Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Malware - "System Message - Write Fault Error" [Solved]


  • This topic is locked This topic is locked

#1
Rick1974

Rick1974

    Member

  • Member
  • PipPip
  • 23 posts
Hi,
Recently, my home computer has been infected with a virus or some sort of malware. I would really appreciate some help in getting my PC clean!


When I start the computer, several pop up windows appear. The pop up header bar is titled:
"System Message - Write Fault Error".
The detailed message is:
"A Write command during the test failed to complete. This may be due to a media or read/write error. The system generates an exception error when using a reference to an invalid memory address."

Then a new pop up appears. The pop up header is titled:
"System Error. Hard disk failure detected"
The detailed message is:
"It's highly recommended to run HDD scan to prevent loss of personal files."
If you click the button "Scan and Repair" it seems to find some problems and then presents a "repair" option. If you attempt to "repair" it states you have a trial version and you need to register to repair.

In Windows Explorer it appears as though all files are gone. I've found that they are actually hidden.
Also, the Start Menu is empty. "All Programs" and Favorites show up but they are empty.

It appears that some or all of these files may have been moved. I see some files under the folder:
..\Local Settings\temp\smtemp\1
..\Local Settings\temp\smtemp\2

Microsoft Security Essentials is still running. Scans did not produce anything. But when I look at the history I just noticed that a Trojan was quarantined on May 5th. It's called Rogue:Win32/Winwebsec


Below is the OTL.txt:
OTL logfile created on: 6/21/2012 10:01:33 PM - Run 1
OTL by OldTimer - Version 3.2.50.0 Folder = C:\Documents and Settings\Rick\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.49 Gb Total Physical Memory | 0.99 Gb Available Physical Memory | 66.69% Memory free
2.09 Gb Paging File | 1.75 Gb Available in Paging File | 83.87% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 7.88 Gb Free Space | 10.58% Space Free | Partition Type: NTFS
Drive E: | 37.26 Gb Total Space | 2.74 Gb Free Space | 7.35% Space Free | Partition Type: FAT32
Drive F: | 4.65 Gb Total Space | 3.00 Gb Free Space | 64.45% Space Free | Partition Type: FAT32

Computer Name: HOMEPC3 | User Name: Rick | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/06/20 19:25:28 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rick\Desktop\OTL.exe
PRC - [2012/06/18 19:29:47 | 000,346,760 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\ajIlqwSkbUSE.exe
PRC - [2012/03/26 17:08:12 | 000,931,200 | -H-- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2012/03/26 17:03:40 | 000,011,552 | -H-- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/13 18:12:12 | 000,012,288 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\attrib.exe
PRC - [2005/07/19 17:32:18 | 000,221,184 | -H-- | M] (Logitech Inc.) -- C:\WINDOWS\system32\LVCOMSX.EXE


========== Modules (No Company Name) ==========

MOD - [2012/06/18 19:29:47 | 000,346,760 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\ajIlqwSkbUSE.exe
MOD - [2012/02/20 21:29:04 | 000,087,912 | -H-- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2012/02/20 21:28:42 | 001,242,472 | -H-- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2007/09/16 19:07:27 | 000,051,716 | -H-- | M] () -- C:\WINDOWS\system32\pdf995mon.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/03/26 17:03:40 | 000,011,552 | -H-- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/03/03 14:53:08 | 000,033,176 | -H-- | M] (NOS Microsystems Ltd.) [Disabled | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper) getPlus®
SRV - [2007/10/01 15:39:06 | 000,045,056 | -H-- | M] ( ) [Disabled | Stopped] -- c:\Program Files\Soccerwinners\Halt\Halt.exe -- (Halt)
SRV - [2007/10/01 15:39:06 | 000,020,480 | -H-- | M] ( ) [Disabled | Stopped] -- c:\Program Files\Soccerwinners\Halt\HaltMonitor.exe -- (HaltMonitor)
SRV - [2006/03/30 09:15:44 | 000,096,341 | -H-- | M] (Canon Inc.) [Disabled | Stopped] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\DRIVERS\wATV03nt.sys -- (iAimTV2)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\ac97intc.sys -- (ac97intc) Intel® 82801 Audio Driver Install Service (WDM)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (.bcm4sbxp)
DRV - [2012/06/21 21:55:30 | 000,029,904 | -H-- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{21983A8C-1736-4318-9049-A2CF9B51479A}\MpKslf30e10f9.sys -- (MpKslf30e10f9)
DRV - [2006/05/20 04:15:25 | 000,030,588 | -H-- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2005/05/27 03:46:22 | 000,913,280 | RH-- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LV302AV.SYS -- (PID_08A0) QuickCam IM(PID_08A0)
DRV - [2005/05/27 03:38:00 | 000,007,136 | RH-- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lv302af.sys -- (pepifilter)
DRV - [2005/05/27 03:31:28 | 000,022,016 | RH-- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2004/08/03 23:29:49 | 000,019,455 | -H-- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wvchntxx.sys -- (iAimFP4)
DRV - [2004/08/03 23:29:47 | 000,012,063 | -H-- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wsiintxx.sys -- (iAimFP3)
DRV - [2004/08/03 23:29:45 | 000,023,615 | -H-- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wch7xxnt.sys -- (iAimTV4)
DRV - [2004/08/03 23:29:43 | 000,033,599 | -H-- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv04nt.sys -- (iAimTV3)
DRV - [2004/08/03 23:29:42 | 000,019,551 | -H-- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv02nt.sys -- (iAimTV1)
DRV - [2004/08/03 23:29:41 | 000,029,311 | -H-- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv01nt.sys -- (iAimTV0)
DRV - [2004/08/03 23:29:37 | 000,012,415 | -H-- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv01nt.sys -- (iAimFP0)
DRV - [2004/08/03 23:29:37 | 000,012,127 | -H-- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv02nt.sys -- (iAimFP1)
DRV - [2004/08/03 23:29:37 | 000,011,775 | -H-- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv05nt.sys -- (iAimFP2)
DRV - [2004/08/03 23:29:36 | 000,161,020 | -H-- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\i81xnt5.sys -- (i81x)
DRV - [2003/05/15 18:09:32 | 000,043,136 | RH-- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2002/04/04 00:32:06 | 000,028,416 | RH-- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\symmpi.sys -- (Symmpi)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com...DT/0409/bl8.asp
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.theglobeandmail.com/
IE - HKCU\..\SearchScopes,DefaultScope = {A990BF96-134E-4290-A68D-5D532B449798}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{2F6EB292-53FD-47A0-9D17-922EB54E957F}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKCU\..\SearchScopes\{A990BF96-134E-4290-A68D-5D532B449798}: "URL" = http://www.google.ca...1I7GPEA_enCA304
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost;*.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Documents and Settings\Rick\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)



========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\9.0.597.98\pdf.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Program Files\Google\Chrome\Application\9.0.597.98\gears.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\9.0.597.98\gcswf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.220.4 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U22 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: QuickTime Plug-in 7.0.3 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.0.3 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.0.3 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.0.3 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.0.3 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.0.3 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.0.3 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.50917.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Entanglement = C:\Documents and Settings\Rick\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd\2.1.1_0\
CHR - Extension: Poppit = C:\Documents and Settings\Rick\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0\

O1 HOSTS File: ([2012/06/18 19:30:51 | 000,000,761 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [ajIlqwSkbUSE.exe] C:\Documents and Settings\All Users\Application Data\ajIlqwSkbUSE.exe ()
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktop = 1
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
O9 - Extra 'Tools' menuitem : @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
O9 - Extra Button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} https://securedoc.sa...wer.com/qp2.cab (QuickPlace Class)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} http://download.micr...20/pmupd806.exe (MSN Money Charting)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} http://upload.facebo...otoUploader.cab (Facebook Photo Uploader Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1179431535093 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1180668558656 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} http://web1.shutterf...ds/Uploader.cab (Shutterfly Picture Upload Plugin)
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} http://www.walmartph...veX_Control.cab (Photo Upload Plugin Class)
O16 - DPF: {C42B23DF-334C-4AD0-9AB4-91FF53D04239} file:///C:/Documents%20and%20Settings/Michelle/Application%20Data/Smilebox/OzDesktopImporter.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} Reg Error: Key error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} http://www.walmartph...pv2.0.0.12.cab? (Photo Upload Plugin Class)
O16 - DPF: {F8FC1530-0608-11DF-2008-0800200C9A66} https://access.rcsd....ies/instweb.cab (CSD ActiveX Installer)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.67.222.222 208.67.220.220 65.87.230.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1DEE6D3E-36FF-49A0-A898-A6C153E5FD93}: DhcpNameServer = 208.67.222.222 208.67.220.220 65.87.230.4
O18 - Protocol\Handler\intu-qt2007 {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll File not found
O18 - Protocol\Handler\intu-qt2008 {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
O18 - Protocol\Handler\intu-qt2009 {03947252-2355-4e9b-B446-8CCC75C43370} - C:\Program Files\QuickTax 2009\ic2009pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
O18 - Protocol\Handler\intu-tt2010 {97A0575E-2309-4e75-8509-B1F9390C4DE7} - C:\Program Files\TurboTax 2010\ic2010pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
O18 - Protocol\Handler\intu-tt2011 {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - C:\Program Files\TurboTax 2011\ic2011pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Rick\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Rick\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/12/21 06:18:12 | 000,000,000 | -H-- | M] () - E:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/06/21 22:05:47 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Rick\Recent
[2012/06/21 21:59:48 | 000,596,992 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Rick\Desktop\OTL.exe
[2012/06/06 12:14:01 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2012/06/03 20:17:24 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2012/06/03 20:16:23 | 000,000,000 | -H-D | C] -- C:\Program Files\iTunes
[2012/06/03 20:12:56 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\LocalService\Application Data\Apple Computer
[2012/06/03 20:11:43 | 000,000,000 | -H-D | C] -- C:\Program Files\Bonjour
[2012/06/03 20:02:34 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickTime
[2012/06/03 20:02:17 | 000,000,000 | -H-D | C] -- C:\Program Files\QuickTime
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/06/21 22:09:02 | 000,000,428 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{8194FAB8-47E9-45C7-824B-B5F660D581C0}.job
[2012/06/21 22:07:04 | 000,000,886 | -H-- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/06/21 22:04:44 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2012/06/21 21:55:00 | 000,001,158 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/06/21 21:54:54 | 000,000,882 | -H-- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/06/21 21:54:36 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/06/21 21:54:35 | 1601,753,088 | -HS- | M] () -- C:\hiberfil.sys
[2012/06/20 19:25:28 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rick\Desktop\OTL.exe
[2012/06/18 20:30:00 | 000,000,160 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\-86iCIiSZsj3vMGr
[2012/06/18 20:30:00 | 000,000,000 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\-86iCIiSZsj3vMG
[2012/06/18 20:29:56 | 000,000,256 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\86iCIiSZsj3vMG
[2012/06/18 20:29:41 | 000,252,552 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\86iCIiSZsj3vMG.exe
[2012/06/18 19:30:51 | 000,000,761 | RHS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/06/18 19:29:47 | 000,346,760 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\ajIlqwSkbUSE.exe
[2012/06/13 05:17:05 | 000,356,160 | -H-- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/06/12 21:14:25 | 000,468,704 | -H-- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/06/12 21:14:25 | 000,079,128 | -H-- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/06/12 21:06:23 | 000,001,374 | -H-- | M] () -- C:\WINDOWS\imsins.BAK
[2012/06/06 12:14:02 | 000,000,284 | -H-- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/06/03 20:17:24 | 000,001,542 | -H-- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/05/27 16:20:46 | 000,000,059 | -H-- | M] () -- C:\WINDOWS\wpd99.drv
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/06/21 21:54:35 | 1601,753,088 | -HS- | C] () -- C:\hiberfil.sys
[2012/06/18 20:30:00 | 000,000,160 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\-86iCIiSZsj3vMGr
[2012/06/18 20:30:00 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\-86iCIiSZsj3vMG
[2012/06/18 20:29:54 | 000,000,256 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\86iCIiSZsj3vMG
[2012/06/18 20:29:41 | 000,252,552 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\86iCIiSZsj3vMG.exe
[2012/06/18 19:32:01 | 000,346,760 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\ajIlqwSkbUSE.exe
[2012/06/03 20:17:24 | 000,001,542 | -H-- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/06/03 19:51:04 | 000,000,284 | -H-- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/09/15 22:04:01 | 000,000,129 | -H-- | C] () -- C:\WINDOWS\System32\MRT.INI
[2011/04/02 17:25:14 | 000,080,808 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/09/04 14:50:41 | 000,001,664 | -H-- | C] () -- C:\WINDOWS\lsrslt.ini

========== LOP Check ==========

[2007/06/24 18:00:15 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2010/05/21 20:56:37 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\GARMIN
[2010/04/07 16:48:19 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Leapfrog
[2009/02/08 23:23:50 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\muvee Technologies
[2012/05/27 16:20:46 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2009/03/01 21:15:09 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/07/09 18:40:42 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\WindowsLiveInstaller
[2010/12/28 23:05:46 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2007/06/07 22:32:57 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Rick\Application Data\.BitTornado
[2011/08/27 20:08:00 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Rick\Application Data\calibre
[2011/10/10 12:04:44 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Rick\Application Data\Canon
[2007/06/08 21:31:18 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Rick\Application Data\IsolatedStorage
[2009/02/25 21:12:04 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Rick\Application Data\muvee Technologies
[2010/07/14 22:28:31 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Rick\Application Data\OpenDNS Updater
[2007/09/16 19:08:18 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Rick\Application Data\pdf995
[2008/08/23 21:21:21 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Rick\Application Data\Regen
[2009/01/25 16:17:13 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Rick\Application Data\Sparx Systems
[2012/06/10 17:51:53 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Rick\Application Data\uTorrent
[2012/06/21 22:09:02 | 000,000,428 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{8194FAB8-47E9-45C7-824B-B5F660D581C0}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 173 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F4CE9946

< End of report >


Here are the Extras:
OTL Extras logfile created on: 6/21/2012 10:01:33 PM - Run 1
OTL by OldTimer - Version 3.2.50.0 Folder = C:\Documents and Settings\Rick\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.49 Gb Total Physical Memory | 0.99 Gb Available Physical Memory | 66.69% Memory free
2.09 Gb Paging File | 1.75 Gb Available in Paging File | 83.87% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 7.88 Gb Free Space | 10.58% Space Free | Partition Type: NTFS
Drive E: | 37.26 Gb Total Space | 2.74 Gb Free Space | 7.35% Space Free | Partition Type: FAT32
Drive F: | 4.65 Gb Total Space | 3.00 Gb Free Space | 64.45% Space Free | Partition Type: FAT32

Computer Name: HOMEPC3 | User Name: Rick | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
jsfile [edit] -- "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1" (Macromedia, Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\WINDOWS\system32\mmc.exe" = C:\WINDOWS\system32\mmc.exe:*:Disabled:Microsoft Management Console -- (Microsoft Corporation)
"C:\Documents and Settings\Rick\Local Settings\temp\7zS2.tmp\SymNRT.exe" = C:\Documents and Settings\Rick\Local Settings\temp\7zS2.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01B06D09-CF96-4878-A0F4-B6217150BB1B}" = Microsoft Money 2003
"{02B42D23-10F2-4862-ADA4-3DF1EA0021B2}" = Microsoft Money 2003 System Pack
"{0837A661-FEC3-48B3-876C-91E7D32048A9}" = Macromedia Dreamweaver 8
"{0E64B098-8018-4256-BA23-C316A43AD9B0}" = QuickTime
"{0F842B77-56EA-4AAF-8295-81A022350B5E}" = Microsoft Security Client
"{12CAA28E-56CA-4C3D-B3F2-7311540DD410}" = TurboTax 2011
"{23B8A91D-680B-462B-87AD-3D70F7341731}" = iTunes
"{24AE6B5B-3D5A-488C-9224-1BEE11F75DD9}" = TurboTax 2010
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 26
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller
"{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}" = Macromedia Extension Manager
"{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}" = Google Earth
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.8
"{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{8338BA06-E527-491B-9400-F51708FEE695}" = iPod for Windows 2005-11-17
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}" = URGE
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A1430C24-93CF-4182-9252-B333A76F2CDD}" = Garmin Training Center
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{A8833100-1481-11D4-9731-00C04F8EEB39}" = Macromedia Fireworks 4
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA0D2D5F-612B-45D3-8759-DA87206E5CC9}" = QuickTax 2008
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.3
"{AEC0CEBC-0FC7-4716-8222-1C4A742719B1}" = Samsung Master
"{B0CC5440-E305-11E0-BCC1-1CC1DEF07CBE}" = Evernote v. 4.5.1
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B3A31EEE-7C65-4EE6-BB0D-5549FD2D67B9}" = Ipswitch WS_FTP LE
"{BC433758-153C-45E4-A6AA-7EAAB105D679}" = Halt
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C43048A9-742C-4DAD-90D2-E3B53C9DB825}" = Logitech QuickCam Software
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC98E8B3-FAAA-4D09-A813-A44C9FA1A3EE}" = Enterprise Architect 7.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E1CAE438-DEF7-44C2-A3A9-6915ABF2A732}" = calibre
"{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}" = Apple Application Support
"{ECB9C58E-C565-4683-9599-B72290BD3B25}" = QuickTax 2009
"{EFC04D3F-A152-47E7-8517-EE0F6201AFEF}" = Apple Mobile Device Support
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"49CF605F02C7954F4E139D18828DE298CD59217C" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
"7-Zip" = 7-Zip 9.20
"AC3Filter" = AC3Filter (remove only)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"B991B020-2968-11D8-AF23-444553540000_is1" = FreeMind
"CAL" = Canon Camera Access Library
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CanonCCDeinstall" = Canon Creative 3
"CDPhotoDeinstKey" = ColorDesk Photo
"ColorStoreDeInstallKey" = ColorStore
"Copy Muppy" = Copy Muppy
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"CreataCard Special Edition" = CreataCard Special Edition
"CSCLIB" = Canon Camera Support Core Library
"EOS Utility" = Canon Utilities EOS Utility
"ERUNT_is1" = ERUNT 1.1j
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller
"InstallShield_{8338BA06-E527-491B-9400-F51708FEE695}" = iPod for Windows 2005-11-17
"Java Web Start" = Java Web Start
"Leap Ahead Phonics Ages 4-7" = Leap Ahead Phonics Ages 4-7
"Magic ISO Maker v5.4 (build 0239)" = Magic ISO Maker v5.4 (build 0239)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"Money2006a" = MSN Money Investment Toolbox
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OpenDNS Updater" = OpenDNS Updater 2.2
"PhotoStitch" = Canon Utilities PhotoStitch
"Picasa 3" = Picasa 3
"PowerISO" = PowerISO
"SFlyStudio" = Shutterfly Studio
"TTInstallerDeinstKey" = TrueType Font Installer
"UnPacker" = UnPacker 1,3,2,1856
"uTorrent" = µTorrent
"VLC media player" = VLC media player 0.9.8a
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xvid_is1" = Xvid 1.1.2 final uninstall
"YTdetect" = Yahoo! Detect

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting 4.5.0.457
"UnityWebPlayer" = Unity Web Player
"uTorrent" = µTorrent

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 6/14/2012 7:19:37 AM | Computer Name = HOMEPC3 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 6/14/2012 7:19:37 AM | Computer Name = HOMEPC3 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 32001344

Error - 6/14/2012 7:19:37 AM | Computer Name = HOMEPC3 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 32001344

Error - 6/14/2012 7:19:53 AM | Computer Name = HOMEPC3 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 6/14/2012 7:19:53 AM | Computer Name = HOMEPC3 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 32016953

Error - 6/14/2012 7:19:53 AM | Computer Name = HOMEPC3 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 32016953

Error - 6/14/2012 7:20:09 AM | Computer Name = HOMEPC3 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 6/14/2012 7:20:09 AM | Computer Name = HOMEPC3 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 32032578

Error - 6/14/2012 7:20:09 AM | Computer Name = HOMEPC3 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 32032578

Error - 6/14/2012 7:49:32 AM | Computer Name = HOMEPC3 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

[ System Events ]
Error - 6/21/2012 10:26:05 PM | Computer Name = HOMEPC3 | Source = Service Control Manager | ID = 7001
Description = The Bonjour Service service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

Error - 6/21/2012 10:26:05 PM | Computer Name = HOMEPC3 | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 6/21/2012 10:26:06 PM | Computer Name = HOMEPC3 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss SCDEmu Tcpip

Error - 6/21/2012 10:26:09 PM | Computer Name = HOMEPC3 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 6/21/2012 10:27:28 PM | Computer Name = HOMEPC3 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 6/21/2012 10:27:35 PM | Computer Name = HOMEPC3 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 6/21/2012 10:35:46 PM | Computer Name = HOMEPC3 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 6/21/2012 10:35:46 PM | Computer Name = HOMEPC3 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 6/21/2012 10:35:46 PM | Computer Name = HOMEPC3 | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.127.2174.0 Update Source: %%859 Update Stage:
%%852 Source Path: Default URL Signature Type: %%800 Update Type: %%803 User: NT AUTHORITY\SYSTEM

Current
Engine Version: Previous Engine Version: 1.1.8403.0 Error code: 0x8007043c Error
description: This service cannot be started in Safe Mode

Error - 6/21/2012 11:53:19 PM | Computer Name = HOMEPC3 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}


< End of report >
  • 0

Advertisements


#2
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there lets recover your files and then take a deeper look to remove the malware

  • Download RogueKiller and save it on your desktop.
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan
Posted Image
  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
Posted Image
  • The report has been created on the desktop.

  • Next click on the ShortcutsFix
    Posted Image
  • The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

THEN

  • Run OTL.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    services.*
    WSHELPER.*
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, Only one log will be produced

  • 0

#3
Rick1974

Rick1974

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Hi. Thanks for helping.

Here are the reports from RogueKiller. I had to run from my USD drive since I could not copy it to my desktop. The desktop wallpaper is restored and the Start Menu looks better. Still can't see most of my files in Windows Explorer.


RogueKiller V7.5.4 [06/07/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Rick [Admin rights]
Mode: Scan -- Date: 06/22/2012 20:46:03

¤¤¤ Bad processes: 1 ¤¤¤
[SUSP PATH] ajIlqwSkbUSE.exe -- C:\Documents and Settings\All Users\Application Data\ajIlqwSkbUSE.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 18 ¤¤¤
[SUSP PATH] HKLM\[...]\Run : ajIlqwSkbUSE.exe (C:\Documents and Settings\All Users\Application Data\ajIlqwSkbUSE.exe) -> FOUND
[HJPOL] HKCU\[...]\Policies\Explorer\Explorer : NoDesktop (1) -> FOUND
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyComputer (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowSearch (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowControlPanel (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[FAKED] acpi.sys : c:\windows\system32\drivers\acpi.sys --> CANNOT FIX

¤¤¤ Driver: [LOADED] ¤¤¤
IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : atapi.sys -> HOOKED ([INLINE] Unknown @ 0x8A5ABFA9)

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD800LB-60DNA1 +++++
--- User ---
[MBR] 275f36113d1a1a8ce398d05920d4abe8
[BSP] 44ee1a806098d583ff9794b28b9198e1 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 6ed745b1b16959e734d7d53a39339877
[BSP] 44ee1a806098d583ff9794b28b9198e1 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo
1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 156280320 | Size: 10 Mo

+++++ PhysicalDrive1: ST340016A +++++
--- User ---
[MBR] 275f36113d1a1a8ce398d05920d4abe8
[BSP] 44ee1a806098d583ff9794b28b9198e1 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 9f6afccdfb8a9ce5a71ca6501f8dfb4b
[BSP] 99a62f08ad8d4d0b7f06de40db7ff734 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 38162 Mo

+++++ PhysicalDrive2: TOSHIBA MK5004MA USB Device +++++
--- User ---
[MBR] 40c5ea019cb365c72bc7ea95b0e277b0
[BSP] 7806d33e8e0f77c90ec94133476dfebb : Standard MBR Code
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 4769 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt



RogueKiller V7.5.4 [06/07/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Rick [Admin rights]
Mode: Remove -- Date: 06/22/2012 20:49:25

¤¤¤ Bad processes: 1 ¤¤¤
[SUSP PATH] ajIlqwSkbUSE.exe -- C:\Documents and Settings\All Users\Application Data\ajIlqwSkbUSE.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 18 ¤¤¤
[SUSP PATH] HKLM\[...]\Run : ajIlqwSkbUSE.exe (C:\Documents and Settings\All Users\Application Data\ajIlqwSkbUSE.exe) -> DELETED
[HJPOL] HKCU\[...]\Policies\Explorer\Explorer : NoDesktop (1) -> DELETED
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> REPLACED (0)
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> REPLACED (C:\Documents and Settings\Rick\Local Settings\Application Data\Microsoft\Wallpaper1.bmp)
[HJ] HKCU\[...]\Advanced : Start_ShowMyComputer (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowSearch (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowControlPanel (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowHelp (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowRun (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> REPLACED (1)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤
[FAKED] acpi.sys : c:\windows\system32\drivers\acpi.sys --> CANNOT FIX

¤¤¤ Driver: [LOADED] ¤¤¤
IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : atapi.sys -> HOOKED ([INLINE] Unknown @ 0x8A5ABFA9)

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD800LB-60DNA1 +++++
--- User ---
[MBR] 275f36113d1a1a8ce398d05920d4abe8
[BSP] 44ee1a806098d583ff9794b28b9198e1 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 6ed745b1b16959e734d7d53a39339877
[BSP] 44ee1a806098d583ff9794b28b9198e1 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo
1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 156280320 | Size: 10 Mo

+++++ PhysicalDrive1: ST340016A +++++
--- User ---
[MBR] 275f36113d1a1a8ce398d05920d4abe8
[BSP] 44ee1a806098d583ff9794b28b9198e1 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 9f6afccdfb8a9ce5a71ca6501f8dfb4b
[BSP] 99a62f08ad8d4d0b7f06de40db7ff734 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 38162 Mo

+++++ PhysicalDrive2: TOSHIBA MK5004MA USB Device +++++
--- User ---
[MBR] 40c5ea019cb365c72bc7ea95b0e277b0
[BSP] 7806d33e8e0f77c90ec94133476dfebb : Standard MBR Code
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 4769 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt



RogueKiller V7.5.4 [06/07/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Rick [Admin rights]
Mode: Shortcuts HJfix -- Date: 06/22/2012 20:57:21

¤¤¤ Bad processes: 1 ¤¤¤
[SUSP PATH] ajIlqwSkbUSE.exe -- C:\Documents and Settings\All Users\Application Data\ajIlqwSkbUSE.exe -> KILLED [TermProc]

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 15 / Fail 0
Quick launch: Success 6 / Fail 0
Programs: Success 32206 / Fail 0
Start menu: Success 307 / Fail 0
User folder: Success 20113 / Fail 0
My documents: Success 26566 / Fail 0
My favorites: Success 65 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 115599 / Fail 0
Backup: [FOUND] Success 201 / Fail 0

Drives:
[A:] \Device\Floppy0 -- 0x2 --> Skipped
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped
[E:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[F:] \Device\HarddiskVolume4 -- 0x3 --> Restored

¤¤¤ Infection : Rogue.FakeHDD ¤¤¤

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt



OTL logfile created on: 6/22/2012 9:04:35 PM - Run 2
OTL by OldTimer - Version 3.2.50.0 Folder = F:\
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.49 Gb Total Physical Memory | 0.86 Gb Available Physical Memory | 57.47% Memory free
2.09 Gb Paging File | 1.60 Gb Available in Paging File | 76.84% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 7.85 Gb Free Space | 10.53% Space Free | Partition Type: NTFS
Drive E: | 37.26 Gb Total Space | 2.74 Gb Free Space | 7.35% Space Free | Partition Type: FAT32
Drive F: | 4.65 Gb Total Space | 2.99 Gb Free Space | 64.42% Space Free | Partition Type: FAT32

Computer Name: HOMEPC3 | User Name: Rick | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/06/20 19:25:28 | 000,596,992 | ---- | M] (OldTimer Tools) -- F:\OTL.exe
PRC - [2012/03/26 17:08:12 | 000,931,200 | -H-- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2012/03/26 17:03:40 | 000,011,552 | -H-- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/07/19 17:32:18 | 000,221,184 | -H-- | M] (Logitech Inc.) -- C:\WINDOWS\system32\LVCOMSX.EXE
PRC - [2005/06/08 14:44:56 | 000,192,512 | -H-- | M] (Logitech Inc.) -- C:\Program Files\Logitech\Video\FxSvr2.exe


========== Modules (No Company Name) ==========

MOD - [2012/02/20 21:29:04 | 000,087,912 | -H-- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2012/02/20 21:28:42 | 001,242,472 | -H-- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/11/03 09:28:36 | 001,292,288 | -H-- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2008/04/13 18:12:03 | 000,192,512 | -H-- | M] () -- C:\WINDOWS\system32\qcap.dll
MOD - [2008/04/13 18:11:59 | 000,014,336 | -H-- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/13 18:11:51 | 000,059,904 | -H-- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2007/09/16 19:07:27 | 000,051,716 | -H-- | M] () -- C:\WINDOWS\system32\pdf995mon.dll
MOD - [2001/08/17 23:37:04 | 000,040,448 | -H-- | M] () -- C:\WINDOWS\system32\wiasf.ax


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/03/26 17:03:40 | 000,011,552 | -H-- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/03/03 14:53:08 | 000,033,176 | -H-- | M] (NOS Microsystems Ltd.) [Disabled | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper) getPlus®
SRV - [2007/10/01 15:39:06 | 000,045,056 | -H-- | M] ( ) [Disabled | Stopped] -- c:\Program Files\Soccerwinners\Halt\Halt.exe -- (Halt)
SRV - [2007/10/01 15:39:06 | 000,020,480 | -H-- | M] ( ) [Disabled | Stopped] -- c:\Program Files\Soccerwinners\Halt\HaltMonitor.exe -- (HaltMonitor)
SRV - [2006/03/30 09:15:44 | 000,096,341 | -H-- | M] (Canon Inc.) [Disabled | Stopped] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\DRIVERS\wATV03nt.sys -- (iAimTV2)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\ac97intc.sys -- (ac97intc) Intel® 82801 Audio Driver Install Service (WDM)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (.bcm4sbxp)
DRV - [2012/06/22 20:42:42 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8C087838-BBCB-40C9-B96A-C226BFF68F47}\MpKsl2a299648.sys -- (MpKsl2a299648)
DRV - [2008/04/13 12:36:35 | 000,187,776 | -H-- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\acpi.sys -- (ACPI)
DRV - [2006/05/20 04:15:25 | 000,030,588 | -H-- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2005/05/27 03:46:22 | 000,913,280 | RH-- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LV302AV.SYS -- (PID_08A0) QuickCam IM(PID_08A0)
DRV - [2005/05/27 03:38:00 | 000,007,136 | RH-- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lv302af.sys -- (pepifilter)
DRV - [2005/05/27 03:31:28 | 000,022,016 | RH-- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2004/08/03 23:29:49 | 000,019,455 | -H-- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wvchntxx.sys -- (iAimFP4)
DRV - [2004/08/03 23:29:47 | 000,012,063 | -H-- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wsiintxx.sys -- (iAimFP3)
DRV - [2004/08/03 23:29:45 | 000,023,615 | -H-- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wch7xxnt.sys -- (iAimTV4)
DRV - [2004/08/03 23:29:43 | 000,033,599 | -H-- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv04nt.sys -- (iAimTV3)
DRV - [2004/08/03 23:29:42 | 000,019,551 | -H-- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv02nt.sys -- (iAimTV1)
DRV - [2004/08/03 23:29:41 | 000,029,311 | -H-- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv01nt.sys -- (iAimTV0)
DRV - [2004/08/03 23:29:37 | 000,012,415 | -H-- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv01nt.sys -- (iAimFP0)
DRV - [2004/08/03 23:29:37 | 000,012,127 | -H-- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv02nt.sys -- (iAimFP1)
DRV - [2004/08/03 23:29:37 | 000,011,775 | -H-- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv05nt.sys -- (iAimFP2)
DRV - [2004/08/03 23:29:36 | 000,161,020 | -H-- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\i81xnt5.sys -- (i81x)
DRV - [2003/05/15 18:09:32 | 000,043,136 | RH-- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2002/04/04 00:32:06 | 000,028,416 | RH-- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\symmpi.sys -- (Symmpi)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com...DT/0409/bl8.asp
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2527309032-1139936588-3641913080-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.theglobeandmail.com/
IE - HKU\S-1-5-21-2527309032-1139936588-3641913080-1006\..\SearchScopes,DefaultScope = {A990BF96-134E-4290-A68D-5D532B449798}
IE - HKU\S-1-5-21-2527309032-1139936588-3641913080-1006\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKU\S-1-5-21-2527309032-1139936588-3641913080-1006\..\SearchScopes\{2F6EB292-53FD-47A0-9D17-922EB54E957F}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKU\S-1-5-21-2527309032-1139936588-3641913080-1006\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKU\S-1-5-21-2527309032-1139936588-3641913080-1006\..\SearchScopes\{A990BF96-134E-4290-A68D-5D532B449798}: "URL" = http://www.google.ca...1I7GPEA_enCA304
IE - HKU\S-1-5-21-2527309032-1139936588-3641913080-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2527309032-1139936588-3641913080-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost;*.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Documents and Settings\Rick\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)



========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\9.0.597.98\pdf.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Program Files\Google\Chrome\Application\9.0.597.98\gears.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\9.0.597.98\gcswf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.220.4 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U22 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: QuickTime Plug-in 7.0.3 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.0.3 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.0.3 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.0.3 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.0.3 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.0.3 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.0.3 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.50917.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Entanglement = C:\Documents and Settings\Rick\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd\2.1.1_0\
CHR - Extension: Poppit = C:\Documents and Settings\Rick\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0\

O1 HOSTS File: ([2012/06/18 19:30:51 | 000,000,761 | R-S- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O3 - HKU\S-1-5-21-2527309032-1139936588-3641913080-1006\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Michelle\Start Menu\Programs\Startup\EvernoteClipper.lnk = C:\Program Files\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2527309032-1139936588-3641913080-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2527309032-1139936588-3641913080-1006\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-2527309032-1139936588-3641913080-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2527309032-1139936588-3641913080-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-2527309032-1139936588-3641913080-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
O9 - Extra 'Tools' menuitem : @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
O9 - Extra Button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} https://securedoc.sa...wer.com/qp2.cab (QuickPlace Class)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} http://download.micr...20/pmupd806.exe (MSN Money Charting)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} http://upload.facebo...otoUploader.cab (Facebook Photo Uploader Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1179431535093 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1180668558656 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} http://web1.shutterf...ds/Uploader.cab (Shutterfly Picture Upload Plugin)
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} http://www.walmartph...veX_Control.cab (Photo Upload Plugin Class)
O16 - DPF: {C42B23DF-334C-4AD0-9AB4-91FF53D04239} file:///C:/Documents%20and%20Settings/Michelle/Application%20Data/Smilebox/OzDesktopImporter.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} Reg Error: Key error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} http://www.walmartph...pv2.0.0.12.cab? (Photo Upload Plugin Class)
O16 - DPF: {F8FC1530-0608-11DF-2008-0800200C9A66} https://access.rcsd....ies/instweb.cab (CSD ActiveX Installer)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.67.222.222 208.67.220.220 65.87.230.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1DEE6D3E-36FF-49A0-A898-A6C153E5FD93}: DhcpNameServer = 208.67.222.222 208.67.220.220 65.87.230.4
O18 - Protocol\Handler\intu-qt2007 {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll File not found
O18 - Protocol\Handler\intu-qt2008 {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
O18 - Protocol\Handler\intu-qt2009 {03947252-2355-4e9b-B446-8CCC75C43370} - C:\Program Files\QuickTax 2009\ic2009pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
O18 - Protocol\Handler\intu-tt2010 {97A0575E-2309-4e75-8509-B1F9390C4DE7} - C:\Program Files\TurboTax 2010\ic2010pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
O18 - Protocol\Handler\intu-tt2011 {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - C:\Program Files\TurboTax 2011\ic2011pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Rick\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Rick\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/12/21 06:18:12 | 000,000,000 | ---- | M] () - E:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - %SystemRoot%\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/06/22 20:42:33 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Rick\Desktop\RK_Quarantine
[2012/06/22 20:38:23 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Rick\Recent
[2012/06/21 21:59:48 | 000,596,992 | -H-- | C] (OldTimer Tools) -- C:\Documents and Settings\Rick\Desktop\OTL.exe
[2012/06/06 12:14:01 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2012/06/03 20:17:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2012/06/03 20:16:23 | 000,000,000 | -H-D | C] -- C:\Program Files\iTunes
[2012/06/03 20:12:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Apple Computer
[2012/06/03 20:11:43 | 000,000,000 | -H-D | C] -- C:\Program Files\Bonjour
[2012/06/03 20:02:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickTime
[2012/06/03 20:02:17 | 000,000,000 | -H-D | C] -- C:\Program Files\QuickTime
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/06/22 21:07:03 | 000,000,886 | -H-- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/06/22 21:04:00 | 000,000,428 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{8194FAB8-47E9-45C7-824B-B5F660D581C0}.job
[2012/06/22 20:47:39 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2012/06/22 20:38:10 | 000,000,882 | -H-- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/06/22 20:38:02 | 000,001,158 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/06/22 20:37:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/06/22 20:37:29 | 1601,753,088 | -HS- | M] () -- C:\hiberfil.sys
[2012/06/20 19:25:28 | 000,596,992 | -H-- | M] (OldTimer Tools) -- C:\Documents and Settings\Rick\Desktop\OTL.exe
[2012/06/18 20:30:00 | 000,000,160 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\-86iCIiSZsj3vMGr
[2012/06/18 20:30:00 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\-86iCIiSZsj3vMG
[2012/06/18 20:29:56 | 000,000,256 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\86iCIiSZsj3vMG
[2012/06/18 20:29:41 | 000,252,552 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\86iCIiSZsj3vMG.exe
[2012/06/18 19:30:51 | 000,000,761 | R-S- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/06/18 19:29:47 | 000,346,760 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\ajIlqwSkbUSE.exe
[2012/06/13 05:17:05 | 000,356,160 | -H-- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/06/12 21:14:25 | 000,468,704 | -H-- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/06/12 21:14:25 | 000,079,128 | -H-- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/06/12 21:06:23 | 000,001,374 | -H-- | M] () -- C:\WINDOWS\imsins.BAK
[2012/06/10 17:52:18 | 000,001,542 | -H-- | M] () -- C:\Documents and Settings\Rick\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2012/06/06 12:14:02 | 000,000,284 | -H-- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/06/03 20:17:24 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/05/27 16:20:46 | 000,000,059 | -H-- | M] () -- C:\WINDOWS\wpd99.drv
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/06/22 20:50:04 | 000,001,542 | -H-- | C] () -- C:\Documents and Settings\Rick\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2012/06/22 20:50:04 | 000,000,815 | -H-- | C] () -- C:\Documents and Settings\Rick\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/06/22 20:50:04 | 000,000,800 | -H-- | C] () -- C:\Documents and Settings\Rick\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/06/22 20:50:04 | 000,000,792 | -H-- | C] () -- C:\Documents and Settings\Rick\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2012/06/22 20:50:04 | 000,000,079 | -H-- | C] () -- C:\Documents and Settings\Rick\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2012/06/22 20:50:01 | 000,001,846 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\MSN Explorer.lnk
[2012/06/22 20:50:01 | 000,001,698 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/06/22 20:50:01 | 000,001,605 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Works Task Launcher.lnk
[2012/06/22 20:50:00 | 000,002,387 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Money 2003.lnk
[2012/06/22 20:49:58 | 000,002,347 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 9.lnk
[2012/06/22 20:49:58 | 000,001,830 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Apple Software Update.lnk
[2012/06/21 21:54:35 | 1601,753,088 | -HS- | C] () -- C:\hiberfil.sys
[2012/06/18 20:30:00 | 000,000,160 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\-86iCIiSZsj3vMGr
[2012/06/18 20:30:00 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\-86iCIiSZsj3vMG
[2012/06/18 20:29:54 | 000,000,256 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\86iCIiSZsj3vMG
[2012/06/18 20:29:41 | 000,252,552 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\86iCIiSZsj3vMG.exe
[2012/06/18 19:32:01 | 000,346,760 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ajIlqwSkbUSE.exe
[2012/06/03 20:17:24 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/06/03 19:51:04 | 000,000,284 | -H-- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/09/15 22:04:01 | 000,000,129 | -H-- | C] () -- C:\WINDOWS\System32\MRT.INI
[2011/04/02 17:25:14 | 000,080,808 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/09/04 14:50:41 | 000,001,664 | -H-- | C] () -- C:\WINDOWS\lsrslt.ini

========== LOP Check ==========

[2007/06/24 18:00:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2010/05/21 20:56:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GARMIN
[2010/04/07 16:48:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Leapfrog
[2009/02/08 23:23:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\muvee Technologies
[2012/05/27 16:20:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2009/03/01 21:15:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/07/09 18:40:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WindowsLiveInstaller
[2010/12/28 23:05:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/04/19 21:56:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Matthew and Caleb\Application Data\iScreensaver
[2010/04/26 13:44:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Matthew and Caleb\Application Data\pdf995
[2008/09/10 21:55:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michelle\Application Data\Aim
[2007/11/06 21:35:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michelle\Application Data\Canon
[2011/04/12 15:47:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michelle\Application Data\Cisco
[2009/08/31 19:38:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michelle\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/02/21 12:17:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michelle\Application Data\Facebook
[2010/05/21 20:56:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michelle\Application Data\GARMIN
[2010/04/19 10:34:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michelle\Application Data\LEGO Company
[2007/07/02 20:55:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michelle\Application Data\Shutterfly
[2012/06/16 13:17:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michelle\Application Data\Smilebox
[2009/07/11 22:06:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michelle\Application Data\Template
[2009/11/19 16:46:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michelle\Application Data\Unity
[2007/06/07 22:32:57 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Rick\Application Data\.BitTornado
[2011/08/27 20:08:00 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Rick\Application Data\calibre
[2011/10/10 12:04:44 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Rick\Application Data\Canon
[2007/06/08 21:31:18 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Rick\Application Data\IsolatedStorage
[2009/02/25 21:12:04 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Rick\Application Data\muvee Technologies
[2010/07/14 22:28:31 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Rick\Application Data\OpenDNS Updater
[2007/09/16 19:08:18 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Rick\Application Data\pdf995
[2008/08/23 21:21:21 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Rick\Application Data\Regen
[2009/01/25 16:17:13 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Rick\Application Data\Sparx Systems
[2012/06/10 17:51:53 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Rick\Application Data\uTorrent
[2012/06/22 21:04:00 | 000,000,428 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{8194FAB8-47E9-45C7-824B-B5F660D581C0}.job

========== Purity Check ==========



========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >
[2009/11/14 10:13:39 | 023,510,720 | -H-- | M] (Microsoft Corporation) -- C:\dotnetfx.exe
[2009/11/14 09:43:35 | 000,812,344 | -H-- | M] (Trend Micro Inc.) -- C:\HJTInstall.exe
[2009/11/14 09:53:38 | 000,021,504 | -H-- | M] (Doug Knox) -- C:\SysRestorePoint.exe

< MD5 for: EXPLORER.EXE >
[2008/04/13 18:12:19 | 001,033,728 | -H-- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/13 18:12:19 | 001,033,728 | -H-- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/13 18:12:19 | 001,033,728 | -H-- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2007/06/13 05:26:03 | 001,033,216 | -H-- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 04:23:07 | 001,033,216 | -H-- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2004/08/04 01:56:49 | 001,032,192 | -H-- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe

< MD5 for: SERVICES >
[2003/03/31 03:00:00 | 000,007,116 | -H-- | M] () MD5=95826940E657FE0567A8EC0F2A6AD11A -- C:\WINDOWS\system32\drivers\etc\services

< MD5 for: SERVICES._ >
[2003/03/31 08:00:00 | 000,001,989 | -H-- | M] () MD5=29BB3BBBE3D49156A42BFB3DD000F554 -- C:\i386\SERVICES._

< MD5 for: SERVICES.CNF >
[2003/01/26 16:13:16 | 000,000,003 | -H-- | M] () MD5=864E46AD77EBE7A312EB11241A5114B6 -- C:\Documents and Settings\Rick\My Documents\My Webs\_vti_pvt\services.cnf
[2000/10/21 16:52:08 | 000,000,003 | -H-- | M] () MD5=864E46AD77EBE7A312EB11241A5114B6 -- C:\Documents and Settings\Rick\My Documents\My Webs\Archived Webs\CdnAlliance\_vti_pvt\services.cnf
[2000/04/08 00:00:00 | 000,000,003 | -H-- | M] () MD5=864E46AD77EBE7A312EB11241A5114B6 -- C:\Documents and Settings\Rick\My Documents\My Webs\Archived Webs\Rybchuk 31Oct2002\_vti_pvt\services.cnf
[2003/03/25 10:02:16 | 000,000,003 | -H-- | M] () MD5=864E46AD77EBE7A312EB11241A5114B6 -- C:\Documents and Settings\Rick\My Documents\My Webs\Test Webs\Rainbow\RainbowVB\_vti_pvt\services.cnf

< MD5 for: SERVICES.EX_ >
[2003/03/31 08:00:00 | 000,047,953 | -H-- | M] () MD5=78718439FA165A148B2F41A9EB41F488 -- C:\i386\SERVICES.EX_

< MD5 for: SERVICES.EXE >
[2009/02/06 05:06:24 | 000,110,592 | -H-- | M] (Microsoft Corporation) MD5=020CEAAEDC8EB655B6506B8C70D53BB6 -- C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe
[2008/04/13 18:12:34 | 000,108,544 | -H-- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\$NtUninstallKB956572$\services.exe
[2008/04/13 18:12:34 | 000,108,544 | -H-- | M] (Microsoft Corporation) MD5=0E776ED5F7CC9F94299E70461B7B8185 -- C:\WINDOWS\ServicePackFiles\i386\services.exe
[2009/02/06 05:11:05 | 000,110,592 | -H-- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\ERDNT\cache\services.exe
[2009/02/06 05:11:05 | 000,110,592 | -H-- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\dllcache\services.exe
[2009/02/06 05:11:05 | 000,110,592 | -H-- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\system32\services.exe
[2004/08/04 01:56:55 | 000,108,032 | -H-- | M] (Microsoft Corporation) MD5=C6CE6EEC82F187615D1002BB3BB50ED4 -- C:\WINDOWS\$NtServicePackUninstall$\services.exe

< MD5 for: SERVICES.LNK >
[2007/05/28 22:07:30 | 000,001,602 | ---- | M] () MD5=A2A1D635210FC0AE07F195D956F2C20B -- C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Services.lnk
[2007/05/28 22:07:30 | 000,001,602 | -H-- | M] () MD5=A2A1D635210FC0AE07F195D956F2C20B -- C:\Documents and Settings\Rick\Local Settings\temp\smtmp\1\Programs\Administrative Tools\Services.lnk

< MD5 for: SERVICES.MOCHIADS.COM.SOL >
[2012/01/22 16:27:03 | 000,000,462 | ---- | M] () MD5=A7729DA59CDE4EE3214102975B2314D5 -- C:\Documents and Settings\Matthew and Caleb\Application Data\Macromedia\Flash Player\#SharedObjects\J6EHJ9KR\mochiads.com\services.mochiads.com.sol

< MD5 for: SERVICES.MS_ >
[2003/03/31 08:00:00 | 000,003,649 | -H-- | M] () MD5=64E9F61D2ED093C361862DE36433B5E1 -- C:\i386\SERVICES.MS_

< MD5 for: SERVICES.MSC >
[2001/07/21 15:14:20 | 000,033,464 | -H-- | M] () MD5=E8089AA2A6F7FEE89B38C1F2D77BA6C6 -- C:\WINDOWS\system32\services.msc

< MD5 for: SVCHOST.EXE >
[2008/04/13 18:12:36 | 000,014,336 | -H-- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ERDNT\cache\svchost.exe
[2008/04/13 18:12:36 | 000,014,336 | -H-- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/13 18:12:36 | 000,014,336 | -H-- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2004/08/04 01:56:57 | 000,014,336 | -H-- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe

< MD5 for: USERINIT.EXE >
[2004/08/04 01:56:57 | 000,024,576 | -H-- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/13 18:12:38 | 000,026,112 | -H-- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2008/04/13 18:12:38 | 000,026,112 | -H-- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/13 18:12:38 | 000,026,112 | -H-- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2004/08/04 01:56:57 | 000,502,272 | -H-- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2008/04/13 18:12:39 | 000,507,904 | -H-- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/13 18:12:39 | 000,507,904 | -H-- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 18:12:39 | 000,507,904 | -H-- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 173 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F4CE9946

< End of report >
  • 0

#4
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Still a little work to do

Re-run RogueKiller please and select Shortcuts fix

Post the resultant log

THEN

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from "Start with Windows"
Reboot and then run OTL
Posted Image

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    DRV - File not found [Kernel | On_Demand | Unknown] -- -- (.bcm4sbxp)
    O3 - HKU\S-1-5-21-2527309032-1139936588-3641913080-1006\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    [2012/06/18 20:30:00 | 000,000,160 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\-86iCIiSZsj3vMGr
    [2012/06/18 20:30:00 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\-86iCIiSZsj3vMG
    [2012/06/18 20:29:56 | 000,000,256 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\86iCIiSZsj3vMG
    [2012/06/18 20:29:41 | 000,252,552 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\86iCIiSZsj3vMG.exe
    [2012/06/18 19:29:47 | 000,346,760 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\ajIlqwSkbUSE.exe

    :Files
    ipconfig /flushdns /c

    :Commands
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

NEXT

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Doubleclick on TDSSKiller.exe to run the application
    Posted Image
  • Then click on Change parameters.

    Posted Image
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.

  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    Posted Image
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Get the report by selecting Reports

    Posted Image
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

AND FINALLY

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • Allow the installation of the Recovery Console

    Posted Image

    Posted Image
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.



Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
  • 0

#5
Rick1974

Rick1974

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
I re-ran RougueKiller. Results are below.
I uninstalled Malware Bytes since I had a very old version (1.46).
I ran OTL with custom fix.
I got a couple errors:
Cannot create file C:\WINDOWS\System32\drivers\etc\Hosts.

then a bit later:
Windows Delayed Write Failed
Windows was unable to save all the data for the file \Device\DarddriskVolume6. The data has been lost. The error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

OTL looks like it's still running (but it might be hung?)
On the very bottom left corner of the window there is a status line that reads:
Resetting HOSTS file. DO NOT INTERRUPT...

It doesn't appear to be doing anything though. The Start Menu is not visible, so I may need to do a hard reboot.
I'll let it sit in this state until I hear back from you.


RogueKiller V7.5.4 [06/07/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Rick [Admin rights]
Mode: Shortcuts HJfix -- Date: 06/23/2012 14:00:21

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 38 / Fail 0
Quick launch: Success 6 / Fail 0
Programs: Success 32198 / Fail 0
Start menu: Success 69 / Fail 0
User folder: Success 17557 / Fail 0
My documents: Success 13169 / Fail 0
My favorites: Success 65 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 63488 / Fail 0
Backup: [FOUND] Success 0 / Fail 201

Drives:
[A:] \Device\Floppy0 -- 0x2 --> Skipped
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped
[E:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[F:] \Device\HarddiskVolume6 -- 0x3 --> Restored

¤¤¤ Infection : Rogue.FakeHDD ¤¤¤

Finished : << RKreport[4].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt

Edited by Rick1974, 23 June 2012 - 02:39 PM.

  • 0

#6
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Yes do a hard reboot please

Then re-run with this fix prior to running TDSSkiller etc



Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :files
    xcopy %Temp%\smtmp\1 "%AllUsersProfile%\Start Menu" /H /I /S /Y /C
    xcopy %Temp%\smtmp\2 "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch" /H /I /S /Y /C
    xcopy %Temp%\smtmp\3 "%AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" /H /I /S /Y /C
    xcopy %Temp%\smtmp\4 "%AllUsersProfile%\Desktop" /H /I /S /Y /C
    ipconfig /flushdns /c

    :Commands
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

  • 0

#7
Rick1974

Rick1974

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
I rebooted and ran OTL quick scan. Result is below.

I can't get tdsskiller.exe to run on my PC. Nothing happens when I double click on it. I tried several times. Also tried logging off/on but it doesn't help.

Not sure if I should continue with ComboFix?

OTL logfile created on: 6/23/2012 4:59:26 PM - Run 3
OTL by OldTimer - Version 3.2.50.0 Folder = C:\Documents and Settings\Rick\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.49 Gb Total Physical Memory | 1.06 Gb Available Physical Memory | 71.09% Memory free
2.09 Gb Paging File | 1.82 Gb Available in Paging File | 87.44% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 7.94 Gb Free Space | 10.66% Space Free | Partition Type: NTFS
Drive E: | 37.26 Gb Total Space | 2.74 Gb Free Space | 7.35% Space Free | Partition Type: FAT32

Computer Name: HOMEPC3 | User Name: Rick | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/06/20 19:25:28 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rick\Desktop\OTL.exe
PRC - [2012/03/26 17:08:12 | 000,931,200 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2008/04/13 18:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\userinit.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2012/02/20 21:29:04 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2012/02/20 21:28:42 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2007/09/16 19:07:27 | 000,051,716 | ---- | M] () -- C:\WINDOWS\system32\pdf995mon.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/03/03 14:53:08 | 000,033,176 | ---- | M] (NOS Microsystems Ltd.) [Disabled | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper) getPlus®
SRV - [2007/10/01 15:39:06 | 000,045,056 | ---- | M] ( ) [Disabled | Stopped] -- c:\Program Files\Soccerwinners\Halt\Halt.exe -- (Halt)
SRV - [2007/10/01 15:39:06 | 000,020,480 | ---- | M] ( ) [Disabled | Stopped] -- c:\Program Files\Soccerwinners\Halt\HaltMonitor.exe -- (HaltMonitor)
SRV - [2006/03/30 09:15:44 | 000,096,341 | ---- | M] (Canon Inc.) [Disabled | Stopped] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\DRIVERS\wATV03nt.sys -- (iAimTV2)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\ac97intc.sys -- (ac97intc) Intel® 82801 Audio Driver Install Service (WDM)
DRV - [2008/04/13 12:36:35 | 000,187,776 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\acpi.sys -- (ACPI)
DRV - [2006/05/20 04:15:25 | 000,030,588 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2005/05/27 03:46:22 | 000,913,280 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LV302AV.SYS -- (PID_08A0) QuickCam IM(PID_08A0)
DRV - [2005/05/27 03:38:00 | 000,007,136 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lv302af.sys -- (pepifilter)
DRV - [2005/05/27 03:31:28 | 000,022,016 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2004/08/03 23:29:49 | 000,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wvchntxx.sys -- (iAimFP4)
DRV - [2004/08/03 23:29:47 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wsiintxx.sys -- (iAimFP3)
DRV - [2004/08/03 23:29:45 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wch7xxnt.sys -- (iAimTV4)
DRV - [2004/08/03 23:29:43 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv04nt.sys -- (iAimTV3)
DRV - [2004/08/03 23:29:42 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv02nt.sys -- (iAimTV1)
DRV - [2004/08/03 23:29:41 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv01nt.sys -- (iAimTV0)
DRV - [2004/08/03 23:29:37 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv01nt.sys -- (iAimFP0)
DRV - [2004/08/03 23:29:37 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv02nt.sys -- (iAimFP1)
DRV - [2004/08/03 23:29:37 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv05nt.sys -- (iAimFP2)
DRV - [2004/08/03 23:29:36 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\i81xnt5.sys -- (i81x)
DRV - [2003/05/15 18:09:32 | 000,043,136 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2002/04/04 00:32:06 | 000,028,416 | R--- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\symmpi.sys -- (Symmpi)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com...DT/0409/bl8.asp
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.theglobeandmail.com/
IE - HKCU\..\SearchScopes,DefaultScope = {A990BF96-134E-4290-A68D-5D532B449798}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{2F6EB292-53FD-47A0-9D17-922EB54E957F}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKCU\..\SearchScopes\{A990BF96-134E-4290-A68D-5D532B449798}: "URL" = http://www.google.ca...1I7GPEA_enCA304
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost;*.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Documents and Settings\Rick\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)



========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\9.0.597.98\pdf.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Program Files\Google\Chrome\Application\9.0.597.98\gears.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\9.0.597.98\gcswf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.220.4 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U22 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: QuickTime Plug-in 7.0.3 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.0.3 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.0.3 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.0.3 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.0.3 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.0.3 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.0.3 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.50917.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Entanglement = C:\Documents and Settings\Rick\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd\2.1.1_0\
CHR - Extension: Poppit = C:\Documents and Settings\Rick\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0\

O1 HOSTS File: ([2012/06/18 19:30:51 | 000,000,761 | R-S- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
O9 - Extra 'Tools' menuitem : @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
O9 - Extra Button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} https://securedoc.sa...wer.com/qp2.cab (QuickPlace Class)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} http://download.micr...20/pmupd806.exe (MSN Money Charting)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} http://upload.facebo...otoUploader.cab (Facebook Photo Uploader Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1179431535093 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1180668558656 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} http://web1.shutterf...ds/Uploader.cab (Shutterfly Picture Upload Plugin)
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} http://www.walmartph...veX_Control.cab (Photo Upload Plugin Class)
O16 - DPF: {C42B23DF-334C-4AD0-9AB4-91FF53D04239} file:///C:/Documents%20and%20Settings/Michelle/Application%20Data/Smilebox/OzDesktopImporter.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} Reg Error: Key error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} http://www.walmartph...pv2.0.0.12.cab? (Photo Upload Plugin Class)
O16 - DPF: {F8FC1530-0608-11DF-2008-0800200C9A66} https://access.rcsd....ies/instweb.cab (CSD ActiveX Installer)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.67.222.222 208.67.220.220 65.87.230.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1DEE6D3E-36FF-49A0-A898-A6C153E5FD93}: DhcpNameServer = 208.67.222.222 208.67.220.220 65.87.230.4
O18 - Protocol\Handler\intu-qt2007 {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll File not found
O18 - Protocol\Handler\intu-qt2008 {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
O18 - Protocol\Handler\intu-qt2009 {03947252-2355-4e9b-B446-8CCC75C43370} - C:\Program Files\QuickTax 2009\ic2009pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
O18 - Protocol\Handler\intu-tt2010 {97A0575E-2309-4e75-8509-B1F9390C4DE7} - C:\Program Files\TurboTax 2010\ic2010pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
O18 - Protocol\Handler\intu-tt2011 {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - C:\Program Files\TurboTax 2011\ic2011pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Rick\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Rick\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/12/21 06:18:12 | 000,000,000 | ---- | M] () - E:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/06/23 16:56:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/06/23 16:56:00 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/06/23 13:45:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rick\My Documents\My Received Files
[2012/06/23 13:45:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rick\Application Data\MSN6
[2012/06/22 20:42:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Rick\Desktop\RK_Quarantine
[2012/06/22 20:38:23 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Rick\Recent
[2012/06/21 21:59:48 | 000,596,992 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Rick\Desktop\OTL.exe
[2012/06/06 12:14:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2012/06/03 20:17:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2012/06/03 20:16:23 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2012/06/03 20:12:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Apple Computer
[2012/06/03 20:11:43 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2012/06/03 20:02:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickTime
[2012/06/03 20:02:17 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/06/23 17:07:15 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/06/23 17:04:00 | 000,000,428 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{8194FAB8-47E9-45C7-824B-B5F660D581C0}.job
[2012/06/23 16:59:07 | 000,001,158 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/06/23 16:59:02 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/06/23 16:58:43 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/06/23 16:58:42 | 1601,753,088 | -HS- | M] () -- C:\hiberfil.sys
[2012/06/23 14:19:40 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2012/06/23 13:45:26 | 000,000,244 | ---- | M] () -- C:\sqmnoopt18.sqm
[2012/06/23 13:45:26 | 000,000,232 | ---- | M] () -- C:\sqmdata17.sqm
[2012/06/20 19:25:28 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Rick\Desktop\OTL.exe
[2012/06/18 19:30:51 | 000,000,761 | R-S- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/06/13 05:17:05 | 000,356,160 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/06/12 21:14:25 | 000,468,704 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/06/12 21:14:25 | 000,079,128 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/06/12 21:06:23 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/06/10 17:52:18 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\Rick\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2012/06/06 12:14:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/06/03 20:17:24 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/05/27 16:20:46 | 000,000,059 | ---- | M] () -- C:\WINDOWS\wpd99.drv
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/06/23 13:45:26 | 000,000,244 | ---- | C] () -- C:\sqmnoopt18.sqm
[2012/06/23 13:45:26 | 000,000,232 | ---- | C] () -- C:\sqmdata17.sqm
[2012/06/22 20:50:04 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\Rick\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2012/06/22 20:50:04 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\Rick\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/06/22 20:50:04 | 000,000,800 | ---- | C] () -- C:\Documents and Settings\Rick\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/06/22 20:50:04 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\Rick\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2012/06/22 20:50:04 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\Rick\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2012/06/22 20:50:01 | 000,001,846 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\MSN Explorer.lnk
[2012/06/22 20:50:01 | 000,001,698 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/06/22 20:50:01 | 000,001,605 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Works Task Launcher.lnk
[2012/06/22 20:50:00 | 000,002,387 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Money 2003.lnk
[2012/06/22 20:49:58 | 000,002,347 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 9.lnk
[2012/06/22 20:49:58 | 000,001,830 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Apple Software Update.lnk
[2012/06/21 21:54:35 | 1601,753,088 | -HS- | C] () -- C:\hiberfil.sys
[2012/06/03 20:17:24 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/06/03 19:51:04 | 000,000,284 | ---- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/09/15 22:04:01 | 000,000,129 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2011/04/02 17:25:14 | 000,080,808 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/09/04 14:50:41 | 000,001,664 | -H-- | C] () -- C:\WINDOWS\lsrslt.ini

========== LOP Check ==========

[2007/06/24 18:00:15 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2010/05/21 20:56:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GARMIN
[2010/04/07 16:48:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Leapfrog
[2009/02/08 23:23:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\muvee Technologies
[2012/05/27 16:20:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2009/03/01 21:15:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/07/09 18:40:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WindowsLiveInstaller
[2010/12/28 23:05:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2007/06/07 22:32:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\.BitTornado
[2011/08/27 20:08:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\calibre
[2011/10/10 12:04:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\Canon
[2007/06/08 21:31:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\IsolatedStorage
[2009/02/25 21:12:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\muvee Technologies
[2010/07/14 22:28:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\OpenDNS Updater
[2007/09/16 19:08:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\pdf995
[2008/08/23 21:21:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\Regen
[2009/01/25 16:17:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\Sparx Systems
[2012/06/10 17:51:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Rick\Application Data\uTorrent
[2012/06/23 17:04:00 | 000,000,428 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{8194FAB8-47E9-45C7-824B-B5F660D581C0}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 173 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F4CE9946

< End of report >
  • 0

#8
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Could you do the following please

Run Combofix and ensure the recovery console is installed as we will need to work outside of windows to remove the infection

I need you to download:
gparted-live-0.10.0-3.iso (115.1 MB)

Create a bootable CD, for Gparted from the ISO image.

You can use ImgBurn do this.

Now boot off of the newly created Gparted CD.

Posted Image

You should be here... Press ENTER

Posted Image

By default, "do not touch keymap" is highlighted.
Leave this setting alone and just press ENTER.

Posted Image

Choose your language and press ENTER. English is default [33]

Posted Image

Once again, at this prompt, press ENTER
You will now be taken to the main GUI screen below

Posted Image

According to your logs, the partition that you want to delete is 10 MB

Click the trash can icon to delete and then click Apply.

You should now be here confirming your actions:

Posted Image

Now you should be here:

Posted Image

Posted Image

Is "boot" next to your OS drive?
If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags

In the menu that pops up, place a checkmark in boot like the picture below:

Posted Image


Now double-click the Posted Image button.

You should receive a small pop up like this: Posted Image

Choose reboot and then press OK.
  • 0

#9
Rick1974

Rick1974

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
I downloaded ComboFix and GParted (plus created a bootable disc)

However, I can't copy ComboFix to the infected PC's desktop. Can I run this from another location?
Or is there something I can do to get write access to the desktop?

Thanks!
  • 0

#10
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
In that case go ahead with the Gparted portion to delete the bad partition
  • 0

Advertisements


#11
Rick1974

Rick1974

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Ok, I following your instructions. I'm not sure if the bad partition was deleted though. After I deleted it, there was still a line there showing 10 MB.
The main OS is set to boot now.

When I reboot into Windows, I'm getting the same error messages I described in my original post.
  • 0

#12
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Could you run Roguekiller shorcut fix again please - that should show if the partition has gone

Then run combofix
  • 0

#13
Rick1974

Rick1974

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
I re-ran RogueKiller. Results are below.

Still can't copy ComboFix to the desktop. It seems the custom OTL fix I ran earlier fixed the desktop but it has since reverted back to the original (problematic) state.

RogueKiller V7.5.4 [06/07/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Rick [Admin rights]
Mode: Shortcuts HJfix -- Date: 06/24/2012 17:07:37

¤¤¤ Bad processes: 2 ¤¤¤
[SUSP PATH] cshesv.dll -- C:\Documents and Settings\Rick\Application Data\cshesv.dll -> KILLED [TermProc]
[SUSP PATH] LFJGJxpDcfY.exe -- C:\Documents and Settings\All Users\Application Data\LFJGJxpDcfY.exe -> KILLED [TermProc]

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 45 / Fail 0
Quick launch: Success 6 / Fail 0
Programs: Success 32149 / Fail 0
Start menu: Success 307 / Fail 0
User folder: Success 19432 / Fail 0
My documents: Success 25615 / Fail 0
My favorites: Success 65 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 115431 / Fail 0
Backup: [FOUND] Success 0 / Fail 201

Drives:
[A:] \Device\Floppy0 -- 0x2 --> Skipped
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped
[E:] \Device\HarddiskVolume2 -- 0x3 --> Restored

¤¤¤ Infection : Rogue.FakeHDD ¤¤¤

Finished : << RKreport[5].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt
  • 0

#14
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Could yo do the following please as I need to ensure that the partition has gone,

Go Start > Run and type in the following command :

diskmgmt.msc

This will open your disc manager could you expand it and then take a screenshot to post here

Download aswMBR.exe ( 4.8mb ) to your desktop.
Double click the aswMBR.exe to run it Click the "Scan" button to start scan

Posted Image

On completion of the scan click save log, save it to your desktop and post in your next reply

Posted Image
  • 0

#15
Rick1974

Rick1974

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
The diskmgmt.msc screen shot is attached. Not sure how to embed in this editor (Insert Image is asking for a URL address).diskmgmt.gif

My desktop is all black and no shortcuts are showing. However, whe I go to Windows Explorer and navigate to folder C:\Documents and Settings\Rick\Desktop, I can see my shortcuts.


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-06-25 18:43:09
-----------------------------
18:43:09.859 OS Version: Windows 5.1.2600 Service Pack 3
18:43:09.859 Number of processors: 1 586 0x209
18:43:09.859 ComputerName: HOMEPC3 UserName: Rick
18:43:10.359 Initialize success
18:51:16.609 AVAST engine defs: 12062501
18:51:28.296 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
18:51:28.296 Disk 0 Vendor: WDC_WD800LB-60DNA1 81.07A81 Size: 76319MB BusType: 3
18:51:28.296 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
18:51:28.296 Disk 1 Vendor: ST340016A 3.19 Size: 38166MB BusType: 3
18:51:28.312 Disk 0 MBR read successfully
18:51:28.312 Disk 0 MBR scan
18:51:28.343 Disk 0 Windows XP default MBR code
18:51:28.343 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76308 MB offset 63
18:51:28.359 Disk 0 scanning sectors +156280320
18:51:28.437 Disk 0 scanning C:\WINDOWS\system32\drivers
18:51:45.031 Service scanning
18:51:45.656 Service ACPI C:\WINDOWS\System32\DRIVERS\ACPI.sys **LOCKED** 32
18:52:16.796 Modules scanning
18:52:35.703 Disk 0 trace - called modules:
18:52:35.718 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8a530139]<<
18:52:35.718 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a606ab8]
18:52:35.718 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\00000051[0x8a63a030]
18:52:35.718 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8a5f3d98]
18:52:36.125 AVAST engine scan C:\WINDOWS
18:52:54.562 AVAST engine scan C:\WINDOWS\system32
18:56:19.000 AVAST engine scan C:\WINDOWS\system32\drivers
18:56:40.359 AVAST engine scan C:\Documents and Settings\Rick
18:59:09.312 File: C:\Documents and Settings\Rick\Desktop\RK_Quarantine\ajIlqwSkbUSE.exe.vir **INFECTED** Win32:FakeAlert-CRZ [Trj]
18:59:09.625 File: C:\Documents and Settings\Rick\Desktop\RK_Quarantine\LFJGJxpDcfY.exe.vir **INFECTED** Win32:FakeAV-DNZ [Trj]
18:59:15.375 File: C:\Documents and Settings\Rick\Local Settings\Application Data\aewrp.exe **INFECTED** Win32:FakeAlert-CSL [Adw]
19:00:27.515 File: C:\Documents and Settings\Rick\Local Settings\temp\i76RojH.exe **INFECTED** Win32:FakeAlert-CSL [Adw]
19:15:08.921 File: C:\Documents and Settings\Rick\My Documents\Downloads\unconfirmed 23966.crdownload **INFECTED** Win32:MalOb-EO [Cryp]
19:15:09.078 File: C:\Documents and Settings\Rick\My Documents\Downloads\unconfirmed 29671.crdownload **INFECTED** Win32:MalOb-EO [Cryp]
19:15:09.234 File: C:\Documents and Settings\Rick\My Documents\Downloads\unconfirmed 42861.crdownload **INFECTED** Win32:MalOb-EO [Cryp]
19:15:09.406 File: C:\Documents and Settings\Rick\My Documents\Downloads\unconfirmed 59001.crdownload **INFECTED** Win32:MalOb-EO [Cryp]
19:15:09.593 File: C:\Documents and Settings\Rick\My Documents\Downloads\unconfirmed 86906.crdownload **INFECTED** Win32:MalOb-EO [Cryp]
19:25:00.500 AVAST engine scan C:\Documents and Settings\All Users
19:25:12.671 File: C:\Documents and Settings\All Users\Application Data\LFJGJxpDcfY.exe **INFECTED** Win32:FakeAV-DNZ [Trj]
19:39:53.546 Scan finished successfully
19:48:16.109 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Rick\Desktop\MBR.dat"
19:48:16.125 The log file has been saved successfully to "C:\Documents and Settings\Rick\Desktop\aswMBR.txt"
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP