
HELP: Infected with Smart Fortress Malware



#1
beabruin
Member, 73 posts
I just updated my iTunes a couple of days ago and now I'm infected with Smart Fortress 2012. How can I uninstall this? I tried a quick Google search and installed RegClean Pro which only finds things and won't uninstall them until I pay a fee.
P.S. I forgot to mention I can only run in Safe Mode right now.

Edited by beabruin, 10 May 2012 - 06:00 AM.



#2
WhiteHat
Trusted Helper, Retired Staff, 1,925 posts
Hello beabruin and welcome to GeeksToGo :)

My nickname is WhiteHat and I'm going to help you fix your problem.

Please note that I'm currently in training and my posts have to be approved by an expert before I reply.
  • Please do not attach any log files to your replies unless I specifically ask you to. Instead, please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.
  • Please do not try to fix anything without being asked.
  • I suggest you print or save any instructions I give you for easy reference. We may be using Safe mode and you will not always be able to access this thread.
  • I am currently reviewing your logs.



#3
WhiteHat
Trusted Helper, Retired Staff, 1,925 posts
Hi,

To download these files, use the option Safe Mode with Networking instead of Safe Mode.

# Step 1 #

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • In Extra Registry, select Use SafeList
  • Under the Custom Scan box paste this in
    netsvcs
    msconfig
    drives
    %SYSTEMDRIVE%\*.*
    %systemdrive%\drivers\*.exe
    %systemroot%\system32\drivers\*.* /90
    %PROGRAMFILES%\*.*
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    C:\Windows\assembly\tmp\U /s
    HKLM\SOFTWARE\CLIENTS\Startmenuinternet|command /rs
    HKLM\SOFTWARE\CLIENTS\Startmenuinternet|command /64 /rs
    CREATERESTOREPOINT
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your topic.
# Step 2 #

  • Download RogueKiller and save it on your desktop.
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan
  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
  • The report has been created on the desktop.

  • Next click on the ShortcutsFix
  • The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

Edited by WhiteHat, 10 May 2012 - 06:56 PM.


#4
beabruin
Topic Starter, Member, 73 posts
Here is the OTL log:
***
OTL logfile created on: 5/11/2012 7:17:22 AM - Run 2
OTL by OldTimer - Version 3.2.42.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.49 Gb Total Physical Memory | 3.19 Gb Available Physical Memory | 91.38% Memory free
4.09 Gb Paging File | 3.91 Gb Available in Paging File | 95.59% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.76 Gb Total Space | 451.71 Gb Free Space | 96.98% Space Free | Partition Type: NTFS

Computer Name: 2UA148097C22911 | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/05/10 08:53:48 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2011/07/20 09:32:00 | 000,193,704 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1c5132.sys -- (e1cexpress) Intel®
DRV - [2011/01/14 10:29:00 | 006,312,040 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/07/23 11:31:00 | 000,044,800 | ---- | M] (Infineon Technologies AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ifxtpm.sys -- (IFXTPM)
DRV - [2008/02/22 13:22:54 | 000,009,136 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2008/02/22 13:22:38 | 000,094,384 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2008/02/22 13:22:38 | 000,034,832 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2008/02/22 13:22:36 | 000,097,584 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2008/02/22 13:22:36 | 000,026,032 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2008/02/22 13:22:34 | 000,032,208 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2008/02/22 13:22:34 | 000,014,256 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2008/02/22 13:22:32 | 000,104,240 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2007/05/11 15:00:14 | 000,045,056 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2007/02/08 23:05:30 | 000,028,120 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2007/02/08 23:05:30 | 000,012,856 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/07/14 13:45:20 | 000,156,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/09/17 12:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/08/04 01:29:28 | 000,701,440 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.mirarsear...om/?useie5=1&q=
IE - HKLM\..\SearchScopes,DefaultScope = {2D49ADE0-39F0-45CF-9231-A78D0729DB9C}
IE - HKLM\..\SearchScopes\{2D49ADE0-39F0-45CF-9231-A78D0729DB9C}: "URL" = http://www.mirarsear...Terms}&a=SEARCH


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2557125706-1604667511-1493721487-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.mirarsear...om/?useie5=1&q=
IE - HKU\S-1-5-21-2557125706-1604667511-1493721487-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-2557125706-1604667511-1493721487-500\..\SearchScopes,DefaultScope = {2D49ADE0-39F0-45CF-9231-A78D0729DB9C}
IE - HKU\S-1-5-21-2557125706-1604667511-1493721487-500\..\SearchScopes\{2D49ADE0-39F0-45CF-9231-A78D0729DB9C}: "URL" = http://www.mirarsear...Terms}&a=SEARCH
IE - HKU\S-1-5-21-2557125706-1604667511-1493721487-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2557125706-1604667511-1493721487-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()


[2009/07/21 08:19:02 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2009/07/21 08:19:02 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\[email protected]

O1 HOSTS File: ([2001/08/23 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Mirar) - {67320C37-8521-435E-B146-999EBB63682D} - C:\WINDOWS\system32\win2d78.dll ()
O3 - HKLM\..\Toolbar: (Mirar) - {67320C36-8521-435E-B146-999EBB63682D} - C:\WINDOWS\system32\win2d78.dll ()
O3 - HKU\S-1-5-21-2557125706-1604667511-1493721487-500\..\Toolbar\WebBrowser: (Mirar) - {67320C36-8521-435E-B146-999EBB63682D} - C:\WINDOWS\system32\win2d78.dll ()
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [psintf] C:\Documents and Settings\Administrator\Local Settings\Temp\psintf.dll (Midiman/M-Audio)
O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe (Roxio)
O4 - HKLM..\Run: [rpietq] C:\Documents and Settings\Administrator\Local Settings\Temp\rpietq.dll (DT Soft Ltd)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKU\S-1-5-21-2557125706-1604667511-1493721487-500..\Run: [DealAssistant] C:\Documents and Settings\Administrator\Application Data\DealAssistant\dealassistant.exe ()
O4 - HKU\S-1-5-21-2557125706-1604667511-1493721487-500..\Run: [RDReminder] C:\Program Files\RegClean Pro\RegCleanPro.exe (Systweak Inc)
O4 - HKU\S-1-5-21-2557125706-1604667511-1493721487-500..\Run: [SfKg6wIPuSpdcduD7] C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\rclbs.exe ()
O4 - HKU\S-1-5-21-2557125706-1604667511-1493721487-500..\Run: [SystweakASP] C:\Program Files\RegClean Pro\SystweakASP.exe (Systweak Inc )
O4 - HKU\S-1-5-21-2557125706-1604667511-1493721487-500..\RunOnce: [B7E858A7212C2CDD4B8F79632830AC72] C:\Documents and Settings\All Users.WINDOWS\Application Data\B7E858A7212C2CDD4B8F79632830AC72\B7E858A7212C2CDD4B8F79632830AC72.exe ()
O4 - HKU\S-1-5-21-2557125706-1604667511-1493721487-500..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe (Adobe Systems, Inc.)
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2557125706-1604667511-1493721487-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1269283802421 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 216.183.102.115 66.179.168.118
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3E5C7FE4-3447-490A-A127-142327B6C2E2}: DhcpNameServer = 216.183.102.115 66.179.168.118
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9BBF7F24-4CEA-4E8C-ABB9-78F02348E22A}: DhcpNameServer = 216.183.102.115 66.179.168.118
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{ED3F804D-F551-4B66-91B8-852051C57F91}: DhcpNameServer = 216.183.102.115 66.179.168.118
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Soap Bubbles.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Soap Bubbles.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/08/10 17:19:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{c12eb8b3-9a9a-11e1-8a72-f5b409d9bb9d}\Shell - "" = AutoRun
O33 - MountPoints2\{c12eb8b3-9a9a-11e1-8a72-f5b409d9bb9d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c12eb8b3-9a9a-11e1-8a72-f5b409d9bb9d}\Shell\AutoRun\command - "" = E:\DTLplus_Launcher.exe
O33 - MountPoints2\{e9912fc7-4790-11dc-a599-c658ed5773e7}\Shell - "" = AutoRun
O33 - MountPoints2\{e9912fc7-4790-11dc-a599-c658ed5773e7}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{e9912fc7-4790-11dc-a599-c658ed5773e7}\Shell\AutoRun\command - "" = E:\LaunchU3.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


CREATERESTOREPOINT
Unable to start System Restore Service. Error code 10

========== Files/Folders - Created Within 30 Days ==========

[2012/05/10 08:53:48 | 000,595,456 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2012/05/10 08:48:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Systweak
[2012/05/10 08:48:32 | 000,017,280 | ---- | C] (Systweak Inc., (www.systweak.com)) -- C:\WINDOWS\System32\roboot.exe
[2012/05/10 08:48:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\RegClean Pro
[2012/05/10 08:48:31 | 000,000,000 | ---D | C] -- C:\Program Files\RegClean Pro
[2012/05/10 08:35:45 | 000,604,776 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvuninst.exe
[2012/05/10 08:34:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\RTCOM
[2012/05/10 08:33:26 | 002,180,712 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\MicCal.exe
[2012/05/10 08:33:26 | 001,489,512 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RtlUpd.exe
[2012/05/10 08:33:26 | 000,891,496 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\RTSndMgr.CPL
[2012/05/10 08:33:25 | 006,312,040 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\drivers\RtkHDAud.sys
[2012/05/10 08:33:14 | 000,193,704 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\drivers\e1c5132.sys
[2012/05/10 08:33:14 | 000,081,600 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\NicInstC.dll
[2012/05/10 08:33:14 | 000,068,264 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\e1cmsg.dll
[2012/05/10 08:33:14 | 000,028,272 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\NicCo2.dll
[2012/05/10 08:33:02 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\devcon.exe
[2012/05/10 08:31:50 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2012/05/10 08:26:14 | 000,000,000 | ---D | C] -- C:\SG
[2012/05/10 08:22:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Smart Fortress 2012
[2012/05/10 08:19:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\B7E858A7212C2CDD4B8F79632830AC72
[2012/05/03 14:39:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\F4D55F17212C2CDD4BC5A3242830AC72
[2012/05/03 11:41:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\iTunes
[2012/05/03 11:40:52 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/05/03 11:08:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\QuickTime
[2012/05/03 11:08:15 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2012/05/03 10:53:55 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2012/05/03 10:41:15 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/05/10 08:53:48 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2012/05/10 08:48:32 | 000,000,725 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\RegClean Pro.lnk
[2012/05/10 08:43:42 | 000,311,604 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/05/10 08:43:42 | 000,039,992 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/05/10 08:39:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/05/10 08:22:06 | 000,001,384 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Smart Fortress 2012.lnk
[2012/05/10 08:19:01 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/05/03 11:51:50 | 000,001,854 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Safari.lnk
[2012/05/03 11:51:50 | 000,001,854 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk
[2012/05/03 11:41:13 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\iTunes.lnk
[2012/05/03 10:41:19 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/05/02 14:35:37 | 000,000,178 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\PD+Rescue v1 Prefs
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/05/10 08:48:32 | 000,000,725 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\RegClean Pro.lnk
[2012/05/10 08:33:30 | 000,007,191 | ---- | C] () -- C:\WINDOWS\System32\nvinfo.pb
[2012/05/10 08:33:14 | 000,003,108 | ---- | C] () -- C:\WINDOWS\System32\e1c5132.din
[2012/05/10 08:22:06 | 000,001,384 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Smart Fortress 2012.lnk
[2012/05/03 11:41:13 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\iTunes.lnk
[2012/05/03 10:00:06 | 000,000,284 | ---- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

========== Custom Scans ==========

========== Drive Information ==========

Physical Drives
---------------

Drive: \\\\.\\PHYSICALDRIVE0 - Fixed\thard disk media
Interface type: IDE
Media Type: Fixed\thard disk media
Model: ST3500413AS
Partitions: 1
Status: OK
Status Info: 0

Partitions
---------------

DeviceID: Disk #0, Partition #0
PartitionType: Installable File System
Bootable: True
BootPartition: True
PrimaryPartition: True
Size: 466.00GB
Starting Offset: 32256
Hidden sectors: 0


< %SYSTEMDRIVE%\*.* >
[2007/08/10 17:19:58 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2008/07/08 13:08:43 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2007/08/10 17:19:58 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2007/08/10 18:28:52 | 000,001,344 | ---- | M] () -- C:\i386.lnk
[2007/08/10 17:19:58 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2007/08/10 17:19:58 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2007/08/10 18:52:59 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2007/08/10 18:52:58 | 000,250,032 | RHS- | M] () -- C:\ntldr
[2012/05/10 08:39:26 | 805,306,368 | -HS- | M] () -- C:\pagefile.sys
[2008/07/01 12:18:25 | 000,000,791 | ---- | M] () -- C:\Version Control.txt

< %systemdrive%\drivers\*.exe >

< %systemroot%\system32\drivers\*.* /90 >

< %PROGRAMFILES%\*.* >

< MD5 for: EXPLORER.EXE >
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
[2001/08/23 07:00:00 | 001,000,960 | ---- | M] (Microsoft Corporation) MD5=5A26FC6010886D25B3E412493DD95ED8 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2007/06/13 07:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\explorer.exe
[2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\system32\dllcache\explorer.exe
[2004/08/04 03:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
[2004/08/04 03:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe

< MD5 for: SVCHOST.EXE >
[2001/08/23 07:00:00 | 000,012,800 | ---- | M] (Microsoft Corporation) MD5=0F7D9C87B0CE1FA520473119752C6F79 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
[2008/04/13 20:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\svchost.exe
[2004/08/04 03:56:58 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2004/08/04 03:56:58 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\system32\svchost.exe

< MD5 for: USERINIT.EXE >
[2004/08/04 03:56:58 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2004/08/04 03:56:58 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\system32\userinit.exe
[2001/08/23 07:00:00 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=585398603F570F9705774D65D292E5D1 -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/13 20:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\userinit.exe

< MD5 for: WINLOGON.EXE >
[2004/08/04 03:56:58 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2004/08/04 03:56:58 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\system32\winlogon.exe
[2001/08/23 07:00:00 | 000,430,080 | ---- | M] (Microsoft Corporation) MD5=2B0E480E975EE51F2D5CE5F068FED6E2 -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe

< C:\Windows\assembly\tmp\U /s >

< HKLM\SOFTWARE\CLIENTS\Startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: %systemroot%\system32\shmgrate.exe OCInstallReinstallIE [2004/08/04 03:56:58 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallHideIE [2004/08/04 03:56:58 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallShowIE [2004/08/04 03:56:58 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "%programfiles%\Internet Explorer\iexplore.exe" [2004/08/04 03:56:52 | 000,093,184 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\Safari.exe\InstallInfo\\ReinstallCommand: "C:\Program Files\Safari\Safari.exe" /reinstall [2012/03/22 15:21:58 | 002,388,336 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\Safari.exe\InstallInfo\\HideIconsCommand: "C:\Program Files\Safari\Safari.exe" /hideicons [2012/03/22 15:21:58 | 002,388,336 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\Safari.exe\InstallInfo\\ShowIconsCommand: "C:\Program Files\Safari\Safari.exe" /showicons [2012/03/22 15:21:58 | 002,388,336 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\Safari.exe\shell\open\command\\: "C:\Program Files\Safari\Safari.exe" [2012/03/22 15:21:58 | 002,388,336 | ---- | M] (Apple Inc.)

< HKLM\SOFTWARE\CLIENTS\Startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: %systemroot%\system32\shmgrate.exe OCInstallReinstallIE [2004/08/04 03:56:58 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallHideIE [2004/08/04 03:56:58 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallShowIE [2004/08/04 03:56:58 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "%programfiles%\Internet Explorer\iexplore.exe" [2004/08/04 03:56:52 | 000,093,184 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\Safari.exe\InstallInfo\\ReinstallCommand: "C:\Program Files\Safari\Safari.exe" /reinstall [2012/03/22 15:21:58 | 002,388,336 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\Safari.exe\InstallInfo\\HideIconsCommand: "C:\Program Files\Safari\Safari.exe" /hideicons [2012/03/22 15:21:58 | 002,388,336 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\Safari.exe\InstallInfo\\ShowIconsCommand: "C:\Program Files\Safari\Safari.exe" /showicons [2012/03/22 15:21:58 | 002,388,336 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\Safari.exe\shell\open\command\\: "C:\Program Files\Safari\Safari.exe" [2012/03/22 15:21:58 | 002,388,336 | ---- | M] (Apple Inc.)

< End of report >
***
Here is the OTL Extras Log:
***
OTL Extras logfile created on: 5/11/2012 7:17:22 AM - Run 2
OTL by OldTimer - Version 3.2.42.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.49 Gb Total Physical Memory | 3.19 Gb Available Physical Memory | 91.38% Memory free
4.09 Gb Paging File | 3.91 Gb Available in Paging File | 95.59% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.76 Gb Total Space | 451.71 Gb Free Space | 96.98% Space Free | Partition Type: NTFS

Computer Name: 2UA148097C22911 | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{1E5E2F9A-17D3-45CA-8FF0-B0C2927D4B03}" = MobileMe Control Panel
"{23B8A91D-680B-462B-87AD-3D70F7341731}" = iTunes
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 17
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{67320C36-8521-435E-B146-999EBB63682D}" = Mirar
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.5
"{6D172D0A-B9F1-4046-AFAB-8599288545BF}" = Safari
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator Basic v9
"{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}" = Apple Application Support
"{EFC04D3F-A152-47E7-8517-EE0F6201AFEF}" = Apple Mobile Device Support
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"NVIDIA Drivers" = NVIDIA Drivers
"PD+Rescue for iPod_is1" = PD+Rescue for iPod v1.5.2
"PROSet" = Intel® PRO Network Connections Drivers
"RegClean Pro_is1" = RegClean Pro
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 2

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2557125706-1604667511-1493721487-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"DealAssistant" = DealAssistant
"Smart Fortress 2012" = Smart Fortress 2012

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/3/2012 10:38:30 AM | Computer Name = 2UA8280MHY10049 | Source = MsiInstaller | ID = 11722
Description = Product: Apple Software Update -- Error 1722. There is a problem with
this Windows Installer package. A program run as part of the setup did not finish
as expected. Contact your support personnel or package vendor. Action SoftwareUpdate_RegServer,
location: C:\Program Files\Apple Software Update\SoftwareUpdate.exe, command: /RegServer


Error - 5/3/2012 10:53:27 AM | Computer Name = 2UA8280MHY10049 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 5/3/2012 10:53:27 AM | Computer Name = 2UA8280MHY10049 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 5/3/2012 10:53:33 AM | Computer Name = 2UA8280MHY10049 | Source = Bonjour Service | ID = 100
Description = 460: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 5/3/2012 10:53:33 AM | Computer Name = 2UA8280MHY10049 | Source = Bonjour Service | ID = 100
Description = 472: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 5/3/2012 10:53:33 AM | Computer Name = 2UA8280MHY10049 | Source = Bonjour Service | ID = 100
Description = 484: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 5/3/2012 10:53:33 AM | Computer Name = 2UA8280MHY10049 | Source = Bonjour Service | ID = 100
Description = 496: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 5/3/2012 10:53:33 AM | Computer Name = 2UA8280MHY10049 | Source = Bonjour Service | ID = 100
Description = 508: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 5/3/2012 10:53:33 AM | Computer Name = 2UA8280MHY10049 | Source = Bonjour Service | ID = 100
Description = 228: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 5/10/2012 8:49:06 AM | Computer Name = 2UA148097C22911 | Source = MsiInstaller | ID = 1008
Description = The installation of C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-QEMRS.tmp\dotnetfx20\netfx.msi
is not permitted due to an error in software restriction policy processing. The
object cannot be trusted.

[ System Events ]
Error - 5/10/2012 8:44:09 AM | Computer Name = 2UA148097C22911 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 5/10/2012 8:45:43 AM | Computer Name = 2UA148097C22911 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 5/10/2012 8:45:44 AM | Computer Name = 2UA148097C22911 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 5/10/2012 8:45:47 AM | Computer Name = 2UA148097C22911 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 5/10/2012 8:48:32 AM | Computer Name = 2UA148097C22911 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 5/10/2012 8:50:35 AM | Computer Name = 2UA148097C22911 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 5/10/2012 8:50:36 AM | Computer Name = 2UA148097C22911 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 5/10/2012 8:50:36 AM | Computer Name = 2UA148097C22911 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 5/10/2012 8:50:36 AM | Computer Name = 2UA148097C22911 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 5/10/2012 8:50:39 AM | Computer Name = 2UA148097C22911 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}


< End of report >
***
Here is the RogueKiller Log #1
***
RogueKiller V7.4.4 [05/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Safe mode with network support
User: Administrator [Admin rights]
Mode: Scan -- Date: 05/11/2012 07:29:25

¤¤¤ Bad processes: 1 ¤¤¤
[SUSP PATH] DTLplus_Launcher.exe -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DTLocker+-E\DTLplus_Launcher.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 9 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : DealAssistant (C:\Documents and Settings\Administrator\Application Data\DealAssistant\dealassistant.exe) -> FOUND
[SUSP PATH] HKCU\[...]\Run : SfKg6wIPuSpdcduD7 (C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\rclbs.exe) -> FOUND
[BLACKLIST DLL] HKLM\[...]\Run : rpietq (rundll32.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rpietq.dll",MatrixDecompose) -> FOUND
[BLACKLIST DLL] HKLM\[...]\Run : psintf (rundll32.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\psintf.dll",GetImageFormatAttribute) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-2557125706-1604667511-1493721487-500[...]\Run : DealAssistant (C:\Documents and Settings\Administrator\Application Data\DealAssistant\dealassistant.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-2557125706-1604667511-1493721487-500[...]\Run : SfKg6wIPuSpdcduD7 (C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\rclbs.exe) -> FOUND
[SUSP PATH] HKCU\[...]\RunOnce : B7E858A7212C2CDD4B8F79632830AC72 (C:\Documents and Settings\All Users.WINDOWS\Application Data\B7E858A7212C2CDD4B8F79632830AC72\B7E858A7212C2CDD4B8F79632830AC72.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-2557125706-1604667511-1493721487-500[...]\RunOnce : B7E858A7212C2CDD4B8F79632830AC72 (C:\Documents and Settings\All Users.WINDOWS\Application Data\B7E858A7212C2CDD4B8F79632830AC72\B7E858A7212C2CDD4B8F79632830AC72.exe) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3500413AS +++++
--- User ---
[MBR] 16ea7c4041a437d59d137c35dcb1eb82
[BSP] b7cb42b22dc882131a6a6f85b63be1e5 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: Kingston DTLocker+ USB Device +++++
--- User ---
[MBR] 638676ea4aeb1442a3de366143f8fbf9
[BSP] ef3177ea6997481f5647d45aa222b26f : MBR Code unknown
Partition table:
0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 8064 | Size: 3832 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt



***
Here is the RogueKiller Log #2
***
RogueKiller V7.4.4 [05/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Safe mode with network support
User: Administrator [Admin rights]
Mode: Remove -- Date: 05/11/2012 07:30:29

¤¤¤ Bad processes: 1 ¤¤¤
[SUSP PATH] DTLplus_Launcher.exe -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DTLocker+-E\DTLplus_Launcher.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 6 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : DealAssistant (C:\Documents and Settings\Administrator\Application Data\DealAssistant\dealassistant.exe) -> DELETED
[SUSP PATH] HKCU\[...]\Run : SfKg6wIPuSpdcduD7 (C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\rclbs.exe) -> DELETED
[BLACKLIST DLL] HKLM\[...]\Run : rpietq (rundll32.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rpietq.dll",MatrixDecompose) -> DELETED
[BLACKLIST DLL] HKLM\[...]\Run : psintf (rundll32.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\psintf.dll",GetImageFormatAttribute) -> DELETED
[SUSP PATH] HKCU\[...]\RunOnce : B7E858A7212C2CDD4B8F79632830AC72 (C:\Documents and Settings\All Users.WINDOWS\Application Data\B7E858A7212C2CDD4B8F79632830AC72\B7E858A7212C2CDD4B8F79632830AC72.exe) -> DELETED
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3500413AS +++++
--- User ---
[MBR] 16ea7c4041a437d59d137c35dcb1eb82
[BSP] b7cb42b22dc882131a6a6f85b63be1e5 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: Kingston DTLocker+ USB Device +++++
--- User ---
[MBR] 638676ea4aeb1442a3de366143f8fbf9
[BSP] ef3177ea6997481f5647d45aa222b26f : MBR Code unknown
Partition table:
0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 8064 | Size: 3832 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt



***
Here is the RogueKiller Log #3
***
RogueKiller V7.4.4 [05/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Safe mode with network support
User: Administrator [Admin rights]
Mode: Shortcuts HJfix -- Date: 05/11/2012 07:30:55

¤¤¤ Bad processes: 1 ¤¤¤
[SUSP PATH] DTLplus_Launcher.exe -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DTLocker+-E\DTLplus_Launcher.exe -> KILLED [TermProc]

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 6 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 24 / Fail 0
My documents: Success 18 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 528 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped
[E:] \Device\CdRom1 -- 0x5 --> Skipped
[F:] \Device\Harddisk1\DP(1)0-0+3 -- 0x2 --> Restored

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt



***

#5
beabruin
    Member
  • Topic Starter
  • 73 posts
FYI - I rebooted the PC after running the OTL & RogueKiller apps. I am now able to browse the web in normal mode (not Safe Boot with Networking). I did notice Smart Fortress is still installed but not taking over my PC. I also noticed RegClean Pro scans automatically when Windows starts but is not as detrimental as Smart Fortress was. I'm sure there is still work to do.

#6
WhiteHat
    Trusted Helper
  • Retired Staff
  • 1,925 posts
Hi,

# Step 1 #

Please go to Start > Control Panel and click Add or Remove Programs. Then remove the software listed below:
  • Smart Fortress 2012


# Step 2 #

Please reopen OTL on your desktop.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [CREATERESTOREPOINT]
    
    :OTL
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.mirarsear...om/?useie5=1&q=
    IE - HKLM\..\SearchScopes,DefaultScope = {2D49ADE0-39F0-45CF-9231-A78D0729DB9C}
    IE - HKLM\..\SearchScopes\{2D49ADE0-39F0-45CF-9231-A78D0729DB9C}: "URL" = http://www.mirarsear...Terms}&a=SEARCH
    IE - HKU\S-1-5-21-2557125706-1604667511-1493721487-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.mirarsear...om/?useie5=1&q=
    IE - HKU\S-1-5-21-2557125706-1604667511-1493721487-500\..\SearchScopes\{2D49ADE0-39F0-45CF-9231-A78D0729DB9C}: "URL" = http://www.mirarsear...Terms}&a=SEARCH
    O2 - BHO: (Mirar) - {67320C37-8521-435E-B146-999EBB63682D} - C:\WINDOWS\system32\win2d78.dll ()
    O3 - HKLM\..\Toolbar: (Mirar) - {67320C36-8521-435E-B146-999EBB63682D} - C:\WINDOWS\system32\win2d78.dll ()
    O3 - HKU\S-1-5-21-2557125706-1604667511-1493721487-500\..\Toolbar\WebBrowser: (Mirar) - {67320C36-8521-435E-B146-999EBB63682D} - C:\WINDOWS\system32\win2d78.dll ()
    O4 - HKLM..\Run: [psintf] C:\Documents and Settings\Administrator\Local Settings\Temp\psintf.dll (Midiman/M-Audio)
    O4 - HKLM..\Run: [rpietq] C:\Documents and Settings\Administrator\Local Settings\Temp\rpietq.dll (DT Soft Ltd)
    O4 - HKU\S-1-5-21-2557125706-1604667511-1493721487-500..\Run: [DealAssistant] C:\Documents and Settings\Administrator\Application Data\DealAssistant\dealassistant.exe ()
    O4 - HKU\S-1-5-21-2557125706-1604667511-1493721487-500..\Run: [SfKg6wIPuSpdcduD7] C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\rclbs.exe ()
    O4 - HKU\S-1-5-21-2557125706-1604667511-1493721487-500..\RunOnce: [B7E858A7212C2CDD4B8F79632830AC72] C:\Documents and Settings\All Users.WINDOWS\Application Data\B7E858A7212C2CDD4B8F79632830AC72\B7E858A7212C2CDD4B8F79632830AC72.exe ()
    [2012/05/10 08:48:32 | 000,017,280 | ---- | C] (Systweak Inc., (www.systweak.com)) -- C:\WINDOWS\System32\roboot.exe
    [2012/05/10 08:26:14 | 000,000,000 | ---D | C] -- C:\SG
    [2012/05/10 08:22:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Smart Fortress 2012
    [2012/05/10 08:19:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\B7E858A7212C2CDD4B8F79632830AC72
    [2012/05/03 14:39:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\F4D55F17212C2CDD4BC5A3242830AC72
    [2012/05/10 08:22:06 | 000,001,384 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Smart Fortress 2012.lnk
    
    :Reg
    HKU\S-1-5-21-2557125706-1604667511-1493721487-500\Software\Microsoft\Windows\CurrentVersion\Run
    "RDReminder"=-
    "SystweakASP"=-
    
    :Commands
    [EMPTYTEMP]
    [EMPTYFLASH]
    
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

# Step 3 #

Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.


Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

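The O4 lines in the fix above are the autorun entries that bring Smart Fortress, DealAssistant and the two rundll32-loaded DLLs back after every reboot, and RogueKiller flagged the same entries as [SUSP PATH] or [BLACKLIST DLL]. What makes them stand out is visible in the log text itself: they run from Temp or Application Data, two of them are DLLs registered as autoruns, and the value names are a 32-character hex blob or a random mixed-case string. The Python script below is an added example (not part of OTL, RogueKiller or the fix in this thread) that applies exactly those checks to O4 lines in the format OTL prints. The sample lines are the O4 entries from the fix above plus one constructed benign Adobe Reader entry as a control; the randomness thresholds are my own choice.

```python
"""Triage OTL-style O4 (Run/RunOnce) lines by path and name heuristics.

Added example for this thread; it is not part of OTL or RogueKiller.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# O4 line format as OTL prints it, e.g.
#   O4 - HKLM..\Run: [name] C:\path\file.exe (Company)
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]+)\] (?P<path>.+?) \((?P<company>[^)]*)\)\s*$"
)

# Locations a standard user can write to; installers rarely register
# autoruns here, droppers and rogue AV almost always do.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\application data\\")

# 32 hex characters: the MD5-looking names rogue AV families use for
# their dropped folder and executable.
HEX32_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


@dataclass
class Autorun:
    hive: str
    key: str
    name: str
    path: str
    company: str


@dataclass
class Finding:
    entry: Autorun
    reasons: List[str] = field(default_factory=list)


def parse_o4(line: str) -> Optional[Autorun]:
    """Return the parsed autorun for an O4 line, or None for any other line."""
    m = O4_RE.match(line.strip())
    return Autorun(**m.groupdict()) if m else None


def looks_random(name: str) -> bool:
    """Heuristic for machine-generated value names (thresholds are my own)."""
    if HEX32_RE.match(name):
        return True
    if " " in name or len(name) < 12 or not any(c.isdigit() for c in name):
        return False
    letters = [c for c in name if c.isalpha()]
    # Count upper/lower case flips between consecutive letters; real product
    # names flip a few times, junk like SfKg6wIPuSpdcduD7 flips constantly.
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips >= 4


def triage(entry: Autorun) -> List[str]:
    """Return the reasons an entry deserves a second look (empty if none)."""
    reasons = []
    lowered = entry.path.lower()
    if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
        reasons.append("runs from a user-writable location")
    if lowered.endswith(".dll"):
        reasons.append("DLL registered as an autorun (loaded via rundll32)")
    if looks_random(entry.name):
        reasons.append("value name looks machine-generated")
    # Missing version info on its own is common; only mention it alongside
    # another indicator so it adds weight rather than noise.
    if entry.company == "" and reasons:
        reasons.append("no company name in the file's version info")
    return reasons


def triage_log(lines) -> List[Finding]:
    """Parse every O4 line and keep those with at least one indicator."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        if entry is not None:
            reasons = triage(entry)
            if reasons:
                findings.append(Finding(entry, reasons))
    return findings


# Sample input: the O4 lines from the fix in this thread, one constructed
# benign Adobe Reader entry as a control, and one non-O4 line the parser skips.
SAMPLE_LINES = [
    r"O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)",
    r"O4 - HKLM..\Run: [psintf] C:\Documents and Settings\Administrator\Local Settings\Temp\psintf.dll (Midiman/M-Audio)",
    r"O4 - HKLM..\Run: [rpietq] C:\Documents and Settings\Administrator\Local Settings\Temp\rpietq.dll (DT Soft Ltd)",
    r"O4 - HKU\S-1-5-21-2557125706-1604667511-1493721487-500..\Run: [DealAssistant] C:\Documents and Settings\Administrator\Application Data\DealAssistant\dealassistant.exe ()",
    r"O4 - HKU\S-1-5-21-2557125706-1604667511-1493721487-500..\Run: [SfKg6wIPuSpdcduD7] C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\rclbs.exe ()",
    r"O4 - HKU\S-1-5-21-2557125706-1604667511-1493721487-500..\RunOnce: [B7E858A7212C2CDD4B8F79632830AC72] C:\Documents and Settings\All Users.WINDOWS\Application Data\B7E858A7212C2CDD4B8F79632830AC72\B7E858A7212C2CDD4B8F79632830AC72.exe ()",
    r"O2 - BHO: (Mirar) - {67320C37-8521-435E-B146-999EBB63682D} - C:\WINDOWS\system32\win2d78.dll ()",
]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LINES):
        print(f"{f.entry.key:<8} [{f.entry.name}] {f.entry.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Feed it the lines of an OTL.txt and it prints the five entries from the fix with their reasons while the Adobe control passes clean. It is a triage aid for reading a log faster, not a verdict: an unflagged entry still needs the usual checks, and a flagged one still needs to be confirmed before it goes into a fix script.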

#7
beabruin
    Member
  • Topic Starter
  • 73 posts
I am unable to remove Smart Fortress 2012. I tried twice. After reboot, I tried again and it will not uninstall. Should I continue with steps 2 & 3 as requested?

#8
WhiteHat
    Trusted Helper
  • Retired Staff
  • 1,925 posts

Should I continue with steps 2 & 3 as requested?

Yes.

:thumbsup:

#9
beabruin
    Member
  • Topic Starter
  • 73 posts
***
I am unable to run the OTL Custom Scan (RunFix) to successful completion. I've run it several times in normal startup mode, including overnight. When I check the Task Manager, I show two instances of OTL running but Not Responding. I had to end the processes & reboot. I also tried it several times in Safe Mode with & without networking with the same results (Not Responding) and ended up doing a reboot. I believe it is stalling at the line:
.
:Reg
HKU\S-1-5-21-2557125706-1604667511-1493721487-500\Software\Microsoft\Windows\CurrentVersion\Run
.

I did continue with the Malwarebytes step.
I'm also unable to uninstall Smart Fortress 2012. RegClean Pro also runs automatically upon reboot.
***
Here's the Malwarebytes Log:
*
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.16.04

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 6.0.2900.2180
Administrator :: 2UA148097C22911 [administrator]

Protection: Enabled

5/16/2012 9:44:32 AM
mbam-log-2012-05-16 (09-44-32).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 277751
Time elapsed: 9 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 4
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smart Fortress 2012 (Trojan.LameShield) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\DealAssistant (Trojan.Agent) -> Quarantined and deleted successfully.
HKCU\Software\IEBarProperties (Adware.Mirar) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DealAssistant (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Search Bar (Hijack.SearchPage) -> Bad: (http://www.mirarsear...om/?useie5=1&q=) Good: (http://www.google.com) -> Quarantined and repaired successfully.

Folders Detected: 1
C:\Documents and Settings\Administrator\Application Data\DealAssistant (Trojan.Agent) -> Quarantined and deleted successfully.

Files Detected: 11
C:\Documents and Settings\Administrator\Application Data\DealAssistant\dealassistant.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\RK_Quarantine\B7E858A7212C2CDD4B8F79632830AC72.exe.vir (Trojan.LameShield) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\RK_Quarantine\dealassistant.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\RK_Quarantine\rpietq.dll.vir (Trojan.Medfos) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\993.exe (Adware.Mirar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\da.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\B7E858A7212C2CDD4B8F79632830AC72\B7E858A7212C2CDD4B8F79632830AC72.exe (Trojan.LameShield) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\F4D55F17212C2CDD4BC5A3242830AC72\F4D55F17212C2CDD4BC5A3242830AC72.exe (Trojan.LameShield) -> Quarantined and deleted successfully.
C:\_OTL\MovedFiles\05152012_133327\C_Documents and Settings\Administrator\Local Settings\Temp\rpietq.dll (Trojan.Medfos) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\DealAssistant\config.cfg (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\DealAssistant\DAUninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.

(end)

#10
WhiteHat
    Trusted Helper
  • Retired Staff
  • 1,925 posts
Hi beabruin,

I believe it is stalling at the line:

My mistake, sorry about that.

I need you to run OTL again.

# Step 1 #

  • Double click on the OTL icon to run OTL. Make sure all other windows are closed and let it run uninterrupted.
  • Select All Users
  • In Extra Registry, select Use SafeList ( <<< Important)
  • Under the Custom Scan box paste this in
    netsvcs
    msconfig
    drives
    %SYSTEMDRIVE%\*.*
    %systemdrive%\drivers\*.exe
    %systemroot%\system32\drivers\*.* /90
    %PROGRAMFILES%\*.*
    C:\Windows\assembly\tmp\U /s
    HKLM\SOFTWARE\CLIENTS\Startmenuinternet|command /rs
    HKLM\SOFTWARE\CLIENTS\Startmenuinternet|command /64 /rs
    CREATERESTOREPOINT
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic

Edited by WhiteHat, 16 May 2012 - 06:50 PM.


#11
beabruin
    Member
  • Topic Starter
  • 73 posts
*
Here's the OTL Custom Scan log:
*
OTL logfile created on: 5/21/2012 9:41:02 AM - Run 3
OTL by OldTimer - Version 3.2.42.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.49 Gb Total Physical Memory | 2.77 Gb Available Physical Memory | 79.42% Memory free
4.08 Gb Paging File | 3.54 Gb Available in Paging File | 86.75% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.76 Gb Total Space | 450.85 Gb Free Space | 96.80% Space Free | Partition Type: NTFS

Computer Name: 2UA148097C22911 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/05/10 08:53:48 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2012/05/07 15:32:22 | 005,925,760 | ---- | M] (Systweak) -- C:\Program Files\Advanced System Protector\AdvancedSystemProtector.exe
PRC - [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/04/04 15:56:38 | 000,462,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/03/22 15:21:58 | 002,388,336 | ---- | M] (Apple Inc.) -- C:\Program Files\Safari\Safari.exe
PRC - [2012/03/22 11:40:42 | 000,014,184 | ---- | M] (Apple Inc.) -- C:\Program Files\Safari\Apple Application Support\WebKit2WebProcess.exe
PRC - [2010/02/18 11:43:20 | 000,490,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2009/07/01 12:37:06 | 000,037,888 | ---- | M] () -- C:\Program Files\Winamp\winampa.exe
PRC - [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/10/30 12:00:00 | 001,116,920 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe


========== Modules (No Company Name) ==========

MOD - [2012/05/11 08:16:58 | 001,945,600 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Services\27ed0d33bd5db24fb7a59f1d8843a565\System.Web.Services.ni.dll
MOD - [2012/05/11 08:16:44 | 000,684,032 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Transactions\d43c9974bd4dba43b0c38f9fb7ccd0fb\System.Transactions.ni.dll
MOD - [2012/05/11 08:16:42 | 000,659,456 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\0beb627bf906124ab05e9d4469589d79\System.EnterpriseServices.ni.dll
MOD - [2012/05/11 08:16:40 | 001,716,224 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Deployment\280b83d56c735840b5597dce08497442\System.Deployment.ni.dll
MOD - [2012/05/11 08:16:39 | 000,962,560 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\4a5eb0b73363c3458f1f9393832ea172\System.Configuration.ni.dll
MOD - [2012/05/11 08:06:24 | 006,688,768 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data\43124c109934ec4fbcb46329ae4bf038\System.Data.ni.dll
MOD - [2012/05/11 08:06:20 | 005,640,192 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\4bfa570b5d3913459e3efa3ed922dd53\System.Xml.ni.dll
MOD - [2012/05/11 08:06:16 | 013,107,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\abf906d80b18ae4d82b921af7a53a6d3\System.Windows.Forms.ni.dll
MOD - [2012/05/11 08:06:10 | 001,626,112 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\a34ae03929e90a418ab4d0672d15c989\System.Drawing.ni.dll
MOD - [2012/05/11 08:06:08 | 008,093,696 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\4734c7810fa1fa4b9710809e00eb382f\System.ni.dll
MOD - [2012/05/11 08:06:03 | 011,415,552 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\70f6bb8d62281144b0983b61664f2787\mscorlib.ni.dll
MOD - [2012/05/11 08:05:50 | 000,260,096 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
MOD - [2012/05/11 08:05:49 | 000,368,640 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
MOD - [2012/05/11 08:05:48 | 002,878,976 | ---- | M] () -- C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2012/05/11 08:05:47 | 000,114,688 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
MOD - [2012/05/07 15:32:30 | 001,709,440 | ---- | M] () -- C:\Program Files\Advanced System Protector\aspsys.dll
MOD - [2012/03/22 11:40:50 | 000,087,912 | ---- | M] () -- C:\Program Files\Safari\Apple Application Support\zlib1.dll
MOD - [2012/03/22 11:40:28 | 001,242,472 | ---- | M] () -- C:\Program Files\Safari\Apple Application Support\libxml2.dll
MOD - [2012/02/20 21:29:04 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2012/02/20 21:28:42 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/11/11 18:22:10 | 000,886,272 | ---- | M] () -- C:\Program Files\Advanced System Protector\System.Data.SQLite.dll
MOD - [2011/06/23 10:42:48 | 000,168,448 | ---- | M] () -- C:\Program Files\Advanced System Protector\unrar.dll
MOD - [2009/07/01 12:37:06 | 000,037,888 | ---- | M] () -- C:\Program Files\Winamp\winampa.exe
MOD - [2008/02/22 13:22:32 | 000,055,792 | ---- | M] () -- C:\WINDOWS\system32\DLAAPI_W.DLL


========== Win32 Services (SafeList) ==========

SRV - [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/05/11 07:28:46 | 000,014,080 | ---- | M] () [Kernel | On_Demand | Unknown] -- C:\WINDOWS\system32\drivers\TrueSight.sys -- (TrueSight)
DRV - [2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/07/20 09:32:00 | 000,193,704 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1c5132.sys -- (e1cexpress) Intel®
DRV - [2011/01/14 10:29:00 | 006,312,040 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/07/23 11:31:00 | 000,044,800 | ---- | M] (Infineon Technologies AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ifxtpm.sys -- (IFXTPM)
DRV - [2008/02/22 13:22:54 | 000,009,136 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2008/02/22 13:22:38 | 000,094,384 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2008/02/22 13:22:38 | 000,034,832 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2008/02/22 13:22:36 | 000,097,584 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2008/02/22 13:22:36 | 000,026,032 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2008/02/22 13:22:34 | 000,032,208 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2008/02/22 13:22:34 | 000,014,256 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2008/02/22 13:22:32 | 000,104,240 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2007/05/11 15:00:14 | 000,045,056 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2007/02/08 23:05:30 | 000,028,120 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2007/02/08 23:05:30 | 000,012,856 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/07/14 13:45:20 | 000,156,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004/09/17 12:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/08/04 01:29:28 | 000,701,440 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar =
IE - HKLM\..\SearchScopes,DefaultScope =


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2557125706-1604667511-1493721487-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com
IE - HKU\S-1-5-21-2557125706-1604667511-1493721487-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-2557125706-1604667511-1493721487-500\..\SearchScopes,DefaultScope = {2D49ADE0-39F0-45CF-9231-A78D0729DB9C}
IE - HKU\S-1-5-21-2557125706-1604667511-1493721487-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2557125706-1604667511-1493721487-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()


[2009/07/21 08:19:02 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2009/07/21 08:19:02 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\[email protected]

O1 HOSTS File: ([2001/08/23 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Advanced System Protector] C:\Program Files\Advanced System Protector\advancedsystemprotector.exe (Systweak)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe (Roxio)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKU\S-1-5-21-2557125706-1604667511-1493721487-500..\Run: [Advanced System Protector] C:\Program Files\Advanced System Protector\advancedsystemprotector.exe (Systweak)
O4 - HKU\S-1-5-21-2557125706-1604667511-1493721487-500..\Run: [RDReminder] C:\Program Files\RegClean Pro\RegCleanPro.exe (Systweak Inc)
O4 - HKU\S-1-5-21-2557125706-1604667511-1493721487-500..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\macromed\Flash\NPSWF32_FlashUtil.exe (Adobe Systems, Inc.)
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2557125706-1604667511-1493721487-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1269283802421 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 216.183.102.115 66.179.168.118
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3E5C7FE4-3447-490A-A127-142327B6C2E2}: DhcpNameServer = 216.183.102.115 66.179.168.118
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9BBF7F24-4CEA-4E8C-ABB9-78F02348E22A}: DhcpNameServer = 216.183.102.115 66.179.168.118
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{ED3F804D-F551-4B66-91B8-852051C57F91}: DhcpNameServer = 216.183.102.115 66.179.168.118
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Soap Bubbles.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Soap Bubbles.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/08/10 17:19:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{c12eb8b3-9a9a-11e1-8a72-f5b409d9bb9d}\Shell - "" = AutoRun
O33 - MountPoints2\{c12eb8b3-9a9a-11e1-8a72-f5b409d9bb9d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c12eb8b3-9a9a-11e1-8a72-f5b409d9bb9d}\Shell\AutoRun\command - "" = E:\DTLplus_Launcher.exe
O33 - MountPoints2\{e9912fc7-4790-11dc-a599-c658ed5773e7}\Shell - "" = AutoRun
O33 - MountPoints2\{e9912fc7-4790-11dc-a599-c658ed5773e7}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{e9912fc7-4790-11dc-a599-c658ed5773e7}\Shell\AutoRun\command - "" = E:\LaunchU3.exe
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\DTLplus_Launcher.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


CREATERESTOREPOINT
Unable to start System Restore Service. Error code 1056

========== Files/Folders - Created Within 30 Days ==========

[2012/05/16 09:43:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2012/05/16 09:43:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/05/16 09:43:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
[2012/05/16 09:43:00 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/05/16 09:43:00 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/05/16 09:42:24 | 010,063,000 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\My Documents\mbam-setup-1.61.0.1400.exe
[2012/05/15 13:33:27 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/05/11 08:09:27 | 000,000,000 | ---D | C] -- C:\Program Files\NVIDIA Corporation
[2012/05/11 08:08:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Systweak
[2012/05/11 08:06:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Advanced System Protector
[2012/05/11 08:06:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Systweak
[2012/05/11 08:06:32 | 000,000,000 | ---D | C] -- C:\Program Files\Advanced System Protector
[2012/05/11 08:05:45 | 000,000,000 | R-SD | C] -- C:\WINDOWS\assembly
[2012/05/11 08:05:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\Microsoft.NET
[2012/05/11 08:05:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Lang
[2012/05/11 07:28:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\RK_Quarantine
[2012/05/10 08:53:48 | 000,595,456 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2012/05/10 08:48:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Systweak
[2012/05/10 08:48:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\RegClean Pro
[2012/05/10 08:48:31 | 000,000,000 | ---D | C] -- C:\Program Files\RegClean Pro
[2012/05/10 08:35:45 | 000,604,776 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvuninst.exe
[2012/05/10 08:34:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\RTCOM
[2012/05/10 08:33:26 | 002,180,712 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\MicCal.exe
[2012/05/10 08:33:26 | 001,489,512 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RtlUpd.exe
[2012/05/10 08:33:26 | 000,891,496 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\RTSndMgr.CPL
[2012/05/10 08:33:25 | 006,312,040 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\drivers\RtkHDAud.sys
[2012/05/10 08:33:14 | 000,193,704 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\drivers\e1c5132.sys
[2012/05/10 08:33:14 | 000,081,600 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\NicInstC.dll
[2012/05/10 08:33:14 | 000,068,264 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\e1cmsg.dll
[2012/05/10 08:33:14 | 000,028,272 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\NicCo2.dll
[2012/05/10 08:33:02 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\devcon.exe
[2012/05/10 08:31:50 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2012/05/10 08:22:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Smart Fortress 2012
[2012/05/10 08:19:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\B7E858A7212C2CDD4B8F79632830AC72
[2012/05/03 14:39:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\F4D55F17212C2CDD4BC5A3242830AC72
[2012/05/03 11:41:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\iTunes
[2012/05/03 11:40:52 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/05/03 11:08:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\QuickTime
[2012/05/03 11:08:15 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2012/05/03 10:53:55 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/05/21 09:33:16 | 000,002,187 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Safari.lnk
[2012/05/19 22:47:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/05/16 10:02:24 | 000,392,626 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/05/16 10:02:24 | 000,058,800 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/05/16 09:58:11 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/05/16 09:43:02 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes Anti-Malware.lnk
[2012/05/16 09:42:32 | 010,063,000 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\My Documents\mbam-setup-1.61.0.1400.exe
[2012/05/16 08:59:56 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/05/15 15:27:52 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/05/14 10:41:57 | 000,002,205 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk
[2012/05/11 08:09:42 | 000,292,700 | ---- | M] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2012/05/11 08:09:42 | 000,000,001 | ---- | M] () -- C:\WINDOWS\System32\nvdrssel.bin
[2012/05/11 08:09:35 | 000,292,700 | ---- | M] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2012/05/11 08:09:35 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\nvdrswr.lk
[2012/05/11 08:06:33 | 000,000,876 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Advanced System Protector.lnk
[2012/05/11 07:28:46 | 000,014,080 | ---- | M] () -- C:\WINDOWS\System32\drivers\TrueSight.sys
[2012/05/11 06:25:56 | 001,417,728 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\RogueKiller.exe
[2012/05/10 08:53:48 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2012/05/10 08:48:32 | 000,000,725 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\RegClean Pro.lnk
[2012/05/03 11:41:13 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\iTunes.lnk
[2012/05/02 14:35:37 | 000,000,178 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\PD+Rescue v1 Prefs
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/05/16 09:43:02 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes Anti-Malware.lnk
[2012/05/16 08:21:33 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/05/11 08:09:35 | 000,292,700 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2012/05/11 08:09:35 | 000,292,700 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2012/05/11 08:09:35 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2012/05/11 08:09:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\nvdrswr.lk
[2012/05/11 08:06:33 | 000,000,876 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Advanced System Protector.lnk
[2012/05/11 08:06:32 | 000,017,136 | ---- | C] () -- C:\WINDOWS\System32\sasnative32.exe
[2012/05/11 07:28:46 | 000,014,080 | ---- | C] () -- C:\WINDOWS\System32\drivers\TrueSight.sys
[2012/05/11 07:28:41 | 001,417,728 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\RogueKiller.exe
[2012/05/10 08:48:32 | 000,000,725 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\RegClean Pro.lnk
[2012/05/10 08:33:30 | 000,007,843 | ---- | C] () -- C:\WINDOWS\System32\nvinfo.pb
[2012/05/10 08:33:14 | 000,003,108 | ---- | C] () -- C:\WINDOWS\System32\e1c5132.din
[2012/05/03 11:41:13 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\iTunes.lnk
[2012/05/03 10:00:06 | 000,000,284 | ---- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/02/09 22:40:00 | 002,783,770 | ---- | C] () -- C:\WINDOWS\System32\nvdata.data

========== Custom Scans ==========

========== Drive Information ==========

Physical Drives
---------------

Drive: \\.\PHYSICALDRIVE0 - Fixed hard disk media
Interface type: IDE
Media Type: Fixed hard disk media
Model: ST3500413AS
Partitions: 1
Status: OK
Status Info: 0

Partitions
---------------

DeviceID: Disk #0, Partition #0
PartitionType: Installable File System
Bootable: True
BootPartition: True
PrimaryPartition: True
Size: 466.00GB
Starting Offset: 32256
Hidden sectors: 0


< %SYSTEMDRIVE%\*.* >
[2007/08/10 17:19:58 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2008/07/08 13:08:43 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2007/08/10 17:19:58 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2007/08/10 18:28:52 | 000,001,344 | ---- | M] () -- C:\i386.lnk
[2007/08/10 17:19:58 | 000,000,000 | R-S- | M] () -- C:\IO.SYS
[2007/08/10 17:19:58 | 000,000,000 | R-S- | M] () -- C:\MSDOS.SYS
[2007/08/10 18:52:59 | 000,047,564 | R-S- | M] () -- C:\NTDETECT.COM
[2007/08/10 18:52:58 | 000,250,032 | RHS- | M] () -- C:\ntldr
[2012/05/16 09:58:07 | 805,306,368 | -HS- | M] () -- C:\pagefile.sys
[2008/07/01 12:18:25 | 000,000,791 | ---- | M] () -- C:\Version Control.txt

< %systemdrive%\drivers\*.exe >

< %systemroot%\system32\drivers\*.* /90 >
[2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2012/05/11 07:28:46 | 000,014,080 | ---- | M] () -- C:\WINDOWS\system32\drivers\TrueSight.sys

< %PROGRAMFILES%\*.* >

< C:\Windows\assembly\tmp\U /s >

< HKLM\SOFTWARE\CLIENTS\Startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: %systemroot%\system32\shmgrate.exe OCInstallReinstallIE [2004/08/04 03:56:58 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallHideIE [2004/08/04 03:56:58 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallShowIE [2004/08/04 03:56:58 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "%programfiles%\Internet Explorer\iexplore.exe" [2004/08/04 03:56:52 | 000,093,184 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\Safari.exe\InstallInfo\\ReinstallCommand: "C:\Program Files\Safari\Safari.exe" /reinstall [2012/03/22 15:21:58 | 002,388,336 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\Safari.exe\InstallInfo\\HideIconsCommand: "C:\Program Files\Safari\Safari.exe" /hideicons [2012/03/22 15:21:58 | 002,388,336 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\Safari.exe\InstallInfo\\ShowIconsCommand: "C:\Program Files\Safari\Safari.exe" /showicons [2012/03/22 15:21:58 | 002,388,336 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\Safari.exe\shell\open\command\\: "C:\Program Files\Safari\Safari.exe" [2012/03/22 15:21:58 | 002,388,336 | ---- | M] (Apple Inc.)

< HKLM\SOFTWARE\CLIENTS\Startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: %systemroot%\system32\shmgrate.exe OCInstallReinstallIE [2004/08/04 03:56:58 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallHideIE [2004/08/04 03:56:58 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: %systemroot%\system32\shmgrate.exe OCInstallShowIE [2004/08/04 03:56:58 | 000,042,496 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "%programfiles%\Internet Explorer\iexplore.exe" [2004/08/04 03:56:52 | 000,093,184 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\Safari.exe\InstallInfo\\ReinstallCommand: "C:\Program Files\Safari\Safari.exe" /reinstall [2012/03/22 15:21:58 | 002,388,336 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\Safari.exe\InstallInfo\\HideIconsCommand: "C:\Program Files\Safari\Safari.exe" /hideicons [2012/03/22 15:21:58 | 002,388,336 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\Safari.exe\InstallInfo\\ShowIconsCommand: "C:\Program Files\Safari\Safari.exe" /showicons [2012/03/22 15:21:58 | 002,388,336 | ---- | M] (Apple Inc.)
HKEY_LOCAL_MACHINE\SOFTWARE\CLIENTS\Startmenuinternet\Safari.exe\shell\open\command\\: "C:\Program Files\Safari\Safari.exe" [2012/03/22 15:21:58 | 002,388,336 | ---- | M] (Apple Inc.)

< End of report >
***
Here's the OTL Extras log:
*
OTL Extras logfile created on: 5/21/2012 9:41:04 AM - Run 3
OTL by OldTimer - Version 3.2.42.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.49 Gb Total Physical Memory | 2.77 Gb Available Physical Memory | 79.42% Memory free
4.08 Gb Paging File | 3.54 Gb Available in Paging File | 86.75% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.76 Gb Total Space | 450.85 Gb Free Space | 96.80% Space Free | Partition Type: NTFS

Computer Name: 2UA148097C22911 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{1E5E2F9A-17D3-45CA-8FF0-B0C2927D4B03}" = MobileMe Control Panel
"{23B8A91D-680B-462B-87AD-3D70F7341731}" = iTunes
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 17
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{67320C36-8521-435E-B146-999EBB63682D}" = Mirar
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.5
"{6D172D0A-B9F1-4046-AFAB-8599288545BF}" = Safari
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator Basic v9
"{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}" = Apple Application Support
"{EFC04D3F-A152-47E7-8517-EE0F6201AFEF}" = Apple Mobile Device Support
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"00212D92-C5D8-4ff4-AE50-B20F0F85C40A_Systweak_Ad~B9F029BF_is1" = Advanced System Protector
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"NVIDIA Drivers" = NVIDIA Drivers
"PD+Rescue for iPod_is1" = PD+Rescue for iPod v1.5.2
"PROSet" = Intel® PRO Network Connections Drivers
"RegClean Pro_is1" = RegClean Pro
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 2

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/3/2012 10:53:33 AM | Computer Name = 2UA8280MHY10049 | Source = Bonjour Service | ID = 100
Description = 472: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 5/3/2012 10:53:33 AM | Computer Name = 2UA8280MHY10049 | Source = Bonjour Service | ID = 100
Description = 484: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 5/3/2012 10:53:33 AM | Computer Name = 2UA8280MHY10049 | Source = Bonjour Service | ID = 100
Description = 496: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 5/3/2012 10:53:33 AM | Computer Name = 2UA8280MHY10049 | Source = Bonjour Service | ID = 100
Description = 508: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 5/3/2012 10:53:33 AM | Computer Name = 2UA8280MHY10049 | Source = Bonjour Service | ID = 100
Description = 228: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 5/10/2012 8:49:06 AM | Computer Name = 2UA148097C22911 | Source = MsiInstaller | ID = 1008
Description = The installation of C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-QEMRS.tmp\dotnetfx20\netfx.msi
is not permitted due to an error in software restriction policy processing. The
object cannot be trusted.

Error - 5/10/2012 8:49:07 AM | Computer Name = 2UA148097C22911 | Source = MsiInstaller | ID = 1008
Description = The installation of C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-QEMRS.tmp\dotnetfx20\netfx.msi
is not permitted due to an error in software restriction policy processing. The
object cannot be trusted.

Error - 5/15/2012 3:26:31 PM | Computer Name = 2UA148097C22911 | Source = Application Hang | ID = 1002
Description = Hanging application OTL.exe, version 3.2.42.3, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/16/2012 7:17:38 AM | Computer Name = 2UA148097C22911 | Source = Application Hang | ID = 1002
Description = Hanging application OTL.exe, version 3.2.42.3, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/16/2012 9:11:38 AM | Computer Name = 2UA148097C22911 | Source = Application Hang | ID = 1002
Description = Hanging application OTL.exe, version 3.2.42.3, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 5/10/2012 8:33:40 AM | Computer Name = 2UA148097C22911 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Fips intelppm

Error - 5/10/2012 8:36:33 AM | Computer Name = 2UA148097C22911 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 5/10/2012 8:39:55 AM | Computer Name = 2UA148097C22911 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 5/10/2012 8:39:57 AM | Computer Name = 2UA148097C22911 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 5/10/2012 8:41:19 AM | Computer Name = 2UA148097C22911 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Fips intelppm

Error - 5/10/2012 8:41:20 AM | Computer Name = 2UA148097C22911 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 5/10/2012 8:41:21 AM | Computer Name = 2UA148097C22911 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 5/10/2012 8:41:24 AM | Computer Name = 2UA148097C22911 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 5/10/2012 8:42:29 AM | Computer Name = 2UA148097C22911 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 5/10/2012 8:44:06 AM | Computer Name = 2UA148097C22911 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}


< End of report >
***
  • 0

#12
WhiteHat

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
Hi,

How is your computer?

# Step 1 #

Please reopen Posted Image on your desktop.
  • Under the Posted Image box at the bottom, paste in the following

    :Reg
    [HKU\S-1-5-21-2557125706-1604667511-1493721487-500\Software\Microsoft\Windows\CurrentVersion\Run]
    "RDReminder"=-
    "SystweakASP"=-
  • Then click the Posted Image button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


# Step 2 #

Disable your antivirus software
  • Access the Eset Online Scanner website using the Internet Explorer browser.
    http://www.eset.com/us/online-scanner/
  • Do the scan according to the image:

    Posted Image
  • At the end, check the box "Delete Quarantined files" and click [FINISH]
  • A log will be generated in C:\Program Files\EsetOnlineScanner\Log.txt
    PS: If you didn't find the log.txt file in \EsetOnlineScanner\, look in \Program Files\Eset\EsetOnlineScanner\log.txt
  • Post that log.

  • 0

#13
beabruin

beabruin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
The PC is better than it was.

It looks like Smart Fortress 2012 is no longer installed. However, after a reboot, RegCleanPro still runs and finds "phony" errors and asks me to purchase software to remove them. I also noticed another program that was not installed and visible before I started this thread. The program is called Advanced System Protector ver 2.1.1.74 from Systweak Inc.

Below are the OTL & ESET log files.
***
OTL Custom Scan log
*
========== REGISTRY ==========
Registry value HKEY_USERS\S-1-5-21-2557125706-1604667511-1493721487-500\Software\Microsoft\Windows\CurrentVersion\Run\\RDReminder deleted successfully.
Registry value HKEY_USERS\S-1-5-21-2557125706-1604667511-1493721487-500\Software\Microsoft\Windows\CurrentVersion\Run\\SystweakASP not found.

OTL by OldTimer - Version 3.2.42.3 log created on 05232012_063848
*
***
ESET Log file.
*
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=62b7c854e400e54eaa23be11cc11af73
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-05-23 11:01:22
# local_time=2012-05-23 07:01:22 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=62464
# found=10
# cleaned=10
# scan_time=775
C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\rclbs.exe a variant of Win32/Agent.NKV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Administrator\Desktop\RK_Quarantine\psintf.dll.vir a variant of Win32/Medfos.R trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Administrator\Desktop\RK_Quarantine\rclbs.exe.vir a variant of Win32/Agent.NKV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Administrator\Local Settings\Temp\jdc7B.tmp multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Administrator\My Documents\Limewire\Saved\crossroads stevie ray vaughan.mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Administrator\My Documents\Limewire\Saved\frisco blues john lee hooker.mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Administrator\My Documents\My Music\New Folder\crossroads stevie ray vaughan.mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Administrator\My Documents\My Music\New Folder\frisco blues john lee hooker.mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\RECYCLER\S-1-5-21-3156727262-2454622353-1765030686-500\Dc1.wma probably a variant of Win32/Agent.JKEOXOV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\05152012_133327\C_Documents and Settings\Administrator\Local Settings\Temp\psintf.dll a variant of Win32/Medfos.R trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
  • 0
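As an added illustration (not code from this thread, from ESET or from OTL), here is a small Python parser for the ESET Online Scanner log format pasted above; it cross-checks the header counts against the detail lines and separates live hits from files that were already sitting in another tool's quarantine. The sample log, its paths and the quarantine-folder markers are constructed assumptions modelled on the RK_Quarantine and _OTL\MovedFiles entries in the log.

```python
import re
from dataclasses import dataclass

# Constructed sample in the ESET Online Scanner log layout shown in this thread
# (paths, counts and hashes are made up; the threat phrasing mirrors ESET's).
SAMPLE_LOG = r"""# version=7
# scanned=1000
# found=4
# cleaned=4
C:\Documents and Settings\User\Application Data\Microsoft\Windows\rclbs.exe a variant of Win32/Agent.NKV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\User\Desktop\RK_Quarantine\psintf.dll.vir a variant of Win32/Medfos.R trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\User\My Documents\Saved\some song title.mp3 WMA/TrojanDownloader.GetCodec.C trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\User\Local Settings\Temp\jdc7B.tmp multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
"""

# Paths contain spaces, so the path is matched lazily and the threat text is
# anchored on the phrasings ESET uses ("a variant of ...", "multiple threats",
# or a Family/Name token). The line ends with "(action) <32-hex> <flag>".
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<threat>(?:probably )?a variant of .+?|multiple threats|\S+/\S+.*?)\s+"
    r"\((?P<action>[^)]*)\)\s+(?P<md5>[0-9a-fA-F]{32})\s+\S+$"
)

# Assumed markers for files that were already quarantined by another tool.
QUARANTINE_MARKERS = ("\\RK_Quarantine\\", "\\_OTL\\MovedFiles\\", "\\Quarantine\\")

@dataclass
class Detection:
    path: str
    threat: str
    action: str
    md5: str

def parse_eset_log(text):
    """Return (header key/values, list of Detection) from an ESET log."""
    summary, detections = {}, []
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            summary[key.strip()] = value.strip()
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(m["path"], m["threat"], m["action"], m["md5"]))
    return summary, detections

def triage(summary, detections):
    """Sanity-check the header counts and flag hits outside quarantine folders."""
    live = [d for d in detections if not any(mk in d.path for mk in QUARANTINE_MARKERS)]
    return {
        "found_matches_lines": int(summary.get("found", -1)) == len(detections),
        "all_cleaned": int(summary.get("cleaned", -1)) == int(summary.get("found", -2)),
        "live_hits": [d.path for d in live],
        "already_quarantined": len(detections) - len(live),
        "threats": sorted({d.threat for d in detections}),
    }
```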

#14
WhiteHat

WhiteHat

    Trusted Helper

  • Retired Staff
  • 1,925 posts
Hi,

You have problems with these two programs:
  • RegCleanPro
  • Advanced System Protector
Do you use this software? Do you know what these programs do?

RegCleanPro is a registry maintenance program and Advanced System Protector is an anti-spyware program.

Registry maintenance is a waste of time.
  • Registry cleaners offer no perceptible increase in performance.
  • They don't optimize the Registry.
I suggest you uninstall RegCleanPro.

As for Advanced System Protector: it is an anti-spyware program, so keeping it installed is up to you. If you do not use it or do not like the software, uninstall it.

Edited by WhiteHat, 23 May 2012 - 05:51 PM.

  • 0

#15
beabruin

beabruin

    Member

  • Topic Starter
  • Member
  • PipPip
  • 73 posts
I uninstalled RegCleanPro and Advanced System Protector as I do not use them. So far everything else seems okay for now.
  • 0
