Possible Infection, Generic, in System32, See OTL Log. Thanks! [So

#16 blueblue (Topic Starter, Member, 270 posts)
Hi again, I was able to get the Panda program but have another problem. For vaccinating the external drive, it has to disable the autorun, and if the file structure is NTFS (hope I got that right), the option to do this says that part is a Beta, so it's not fully developed yet. I had to decide during install if I wanted it; I skipped it and didn't check that option. I was prompted to read the help file, which I'm GLAD I did, because, the process being irreversible and able to cause problems, they advise backing up the drive. But I couldn't go back and click on that option to allow it for that file structure; I could reinstall it after backing up. Then I found more problems when I tried creating a special account to stick the backup on. I feel more secure doing this, but I have another idea if I can't. I created it but it won't load. I have to find out why. While looking in the firewall, I found something very suspicious I meant to mention a while ago and forgot about. There are 4 programs that are dated 1899, which makes me very suspicious. I have them blocked, and have them in a file to show you if you want to see them. Three seem to be associated with the system management, one is a Windows system driver. Meanwhile I thought the other program that didn't work in Win 7 might work on the XP machine if I wanna take the chance to transfer it over; I could possibly get it protected, and my external drive. What's your opinion on all this? Sorry for the delay in resolving all this, I wanna get this fixed already, it's taking time away from fixing my friend's machine. Sincerely, bb
#17 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hi blueblue,

Let's try this. Insert your USB. Start VRT by Kaspersky again as you did last time. On configuration select only your removable drive and scan it with VRT. Post results after the scan.
#18 blueblue (Topic Starter, Member, 270 posts)
Hi, the program just finished scanning the external drive; it took 7 hours. What was found is what I most recently backed up; many of those programs I should've deleted. I can't get the other report to open that says what was done to those files. These are low threats. Here's the log as you requested.

Status: Vulnerability (events: 9)
3/5/2012 1:32:58 PM Vulnerability vulnerability http://www.securelis...dvisories/48089 D:\$RECYCLE.BIN\S-1-5-21-861964490-322295869-921149580-1001\$RE1OOSA\FirefoxPortable\App\Firefox\tbb-firefox.exe Low
3/5/2012 1:34:15 PM Vulnerability vulnerability http://www.securelis...dvisories/48089 D:\$RECYCLE.BIN\S-1-5-21-861964490-322295869-921149580-1001\$RY5RD5O\FirefoxPortable\App\Firefox\tbb-firefox.exe Low
3/5/2012 1:55:30 PM Vulnerability vulnerability http://www.securelis...dvisories/48089 D:\Acer\D\Tor Browser\FirefoxPortable\App\Firefox\firefox.exe Low
3/5/2012 1:55:42 PM Vulnerability vulnerability http://www.securelis...dvisories/48089 D:\Acer\D\Tor Browser\FirefoxPortable\App\Firefox\tbb-firefox.exe Low
3/5/2012 7:02:27 PM Vulnerability vulnerability http://www.securelis...dvisories/48089 D:\hold\Rainbow\Desktop\D\Tor Browser\FirefoxPortable\App\Firefox\firefox.exe Low
3/5/2012 7:02:36 PM Vulnerability vulnerability http://www.securelis...dvisories/48089 D:\hold\Rainbow\Desktop\D\Tor Browser\FirefoxPortable\App\Firefox\tbb-firefox.exe Low
3/5/2012 7:56:26 PM Vulnerability vulnerability http://www.securelis...dvisories/48009 D:\hold\Sunnybk21712\Program Files\Java\jre6\bin\java.exe Low
3/5/2012 8:03:54 PM Vulnerability vulnerability http://www.securelis...dvisories/48089 D:\hold\Sunnybk21712\Program Files\Mozilla Firefox\firefox.exe Low
3/5/2012 8:18:19 PM Vulnerability vulnerability http://www.securelis...dvisories/48089 D:\hold\Sunnybk21712\Program Files\Tor Browser\FirefoxPortable\App\Firefox\tbb-firefox.exe Low
#19 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
OK. We fixed your first PC and USB memory. Let's see what problems you have on your second PC. From this post on, all my steps are related to your second PC.

Step 1

Download OTL to your Desktop

  • Double click on the icon to run it (If running Vista or Windows 7, right click on it and select "Run as an Administrator"). Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.

Step 2

Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Step 3

Please don't forget to include these items in your reply:

  • OTL log
  • OTL Extras log
  • GMER log
It would be helpful if you could post each log in a separate post.
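The /md5start ... /md5stop block in Step 1 makes OTL hash explorer.exe, winlogon.exe, userinit.exe and svchost.exe wherever it finds them, so a tampered copy in System32 can be spotted against the Windows File Protection backup in System32\dllcache. The script below is an added example (not OTL's own code and not part of maliprog's post) that performs the same comparison in Python; the directory layout it builds in a temp folder and the file contents are constructed stand-ins, and on a real XP machine you would point it at %SystemRoot%\system32 and its dllcache subfolder.

```python
"""Compare MD5 hashes of core Windows binaries with their dllcache copies.

Added example, not part of OTL or this thread: it mimics the check behind
OTL's "/md5start ... /md5stop" custom-scan block, which hashes explorer.exe,
winlogon.exe, userinit.exe and svchost.exe so a replaced copy in System32
stands out from the pristine copy kept in System32\\dllcache on Windows XP.
"""
import hashlib
import tempfile
from pathlib import Path

# The four binaries named in the OTL custom scan in Step 1.
CORE_FILES = ("explorer.exe", "winlogon.exe", "userinit.exe", "svchost.exe")


def md5_of(path):
    """Upper-case hex MD5 of a file, read in chunks (same format as OTL's MD5=)."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def compare_core_files(system32, dllcache, names=CORE_FILES):
    """Return {name: status} for each core binary.

    status is one of:
      "match"        live file and dllcache copy hash identically
      "MISMATCH"     hashes differ: a replaced/patched binary, or a hotfix
                     that updated one copy but not the other; check the
                     file version and signature before drawing conclusions
      "no-dllcache"  nothing to compare against (WFP cache pruned)
      "missing"      the live binary itself is absent
    """
    results = {}
    for name in names:
        live = Path(system32) / name
        cached = Path(dllcache) / name
        if not live.is_file():
            results[name] = "missing"
        elif not cached.is_file():
            results[name] = "no-dllcache"
        elif md5_of(live) == md5_of(cached):
            results[name] = "match"
        else:
            results[name] = "MISMATCH"
    return results


def build_demo_tree(root):
    """Create a CONSTRUCTED System32/dllcache layout for offline demonstration.

    Two clean pairs, one deliberately altered userinit.exe (MISMATCH path) and
    an svchost.exe with no dllcache copy. Returns (system32_dir, dllcache_dir).
    """
    system32 = Path(root) / "WINDOWS" / "system32"
    dllcache = system32 / "dllcache"
    dllcache.mkdir(parents=True)
    for name in CORE_FILES:
        body = b"MZ-constructed-" + name.encode()   # placeholder bytes, not a real PE
        if name != "svchost.exe":
            (dllcache / name).write_bytes(body)
        if name == "userinit.exe":
            body += b"\x90" * 16                     # simulate a modified live copy
        (system32 / name).write_bytes(body)
    return str(system32), str(dllcache)


def demo():
    """Run the comparison over the constructed tree and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        s32, cache = build_demo_tree(tmp)
        return compare_core_files(s32, cache)


def report(results):
    """Format results one per line, OTL-log style; returns the text (also printed)."""
    text = "\n".join(f"{status:<12} {name}" for name, status in sorted(results.items()))
    print(text)
    return text


if __name__ == "__main__":
    report(demo())
```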
#20 blueblue (Topic Starter, Member, 270 posts)
Hi, here's the OTL log you requested. I saw you on a while ago but I wasn't ready to post the logs.
#21 blueblue (Topic Starter, Member, 270 posts)
hi here's the extras log from OTL. Please remember, this machine doesn't go online by choice, we do not want it on the net. I copied the programs over and was able to use them there.

OTL Extras logfile created on: 3/6/2012 5:22:01 PM - Run 1
OTL by OldTimer - Version 3.2.33.2     Folder = C:\Documents and Settings\Ariel\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.23 Mb Total Physical Memory | 576.47 Mb Available Physical Memory | 56.89% Memory free
2.38 Gb Paging File | 2.01 Gb Available in Paging File | 84.50% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 39.07 Gb Total Space | 8.07 Gb Free Space | 20.67% Space Free | Partition Type: NTFS
Drive D: | 106.07 Gb Total Space | 105.65 Gb Free Space | 99.60% Space Free | Partition Type: NTFS
Drive E: | 465.76 Gb Total Space | 348.09 Gb Free Space | 74.74% Space Free | Partition Type: NTFS

Computer Name: MIGET | User Name: Ariel | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\usmt\migwiz.exe" = C:\WINDOWS\system32\usmt\migwiz.exe:*:Disabled:Files and Settings Transfer Wizard -- (Microsoft Corporation)
"C:\Program Files\WinRAR 3.61 Multi\WinRAR.exe" = C:\Program Files\WinRAR 3.61 Multi\WinRAR.exe:*:Enabled:WinRAR
"E:\bin\IA\Core\MDM_Util.exe" = E:\bin\IA\Core\MDM_Util.exe:*:Enabled:MDM_Util
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0E4BC542-9CFD-4E97-B586-9F1E5516E7B9}" = Microsoft IntelliPoint 6.1
"{26A24AE4-039D-4CA4-87B4-2F83216019FF}" = Java™ 6 Update 20
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2BC2781A-F7F6-452E-95EB-018A522F1B2C}" = PaperPort Image Printer
"{2F5006EE-BFE5-4715-B2EC-F82EB2FF130D}" = ArcSoft MediaImpression
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3A08B59E-A9F0-4F4D-B7E5-6875D7F13327}" = Brother MFL-Pro Suite MFC-290C
"{45FCADDB-0B29-457E-83A1-D245C62A716C}" = OLYMPUS Master 2
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{582287DA-0806-4AC0-BF19-C15E3A466034}" = LightScribe System Software 1.12.33.2
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6ADD0603-16EF-400D-9F9E-486432835002}" = OpenOffice.org 3.2
"{703C4409-D597-433A-9B17-E411D9236451}" = EZ-DUB Finder v1.3.45
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7A8FF745-BBC5-482B-88E4-18D3178249A9}" = ScanSoft PaperPort 11
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9AE395DB-6BC3-4CA9-B894-351CB8DE915A}" = BurnRecovery
"{A0A77CDC-2419-4D5C-AD2C-E09E5926B806}" = Microsoft Antimalware
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3BE3F1E-2472-4211-8735-E8239BE49D9F}" = Ulead Burn.Now 4.5
"{A3FEC306-FBFF-4B0D-95B9-F9C67C65079E}" = Brother MFL-Pro Suite
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B6C89654-A6A2-477C-873B-724EC1C56407}" = ScanSoft PaperPort 11
"{BA66DB29-E80A-4053-89F7-D7F8A5D21033}" = Nero 7 Essentials
"{C8F7C1E5-0150-11D6-A96C-00D05908F85D}" = USB Driver
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{D10CB652-9332-4242-B7A9-2D61570144F7}" = USB 2.0 Card Reader
"{E80F62FF-5D3C-4A19-8409-9721F2928206}" = LiveUpdate (Symantec Corporation)
"{ED9C5D25-55DF-48D8-9328-2AC0D75DE5D8}" = System Control Manager
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"4E1F54FAB25DB3EE9094949BF3DFDCF6E1CF07E6" = Windows Driver Package - Realtek (rtl8187Se) Net (07/10/2008 5.9067.0710.2008)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe PhotoDeluxe 2.0" = Adobe PhotoDeluxe 2.0
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Adobe Type Manager 4.0" = Adobe Type Manager 4.0
"E0E22E828DBDB1F29F3D91CF328727F39AF8062B" = Windows Driver Package - Atheros (AR5416) Net (04/08/2008 7.6.0.200)
"E920DD3E0FC6CCFF23A10B3AF7C6DC99BA39648C" = Windows Driver Package - Ralink Technology, Corp. (RT80x86) Net (05/19/2008 1.01.03.0000)
"EZ-DUB5.0.2" = EZ-DUB
"HDMI" = Intel® Graphics Media Accelerator Driver
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"InstallShield_{A3BE3F1E-2472-4211-8735-E8239BE49D9F}" = Ulead Burn.Now 4.5 SE
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSCSR" = Microsoft Speech Recognition Engine 4.0 (English)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PAUninstall" = Presto! PhotoAlbum
"Steinberg Cubase LE" = Steinberg Cubase LE
"tv_enua" = Lernout & Hauspie TruVoice American English TTS Engine
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/16/2012 12:57:38 PM | Computer Name = MIGET | Source = Application Error | ID = 1000
Description = Faulting application startclickfreebackup.exe, version 2.1.84.1, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 2/16/2012 12:59:00 PM | Computer Name = MIGET | Source = Application Error | ID = 1000
Description = Faulting application startclickfreebackup.exe, version 2.1.84.1, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 2/16/2012 12:59:09 PM | Computer Name = MIGET | Source = Application Error | ID = 1000
Description = Faulting application startclickfreebackup.exe, version 2.1.84.1, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 2/16/2012 1:00:46 PM | Computer Name = MIGET | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 2/16/2012 1:06:24 PM | Computer Name = MIGET | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 2/16/2012 2:34:49 PM | Computer Name = MIGET | Source = Application Error | ID = 1000
Description = Faulting application startclickfreebackup.exe, version 2.1.84.1, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 2/18/2012 1:26:32 PM | Computer Name = MIGET | Source = MPSampleSubmission | ID = 5000
Description =

Error - 2/26/2012 4:29:28 PM | Computer Name = MIGET | Source = MPSampleSubmission | ID = 5000
Description =

Error - 2/26/2012 6:12:51 PM | Computer Name = MIGET | Source = Ci | ID = 4118
Description = A content scan could not be completed on c:\.

Error - 2/26/2012 6:12:51 PM | Computer Name = MIGET | Source = Ci | ID = 4118
Description = A content scan could not be completed on e:\.

[ System Events ]
Error - 2/26/2012 4:29:28 PM | Computer Name = MIGET | Source = Microsoft Antimalware | ID = 2001
Description = %%861 has encountered an error trying to update signatures.
 New Signature Version:
 Previous Signature Version: 1.83.1845.0
 Update Source: %%859
 Update Stage: %%852
 Source Path: http://www.microsoft.com
 Signature Type: %%800
 Update Type: %%803
 User: NT AUTHORITY\SYSTEM
 Current Engine Version:
 Previous Engine Version: 1.1.5802.0
 Error code: 0x8024402c
 Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

Error - 2/26/2012 4:29:29 PM | Computer Name = MIGET | Source = Microsoft Antimalware | ID = 2001
Description = %%861 has encountered an error trying to update signatures.
 New Signature Version:
 Previous Signature Version: 1.83.1845.0
 Update Source: %%851
 Update Stage: %%852
 Source Path: http://go.microsoft....DE-D861FCBCFCDE
 Signature Type: %%800
 Update Type: %%803
 User: NT AUTHORITY\NETWORK SERVICE
 Current Engine Version:
 Previous Engine Version: 1.1.5802.0
 Error code: 0x80072ee7
 Error description: The server name or address could not be resolved

Error - 2/26/2012 4:29:29 PM | Computer Name = MIGET | Source = Microsoft Antimalware | ID = 2001
Description = %%861 has encountered an error trying to update signatures.
 New Signature Version:
 Previous Signature Version: 1.83.1845.0
 Update Source: %%851
 Update Stage: %%852
 Source Path: http://go.microsoft....DE-D861FCBCFCDE
 Signature Type: %%801
 Update Type: %%803
 User: NT AUTHORITY\NETWORK SERVICE
 Current Engine Version:
 Previous Engine Version: 1.1.5802.0
 Error code: 0x80072ee7
 Error description: The server name or address could not be resolved

Error - 2/26/2012 4:29:29 PM | Computer Name = MIGET | Source = Microsoft Antimalware | ID = 2001
Description = %%861 has encountered an error trying to update signatures.
 New Signature Version:
 Previous Signature Version: 1.83.1845.0
 Update Source: %%851
 Update Stage: %%852
 Source Path: http://go.microsoft....DE-D861FCBCFCDE
 Signature Type: %%800
 Update Type: %%803
 User: NT AUTHORITY\NETWORK SERVICE
 Current Engine Version:
 Previous Engine Version: 1.1.5802.0
 Error code: 0x80072ee7
 Error description: The server name or address could not be resolved

Error - 2/26/2012 4:29:29 PM | Computer Name = MIGET | Source = Microsoft Antimalware | ID = 2001
Description = %%861 has encountered an error trying to update signatures.
 New Signature Version:
 Previous Signature Version: 1.83.1845.0
 Update Source: %%851
 Update Stage: %%852
 Source Path: http://go.microsoft....DE-D861FCBCFCDE
 Signature Type: %%801
 Update Type: %%803
 User: NT AUTHORITY\NETWORK SERVICE
 Current Engine Version:
 Previous Engine Version: 1.1.5802.0
 Error code: 0x80072ee7
 Error description: The server name or address could not be resolved

Error - 3/6/2012 5:39:39 PM | Computer Name = MIGET | Source = Microsoft Antimalware | ID = 2001
Description = %%861 has encountered an error trying to update signatures.
 New Signature Version:
 Previous Signature Version: 1.83.1845.0
 Update Source: %%859
 Update Stage: %%852
 Source Path: http://www.microsoft.com
 Signature Type: %%800
 Update Type: %%803
 User: NT AUTHORITY\SYSTEM
 Current Engine Version:
 Previous Engine Version: 1.1.5802.0
 Error code: 0x8024402c
 Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

Error - 3/6/2012 5:39:40 PM | Computer Name = MIGET | Source = Microsoft Antimalware | ID = 2001
Description = %%861 has encountered an error trying to update signatures.
 New Signature Version:
 Previous Signature Version: 1.83.1845.0
 Update Source: %%851
 Update Stage: %%852
 Source Path: http://go.microsoft....DE-D861FCBCFCDE
 Signature Type: %%800
 Update Type: %%803
 User: NT AUTHORITY\NETWORK SERVICE
 Current Engine Version:
 Previous Engine Version: 1.1.5802.0
 Error code: 0x80072ee7
 Error description: The server name or address could not be resolved

Error - 3/6/2012 5:39:40 PM | Computer Name = MIGET | Source = Microsoft Antimalware | ID = 2001
Description = %%861 has encountered an error trying to update signatures.
 New Signature Version:
 Previous Signature Version: 1.83.1845.0
 Update Source: %%851
 Update Stage: %%852
 Source Path: http://go.microsoft....DE-D861FCBCFCDE
 Signature Type: %%801
 Update Type: %%803
 User: NT AUTHORITY\NETWORK SERVICE
 Current Engine Version:
 Previous Engine Version: 1.1.5802.0
 Error code: 0x80072ee7
 Error description: The server name or address could not be resolved

Error - 3/6/2012 5:39:40 PM | Computer Name = MIGET | Source = Microsoft Antimalware | ID = 2001
Description = %%861 has encountered an error trying to update signatures.
 New Signature Version:
 Previous Signature Version: 1.83.1845.0
 Update Source: %%851
 Update Stage: %%852
 Source Path: http://go.microsoft....DE-D861FCBCFCDE
 Signature Type: %%800
 Update Type: %%803
 User: NT AUTHORITY\NETWORK SERVICE
 Current Engine Version:
 Previous Engine Version: 1.1.5802.0
 Error code: 0x80072ee7
 Error description: The server name or address could not be resolved

Error - 3/6/2012 5:39:40 PM | Computer Name = MIGET | Source = Microsoft Antimalware | ID = 2001
Description = %%861 has encountered an error trying to update signatures.
 New Signature Version:
 Previous Signature Version: 1.83.1845.0
 Update Source: %%851
 Update Stage: %%852
 Source Path: http://go.microsoft....DE-D861FCBCFCDE
 Signature Type: %%801
 Update Type: %%803
 User: NT AUTHORITY\NETWORK SERVICE
 Current Engine Version:
 Previous Engine Version: 1.1.5802.0
 Error code: 0x80072ee7
 Error description: The server name or address could not be resolved

< End of report >
  • 0

#22
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
The OTL logs that you posted are very hard to read. Please can you try to post them again so they keep the OTL format. Additionally, you can attach them to your next reply so I can read them formatted.
  • 0

#23
blueblue

blueblue

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 270 posts
OK I'll attach them as you requested. Thank you for all your help. By the way, I ran the Panda program on the xp machine and it worked great, now my external drive is protected.  Here's the OTL log.
  • 0

#24
blueblue

blueblue

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 270 posts
Here's the Extras log. I don't see that they attached. Darn. :(

Edited by blueblue, 07 March 2012 - 09:32 AM.

  • 0

#25
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi blueblue,

Can you try to ZIP them then try to attach in your reply.
  • 0



#26
blueblue

blueblue

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 270 posts
OK I'll try it again. I thought I tried that once already but I'll do as you ask. here's the OTL log. It doesn't look like it went through again. I give up on trying this.

Edited by blueblue, 08 March 2012 - 08:32 PM.

  • 0

#27
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Is it possible to use a USB drive and transfer the logs to the clean PC, then upload them to me here?
  • 0

#28
blueblue

blueblue

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 270 posts
That is what I did. The logs came from the other machine, from a USB drive. I don't know what to do, this is frustrating, I know it's frustrating for you also. You've been very patient with me, it means a lot. By the way I still have things in quarantine, and I caught another thing yesterday, I think it's a false positive from TDSSKiller that was seen by another AV, one of the ones you had me use. So now I have 3 separate programs with something in their quarantine. I wish I knew why I can't attach things here, I unblocked everything, too. I have NoScript. I also can't get the editor to let me write in color, but that's no big deal. Being unable to attach files IS a concern. I allowed all on the page, got the full editor, found where to attach files, clicked "Browse", found the files, and clicked to send the message, didn't see any "OK" button by the place to attach files, so I just hit the "Post" button. Sincerely, bb
  • 0

#29
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Try to use another browser (Internet Explorer) and try to post or attach logs.
Disable NoScript for now. It can block some of our features here.

Just to be clear... you are posting logs from the clean PC, the one we cleaned before?
  • 0

#30
blueblue

blueblue

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 270 posts
Hi. I'm using the clean computer, I copied the AV programs to the external drive and put them on the other machine. While there, I put the Panda program on and got my external drive protected. I ran the scans on that machine, copied the logs to the external drive and put them on the clean machine. I hate Internet Explorer, but if I can't attach the files I'll have to use it just for that, but first I have to set up some security. Before doing that I wanna try something, disable NoScript completely just for this one time. I'll do it in awhile, it's late here and I am very tired. Thanks for your patience. Sincerely, bb
  • 0