16:48:56.984 Disk 0 Vendor: WDC_WD800JD-75LSA0 09.01D09 Size: 76292MB BusType: 3
16:48:56.984 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
16:48:56.984 Disk 1 Vendor: WDC_WD800JD-75LSA0 09.01D09 Size: 76292MB BusType: 3
16:48:56.984 Disk 0 MBR read successfully
16:48:57.000 Disk 0 MBR scan
16:48:57.000 Disk 0 Windows XP default MBR code
16:48:57.000 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76277 MB offset 63
16:48:57.000 Disk 0 scanning sectors +156216060
16:48:57.062 Disk 0 scanning C:\WINDOWS\system32\drivers
16:49:04.843 Service scanning
16:49:05.687 Modules scanning
16:49:08.578 Scan finished successfully
16:49:34.046 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
16:49:34.062 The log file has been saved successfully to "E:\aswMBR_no_trace.txt"


These are the files that showed up after running the "sigver":
soundman - c:\windows - exe
lmimirr.dll - c:\windows\system32 - DLL
lmimirr2.dll - same as above
lmimirr.sys - c:\windows\system32\drivers - SYS
cutepdfw.ppd - c:\windows\system32\spool\drivers\w32x86\3 - PPD
fxsadpi.dll - same as above - App Ext.
fxsdrv.dll - same as above
fxres.dll - same as above
fxstiff.dll - same as above
fxsui.dll - same as above
fxwzrd.dll - same as above

At the bottom there was this info:
files found - 3624
signed files - 2563
unsigned files - 11
files not scanned - 1050

All of these items predate the start of this process which was in the last of November 2010. I did mess up on the aswMBR scan and ran it with "trace" enabled. I ran a second without "trace". In both cases "Fix" was enabled.

Edited by THX1136, 28 January 2012 - 05:43 PM.

  • 0

#10
THX1136
Posted 28 January 2012 - 05:33 PM

THX1136

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
Here is the VEW system log:

Vino's Event Viewer v01c run on Windows XP in English
Report run at 28/01/2012 12:53:16 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 28/01/2012 9:02:03 AM
Type: error Category: 0
Event: 5719 Source: NETLOGON
No Domain Controller is available for domain KFFF due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

Log: 'System' Date/Time: 28/01/2012 8:39:02 AM
Type: error Category: 0
Event: 29 Source: W32Time
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 960 minutes. NtpClient has no source of accurate time.

Log: 'System' Date/Time: 28/01/2012 5:02:02 AM
Type: error Category: 0
Event: 5719 Source: NETLOGON
No Domain Controller is available for domain KFFF due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

Log: 'System' Date/Time: 28/01/2012 12:57:02 AM
Type: error Category: 0
Event: 5719 Source: NETLOGON
No Domain Controller is available for domain KFFF due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

Log: 'System' Date/Time: 28/01/2012 12:39:01 AM
Type: error Category: 0
Event: 29 Source: W32Time
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 480 minutes. NtpClient has no source of accurate time.

Log: 'System' Date/Time: 27/01/2012 8:53:54 PM
Type: error Category: 0
Event: 5719 Source: NETLOGON
No Domain Controller is available for domain KFFF due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

Log: 'System' Date/Time: 27/01/2012 8:39:00 PM
Type: error Category: 0
Event: 29 Source: W32Time
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 240 minutes. NtpClient has no source of accurate time.

Log: 'System' Date/Time: 27/01/2012 6:39:00 PM
Type: error Category: 0
Event: 29 Source: W32Time
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 120 minutes. NtpClient has no source of accurate time.

Log: 'System' Date/Time: 27/01/2012 5:39:00 PM
Type: error Category: 0
Event: 29 Source: W32Time
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 59 minutes. NtpClient has no source of accurate time.

Log: 'System' Date/Time: 27/01/2012 5:09:00 PM
Type: error Category: 0
Event: 29 Source: W32Time
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 29 minutes. NtpClient has no source of accurate time.

Log: 'System' Date/Time: 27/01/2012 5:04:18 PM
Type: error Category: 0
Event: 9 Source: atapi
The device, \Device\Ide\IdePort1, did not respond within the timeout period.

Log: 'System' Date/Time: 27/01/2012 5:04:07 PM
Type: error Category: 0
Event: 9 Source: atapi
The device, \Device\Ide\IdePort1, did not respond within the timeout period.

Log: 'System' Date/Time: 27/01/2012 4:54:05 PM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The LogMeIn Kernel Information Provider service failed to start due to the following error: The system cannot find the path specified.

Log: 'System' Date/Time: 27/01/2012 4:53:59 PM
Type: error Category: 0
Event: 29 Source: W32Time
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time.

Log: 'System' Date/Time: 27/01/2012 4:53:58 PM
Type: error Category: 0
Event: 14325 Source: WMPNetworkSvc
Service 'WMPNetworkSvc' did not start correctly because QueryService encountered error '0x80004002'. In Windows Media Player, turn off media sharing, and then turn it back on.

Log: 'System' Date/Time: 27/01/2012 4:53:58 PM
Type: error Category: 0
Event: 29 Source: W32Time
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time.

Log: 'System' Date/Time: 27/01/2012 4:53:51 PM
Type: error Category: 0
Event: 5719 Source: NETLOGON
No Domain Controller is available for domain KFFF due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 28/01/2012 8:39:02 AM
Type: warning Category: 0
Event: 14 Source: W32Time
The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in 960 minutes.

Log: 'System' Date/Time: 28/01/2012 6:33:11 AM
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

Log: 'System' Date/Time: 28/01/2012 12:39:01 AM
Type: warning Category: 0
Event: 14 Source: W32Time
The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in 480 minutes.

Log: 'System' Date/Time: 27/01/2012 8:39:00 PM
Type: warning Category: 0
Event: 14 Source: W32Time
The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in 240 minutes.

Log: 'System' Date/Time: 27/01/2012 6:39:00 PM
Type: warning Category: 0
Event: 14 Source: W32Time
The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in 120 minutes.

Log: 'System' Date/Time: 27/01/2012 5:39:00 PM
Type: warning Category: 0
Event: 14 Source: W32Time
The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in 60 minutes.

Log: 'System' Date/Time: 27/01/2012 5:09:43 PM
Type: warning Category: 0
Event: 11165 Source: DnsApi
The system failed to register host (A) resource records (RRs) for network adapter with settings: Adapter Name : {A0B208A5-E87B-4FC9-B458-4ABAB8A60DCE} Host Name : RECEPT-WS Primary Domain Suffix : KFFF.local DNS server list : 192.168.70.1 Sent update to server : <?> IP Address(es) : 192.168.70.210 The reason the system could not register these RRs was because the DNS server contacted refused the update request. The reasons for this might be (a) you are not allowed to update the specified DNS domain name, or (b) because the DNS server authoritative for this name does not support the DNS dynamic update protocol. To register the DNS host (A) resource records using the specific DNS domain name and IP addresses for this adapter, contact your DNS server or network systems administrator.

Log: 'System' Date/Time: 27/01/2012 5:09:00 PM
Type: warning Category: 0
Event: 14 Source: W32Time
The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in 30 minutes.

Log: 'System' Date/Time: 27/01/2012 4:53:59 PM
Type: warning Category: 0
Event: 14 Source: W32Time
The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in 15 minutes.

Log: 'System' Date/Time: 27/01/2012 4:53:58 PM
Type: warning Category: 0
Event: 14 Source: W32Time
The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in 15 minutes.


Here is the VEW app log:

Vino's Event Viewer v01c run on Windows XP in English
Report run at 28/01/2012 12:54:27 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 28/01/2012 9:02:03 AM
Type: error Category: 0
Event: 5719 Source: NETLOGON
No Domain Controller is available for domain KFFF due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

Log: 'System' Date/Time: 28/01/2012 8:39:02 AM
Type: error Category: 0
Event: 29 Source: W32Time
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 960 minutes. NtpClient has no source of accurate time.

Log: 'System' Date/Time: 28/01/2012 5:02:02 AM
Type: error Category: 0
Event: 5719 Source: NETLOGON
No Domain Controller is available for domain KFFF due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

Log: 'System' Date/Time: 28/01/2012 12:57:02 AM
Type: error Category: 0
Event: 5719 Source: NETLOGON
No Domain Controller is available for domain KFFF due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

Log: 'System' Date/Time: 28/01/2012 12:39:01 AM
Type: error Category: 0
Event: 29 Source: W32Time
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 480 minutes. NtpClient has no source of accurate time.

Log: 'System' Date/Time: 27/01/2012 8:53:54 PM
Type: error Category: 0
Event: 5719 Source: NETLOGON
No Domain Controller is available for domain KFFF due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

Log: 'System' Date/Time: 27/01/2012 8:39:00 PM
Type: error Category: 0
Event: 29 Source: W32Time
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 240 minutes. NtpClient has no source of accurate time.

Log: 'System' Date/Time: 27/01/2012 6:39:00 PM
Type: error Category: 0
Event: 29 Source: W32Time
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 120 minutes. NtpClient has no source of accurate time.

Log: 'System' Date/Time: 27/01/2012 5:39:00 PM
Type: error Category: 0
Event: 29 Source: W32Time
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 59 minutes. NtpClient has no source of accurate time.

Log: 'System' Date/Time: 27/01/2012 5:09:00 PM
Type: error Category: 0
Event: 29 Source: W32Time
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 29 minutes. NtpClient has no source of accurate time.

Log: 'System' Date/Time: 27/01/2012 5:04:18 PM
Type: error Category: 0
Event: 9 Source: atapi
The device, \Device\Ide\IdePort1, did not respond within the timeout period.

Log: 'System' Date/Time: 27/01/2012 5:04:07 PM
Type: error Category: 0
Event: 9 Source: atapi
The device, \Device\Ide\IdePort1, did not respond within the timeout period.

Log: 'System' Date/Time: 27/01/2012 4:54:05 PM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The LogMeIn Kernel Information Provider service failed to start due to the following error: The system cannot find the path specified.

Log: 'System' Date/Time: 27/01/2012 4:53:59 PM
Type: error Category: 0
Event: 29 Source: W32Time
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time.

Log: 'System' Date/Time: 27/01/2012 4:53:58 PM
Type: error Category: 0
Event: 14325 Source: WMPNetworkSvc
Service 'WMPNetworkSvc' did not start correctly because QueryService encountered error '0x80004002'. In Windows Media Player, turn off media sharing, and then turn it back on.

Log: 'System' Date/Time: 27/01/2012 4:53:58 PM
Type: error Category: 0
Event: 29 Source: W32Time
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time.

Log: 'System' Date/Time: 27/01/2012 4:53:51 PM
Type: error Category: 0
Event: 5719 Source: NETLOGON
No Domain Controller is available for domain KFFF due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 28/01/2012 8:39:02 AM
Type: warning Category: 0
Event: 14 Source: W32Time
The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in 960 minutes.

Log: 'System' Date/Time: 28/01/2012 6:33:11 AM
Type: warning Category: 0
Event: 36 Source: W32Time
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

Log: 'System' Date/Time: 28/01/2012 12:39:01 AM
Type: warning Category: 0
Event: 14 Source: W32Time
The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in 480 minutes.

Log: 'System' Date/Time: 27/01/2012 8:39:00 PM
Type: warning Category: 0
Event: 14 Source: W32Time
The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in 240 minutes.

Log: 'System' Date/Time: 27/01/2012 6:39:00 PM
Type: warning Category: 0
Event: 14 Source: W32Time
The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in 120 minutes.

Log: 'System' Date/Time: 27/01/2012 5:39:00 PM
Type: warning Category: 0
Event: 14 Source: W32Time
The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in 60 minutes.

Log: 'System' Date/Time: 27/01/2012 5:09:43 PM
Type: warning Category: 0
Event: 11165 Source: DnsApi
The system failed to register host (A) resource records (RRs) for network adapter with settings: Adapter Name : {A0B208A5-E87B-4FC9-B458-4ABAB8A60DCE} Host Name : RECEPT-WS Primary Domain Suffix : KFFF.local DNS server list : 192.168.70.1 Sent update to server : <?> IP Address(es) : 192.168.70.210 The reason the system could not register these RRs was because the DNS server contacted refused the update request. The reasons for this might be (a) you are not allowed to update the specified DNS domain name, or (b) because the DNS server authoritative for this name does not support the DNS dynamic update protocol. To register the DNS host (A) resource records using the specific DNS domain name and IP addresses for this adapter, contact your DNS server or network systems administrator.

Log: 'System' Date/Time: 27/01/2012 5:09:00 PM
Type: warning Category: 0
Event: 14 Source: W32Time
The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in 30 minutes.

Log: 'System' Date/Time: 27/01/2012 4:53:59 PM
Type: warning Category: 0
Event: 14 Source: W32Time
The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in 15 minutes.

Log: 'System' Date/Time: 27/01/2012 4:53:58 PM
Type: warning Category: 0
Event: 14 Source: W32Time
The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in 15 minutes.
  • 0

Advertisements

#11
THX1136
Posted 28 January 2012 - 05:38 PM

THX1136

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
Finally the results of the Boot time scan: This showed no viruses. When I looked where you directed it was blank. I also did a search for the file you named - aswboot.txt - and it was not found.

I let all scans run without interruption, allowing for any reboots etc.

What should be my next step - if there is one? What software that I downloaded in this process can be safely removed? Is there any that would be worth keeping? Free would be the operative word in this determination for me as I am doing this for my manager's PC. Hopefully I got all the info you requested - I was bouncing back and forth to make sure I mentioned everything you asked for.

Thanks for the help so far. I appreciate your time on this.

Edited by THX1136, 28 January 2012 - 05:44 PM.

  • 0

#12
RKinner
Posted 29 January 2012 - 02:37 AM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Do you have the administrator from the domain this thing was originally on? We need that to remove it from the domain.

Drive U: is a copy of C: - perhaps someone has mapped a network drive back to itself and enabled Client Side Caching

1. Click Start, and then click Control Panel.
2. Click Network and Internet, and then click Offline Files.
3. On the General tab, click View your offline files.
4. In the Offline Files folder, right-click the cache of the offline files
that you want to delete, and then click Delete Offline Copy.

Another possibility:
shift + CTRL and click the delete files in the offline folder options.

Do you have any idea how you got files with dates of 2099?

[2099/01/01 12:00:00 | 010,352,516 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\SYATP 10 - RADIO EDITS (MP3s).zip
[2099/01/01 12:00:00 | 009,574,988 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\sarahyoung-jesuscalling.zip
[2099/01/01 12:00:00 | 009,159,224 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\Wordsower International-Jason Nightingale draft.mp3
[2099/01/01 12:00:00 | 003,674,952 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\USBankLobbyCeiling#1.JPG
[2099/01/01 12:00:00 | 003,376,954 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\USBankLobbyCeiling#2(floor).JPG
[2099/01/01 12:00:00 | 003,036,390 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\WTRU_LB_Liners_2.mp3
[2099/01/01 12:00:00 | 002,613,207 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\WTRU_LB_ID.mp3
[2099/01/01 12:00:00 | 002,565,141 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\WTRU_PB_ID.mp3
[2099/01/01 12:00:00 | 001,658,225 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\Print Ads_Full Page.jpg
[2099/01/01 12:00:00 | 001,465,602 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\qrtpageAdWOF.pdf
[2099/01/01 12:00:00 | 000,668,202 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\Stu Promo for 2011.wav
[2099/01/01 12:00:00 | 000,572,872 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\Salemtalkclock.pdf
[2099/01/01 12:00:00 | 000,408,627 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\sunrise_aspen_colorado.jpg
[2099/01/01 12:00:00 | 000,279,894 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\Rohloff Photo.bmp
[2099/01/01 12:00:00 | 000,259,720 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\StationManager-NeedDocumentation.pdf
[2099/01/01 12:00:00 | 000,233,060 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\Rohloff Flight to NRB and Back.MDI
[2099/01/01 12:00:00 | 000,162,672 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\Rohloff Flight plan to NRB.pdf
[2099/01/01 12:00:00 | 000,122,461 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\Putting_Off_Procrastination.pdf
[2099/01/01 12:00:00 | 000,094,908 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\ProLifeTownhallFlyerOctober2010.pdf
[2099/01/01 12:00:00 | 000,052,610 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\Program Guide inside Oct 2010.pdf
[2099/01/01 12:00:00 | 000,038,570 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\The Goal of God's Love -John Piper.pdf
[2099/01/01 12:00:00 | 000,036,339 | ---- | C] () -- \\Kfff2k3\user\crohloff\My Documents\Rohloff Business Card.JPG

See if you can sync the clock:
http://csg.trinhall..../tips/ntp/winxp
  • 0

#13
THX1136
Posted 29 January 2012 - 09:43 PM

THX1136

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
Here's is what I know for sure. The computer used to be networked internally with 2 other PCs. When the new owners bought the station there was only one employee - my manager. At that point in time he did not use the network. One PC was removed and put in storage. The other experienced major problems and is currently not in use. The PC my manager is using now is, for all intents and purposes, a stand alone. Chris leaves the PC on all the time and I've been performing all the tasks logging in under his login. There is no other person who would be identified as an "administrator" other than Chris. The folks that originally owned the station are long gone.

When I first started removing files from the C drive to make room there were several other users listed when I viewed the drive. This, I am assuming, was the other folks and their "identity" on this internal network. I removed everything with the exception of Chris since he is the lone user at this point and the parent his folder was in. Since I am at home I do not know the name of that folder. (I think it was identified as RECEPT) I don't know if this answers your first question. For some reason I'm not clear how this sort of thing works exactly as far as how it was configured - I just have an understanding of what the network is, or in this case was. You may have to talk to me like a 10 year old on this aspect.

As far as the files with the 2099 date goes: Chris had been using Dropbox. When we found the HD completely full (looked at the C drive's "properties" which showed 0% free space) he deleted what he thought was the "local" Dropbox files. (This may not be an accurate way to describe this.) His thought was that since the files in the cloud would still be there he chose to delete the local files. These 2099 dated files may be renegade files from the original Dropbox folder on his PC. At least that would be my best guess as the time of the computer is current and accurate to my knowledge. Also, I do have access to the Dropbox from the Production PC and those files are in the cloud as I recognize some of the file names. The sunrise_apsen_colorado jpg is Chris' current desktop picture I believe. The Production PC and Chris' are not networked. Chris used Logmein to remotely change things on the Production PC as far as our on air automation goes. That was his only way to "work" on the Production PC from his PC.

You have confirmed my suspicion that the U drive is a mirror or duplicate of the C drive. I have been wondering how to "dismantle" that arrangement of the original internal network. I will try your suggestions and post when completed with the results. I apologize for not having more information for you. I started working at the station as a volunteer in mid 2010 and have only been full time since 9/11. The station changed hands in early 2010 so I am just piecing together what bits I know - which is not much.

Edited by THX1136, 29 January 2012 - 09:52 PM.

  • 0

#14
RKinner
Posted 30 January 2012 - 12:49 AM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Reason I asked about the domain administrator password is that you need it to safely remove a PC from a domain (and this one thinks it is part of a domain.)

I asked you to try and get it to synchronize with network time in order to get rid of some of the errors that we are getting.
  • 0

#15
THX1136
Posted 30 January 2012 - 08:04 AM

THX1136

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
I tried to synchronize the clock and it failed. I did not follow up with CSG.

I do not have "Network and Internet" in the Control Panel. I have Network Connections and Internet Options. I did look for anything with "offline files" designated and found nothing. I did a search for offline files and it turned up nothing.

I will ask my manager if he knows the domain administrator password. My guess on this is "no". I will post with any additional info I get.

Thank you for your patience and help.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP