Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan Guarder... anything else?


  • Please log in to reply

#1
MS-Free

MS-Free

    Member

  • Member
  • PipPipPip
  • 425 posts
Full disclosure: this is not my system, it was basically handed to me saying "Can you fix it?" So I don't know anything about the system history. I have also been a part of the "GeekU" program, working on the last PL as a Junior, before I ran out of time.

One glance at the system and its fairly apparent that its infected. "Trojan Guarder" screamed Rogue, not just in name, but also in looks and behavior. I would love to try to take this thing out manually (if there was some way I could create a VM that would preserve the state of infection, I'd mess around with it that way... but I digress), but its not my system.

I ran a MBAM scan (from safemode... when I try to run it under normal conditions it complains about a file being out of date, forget the name, but it was something with a .ocx extension.)

I also noticed an odd symptom when I tried to "Save as.." the OTL log (b/c I wasn't sure/forgot where the file would be saved) that I also received an error there.

It appears this infection has a defense mechanism of preventing the execution of other scanners/removers, since I also tried running the 2 other scanners I inherited with the system (Spyware Terminator and SpySubtract.)

I did try to do a MSE install ("normally") but it failed, complaining of not having some "roller package". I don't know whether it would be worth trying again from safe mode.

Also - this is not connected to any network, and while I might be able to connect it to a network, it will be many, many times easier if I don't.

Enough editorializing, here are the logs:

OTL logfile created on: 6/27/2012 12:31:35 PM - Run 1
OTL by OldTimer - Version 3.2.53.0 Folder = E:\
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.30 Mb Total Physical Memory | 303.73 Mb Available Physical Memory | 60.35% Memory free
1.20 Gb Paging File | 1.06 Gb Available in Paging File | 88.25% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 178.70 Gb Total Space | 171.03 Gb Free Space | 95.71% Space Free | Partition Type: NTFS
Drive D: | 7.59 Gb Total Space | 2.17 Gb Free Space | 28.58% Space Free | Partition Type: FAT32
Drive E: | 1.86 Gb Total Space | 1.33 Gb Free Space | 71.56% Space Free | Partition Type: FAT

Computer Name: YOUR-4F1261A8E5 | User Name: HP_Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/06/27 17:18:56 | 000,596,992 | ---- | M] (OldTimer Tools) -- E:\OTL.exe
PRC - [2010/09/11 00:41:20 | 002,500,552 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
PRC - [2010/08/11 02:41:46 | 000,712,704 | ---- | M] (AntiVirus) -- C:\Program Files\Trojan Guarder\Trojan Guarder.exe
PRC - [2010/01/14 17:08:16 | 000,378,128 | ---- | M] (PC Tools) -- C:\Program Files\ThreatFire\TFTray.exe
PRC - [2005/02/17 02:03:44 | 000,032,881 | ---- | M] () -- C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
PRC - [2004/10/14 01:17:06 | 002,742,272 | ---- | M] (RealTek Semicoductor Corp.) -- C:\WINDOWS\ALCWZRD.EXE
PRC - [2004/10/13 23:01:50 | 000,077,824 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2004/08/04 13:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2005/02/17 02:03:44 | 000,032,881 | ---- | M] () -- C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/12/29 04:39:55 | 000,496,128 | ---- | M] (Crawler.com) [Auto | Stopped] -- C:\Program Files\Spyware Terminator\sp_rsser.exe -- (sp_rssrv)
SRV - [2010/09/11 00:41:42 | 001,901,056 | ---- | M] (COMODO) [Auto | Stopped] -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent)
SRV - [2010/01/14 17:08:12 | 000,070,928 | ---- | M] (PC Tools) [Auto | Stopped] -- C:\Program Files\ThreatFire\TFService.exe -- (ThreatFire)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\HSF_CNXT.sys -- (winachsf)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\smserial.sys -- (smserial)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\HSF_DP.sys -- (HSF_DP)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/06/27 12:30:50 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2010/09/11 00:40:54 | 000,091,560 | ---- | M] (COMODO) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\inspect.sys -- (Inspect)
DRV - [2010/09/11 00:40:52 | 000,239,240 | ---- | M] (COMODO) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\cmdGuard.sys -- (cmdGuard)
DRV - [2010/09/11 00:40:52 | 000,025,240 | ---- | M] (COMODO) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cmdhlp.sys -- (cmdHlp)
DRV - [2010/09/11 00:40:48 | 000,015,592 | ---- | M] (COMODO) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\cmderd.sys -- (cmderd)
DRV - [2010/01/14 17:08:30 | 000,059,664 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfSysMon.sys -- (TfSysMon)
DRV - [2004/10/14 02:33:20 | 002,287,104 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2004/08/04 15:31:36 | 000,032,768 | ---- | M] (SiS Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sisnic.sys -- (SISNIC)
DRV - [2004/06/29 19:07:18 | 001,268,204 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2004/03/18 02:10:40 | 000,113,664 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Hdaudio.sys -- (HdAudAddService)
DRV - [2003/09/19 11:47:00 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (Pfc)
DRV - [2002/10/04 19:04:10 | 000,046,976 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\R8139n51.sys -- (rtl8139)
DRV - [2001/06/04 15:00:00 | 000,014,112 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...lion&pf=desktop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...lion&pf=desktop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...lion&pf=desktop

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...lion&pf=desktop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...lion&pf=desktop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...lion&pf=desktop
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.1879: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.2.1939: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.872: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found



O1 HOSTS File: ([2004/08/04 20:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (HP view) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (HP view) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)
O3 - HKCU\..\Toolbar\WebBrowser: (HP view) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AlcWzrd] C:\WINDOWS\ALCWZRD.EXE (RealTek Semicoductor Corp.)
O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\Hdaudpropshortcut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe (Hewlett-Packard)
O4 - HKLM..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe ()
O4 - HKLM..\Run: [PS2] C:\WINDOWS\system32\ps2.EXE (Hewlett-Packard Company)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [regcmdcons] c:\hp\bin\cloaker.exe (Hewlett-Packard Co.)
O4 - HKLM..\Run: [Reminder] C:\Windows\Creator\Remind_XP.exe (SoftThinks)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe ()
O4 - HKLM..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe (PC Tools)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe (InterMute, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Trojan Guarder.lnk = C:\Program Files\Trojan Guarder\Trojan Guarder.exe (AntiVirus)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_03)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {FA010552-4A27-4cb1-A1BB-3E2D697F1639} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/02/17 03:05:32 | 000,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/27 14:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2010/12/28 20:57:34 | 000,000,000 | RHSD | M] - D:\AUTORUN.INF -- [ FAT32 ]
O33 - MountPoints2\{946850c5-1e27-11d9-baf0-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{946850c5-1e27-11d9-baf0-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{946850c5-1e27-11d9-baf0-806d6172696f}\Shell\AutoRun\command - "" = D:\setup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/06/27 12:30:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/06/27 12:30:39 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/06/27 12:30:39 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/06/27 12:29:18 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/06/27 12:30:50 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012/06/27 12:30:42 | 000,000,795 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/06/27 12:27:23 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/06/27 12:27:22 | 527,814,656 | -HS- | M] () -- C:\hiberfil.sys
[2012/06/27 11:21:56 | 000,381,692 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/06/27 11:21:56 | 000,053,436 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/06/25 20:14:34 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/06/27 12:30:42 | 000,000,795 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/06/27 12:27:22 | 527,814,656 | -HS- | C] () -- C:\hiberfil.sys
[2011/02/03 15:57:34 | 000,000,209 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2011/02/03 15:57:06 | 000,000,272 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2011/02/03 15:34:16 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2010/12/29 04:39:55 | 000,142,592 | ---- | C] () -- C:\WINDOWS\System32\drivers\sp_rsdrv2.sys
[2010/12/29 04:23:50 | 001,474,832 | ---- | C] () -- C:\WINDOWS\System32\drivers\sfi.dat
[2010/12/29 04:06:14 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\HP_Owner\Local Settings\Application Data\fusioncache.dat

< End of report >

OTL Extras logfile created on: 6/27/2012 12:31:35 PM - Run 1
OTL by OldTimer - Version 3.2.53.0 Folder = E:\
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.30 Mb Total Physical Memory | 303.73 Mb Available Physical Memory | 60.35% Memory free
1.20 Gb Paging File | 1.06 Gb Available in Paging File | 88.25% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 178.70 Gb Total Space | 171.03 Gb Free Space | 95.71% Space Free | Partition Type: NTFS
Drive D: | 7.59 Gb Total Space | 2.17 Gb Free Space | 28.58% Space Free | Partition Type: FAT32
Drive E: | 1.86 Gb Total Space | 1.33 Gb Free Space | 71.56% Space Free | Partition Type: FAT

Computer Name: YOUR-4F1261A8E5 | User Name: HP_Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Scan with SpySubtract...] -- "C:\Program Files\InterMute\SpySubtract\SpySub.exe" "-sc" "%1" (InterMute, Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%ProgramFiles%\iTunes\iTunes.exe" = %ProgramFiles%\iTunes\iTunes.exe:*:enabled:iTunes

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0C66761E-497A-4BE3-AE0D-8EC30FC9A9AA}" = PC-Doctor for Windows
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{14589F05-C658-4594-9429-D437BA688686}" = IntelliMover Data Transfer Demo
"{1A103D70-5C9B-4E1A-B306-5106C68F9914}" = Microsoft Plus! Dancer LE
"{1AD5F465-8282-4DAD-B957-E09C0B783D18}" = InstantShare
"{1F63ED0B-EDD2-4037-B6AB-1358C624AF48}" = Scan
"{20FBC0A0-3160-4F14-83ED-3A74BB6B8C31}" = TrayApp
"{21E75254-410E-49C4-8981-2E1A2A2221F2}" = HP Diagnostic Assistant
"{267868CE-6DFF-40F7-9C58-C01119B7B117}" = Fax
"{272EC8BA-5A08-4ea1-A189-684466A06B02}" = cp_dwShrek2Albums1
"{28CFF19D-B92C-4109-A427-F75505E81688}" = cp_dwSharkTaleAlbums1
"{2E8428AD-6CD2-4031-916A-3CF9BBF2DEC9}" = Unload
"{2FCE4FC5-6930-40E7-A4F1-F862207424EF}" = InterVideo WinDVD Creator
"{34A59AC3-6C5C-4A09-A7F5-369A37176C8A}" = AiOSoftware
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36FCD82D-1CED-436d-B33C-874EEC666D68}" = cp_dwSharkTaleCards1
"{3762DB2D-71BD-421F-9E55-C74DA7DF4D07}" = CueTour
"{3AE681E0-4E8D-453F-950A-48534D3C0724}" = Copy
"{3AEF2F6C-F1D3-47CD-BF3B-A327F1FABE58}" = PSPrinters06
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{4C04DF1B-6A39-4299-9DD1-1FA60000266E}" = HP Photosmart Cameras 4.0
"{55508A44-8225-47AB-9666-1F57A5B5CE2E}" = CP_PLSBusinessFlyers
"{5E8D588F-307C-4250-B622-26969027319A}" = PanoStandAlone
"{644D04A2-C682-4FD5-977D-03B804C4B9C5}" = CreativeProjects
"{646A65DD-23FC-418E-B9F0-E0500FB42CB1}" = PhotoGallery
"{64FC0C98-B035-4530-B15D-3D30610B6DF1}" = HP Software Update
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler
"{68963635-14A4-48D9-B431-DF3A74D1AAE1}" = Destinations
"{6B350CA4-0031-0002-3757-34999AD85AEC}" = InterVideo WinDVD Creator
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{724517BD-1DE1-4986-BFCA-C1DFD379E3BC}" = cp_dwShrek2Cards1
"{725249C3-B94C-4141-8799-0D3BA43D0812}" = CameraDrivers
"{7B98685A-4E21-4A4F-A2D6-DC557042BADA}" = HPIZplus450
"{8105684D-8CA6-440D-8F58-7E5FD67A499D}" = Easy Internet Sign-up
"{84CDF5A8-1D57-4B69-BAB6-1F11D8923375}" = SkinsHP1
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD Player
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{9CB2512B-3EC4-43DF-8002-46BDAB5EDD1B}" = QuickProjects
"{9EEBF8D5-8712-4D1D-88F4-4CDC2D270BC3}" = PrintScreen
"{A1062847-0846-427A-92A1-BB8251A91E91}" = HP PSC & OfficeJet 4.0
"{A2500497-FD32-493e-B8E5-28D6728DBEF5}" = Readme
"{A4EA3AB4-E78C-4286-96DF-26035507CE55}" = AiO_Scan
"{A5B9D22C-755A-4AC6-9904-875E80838BB6}" = CP_AtenaShokunin1Config
"{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}" = Photosmart 320,370,7400,8100,8400 Series
"{AC76BA86-0000-0000-0000-6028747ADE01}" = Adobe Acrobat - Reader 6.0.2 Update
"{AC76BA86-7AD7-1033-7B44-A00000000001}" = Adobe Reader 6.0.1
"{B103C8A7-D1CC-4B1A-BD41-883F652E097D}" = muvee autoProducer 3.5 magicMoments - HPD
"{B32C75F2-7495-4D01-9431-C11E97D66F8C}" = DocProc
"{B56D5B09-C4FB-4EA0-8EAD-7BC3E2715A2D}" = DocumentViewer
"{B911B811-BA3E-46D4-90F8-6F3338359651}" = Director
"{C3F058C0-A21C-452D-8D99-95B1A45F417D}" = InterVideo DiscLabel
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDFCF124-115F-4976-8BF4-08C89187A146}" = WebReg
"{D0122362-6333-4DE4-93F6-A5A2F3CC101A}" = HP Organize
"{D0420D64-8D33-4374-A2B2-9225C7925CA6}" = HP Image Zone Plus 4.5.3
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{E0343A4C-2FFD-4CCB-B0EB-5DE9F0E2A083}" = LS_HSI
"{EC8673DA-F96B-497E-B2DB-BC7B029FD680}" = BufferChm
"{F419D20A-7719-4639-8E30-C073A040D878}" = HP Deskjet Preloaded Printer Drivers
"{FC22D020-3005-4715-8DF9-F3EDE81DEB3D}" = CreativeProjectsTemplates
"{FD8E178D-8B4E-42DA-B434-EFF270329B1C}" = COMODO Internet Security
"3554AA4B-9B0B-451a-A269-2B5F53982209_is1" = ThreatFire
"36317AE4-57EC-4F3E-B828-009A3DD96BE8" = Polar Bowler from Hewlett-Packard Desktops (remove only)
"3F34F72F-9BB0-4B73-8312-558953ACF56F" = Super Granny from Hewlett-Packard Desktops (remove only)
"58D1A004-6D3C-480A-9E0D-FAA58F3C2A62" = Blackhawk Striker 2 from Hewlett-Packard Desktops (remove only)
"62067F4C-84A9-45B9-8573-B90468B0A3EF" = Orbital from Hewlett-Packard Desktops (remove only)
"6723E59E-322A-417A-8E03-27A61E18253C" = Overball from Hewlett-Packard Desktops (remove only)
"6B60434A-ABE1-48FF-906B-0EA67087AB25" = Road Ready Streetwise from Hewlett-Packard Desktops (remove only)
"703E3900-69DA-47C9-9768-C6514098F149" = Shrek 2 Ogre Bowler from Hewlett-Packard Desktops (remove only)
"8C4E79CC-03E1-43AA-9910-9A5113F24603" = Blasterball 2 from Hewlett-Packard Desktops (remove only)
"Agere Systems Soft Modem" = Agere Systems PCI Soft Modem
"B151D9AC-5E4E-4AD0-96C9-5A6C9EC23502" = Blasterball 2 Remix from Hewlett-Packard Desktops (remove only)
"B2D3332F-EA2D-42B3-8E4A-F74D052BCBC1" = Polar Golfer from Hewlett-Packard Desktops (remove only)
"BackWeb-309731 Uninstaller" = Updates from HP
"D11F7128-8CBD-408B-8BF8-034604DEDD42" = Bounce Symphony from Hewlett-Packard Desktops (remove only)
"DAE7A92A-BAC7-42FA-AC62-53DEF1DC4292" = Crystal Maze from Hewlett-Packard Desktops (remove only)
"F5215F01-DFC0-475D-A910-6F1AF94E807E" = Tradewinds from Hewlett-Packard Desktops (remove only)
"ffdshow_is1" = ffdshow [rev 3274] [2010-02-19]
"HaaliMkx" = Haali Media Splitter
"Help and Support Additions" = Help and Support Additions
"Hoyle Card Games 5" = Hoyle Card Games 5
"HP Photo & Imaging" = HP Image Zone 4.5.3
"InstallShield_{0C66761E-497A-4BE3-AE0D-8EC30FC9A9AA}" = PC-Doctor for Windows
"InstallShield_{8105684D-8CA6-440D-8F58-7E5FD67A499D}" = Easy Internet Sign-up
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"PS2" = PS2
"Python 2.2.3" = Python 2.2.3
"pywin32-py2.2" = Python 2.2 pywin32 extensions (build 203)
"QuickTime" = QuickTime
"RealPlayer 6.0" = RealPlayer
"SpySubtract" = SpySubtract
"Spyware Terminator_is1" = Spyware Terminator
"Trojan Guarder_is1" = Trojan Guarder 6.92
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10

========== Last 10 Event Log Errors ==========

Error: Unable to start EventLog service!

< End of report >


Here's the MBAM log, though it doesn't appear to have anything too useful in it:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5363

Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 6.0.2900.2180

6/27/2012 11:44:56 AM
mbam-log-2012-06-27 (11-44-43).txt

Scan type: Full scan (C:\|)
Objects scanned: 184794
Time elapsed: 19 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\trojan guarder\bttom.jpg (Extension.Mismatch) -> No action taken.
  • 0

Advertisements


#2
Nedklaw

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hello, MS-Free! :wave:

:welcome: I'm Nedklaw and I'll be glad to help you with your malware issues. :)

I am currently still in training and my posts have to be approved by an expert so please expect a delay between my posts.

These instructions are specifically designed for MS-Free only. No one else should follow these instructions because it can cause serious damage to your computer.

Before we start to clean your computer of malware, please read through the following points to help me and you, and prevent damage to your computer:
  • Please completely read through all of the instructions given to you before attempting to follow them. Reading too lightly will cause you to miss important steps, which could have DESTRUCTIVE effects. If you can't perform a certain step or you are unsure about what to do, let me know!
  • Don't be afraid to ask questions! If you are unsure about anything, ask me! No question is considered stupid here!
  • Be patient with me, logs can take some time to research and my life can mean that I'm busy.
  • Please copy and paste all logs into your reply. Do not attach logs to a post unless I tell you to or if they don't fit in the post.
  • If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • NEVER fix anything in OTL or other programs on your own! This can be very dangerous and cause harm to your system.
  • Refrain from running any other tools apart from the ones I tell you to.
Note: You should save or print out my instructions for easy reference, as part of the fix may be in Safe Mode and you won't be able to access GeeksToGo.


I am currently reviewing your logs and I will post back soon.
  • 0

#3
Nedklaw

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)


Step 1

  • Download RogueKiller and save it on your desktop.
  • Quit all programs.
  • Start RogueKiller.exe.
  • Note: If RogueKiller has been blocked, do not hesitate to try several times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.
  • Wait until the Prescan has finished.
  • Click on Scan.

    Posted Image
  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
  • The report has been created on the desktop.

Step 2

Please uninstall the following programs via Control Panel > Add/Remove Programs (if present):

  • Adobe Reader 6.0.1
  • Adobe Acrobat - Reader 6.0.2 Update
  • Java 2 Runtime Environment, SE v1.4.2_03
  • SpySubtract
  • Spyware Terminator
  • ThreatFire
  • Trojan Guarder 6.92

You are running too many antivirus/anti-spyware programs. This is not a good idea as this can cause problems such as slowness in computer speed, conflicts and cause more vulnerability to infection. Comodo Internet Security can do a sufficent job of removing malware on it's own. Only keep the programs if you have a paid subscription for them.


Step 3

If you have the paid version of Malwarebytes 1.6 or later installed, please disable it for the duration of this run.

To disable MBAM

Open the scanner and select the Protection tab.
Remove the tick from Start protection module with Windows.
Reboot and then run OTL.

Posted Image


Run OTL.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    :Commands 
    [CREATERESTOREPOINT] 
    
    :OTL 
    O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Trojan Guarder.lnk = C:\Program Files\Trojan Guarder\Trojan Guarder.exe (AntiVirus)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_03)
    O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_03)
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    
    :Files
    C:\Program Files\Trojan Guarder
    ipconfig /flushdns /c
    
    :Commands]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot the PC when it is done.
  • Post the log that appears upon reboot in your next reply.
  • If no log appears upon reboot, the OTL Fix log should be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date and the time of the tool run.

Step 4

Please download and install Service Pack 3 from here.
I strongly recommend you update to Windows XP Service Pack 3. SP3 contains critical patches and updates which make your computer less vunerable to malware.
The update can take around an hour to install and your computer may restart several times during the installation.


Step 5

Posted Image
Internet Explorer 8 - I recommend you upgrade to Internet Explorer 8. This version provides security fixes which make your computer less vunerable to malware attacks. This version also includes enhanced features which can make your web browsing a more enjoyable experience. Microsoft are even running a campaign to abolish Internet Explorer 6.


Step 6

  • Open OTL again and select the "Scan All Users" box.
  • Click the Quick Scan button. Post the log it produces in your next reply.

Things I want to see in your next reply

  • All RKreport.txt files
  • OTL Fix Log
  • OTL.txt

  • 0

#4
MS-Free

MS-Free

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 425 posts
Congrats on making it to GeekU Senior - I think you were working on a Live Log last time I was active... still want to get back and complete the program at some point.

Three symptoms I forgot to report with my initial posting (mostly because I didn't notice them until now... sorry), and have still not yet been resolved/fixed:
  • Open applications do not show in the task bar
  • I cannot copy/paste files via the right click context menu (I opened a command prompt to copy RogueKiller to the desktop).
  • Shortly after boot, SpySubtract encounters an error throwing up the "...Encountered an Error and had to close... submit error report?" Dialog.
  • Not new - but I still can't launch MBAM.

You are running too many antivirus/anti-spyware programs. This is not a good idea as this can cause problems such as slowness in computer speed, conflicts and cause more vulnerability to infection. Comodo Internet Security can do a sufficent job of removing malware on it's own. Only keep the programs if you have a paid subscription for them.

I like your "Too much antivirus" speech - short and to the point. However, I can't seem to get rid of any of them, each producing "An error ocured while trying to remove SpySubtract. It may hve already been removed. Would you like to remove SpySubtract from the Add or Remove programs list?" Replacing SpySubtract with Spy Terminator or Threat Fire.

  • Adobe Reader 6.0.1
  • Adobe Acrobat - Reader 6.0.2 Update
  • Java 2 Runtime Environment, SE v1.4.2_03
Am I just removing these because there horribly out of date and I need to get more current versions? Regardless, trying to uninstall any of these produces the following error message:

Acrobat-6-2-error.PNG

Perhaps ironically the only thing that uninstalled without error was Trojan Guarder. That disappeared from the Add/remove list without a fight. However, after a reboot (the system was claiming the USB drive was in use when I tried to eject it, so I rebooted to safely release control) it started right back up again.

Please download and install Service Pack 3 from here.
I strongly recommend you update to Windows XP Service Pack 3. SP3 contains critical patches and updates which make your computer less vunerable to malware.
The update can take around an hour to install and your computer may restart several times during the installation.

Before I take the time to do that, I need know one thing: If you follow the link, Microsoft calls it a "Network Installation Package". Is that going to expect/need a network connection in order to complete? I would hate to get half-way through it and then be unable to complete the process because its looking for a network connection, causing the machine to be in a less functional state, because the versions on key system files don't agree.

By the way... there was a typo in your custom scan/fix - there's an extra right square bracket after the second ":command" - I fixed this before executing though.

OTL seemed to take out the visual representation of the infection, but the paste option is still grayed out. There's a third RogueReport because after running it, I noticed that when I tried to close "Trojan Guarder" it just minimized itself to the system tray, instead of actually exiting completely (if it even does...) after closing it from the system tray, I ran RogueKiller once more just to make sure that the Trojan Guarder's presence on the System Tray was affecting anything (doesn't appear to have).

Through step 3, here are your results:

RogueKiller V7.6.1 [06/28/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: HP_Owner [Admin rights]
Mode: Scan -- Date: 06/28/2012 21:00:12

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 1 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 22e2a1c4f1b52a7ea91649d2cc3c1439
[BSP] a231b9e8a5c0d46ead9d886d8d901878 : Toshiba tatooed MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 7788 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 15951600 | Size: 182990 Mo
Error reading LL1 MBR!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt

RogueKiller V7.6.1 [06/28/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: HP_Owner [Admin rights]
Mode: Remove -- Date: 06/28/2012 21:01:17

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 1 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 22e2a1c4f1b52a7ea91649d2cc3c1439
[BSP] a231b9e8a5c0d46ead9d886d8d901878 : Toshiba tatooed MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 7788 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 15951600 | Size: 182990 Mo
Error reading LL1 MBR!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt


RogueKiller V7.6.1 [06/28/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: HP_Owner [Admin rights]
Mode: Scan -- Date: 06/28/2012 21:03:16

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 22e2a1c4f1b52a7ea91649d2cc3c1439
[BSP] a231b9e8a5c0d46ead9d886d8d901878 : Toshiba tatooed MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 7788 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 15951600 | Size: 182990 Mo
Error reading LL1 MBR!
Error reading LL2 MBR!

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt


All processes killed
========== COMMANDS ==========
System Restore Service not available.
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Trojan Guarder.lnk moved successfully.
C:\Program Files\Trojan Guarder\Trojan Guarder.exe moved successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
========== FILES ==========
C:\Program Files\Trojan Guarder folder moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Could not flush the DNS Resolver Cache: Function failed during execution.
E:\cmd.bat deleted successfully.
E:\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 175564 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: All Users

User: Default User
->Temp folder emptied: 11724 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: HP_Owner
->Temp folder emptied: 121919788 bytes
->Temporary Internet Files folder emptied: 38013668 bytes

User: LocalService
->Temp folder emptied: 65536 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 75616 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 659420 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 11784417 bytes
RecycleBin emptied: 1830 bytes

Total Files Cleaned = 165.00 mb


OTL by OldTimer - Version 3.2.53.0 log created on 06282012_214136

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
  • 0

#5
Nedklaw

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)
Thank you, I've been in Check My Fix for approximatly a year now.

Yes, I want you to uninstall Adobe Reader and Java for now because they are out of date and they make your computer more vunerable to infection. I will get you to install the latest versions after we have fixed some of your problems.

You can still download and install SP3. Your computer doesn't have to be on a network. The only thing needed is an internet connection. It is called a "Network Installation Package" because it can be used to install SP3 on multiple computers on a network.


Step 1

It looks like there is a problem with the Windows Installer service.

Download Windows Repair (all in one) from this site.

Install the program then let it run.

Posted Image


Go to Step 3 and allow it to run System File Checker.

Posted Image


On the Start Repairs tab click Start.

Posted Image


Select the following items plus Repair MSI (Windows Installer) and tick Restart System When Finished then click Start.

Posted Image


Can you now uninstall the 6 programs?


Step 2

Download the script file here.
Double-click xp_taskbar_desktop_fixall.vbs and you will be notified when the script has done.
Can you now see programs in your taskbar?


Step 3

Download the reg file here.
Double-click contextmenu.reg and confirm the prompts.
Can you now copy and paste via the right-click context menu?


Things I want to see in your next reply

  • Answers to my questions

  • 0

#6
MS-Free

MS-Free

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 425 posts

You can still download and install SP3. Your computer doesn't have to be on a network. The only thing needed is an internet connection. It is called a "Network Installation Package" because it can be used to install SP3 on multiple computers on a network.

Okay. Let me clarify myself. I use "Network" as a broader term then just LAN. The internet is still a Network... So will Microsoft require a working Internet connection in order to perform a proper upgrade.

No dice on Tweaking.com Windows Repair. Error when trying to run it:

Failed to load control 'lvButtons_H' from . Your version of may be outdated. Make sure you are using the version of the control that was provided with your application.

(Forgot that the forum software condenses white space. There should be 2 spaces between "version of" and "may be outdated." Also 2 space after the period.)

No luck with your VB script either.

Your registry file appeared to run okay... got the "Do you want to add the contents of [file] to the registry." "Contents added to registry successfully."

However, even after a reboot no change.
  • 0

#7
Nedklaw

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)
You need a working internet connection in order to download the installation file. An internet connection isn't needed when you actually install the service pack.
Alternatively, if you don't have a proper working internet connection then download the installation file onto a flash drive from a clean computer, transfer it over to the sick computer and then run the file.


Step 1

The error you received when running Windows Repair is unusual as the buttons are built into the program.
Download and install the VB6 runtimes here and let me know if it helps you to run the program.


Step 2

  • Click Start.
  • Select All Programs.
  • Select Accessories.
  • Right click Command Prompt and select Run as Administrator.
  • Type in the black box sfc /scannow and press Enter.
  • Once done reboot and let me know of the result
.
  • 0

#8
MS-Free

MS-Free

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 425 posts

An internet connection isn't needed when you actually install the service pack.

That's all I needed to hear. I've been transferring files via flash drive this whole time.
Now that that's been cleared up, do you want me to upgrade now, or do you want me to wait until everything else is resolved?

My guess is VB6 probably would help run the application... if I extracted it to the right place... but I'm not used to VB, so I don't know where the package should be extracted to. And Microsoft's Instructions aren't much clearer or more helpful. Paraphrased, all M$ says is: "Create a directory and extract it there..." Great! And then it will just suddenly work? I created a directory in the root for "VB6"... running the install only created 1 file there... run that file... I think it changed/modified maybe 2 files... but No change for Windows Repair.

Does "sfc" leave any sort of log/report? From what I can see it made no difference here.

By the way... "Run As Administrator..." is a Vista/7 concept.
  • 0

#9
Nedklaw

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)
It looks like we are going to have to do a repair install on the system. The Windows XP repair feature won't delete your data, installed programs, personal information, or settings. It just repairs the operating system!

I would still suggest backing up your data just in case something goes wrong. There are some suggestions here on how you can backup your data.

The page here gives you some more information about a repair install and instructions on how to do one.

Let me know how you get on! :thumbsup:
  • 0

#10
MS-Free

MS-Free

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 425 posts
Eeek! What seemed like a simple, quick infection, is turning into a comedy of errors.

AFter digging around, I was finally able to find an XP recovery/re-install disk (it came with an old dell, unfortunately, since it doesn't appear HP actually shipped an XP disk). I followed the instructions for doing a repair... and it erred out (initial error i think had something to do with failing to retrieve program libraries, or something like that), and failed to complete.

Update: HP seems to have there own recovery methods, and after performing a non-destructive recovery, and going through the install prompts, the systems behaving like a normal PC should (but Trojan Guarder is back in the start menu, but it isn't starting on boot...)

Upgraded to sp3, and then I will try to remove the excess Antivirus software.

Edited by MS-Free, 06 July 2012 - 08:20 PM.

  • 0

#11
Nedklaw

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)
A Dell disk won't work on a HP computer. It will look in the BIOS and see it is not a Dell machine. You have to use a HP disk on a HP computer.
What exact procedure did you go through to repair the computer?


Step 1

Posted Image
  • Go to this site and click Do I have Java.
  • It will check your current version and then offer to update to the latest version.

Step 2

Posted Image
Adobe Reader - It's important to keep Adobe Reader updated because many security problems are fixed with updates.
Go to this site and download the latest version of Adobe Reader (10.1.3).


Step 3

Posted Image
Internet Explorer 8 - Ensure you have Internet Explorer 8 installed. This version provides security fixes which make your computer less vunerable to malware attacks. This version also includes enhanced features which can make your web browsing a more enjoyable experience. Microsoft are even running a campaign to abolish Internet Explorer 6.


Step 4

  • Open OTL again and select the "Scan All Users" box.
  • Click the Quick Scan button. Post the log it produces in your next reply.

Things I want to see in your next reply

  • Answer to my question
  • OTL.txt

  • 0

#12
MS-Free

MS-Free

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 425 posts
I noticed in the initial HP splash screen on boot (What do I call this... I don't think its part of the POST...) there was an option F10 for system Recovery... I took that and it led me to a "non-destructive" recovery process which took about 15 minutes.

Also - odd behavior which I couldn't explain - when I tried to save-as the OTL log I got the following message:

Common Dialog Error (0x3002)

Probably nothing, but a strange behavior none the less.

Also - you'll notice its running from the "J" drive... for whatever reason, the system appears (in Explorer, at least) to believe there's removable Drives E - I. Don't know what to make of that.

OTL logfile created on: 7/7/2012 5:46:31 PM - Run 1
OTL by OldTimer - Version 3.2.53.0 Folder = J:\
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.30 Mb Total Physical Memory | 247.88 Mb Available Physical Memory | 49.25% Memory free
1.20 Gb Paging File | 0.98 Gb Available in Paging File | 81.46% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 178.70 Gb Total Space | 169.54 Gb Free Space | 94.87% Space Free | Partition Type: NTFS
Drive D: | 7.59 Gb Total Space | 2.17 Gb Free Space | 28.60% Space Free | Partition Type: FAT32
Drive J: | 1.86 Gb Total Space | 0.93 Gb Free Space | 49.75% Space Free | Partition Type: FAT

Computer Name: YOUR-4F1261A8E5 | User Name: HP_Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/07/07 17:38:53 | 000,161,776 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2012/06/27 17:18:56 | 000,596,992 | ---- | M] (OldTimer Tools) -- J:\OTL.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/10/14 01:17:06 | 002,742,272 | ---- | M] (RealTek Semicoductor Corp.) -- C:\WINDOWS\ALCWZRD.EXE
PRC - [2004/10/14 01:00:10 | 000,057,344 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\ALCMTR.EXE
PRC - [2004/10/13 23:01:50 | 000,077,824 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2004/08/30 20:34:20 | 000,176,768 | ---- | M] (Symantec Corporation) -- c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
PRC - [2004/08/28 01:22:48 | 000,164,984 | ---- | M] (Symantec Corporation) -- c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2004/08/28 01:22:46 | 000,234,616 | ---- | M] (Symantec Corporation) -- c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
PRC - [2004/08/28 01:22:42 | 000,197,752 | ---- | M] (Symantec Corporation) -- c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2004/08/28 01:22:40 | 000,058,488 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2004/08/28 00:02:54 | 000,206,048 | ---- | M] (Symantec Corporation) -- c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
PRC - [2004/08/06 03:23:10 | 000,308,352 | ---- | M] (Symantec Corporation) -- c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
PRC - [2004/08/05 19:23:14 | 000,218,240 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe


========== Modules (No Company Name) ==========

MOD - [2004/10/08 19:43:10 | 000,196,608 | ---- | M] () -- c:\Program Files\HP\Digital Imaging\bin\HpqUtil.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2012/07/07 17:38:53 | 000,161,776 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2004/08/31 04:29:46 | 000,078,992 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- c:\Program Files\Norton Internet Security\ISSVC.exe -- (ISSVC)
SRV - [2004/08/30 20:34:20 | 000,176,768 | ---- | M] (Symantec Corporation) [Auto | Running] -- c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe -- (navapsvc)
SRV - [2004/08/28 01:22:48 | 000,164,984 | ---- | M] (Symantec Corporation) [Auto | Running] -- c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2004/08/28 01:22:48 | 000,078,968 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)
SRV - [2004/08/28 01:22:46 | 000,234,616 | ---- | M] (Symantec Corporation) [Auto | Running] -- c:\Program Files\Common Files\Symantec Shared\ccProxy.exe -- (ccProxy)
SRV - [2004/08/28 01:22:42 | 000,197,752 | ---- | M] (Symantec Corporation) [Auto | Running] -- c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2004/08/28 00:02:54 | 000,206,048 | ---- | M] (Symantec Corporation) [On_Demand | Running] -- c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2004/08/06 03:23:10 | 000,308,352 | ---- | M] (Symantec Corporation) [Auto | Running] -- c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe -- (SymWSC)
SRV - [2004/07/23 21:47:22 | 000,197,864 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe -- (SAVScan)
SRV - [2004/07/21 18:24:04 | 000,173,160 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\HSF_CNXT.sys -- (winachsf)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\smserial.sys -- (smserial)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\HSF_DP.sys -- (HSF_DP)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2004/11/17 11:00:00 | 000,629,544 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20041117.006\NAVEX15.SYS -- (NAVEX15)
DRV - [2004/11/17 11:00:00 | 000,072,712 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20041117.006\NAVENG.SYS -- (NAVENG)
DRV - [2004/10/14 02:33:20 | 002,287,104 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2004/08/28 00:02:28 | 000,266,464 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\symtdi.sys -- (SYMTDI)
DRV - [2004/08/28 00:02:26 | 000,025,824 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\symredrv.sys -- (SYMREDRV)
DRV - [2004/08/26 16:03:38 | 000,104,144 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2004/08/04 15:31:36 | 000,032,768 | ---- | M] (SiS Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sisnic.sys -- (SISNIC)
DRV - [2004/07/23 21:47:24 | 000,049,808 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- c:\Program Files\Norton Internet Security\Norton AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2004/07/23 21:47:22 | 000,335,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- c:\Program Files\Norton Internet Security\Norton AntiVirus\savrt.sys -- (SAVRT)
DRV - [2004/07/21 18:24:02 | 000,341,096 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2004/06/29 19:07:18 | 001,268,204 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2004/03/18 02:10:40 | 000,113,664 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Hdaudio.sys -- (HdAudAddService)
DRV - [2003/09/19 11:47:00 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (Pfc)
DRV - [2002/10/04 19:04:10 | 000,046,976 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\R8139n51.sys -- (rtl8139)
DRV - [2001/06/04 15:00:00 | 000,014,112 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...lion&pf=desktop
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3214942085-884137249-1358264841-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
IE - HKU\S-1-5-21-3214942085-884137249-1358264841-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
IE - HKU\S-1-5-21-3214942085-884137249-1358264841-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...lion&pf=desktop
IE - HKU\S-1-5-21-3214942085-884137249-1358264841-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...lion&pf=desktop
IE - HKU\S-1-5-21-3214942085-884137249-1358264841-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...lion&pf=desktop
IE - HKU\S-1-5-21-3214942085-884137249-1358264841-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.0: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.1879: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.2.1939: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.872: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



O1 HOSTS File: ([2004/08/04 20:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (CNavExtBho Class) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NAVShExt.dll (Symantec Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (Norton AntiVirus) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NAVShExt.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (HP view) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)
O3 - HKU\S-1-5-21-3214942085-884137249-1358264841-1009\..\Toolbar\ShellBrowser: (Norton AntiVirus) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NAVShExt.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-3214942085-884137249-1358264841-1009\..\Toolbar\ShellBrowser: (HP view) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)
O3 - HKU\S-1-5-21-3214942085-884137249-1358264841-1009\..\Toolbar\WebBrowser: (HP view) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AlcWzrd] C:\WINDOWS\ALCWZRD.EXE (RealTek Semicoductor Corp.)
O4 - HKLM..\Run: [ccApp] c:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\Hdaudpropshortcut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe (Hewlett-Packard)
O4 - HKLM..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe (Symantec Corporation)
O4 - HKLM..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [PS2] C:\WINDOWS\system32\ps2.EXE (Hewlett-Packard Company)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Reminder] C:\Windows\Creator\Remind_XP.exe (SoftThinks)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe (Symantec Corporation)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe (Symantec Corporation)
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3214942085-884137249-1358264841-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/02/17 03:05:32 | 000,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/27 14:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2010/12/28 20:57:34 | 000,000,000 | RHSD | M] - D:\AUTORUN.INF -- [ FAT32 ]
O33 - MountPoints2\{946850c5-1e27-11d9-baf0-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{946850c5-1e27-11d9-baf0-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{946850c5-1e27-11d9-baf0-806d6172696f}\Shell\AutoRun\command - "" = D:\setup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/07 17:43:17 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\IETldCache
[2012/07/07 17:41:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\WBEM
[2012/07/07 17:40:03 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2012/07/07 17:39:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2012/07/07 17:39:21 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/07/07 17:37:11 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2012/07/07 17:36:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2012/07/07 00:17:24 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/07/07 00:17:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\setup.pss
[2012/07/07 00:15:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2012/07/07 00:03:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en-us
[2012/07/07 00:03:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2012/07/07 00:03:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2012/07/07 00:03:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
[2012/07/07 00:01:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\ServicePackFiles
[2012/07/06 23:58:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\network diagnostic
[2012/07/06 23:53:27 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2012/07/06 23:53:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\EHome
[2012/07/06 23:42:13 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Recent
[2012/07/06 23:42:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Lang
[2012/07/06 23:42:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Local Settings\Application Data\LightScribe
[2012/07/06 23:41:08 | 000,000,000 | --SD | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\Microsoft
[2012/07/06 23:41:08 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\SendTo
[2012/07/06 23:41:08 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data
[2012/07/06 23:41:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\My Documents\My Videos
[2012/07/06 23:41:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\My Documents\My Pictures
[2012/07/06 23:41:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\My Documents\My Music
[2012/07/06 23:41:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\My Documents
[2012/07/06 23:41:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Favorites
[2012/07/06 23:41:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Start Menu\Programs\Accessories
[2012/07/06 23:41:08 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Cookies
[2012/07/06 23:41:08 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\PrintHood
[2012/07/06 23:41:08 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\NetHood
[2012/07/06 23:41:08 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Local Settings
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\Symantec
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\Sun
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\SampleView
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\Real
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Start Menu\Programs\Quicken
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Start Menu\Programs\PC Help & Tools
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Start Menu\Programs\Online Services
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Local Settings\Application Data\Microsoft
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\InterMute
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\Identities
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Desktop
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Local Settings\Application Data\ApplicationHistory
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Local Settings\Application Data\Apple Computer
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\Apple Computer
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142030}
[2012/07/06 23:41:07 | 000,000,000 | R--D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Start Menu\Programs\Startup
[2012/07/06 23:41:07 | 000,000,000 | R--D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Start Menu
[2012/07/06 23:41:07 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Templates
[2012/07/06 23:41:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\WINDOWS
[2012/07/06 23:41:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Start Menu\Programs\WeatherBug
[2012/07/06 23:39:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\RTCOM
[2012/07/06 22:22:32 | 000,000,000 | RHSD | C] -- C:\WINDOWS\System32\dllcache
[2012/07/05 09:04:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\dell
[2012/07/01 12:09:04 | 000,000,000 | ---D | C] -- C:\VB6
[2012/06/27 12:30:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/06/27 12:30:39 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/07/07 17:44:03 | 000,000,248 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.dat
[2012/07/07 17:43:44 | 000,000,826 | ---- | M] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/07/07 17:43:12 | 527,814,656 | -HS- | M] () -- C:\hiberfil.sys
[2012/07/07 17:43:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/07/07 17:38:05 | 000,001,745 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2012/07/07 00:17:32 | 000,382,022 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/07/07 00:17:32 | 000,053,640 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/07/07 00:17:31 | 000,000,283 | RHS- | M] () -- C:\boot.ini
[2012/07/07 00:16:06 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2012/07/07 00:15:39 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/07/07 00:15:12 | 000,175,464 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/07/07 00:13:12 | 000,002,639 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/07/06 23:58:08 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2012/07/06 23:42:57 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\Easy Internet Sign-up.job
[2012/07/06 23:42:48 | 000,000,745 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Easy Internet Sign-up.lnk
[2012/07/06 23:42:17 | 000,008,192 | ---- | M] () -- C:\WINDOWS\System32\edb.chk
[2012/07/06 23:42:12 | 000,000,603 | ---- | M] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Desktop\Register with HP.url
[2012/07/06 23:41:39 | 000,001,826 | RHS- | M] () -- C:\WINDOWS\System32\drivers\103C_HP_CPC_PS583AA-ABA a1020n_YC_0Pavi_QCNH515_E52NAheBLU1_47_IGoldfish3_SASUSTeK Computer INC._V1.xx_B3.19_T050310_WXH2_L409_M504_J200_7Intel_8Pentium 4_93.06_#050616_N10EC8139_Z11C1048C_G80862582.MRK
[2012/07/06 23:39:59 | 000,000,993 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2012/07/06 23:39:55 | 000,002,158 | ---- | M] () -- C:\WINDOWS\System32\ssmute.ini
[2012/07/06 23:38:52 | 000,000,213 | RHS- | M] () -- C:\BOOT.BAK
[2012/07/01 13:30:42 | 001,248,727 | ---- | M] () -- C:\WINDOWS\setupapi.old
[2012/06/27 13:46:01 | 000,001,919 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2012/06/27 12:30:42 | 000,000,795 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/07/07 17:38:05 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2012/07/07 17:38:05 | 000,001,745 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2012/07/07 00:17:30 | 000,000,213 | RHS- | C] () -- C:\BOOT.BAK
[2012/07/07 00:17:27 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/07/06 23:58:34 | 000,129,045 | ---- | C] () -- C:\WINDOWS\System32\drivers\cxthsfs2.cty
[2012/07/06 23:58:34 | 000,064,352 | ---- | C] () -- C:\WINDOWS\System32\drivers\ativmc20.cod
[2012/07/06 23:58:32 | 000,067,866 | ---- | C] () -- C:\WINDOWS\System32\drivers\netwlan5.img
[2012/07/06 23:42:49 | 000,000,278 | ---- | C] () -- C:\WINDOWS\tasks\Easy Internet Sign-up.job
[2012/07/06 23:42:17 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\edb.chk
[2012/07/06 23:42:12 | 000,000,603 | ---- | C] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Desktop\Register with HP.url
[2012/07/06 23:41:32 | 000,001,826 | RHS- | C] () -- C:\WINDOWS\System32\drivers\103C_HP_CPC_PS583AA-ABA a1020n_YC_0Pavi_QCNH515_E52NAheBLU1_47_IGoldfish3_SASUSTeK Computer INC._V1.xx_B3.19_T050310_WXH2_L409_M504_J200_7Intel_8Pentium 4_93.06_#050616_N10EC8139_Z11C1048C_G80862582.MRK
[2012/07/06 23:41:23 | 527,814,656 | -HS- | C] () -- C:\hiberfil.sys
[2012/07/06 23:41:12 | 000,001,643 | ---- | C] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2012/07/06 23:41:12 | 000,000,826 | ---- | C] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/07/06 23:41:12 | 000,000,753 | ---- | C] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickTime Player.lnk
[2012/07/06 23:41:11 | 000,002,235 | ---- | C] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Desktop\Help and Support.lnk
[2012/07/06 23:41:11 | 000,000,926 | ---- | C] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\Microsoft\Internet Explorer\Quick Launch\RealPlayer.lnk
[2012/07/06 23:41:11 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Local Settings\Application Data\fusioncache.dat
[2012/07/06 23:41:11 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2012/07/06 23:41:09 | 000,001,692 | ---- | C] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Start Menu\Programs\Install Microsoft Money 2005.lnk
[2012/07/06 23:41:09 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Start Menu\Programs\Remote Assistance.lnk
[2012/07/06 23:41:09 | 000,000,814 | ---- | C] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Start Menu\Programs\Internet Explorer.lnk
[2012/07/06 23:41:09 | 000,000,803 | ---- | C] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Start Menu\Programs\Windows Media Player.lnk
[2012/07/06 23:41:09 | 000,000,749 | ---- | C] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Start Menu\Programs\Outlook Express.lnk
[2012/07/06 23:39:51 | 000,001,830 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AOL®.lnk
[2012/06/27 13:46:01 | 000,001,919 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2012/06/27 12:30:42 | 000,000,795 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2011/02/03 15:57:34 | 000,000,209 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2011/02/03 15:57:06 | 000,000,272 | ---- | C] () -- C:\WINDOWS\_delis32.ini

========== LOP Check ==========

[2005/02/17 02:51:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\InterMute
[2005/02/17 02:47:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SampleView
[2010/12/29 11:58:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2005/02/17 02:51:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\InterMute
[2005/02/17 02:47:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\SampleView
[2012/07/06 23:42:57 | 000,000,278 | ---- | M] () -- C:\WINDOWS\Tasks\Easy Internet Sign-up.job

========== Purity Check ==========



< End of report >

And even though you didn't ask for it... since it appeared to be a first-run to OTL, here's the Extra's Log:

OTL Extras logfile created on: 7/7/2012 5:46:31 PM - Run 1
OTL by OldTimer - Version 3.2.53.0 Folder = J:\
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.30 Mb Total Physical Memory | 247.88 Mb Available Physical Memory | 49.25% Memory free
1.20 Gb Paging File | 0.98 Gb Available in Paging File | 81.46% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 178.70 Gb Total Space | 169.54 Gb Free Space | 94.87% Space Free | Partition Type: NTFS
Drive D: | 7.59 Gb Total Space | 2.17 Gb Free Space | 28.60% Space Free | Partition Type: FAT32
Drive J: | 1.86 Gb Total Space | 0.93 Gb Free Space | 49.75% Space Free | Partition Type: FAT

Computer Name: YOUR-4F1261A8E5 | User Name: HP_Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe" = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe:*:Enabled:BackWeb for Pavilion -- (Hewlett-Packard)
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" = C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0C66761E-497A-4BE3-AE0D-8EC30FC9A9AA}" = PC-Doctor for Windows
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{12E2B9E9-05B1-407d-B0FD-B5F350535125}" = Norton Internet Security
"{14589F05-C658-4594-9429-D437BA688686}" = IntelliMover Data Transfer Demo
"{1A103D70-5C9B-4E1A-B306-5106C68F9914}" = Microsoft Plus! Dancer LE
"{1AD5F465-8282-4DAD-B957-E09C0B783D18}" = InstantShare
"{1F63ED0B-EDD2-4037-B6AB-1358C624AF48}" = Scan
"{20FBC0A0-3160-4F14-83ED-3A74BB6B8C31}" = TrayApp
"{21E75254-410E-49C4-8981-2E1A2A2221F2}" = HP Diagnostic Assistant
"{267868CE-6DFF-40F7-9C58-C01119B7B117}" = Fax
"{26A24AE4-039D-4CA4-87B4-2F83217005FF}" = Java™ 7 Update 5
"{272EC8BA-5A08-4ea1-A189-684466A06B02}" = cp_dwShrek2Albums1
"{28CFF19D-B92C-4109-A427-F75505E81688}" = cp_dwSharkTaleAlbums1
"{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}" = SymNet
"{2E8428AD-6CD2-4031-916A-3CF9BBF2DEC9}" = Unload
"{2FCE4FC5-6930-40E7-A4F1-F862207424EF}" = InterVideo WinDVD Creator
"{34A59AC3-6C5C-4A09-A7F5-369A37176C8A}" = AiOSoftware
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36FCD82D-1CED-436d-B33C-874EEC666D68}" = cp_dwSharkTaleCards1
"{3762DB2D-71BD-421F-9E55-C74DA7DF4D07}" = CueTour
"{3AE681E0-4E8D-453F-950A-48534D3C0724}" = Copy
"{3AEF2F6C-F1D3-47CD-BF3B-A327F1FABE58}" = PSPrinters06
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{449F3A9E-9903-4a0d-A209-08030D45A935}" = Norton Internet Security
"{48185814-A224-447a-81DA-71BD20580E1B}" = Norton Internet Security
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4C04DF1B-6A39-4299-9DD1-1FA60000266E}" = HP Photosmart Cameras 4.0
"{503AA035-41E2-4858-B31F-1E49AC66C309}" = Norton Security Center
"{526AD5DC-CFC4-4f2a-8442-C84CC91D6C7F}" = Norton Internet Security
"{55508A44-8225-47AB-9666-1F57A5B5CE2E}" = CP_PLSBusinessFlyers
"{5677563D-0CB1-485f-9E18-C5025306BB3F}" = Norton AntiSpam
"{5E8D588F-307C-4250-B622-26969027319A}" = PanoStandAlone
"{644D04A2-C682-4FD5-977D-03B804C4B9C5}" = CreativeProjects
"{646A65DD-23FC-418E-B9F0-E0500FB42CB1}" = PhotoGallery
"{64FC0C98-B035-4530-B15D-3D30610B6DF1}" = HP Software Update
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler
"{68963635-14A4-48D9-B431-DF3A74D1AAE1}" = Destinations
"{6B350CA4-0031-0002-3757-34999AD85AEC}" = InterVideo WinDVD Creator
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{724517BD-1DE1-4986-BFCA-C1DFD379E3BC}" = cp_dwShrek2Cards1
"{725249C3-B94C-4141-8799-0D3BA43D0812}" = CameraDrivers
"{77772678-817F-4401-9301-ED1D01A8DA56}" = SPBBC
"{7B98685A-4E21-4A4F-A2D6-DC557042BADA}" = HPIZplus450
"{8105684D-8CA6-440D-8F58-7E5FD67A499D}" = Easy Internet Sign-up
"{84CDF5A8-1D57-4B69-BAB6-1F11D8923375}" = SkinsHP1
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD Player
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{9CB2512B-3EC4-43DF-8002-46BDAB5EDD1B}" = QuickProjects
"{9EEBF8D5-8712-4D1D-88F4-4CDC2D270BC3}" = PrintScreen
"{A1062847-0846-427A-92A1-BB8251A91E91}" = HP PSC & OfficeJet 4.0
"{A2500497-FD32-493e-B8E5-28D6728DBEF5}" = Readme
"{A4EA3AB4-E78C-4286-96DF-26035507CE55}" = AiO_Scan
"{A5B9D22C-755A-4AC6-9904-875E80838BB6}" = CP_AtenaShokunin1Config
"{A93C9E60-29B6-49da-BA21-F70AC6AADE20}" = Norton Internet Security
"{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}" = Photosmart 320,370,7400,8100,8400 Series
"{AADFE0B9-F905-4d5f-A144-0ADB2EFA747B}" = Norton Internet Security
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)
"{B103C8A7-D1CC-4B1A-BD41-883F652E097D}" = muvee autoProducer 3.5 magicMoments - HPD
"{B32C75F2-7495-4D01-9431-C11E97D66F8C}" = DocProc
"{B56D5B09-C4FB-4EA0-8EAD-7BC3E2715A2D}" = DocumentViewer
"{B7C61755-DB48-4003-948F-3D34DB8EAF69}" = MSRedist
"{B911B811-BA3E-46D4-90F8-6F3338359651}" = Director
"{BE20E2F5-1903-4AAE-B1AF-2046E586C925}" = iTunes
"{C3F058C0-A21C-452D-8D99-95B1A45F417D}" = InterVideo DiscLabel
"{C6F5B6CF-609C-428E-876F-CA83176C021B}" = Norton AntiVirus 2005
"{C9D599E1-6B68-4a1f-8A4F-A1DB433DB1BF}" = Norton Internet Security
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDFCF124-115F-4976-8BF4-08C89187A146}" = WebReg
"{D0122362-6333-4DE4-93F6-A5A2F3CC101A}" = HP Organize
"{D0420D64-8D33-4374-A2B2-9225C7925CA6}" = HP Image Zone Plus 4.5.3
"{DA42FDCA-7C5A-43EF-9A05-CCE148ADF919}" = CC_ccProxyExt
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{DC367608-64A7-4BF7-92F4-8BAA25BA02DB}" = ccCommon
"{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}" = Norton Internet Security
"{E5EE9939-259F-4DE2-8023-5C49E16A4F43}" = Norton Internet Security
"{E85FA9A1-C241-4698-893B-DD99509B8DB0}" = Norton WMI Update
"{EC8673DA-F96B-497E-B2DB-BC7B029FD680}" = BufferChm
"{F419D20A-7719-4639-8E30-C073A040D878}" = HP Deskjet Preloaded Printer Drivers
"{F64306A5-4C32-41bb-B153-53986527FAB4}" = Norton WMI Update
"{FC08587A-4F01-4188-819F-F55880022917}" = ccPxyCore
"{FC22D020-3005-4715-8DF9-F3EDE81DEB3D}" = CreativeProjectsTemplates
"{FC2C0536-583C-46c0-844A-62CECAE01F22}" = Norton Internet Security
"36317AE4-57EC-4F3E-B828-009A3DD96BE8" = Polar Bowler from Hewlett-Packard Desktops (remove only)
"3F34F72F-9BB0-4B73-8312-558953ACF56F" = Super Granny from Hewlett-Packard Desktops (remove only)
"58D1A004-6D3C-480A-9E0D-FAA58F3C2A62" = Blackhawk Striker 2 from Hewlett-Packard Desktops (remove only)
"62067F4C-84A9-45B9-8573-B90468B0A3EF" = Orbital from Hewlett-Packard Desktops (remove only)
"6723E59E-322A-417A-8E03-27A61E18253C" = Overball from Hewlett-Packard Desktops (remove only)
"6B60434A-ABE1-48FF-906B-0EA67087AB25" = Road Ready Streetwise from Hewlett-Packard Desktops (remove only)
"703E3900-69DA-47C9-9768-C6514098F149" = Shrek 2 Ogre Bowler from Hewlett-Packard Desktops (remove only)
"8C4E79CC-03E1-43AA-9910-9A5113F24603" = Blasterball 2 from Hewlett-Packard Desktops (remove only)
"Agere Systems Soft Modem" = Agere Systems PCI Soft Modem
"B151D9AC-5E4E-4AD0-96C9-5A6C9EC23502" = Blasterball 2 Remix from Hewlett-Packard Desktops (remove only)
"B2D3332F-EA2D-42B3-8E4A-F74D052BCBC1" = Polar Golfer from Hewlett-Packard Desktops (remove only)
"BackWeb-309731 Uninstaller" = Updates from HP
"D11F7128-8CBD-408B-8BF8-034604DEDD42" = Bounce Symphony from Hewlett-Packard Desktops (remove only)
"DAE7A92A-BAC7-42FA-AC62-53DEF1DC4292" = Crystal Maze from Hewlett-Packard Desktops (remove only)
"F5215F01-DFC0-475D-A910-6F1AF94E807E" = Tradewinds from Hewlett-Packard Desktops (remove only)
"Help and Support Additions" = Help and Support Additions
"HP Photo & Imaging" = HP Image Zone 4.5.3
"ie8" = Windows Internet Explorer 8
"InstallShield_{0C66761E-497A-4BE3-AE0D-8EC30FC9A9AA}" = PC-Doctor for Windows
"InstallShield_{8105684D-8CA6-440D-8F58-7E5FD67A499D}" = Easy Internet Sign-up
"InstallShield_{BE20E2F5-1903-4AAE-B1AF-2046E586C925}" = iTunes
"LiveReg" = LiveReg (Symantec Corporation)
"LiveUpdate" = LiveUpdate 2.5 (Symantec Corporation)
"PS2" = PS2
"Python 2.2.3" = Python 2.2.3
"pywin32-py2.2" = Python 2.2 pywin32 extensions (build 203)
"QuickTime" = QuickTime
"RealPlayer 6.0" = RealPlayer
"SymSetup.{A93C9E60-29B6-49da-BA21-F70AC6AADE20}" = Norton Internet Security 2005 (Symantec Corporation)
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 7/7/2012 12:42:14 AM | Computer Name = YOUR-4F1261A8E5 | Source = ESENT | ID = 454
Description = wuauclt (3260) Database recovery/restore failed with unexpected error
-515.

[ System Events ]
Error - 7/7/2012 6:36:12 PM | Computer Name = YOUR-4F1261A8E5 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 7/7/2012 6:36:12 PM | Computer Name = YOUR-4F1261A8E5 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 7/7/2012 6:36:12 PM | Computer Name = YOUR-4F1261A8E5 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 7/7/2012 6:36:12 PM | Computer Name = YOUR-4F1261A8E5 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 7/7/2012 6:36:13 PM | Computer Name = YOUR-4F1261A8E5 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 7/7/2012 6:36:13 PM | Computer Name = YOUR-4F1261A8E5 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 7/7/2012 6:36:13 PM | Computer Name = YOUR-4F1261A8E5 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 7/7/2012 6:36:13 PM | Computer Name = YOUR-4F1261A8E5 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 7/7/2012 6:36:13 PM | Computer Name = YOUR-4F1261A8E5 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 7/7/2012 6:36:13 PM | Computer Name = YOUR-4F1261A8E5 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126


< End of report >
  • 0

#13
Nedklaw

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hi. :)
How is your system running? Are you experiencing any problems?


Step 1

Delete Trojan Guarder from the Start Menu by right clicking the entry and selecting Delete. Empty the Recycle Bin afterwards.


Step 2

If you have the paid version of Malwarebytes 1.6 or later installed, please disable it for the duration of this run.

To disable MBAM

Open the scanner and select the Protection tab.
Remove the tick from Start protection module with Windows.
Reboot and then run OTL.

Posted Image


Run OTL.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    :Commands 
    [CREATERESTOREPOINT] 
    
    :OTL 
    O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
    [2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\InterMute
    [2005/02/17 02:51:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\InterMute
    [2005/02/17 02:51:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\InterMute
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot the PC when it is done.
  • Post the log that appears upon reboot in your next reply.
  • If no log appears upon reboot, the OTL Fix log should be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date and the time of the tool run.
  • Open OTL again and select the "Scan All Users" box.
  • Click the Quick Scan button. Post the log it produces in your next reply.

Step 3

The minimum amount of RAM recommended for Windows XP is 512MB. I recommend at least 1GB.

  • Please visit Crucial System Scanner.
  • Check the box to agree with the Terms and Conditions and click Download the Scanner.
  • Run the scanner and it will suggest RAM modules which you can consider buying to increase the amount of RAM you have.
I recommend you invest in a RAM module in the near future because it can help to increase your computer speed.


Things I want to see in your next reply

  • Answers to my questions
  • OTL Fix Log
  • OTL.txt

  • 0

#14
MS-Free

MS-Free

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 425 posts

Hi. :)
How is your system running? Are you experiencing any problems?

None that I've noticed.

The minimum amount of RAM recommended for Windows XP is 512MB. I recommend at least 1GB.

  • Please visit Crucial System Scanner.
  • Check the box to agree with the Terms and Conditions and click Download the Scanner.
  • Run the scanner and it will suggest RAM modules which you can consider buying to increase the amount of RAM you have.
I recommend you invest in a RAM module in the near future because it can help to increase your computer speed.

Nice can, I'll can pass on the suggestion, but I don't think the owners really going to be looking to invest in more RAM. I don't think there's really heavy use...


All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\ deleted successfully.
C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\InterMute\SpySubtract\tmp folder moved successfully.
C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\InterMute\SpySubtract folder moved successfully.
C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\InterMute folder moved successfully.
C:\Documents and Settings\Administrator\Application Data\InterMute\SpySubtract\tmp folder moved successfully.
C:\Documents and Settings\Administrator\Application Data\InterMute\SpySubtract folder moved successfully.
C:\Documents and Settings\Administrator\Application Data\InterMute folder moved successfully.
C:\Documents and Settings\Default User\Application Data\InterMute\SpySubtract\tmp folder moved successfully.
C:\Documents and Settings\Default User\Application Data\InterMute\SpySubtract folder moved successfully.
C:\Documents and Settings\Default User\Application Data\InterMute folder moved successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\002549_.tmp deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
J:\cmd.bat deleted successfully.
J:\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 11724 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: HP_Owner
->Temp folder emptied: 49122 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: HP_Owner.YOUR-4F1261A8E5
->Temp folder emptied: 16693430 bytes
->Temporary Internet Files folder emptied: 212947 bytes

User: LocalService
->Temp folder emptied: 65536 bytes
->Temporary Internet Files folder emptied: 16786 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 75616 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 11724 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 16.00 mb


OTL by OldTimer - Version 3.2.53.0 log created on 07102012_230007

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

OTL logfile created on: 7/10/2012 11:05:32 PM - Run 2
OTL by OldTimer - Version 3.2.53.0 Folder = J:\
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.30 Mb Total Physical Memory | 248.50 Mb Available Physical Memory | 49.37% Memory free
1.20 Gb Paging File | 0.98 Gb Available in Paging File | 81.34% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 178.70 Gb Total Space | 169.54 Gb Free Space | 94.87% Space Free | Partition Type: NTFS
Drive D: | 7.59 Gb Total Space | 2.17 Gb Free Space | 28.60% Space Free | Partition Type: FAT32
Drive J: | 1.86 Gb Total Space | 0.92 Gb Free Space | 49.17% Space Free | Partition Type: FAT

Computer Name: YOUR-4F1261A8E5 | User Name: HP_Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/07/07 17:38:53 | 000,161,776 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2012/06/27 17:18:56 | 000,596,992 | ---- | M] (OldTimer Tools) -- J:\OTL.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/10/14 01:17:06 | 002,742,272 | ---- | M] (RealTek Semicoductor Corp.) -- C:\WINDOWS\ALCWZRD.EXE
PRC - [2004/10/14 01:00:10 | 000,057,344 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\ALCMTR.EXE
PRC - [2004/10/13 23:01:50 | 000,077,824 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2004/08/30 20:34:20 | 000,176,768 | ---- | M] (Symantec Corporation) -- c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
PRC - [2004/08/28 01:22:48 | 000,164,984 | ---- | M] (Symantec Corporation) -- c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2004/08/28 01:22:46 | 000,234,616 | ---- | M] (Symantec Corporation) -- c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
PRC - [2004/08/28 01:22:42 | 000,197,752 | ---- | M] (Symantec Corporation) -- c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2004/08/28 01:22:40 | 000,058,488 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2004/08/28 00:02:54 | 000,206,048 | ---- | M] (Symantec Corporation) -- c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
PRC - [2004/08/06 03:23:10 | 000,308,352 | ---- | M] (Symantec Corporation) -- c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
PRC - [2004/08/05 19:23:14 | 000,218,240 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe


========== Modules (No Company Name) ==========

MOD - [2004/10/08 19:43:10 | 000,196,608 | ---- | M] () -- c:\Program Files\HP\Digital Imaging\bin\HpqUtil.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2012/07/07 17:38:53 | 000,161,776 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2004/08/31 04:29:46 | 000,078,992 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- c:\Program Files\Norton Internet Security\ISSVC.exe -- (ISSVC)
SRV - [2004/08/30 20:34:20 | 000,176,768 | ---- | M] (Symantec Corporation) [Auto | Running] -- c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe -- (navapsvc)
SRV - [2004/08/28 01:22:48 | 000,164,984 | ---- | M] (Symantec Corporation) [Auto | Running] -- c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2004/08/28 01:22:48 | 000,078,968 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)
SRV - [2004/08/28 01:22:46 | 000,234,616 | ---- | M] (Symantec Corporation) [Auto | Running] -- c:\Program Files\Common Files\Symantec Shared\ccProxy.exe -- (ccProxy)
SRV - [2004/08/28 01:22:42 | 000,197,752 | ---- | M] (Symantec Corporation) [Auto | Running] -- c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2004/08/28 00:02:54 | 000,206,048 | ---- | M] (Symantec Corporation) [On_Demand | Running] -- c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2004/08/06 03:23:10 | 000,308,352 | ---- | M] (Symantec Corporation) [Auto | Running] -- c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe -- (SymWSC)
SRV - [2004/07/23 21:47:22 | 000,197,864 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe -- (SAVScan)
SRV - [2004/07/21 18:24:04 | 000,173,160 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\HSF_CNXT.sys -- (winachsf)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\smserial.sys -- (smserial)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\HSF_DP.sys -- (HSF_DP)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2004/11/17 11:00:00 | 000,629,544 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20041117.006\NAVEX15.SYS -- (NAVEX15)
DRV - [2004/11/17 11:00:00 | 000,072,712 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20041117.006\NAVENG.SYS -- (NAVENG)
DRV - [2004/10/14 02:33:20 | 002,287,104 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2004/08/28 00:02:28 | 000,266,464 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\symtdi.sys -- (SYMTDI)
DRV - [2004/08/28 00:02:26 | 000,025,824 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\symredrv.sys -- (SYMREDRV)
DRV - [2004/08/26 16:03:38 | 000,104,144 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2004/08/04 15:31:36 | 000,032,768 | ---- | M] (SiS Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sisnic.sys -- (SISNIC)
DRV - [2004/07/23 21:47:24 | 000,049,808 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- c:\Program Files\Norton Internet Security\Norton AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2004/07/23 21:47:22 | 000,335,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- c:\Program Files\Norton Internet Security\Norton AntiVirus\savrt.sys -- (SAVRT)
DRV - [2004/07/21 18:24:02 | 000,341,096 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2004/06/29 19:07:18 | 001,268,204 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2004/03/18 02:10:40 | 000,113,664 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Hdaudio.sys -- (HdAudAddService)
DRV - [2003/09/19 11:47:00 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (Pfc)
DRV - [2002/10/04 19:04:10 | 000,046,976 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\R8139n51.sys -- (rtl8139)
DRV - [2001/06/04 15:00:00 | 000,014,112 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...lion&pf=desktop
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3214942085-884137249-1358264841-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
IE - HKU\S-1-5-21-3214942085-884137249-1358264841-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
IE - HKU\S-1-5-21-3214942085-884137249-1358264841-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...lion&pf=desktop
IE - HKU\S-1-5-21-3214942085-884137249-1358264841-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...lion&pf=desktop
IE - HKU\S-1-5-21-3214942085-884137249-1358264841-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...lion&pf=desktop
IE - HKU\S-1-5-21-3214942085-884137249-1358264841-1009\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-3214942085-884137249-1358264841-1009\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKU\S-1-5-21-3214942085-884137249-1358264841-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.0: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.1879: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.2.1939: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.872: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



O1 HOSTS File: ([2004/08/04 20:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (CNavExtBho Class) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NAVShExt.dll (Symantec Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Norton AntiVirus) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NAVShExt.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (HP view) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)
O3 - HKU\S-1-5-21-3214942085-884137249-1358264841-1009\..\Toolbar\ShellBrowser: (Norton AntiVirus) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NAVShExt.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-3214942085-884137249-1358264841-1009\..\Toolbar\ShellBrowser: (HP view) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)
O3 - HKU\S-1-5-21-3214942085-884137249-1358264841-1009\..\Toolbar\WebBrowser: (HP view) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll (Hewlett-Packard Company)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AlcWzrd] C:\WINDOWS\ALCWZRD.EXE (RealTek Semicoductor Corp.)
O4 - HKLM..\Run: [ccApp] c:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\Hdaudpropshortcut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe (Hewlett-Packard)
O4 - HKLM..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe (Symantec Corporation)
O4 - HKLM..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [PS2] C:\WINDOWS\system32\ps2.EXE (Hewlett-Packard Company)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Reminder] C:\Windows\Creator\Remind_XP.exe (SoftThinks)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe (Symantec Corporation)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe (Symantec Corporation)
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3214942085-884137249-1358264841-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/02/17 03:05:32 | 000,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/27 14:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2010/12/28 20:57:34 | 000,000,000 | RHSD | M] - D:\AUTORUN.INF -- [ FAT32 ]
O33 - MountPoints2\{946850c5-1e27-11d9-baf0-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{946850c5-1e27-11d9-baf0-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{946850c5-1e27-11d9-baf0-806d6172696f}\Shell\AutoRun\command - "" = D:\setup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/10 18:05:14 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\PrivacIE
[2012/07/07 17:49:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Local Settings\Application Data\Sun
[2012/07/07 17:43:17 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\IETldCache
[2012/07/07 17:41:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\WBEM
[2012/07/07 17:40:03 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2012/07/07 17:39:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2012/07/07 17:39:21 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/07/07 17:37:11 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2012/07/07 17:36:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2012/07/07 00:17:24 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/07/07 00:17:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\setup.pss
[2012/07/07 00:15:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2012/07/07 00:03:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en-us
[2012/07/07 00:03:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2012/07/07 00:03:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2012/07/07 00:03:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
[2012/07/07 00:01:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\ServicePackFiles
[2012/07/06 23:58:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\network diagnostic
[2012/07/06 23:53:27 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2012/07/06 23:53:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\EHome
[2012/07/06 23:42:13 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Recent
[2012/07/06 23:42:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Lang
[2012/07/06 23:42:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Local Settings\Application Data\LightScribe
[2012/07/06 23:41:08 | 000,000,000 | --SD | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\Microsoft
[2012/07/06 23:41:08 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\SendTo
[2012/07/06 23:41:08 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data
[2012/07/06 23:41:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\My Documents\My Videos
[2012/07/06 23:41:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\My Documents\My Pictures
[2012/07/06 23:41:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\My Documents\My Music
[2012/07/06 23:41:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\My Documents
[2012/07/06 23:41:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Favorites
[2012/07/06 23:41:08 | 000,000,000 | R--D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Start Menu\Programs\Accessories
[2012/07/06 23:41:08 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Cookies
[2012/07/06 23:41:08 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\PrintHood
[2012/07/06 23:41:08 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\NetHood
[2012/07/06 23:41:08 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Local Settings
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\Symantec
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\Sun
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\SampleView
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\Real
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Start Menu\Programs\Quicken
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Start Menu\Programs\PC Help & Tools
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Start Menu\Programs\Online Services
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Local Settings\Application Data\Microsoft
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\Identities
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Desktop
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Local Settings\Application Data\ApplicationHistory
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Local Settings\Application Data\Apple Computer
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\Apple Computer
[2012/07/06 23:41:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142030}
[2012/07/06 23:41:07 | 000,000,000 | R--D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Start Menu\Programs\Startup
[2012/07/06 23:41:07 | 000,000,000 | R--D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Start Menu
[2012/07/06 23:41:07 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Templates
[2012/07/06 23:41:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\WINDOWS
[2012/07/06 23:41:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Start Menu\Programs\WeatherBug
[2012/07/06 23:39:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\RTCOM
[2012/07/06 22:22:32 | 000,000,000 | RHSD | C] -- C:\WINDOWS\System32\dllcache
[2012/07/05 09:04:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\dell
[2012/07/01 12:09:04 | 000,000,000 | ---D | C] -- C:\VB6
[2012/06/27 12:30:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/06/27 12:30:39 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

========== Files - Modified Within 30 Days ==========

[2012/07/10 23:01:50 | 000,000,248 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.dat
[2012/07/10 23:01:37 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/07/10 23:01:36 | 527,814,656 | -HS- | M] () -- C:\hiberfil.sys
[2012/07/10 18:02:18 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/07/07 17:43:44 | 000,000,826 | ---- | M] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/07/07 17:38:05 | 000,001,745 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2012/07/07 00:17:32 | 000,382,022 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/07/07 00:17:32 | 000,053,640 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/07/07 00:17:31 | 000,000,283 | RHS- | M] () -- C:\boot.ini
[2012/07/07 00:16:06 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2012/07/07 00:15:12 | 000,175,464 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/07/07 00:13:12 | 000,002,639 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/07/06 23:58:08 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2012/07/06 23:42:57 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\Easy Internet Sign-up.job
[2012/07/06 23:42:48 | 000,000,745 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Easy Internet Sign-up.lnk
[2012/07/06 23:42:17 | 000,008,192 | ---- | M] () -- C:\WINDOWS\System32\edb.chk
[2012/07/06 23:42:12 | 000,000,603 | ---- | M] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Desktop\Register with HP.url
[2012/07/06 23:41:39 | 000,001,826 | RHS- | M] () -- C:\WINDOWS\System32\drivers\103C_HP_CPC_PS583AA-ABA a1020n_YC_0Pavi_QCNH515_E52NAheBLU1_47_IGoldfish3_SASUSTeK Computer INC._V1.xx_B3.19_T050310_WXH2_L409_M504_J200_7Intel_8Pentium 4_93.06_#050616_N10EC8139_Z11C1048C_G80862582.MRK
[2012/07/06 23:39:59 | 000,000,993 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2012/07/06 23:39:55 | 000,002,158 | ---- | M] () -- C:\WINDOWS\System32\ssmute.ini
[2012/07/06 23:38:52 | 000,000,213 | RHS- | M] () -- C:\BOOT.BAK
[2012/07/01 13:30:42 | 001,248,727 | ---- | M] () -- C:\WINDOWS\setupapi.old
[2012/06/27 13:46:01 | 000,001,919 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2012/06/27 12:30:42 | 000,000,795 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk

========== Files Created - No Company Name ==========

[2012/07/07 17:38:05 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2012/07/07 17:38:05 | 000,001,745 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2012/07/07 00:17:30 | 000,000,213 | RHS- | C] () -- C:\BOOT.BAK
[2012/07/07 00:17:27 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/07/06 23:58:34 | 000,129,045 | ---- | C] () -- C:\WINDOWS\System32\drivers\cxthsfs2.cty
[2012/07/06 23:58:34 | 000,064,352 | ---- | C] () -- C:\WINDOWS\System32\drivers\ativmc20.cod
[2012/07/06 23:58:32 | 000,067,866 | ---- | C] () -- C:\WINDOWS\System32\drivers\netwlan5.img
[2012/07/06 23:42:49 | 000,000,278 | ---- | C] () -- C:\WINDOWS\tasks\Easy Internet Sign-up.job
[2012/07/06 23:42:17 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\edb.chk
[2012/07/06 23:42:12 | 000,000,603 | ---- | C] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Desktop\Register with HP.url
[2012/07/06 23:41:32 | 000,001,826 | RHS- | C] () -- C:\WINDOWS\System32\drivers\103C_HP_CPC_PS583AA-ABA a1020n_YC_0Pavi_QCNH515_E52NAheBLU1_47_IGoldfish3_SASUSTeK Computer INC._V1.xx_B3.19_T050310_WXH2_L409_M504_J200_7Intel_8Pentium 4_93.06_#050616_N10EC8139_Z11C1048C_G80862582.MRK
[2012/07/06 23:41:23 | 527,814,656 | -HS- | C] () -- C:\hiberfil.sys
[2012/07/06 23:41:12 | 000,001,643 | ---- | C] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2012/07/06 23:41:12 | 000,000,826 | ---- | C] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/07/06 23:41:12 | 000,000,753 | ---- | C] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickTime Player.lnk
[2012/07/06 23:41:11 | 000,002,235 | ---- | C] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Desktop\Help and Support.lnk
[2012/07/06 23:41:11 | 000,000,926 | ---- | C] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\Microsoft\Internet Explorer\Quick Launch\RealPlayer.lnk
[2012/07/06 23:41:11 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Local Settings\Application Data\fusioncache.dat
[2012/07/06 23:41:11 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2012/07/06 23:41:09 | 000,001,692 | ---- | C] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Start Menu\Programs\Install Microsoft Money 2005.lnk
[2012/07/06 23:41:09 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Start Menu\Programs\Remote Assistance.lnk
[2012/07/06 23:41:09 | 000,000,814 | ---- | C] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Start Menu\Programs\Internet Explorer.lnk
[2012/07/06 23:41:09 | 000,000,803 | ---- | C] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Start Menu\Programs\Windows Media Player.lnk
[2012/07/06 23:41:09 | 000,000,749 | ---- | C] () -- C:\Documents and Settings\HP_Owner.YOUR-4F1261A8E5\Start Menu\Programs\Outlook Express.lnk
[2012/07/06 23:39:51 | 000,001,830 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AOL®.lnk
[2012/06/27 13:46:01 | 000,001,919 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2012/06/27 12:30:42 | 000,000,795 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2011/02/03 15:57:34 | 000,000,209 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2011/02/03 15:57:06 | 000,000,272 | ---- | C] () -- C:\WINDOWS\_delis32.ini

========== LOP Check ==========

[2005/02/17 02:47:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SampleView
[2010/12/29 11:58:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2005/02/17 02:47:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\SampleView
[2012/07/06 23:42:57 | 000,000,278 | ---- | M] () -- C:\WINDOWS\Tasks\Easy Internet Sign-up.job

========== Purity Check ==========



< End of report >
  • 0

#15
Nedklaw

Nedklaw

    Trusted Helper

  • Malware Removal
  • 1,652 posts
Hello! :wave:
Congratulations your logs look clean! :thumbsup: :yeah: :woot:
Please follow the steps below to make your computer more secure.


First, re-enable any anti-virus/anti-malware programs we have disabled during the removal process!


Cleanup

Run OTL.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    :Commands
    [emptytemp]
    [CLEARALLRESTOREPOINTS] 
    [Reboot]
  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot the PC when it is done.

  • Open OTL to run it. (Vista users, right click on OTL and "Run as administrator").
  • Close all other programs apart from OTL as this step will require a reboot.
  • On the OTL main screen, press the CLEANUP button.
  • Say Yes to the prompt and then allow the program to reboot your computer.
Note: If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.


Updates

Windows Update - This site is a Microsoft site that will scan your computer for any patches or updates that are missing from your computer. You should check this website regularly to keep windows up to date. This will ensure your computer has all of the latest security updates installed on your computer and is secure from any known security holes. Windows Updates are constantly being revised to combat the newest hacks and threats.
It is best if you have these set to download automatically.

How to turn on Automatic Updates:

  • Click on Start.
  • Right-click My Computer.
  • Select Properties.
  • Click on the Automatic Updates Tab.
  • Place a checkmark in the circle next to Automatic (recommended) near the green shield.
  • Click Apply > OK.

Make sure you have the latest Adobe Flash Player (11.3.300.265) and Adobe Shockwave Player (11.6.5.635) so you can view all of the latest content on websites.


Make Internet Explorer more secure

  • Click Start > Run.
  • Type Inetcpl.cpl & click OK.
  • Click on the Security tab.
  • Click Reset all zones to default level.
  • Make sure the Internet Zone is selected & Click Custom level.
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

Recommended Programs

Make sure you update your security programs regularly so they know about new infections so they can protect your computer against them.
Here are a list of programs/tools that I like to recommend to users to reduce the risk of infection in the future:



Anti-Spyware Programs

MBAM - MalwareBytes Anti Malware is an excellent tool program to detect and get rid of malware. This program should be updated and run often.

SpywareBlaster - Prevents spyware from installing on your system and stops you from getting infected. It protects against bad ActiveX and immunizes your PC against them.

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place. It offers realtime protection from spyware installation attempts.
Note: Make sure you are only running one real-time anti-spyware protection program (eg: TeaTimer, Windows Defender) or there will be a conflict.


Alternate Browsers

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. Hijackers like to attack Internet Explorer more than FireFox. If you are interested, Firefox may be downloaded from here.

Add-ons

NoScript - Blocks ads and other potential website attacks.

AdBlockPlus - Adblock Plus gets rid of ads and banners on the internet.

DrWeb Anti-Virus Link Checker - Allows you to check any file you are about to download, any page you are about to visit with online version of Dr.Web anti-virus.

Other browsers include:

Google Chrome
Safari
Opera


Other Programs

WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
Green to go.
Yellow for caution.
Red to stop.
WOT has an addon available for both Firefox and IE.


ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.


IE-SpyAd - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. It prevents Cookies etc from downloading, from these websites, onto your computer.


MVPS Hosts File replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.


FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. Its important to keep programs up to date so that malware doesn't exploit any old security flaws.


Google Toolbar - Get the free google toolbar to help stop pop ups.


Finally...

Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Please respond one last time so we can consider the thread resolved and close it, thank-you.
Good luck and stay safe!!! :thumbsup:
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP