Exploit.Java.CVE-2009, Antimalware Doctor, FakeAlert, and others

orleans_rob · May 15, 2010

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=9cacdc9dd4b8cb48ae74aaa42e3ced4c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-05-15 09:49:11
# local_time=2010-05-15 04:49:11 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5121 16776533 100 96 2980411 25952338 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=204507
# found=1
# cleaned=1
# scan_time=12966
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentsvc.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

ken545 · May 16, 2010

Hi,

Logs look good, all ESET found was a quarantined file that Spybot removed.

Lets update your Java to make your system more secure

Go to your Control Panel and click on the Java Icon ( looks like a little coffee cup ) click on About and you should have Version 6 Update 20, if not proceed with the instructions.

Download the latest version Here save it, do not install it yet.

Java SE Runtime Environment (JRE)JRE 6 Update 20 <--The wording is confusing but this is what you need

Go to your Add Remove Programs in the Control Panel and uninstall any previous versions of Java
Reboot your computer
Install the latest version

You can verify the installation Here

How are things running now ?

orleans_rob · May 16, 2010

cannot tell you how things are b/c i haven't been using the computer.
didn't want to mess up what we had done so far.

I am going to do the Java instalation again for you; now.

I did it a (saturday night/sunday morning 12:30 am) 12 hours after i posted the request for assistance on spybot (saturday the 8th at 1:00 pm)
- since Kaspersky stated i had an infection on wednesday 5-5-2010

i notice the following text doc on my desktop earlier this week.
it appears to have been created friday night/saturday morning 1:00 am
- that would hve been after Kaspersky's notification, but before the post and me removing and reinstalling java

#
# An unexpected error has been detected by Java Runtime Environment:
#
# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x252fda0f, pid=5548, tid=5744
#
# Java VM: Java HotSpot(TM) Client VM (11.0-b16 mixed mode, sharing windows-x86)
# Problematic frame:
# C 0x252fda0f
#
# If you would like to submit a bug report, please visit:
# http://java.sun.com/webapps/bugreport/crash.jsp
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
#

--------------- T H R E A D ---------------

Current thread (0x02e33400): JavaThread "thread applet-Main.class-2" [_thread_in_native, id=5744, stack(0x03190000,0x031e0000)]

siginfo: ExceptionCode=0xc0000005, writing address 0x7fc1f8e7

Registers:
EAX=0x00000041, EBX=0x26bd8df0, ECX=0x252fd9a5, EDX=0x252fd9a4
ESP=0x031df728, EBP=0x41444444, ESI=0x26bd8df0, EDI=0x02e33400
EIP=0x252fda0f, EFLAGS=0x00210a12

Top of Stack: (sp=0x031df728)
0x031df728: 00000041 00000000 031df730 00000000
0x031df738: 031df764 26bd94b8 00000000 26bd8df0
0x031df748: 00000000 031df760 031df78c 00c22e83
0x031df758: 00000000 00c28179 24efdcc0 22c9d1e0
0x031df768: 22c9d1e0 031df76c 26bd8d4f 031df79c
0x031df778: 26bd94b8 00000000 26bd8d70 031df760
0x031df788: 031df798 031df7c0 00c22da1 22ca2ba0
0x031df798: 24efdcc0 22c9d1e0 031df7a0 26bd82f9

Instructions: (pc=0x252fda0f)
0x252fd9ff: 1c ad 8b 68 20 80 7d 0c 33 74 03 96 eb f3 8b 68
0x252fda0f: 08 8b f7 6a 04 59 e8 8f 00 00 00 e2 f9 68 6f 6e

Stack: [0x03190000,0x031e0000], sp=0x031df728, free space=317k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
C 0x252fda0f

[error occurred during error reporting (printing native stack), id 0xc0000005]

Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
j com.sun.media.sound.HeadspaceSoundbank.nOpenResource(Ljava/lang/String

J+0
j com.sun.media.sound.HeadspaceSoundbank.initialize(Ljava/lang/String

V+7
j com.sun.media.sound.HeadspaceSoundbank.<init>(Ljava/net/URL

V+89
j com.sun.media.sound.HsbParser.getSoundbank(Ljava/net/URL

Ljavax/sound/midi/Soundbank;+5
j javax.sound.midi.MidiSystem.getSoundbank(Ljava/net/URL

Ljavax/sound/midi/Soundbank;+36
J Main.init()V
j sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run()V+837
j java.lang.Thread.run()V+11
v ~StubRoutines::call_stub

--------------- P R O C E S S ---------------

Java Threads: ( => current thread )
0x02e43400 JavaThread "Java Sound Event Dispatcher" daemon [_thread_blocked, id=5308, stack(0x04550000,0x045a0000)]
0x02e04400 JavaThread "Keep-Alive-Timer" daemon [_thread_blocked, id=5664, stack(0x04450000,0x044a0000)]
0x02d97800 JavaThread "Thread-12" [_thread_blocked, id=5264, stack(0x04500000,0x04550000)]
0x02e23800 JavaThread "thread applet-Main.class-1" [_thread_in_native, id=2848, stack(0x04360000,0x043b0000)]
=>0x02e33400 JavaThread "thread applet-Main.class-2" [_thread_in_native, id=5744, stack(0x03190000,0x031e0000)]
0x03271c00 JavaThread "AWT-EventQueue-3" [_thread_blocked, id=4392, stack(0x04400000,0x04450000)]
0x03270c00 JavaThread "Applet 2 LiveConnect Worker Thread" [_thread_blocked, id=4804, stack(0x043b0000,0x04400000)]
0x03261400 JavaThread "AWT-EventQueue-2" [_thread_blocked, id=5052, stack(0x035d0000,0x03620000)]
0x03261c00 JavaThread "Applet 1 LiveConnect Worker Thread" [_thread_blocked, id=5184, stack(0x04310000,0x04360000)]
0x03260400 JavaThread "Browser Side Object Cleanup Thread" [_thread_blocked, id=4072, stack(0x042c0000,0x04310000)]
0x0325c000 JavaThread "AWT-Shutdown" [_thread_blocked, id=5160, stack(0x03710000,0x03760000)]
0x03255c00 JavaThread "Windows Tray Icon Thread" [_thread_in_native, id=4876, stack(0x03670000,0x036c0000)]
0x03240400 JavaThread "CacheCleanUpThread" daemon [_thread_blocked, id=4088, stack(0x034d0000,0x03520000)]
0x03262400 JavaThread "CacheMemoryCleanUpThread" daemon [_thread_blocked, id=4300, stack(0x036c0000,0x03710000)]
0x0323d000 JavaThread "Java Plug-In Heartbeat Thread" [_thread_blocked, id=4412, stack(0x03620000,0x03670000)]
0x0323a000 JavaThread "AWT-Windows" daemon [_thread_in_native, id=6112, stack(0x03520000,0x03570000)]
0x03237800 JavaThread "Java2D Disposer" daemon [_thread_blocked, id=2536, stack(0x03480000,0x034d0000)]
0x02e5d800 JavaThread "Java Plug-In Pipe Worker Thread (Client-Side)" [_thread_in_native, id=5056, stack(0x031e0000,0x03230000)]
0x02de5c00 JavaThread "traceMsgQueueThread" daemon [_thread_blocked, id=5060, stack(0x03140000,0x03190000)]
0x02de1c00 JavaThread "Timer-0" [_thread_blocked, id=2836, stack(0x030f0000,0x03140000)]
0x02d91c00 JavaThread "Low Memory Detector" daemon [_thread_blocked, id=4100, stack(0x03040000,0x03090000)]
0x02d8b400 JavaThread "CompilerThread0" daemon [_thread_blocked, id=6116, stack(0x02ff0000,0x03040000)]
0x02d89c00 JavaThread "Attach Listener" daemon [_thread_blocked, id=2456, stack(0x02fa0000,0x02ff0000)]
0x02d88c00 JavaThread "Signal Dispatcher" daemon [_thread_blocked, id=6100, stack(0x02f50000,0x02fa0000)]
0x02d83c00 JavaThread "Finalizer" daemon [_thread_blocked, id=4692, stack(0x02f00000,0x02f50000)]
0x02d7f000 JavaThread "Reference Handler" daemon [_thread_blocked, id=3680, stack(0x02eb0000,0x02f00000)]
0x001d6800 JavaThread "main" [_thread_blocked, id=2724, stack(0x00ba0000,0x00bf0000)]

Other Threads:
0x02d7d800 VMThread [stack: 0x02e60000,0x02eb0000] [id=4224]
0x02da5400 WatcherThread [stack: 0x03090000,0x030e0000] [id=5856]

VM state:not at safepoint (normal execution)

VM Mutex/Monitor currently owned by a thread: None

Heap
def new generation total 4544K, used 3194K [0x22990000, 0x22e70000, 0x22e70000)
eden space 4096K, 77% used [0x22990000, 0x22cae918, 0x22d90000)
from space 448K, 0% used [0x22e00000, 0x22e00000, 0x22e70000)
to space 448K, 0% used [0x22d90000, 0x22d90000, 0x22e00000)
tenured generation total 60544K, used 59959K [0x22e70000, 0x26990000, 0x26990000)
the space 60544K, 99% used [0x22e70000, 0x268fde08, 0x268fe000, 0x26990000)
compacting perm gen total 12288K, used 2420K [0x26990000, 0x27590000, 0x2a990000)
the space 12288K, 19% used [0x26990000, 0x26bed2a8, 0x26bed400, 0x27590000)
ro space 8192K, 63% used [0x2a990000, 0x2aea3ae8, 0x2aea3c00, 0x2b190000)
rw space 12288K, 53% used [0x2b190000, 0x2b7f83f8, 0x2b7f8400, 0x2bd90000)

Dynamic libraries:
0x00400000 - 0x00424000 C:\Program Files\Java\jre6\bin\java.exe
0x7c900000 - 0x7c9b2000 C:\WINDOWS\system32\ntdll.dll
0x7c800000 - 0x7c8f6000 C:\WINDOWS\system32\kernel32.dll
0x77dd0000 - 0x77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 - 0x77f02000 C:\WINDOWS\system32\RPCRT4.dll
0x77fe0000 - 0x77ff1000 C:\WINDOWS\system32\Secur32.dll
0x5cb70000 - 0x5cb96000 C:\WINDOWS\system32\ShimEng.dll
0x71590000 - 0x71609000 C:\WINDOWS\AppPatch\AcLayers.DLL
0x7e410000 - 0x7e4a1000 C:\WINDOWS\system32\USER32.dll
0x77f10000 - 0x77f59000 C:\WINDOWS\system32\GDI32.dll
0x7c9c0000 - 0x7d1d7000 C:\WINDOWS\system32\SHELL32.dll
0x77c10000 - 0x77c68000 C:\WINDOWS\system32\msvcrt.dll
0x77f60000 - 0x77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
0x774e0000 - 0x7761d000 C:\WINDOWS\system32\ole32.dll
0x769c0000 - 0x76a74000 C:\WINDOWS\system32\USERENV.dll
0x73000000 - 0x73026000 C:\WINDOWS\system32\WINSPOOL.DRV
0x76390000 - 0x763ad000 C:\WINDOWS\system32\IMM32.DLL
0x629c0000 - 0x629c9000 C:\WINDOWS\system32\LPK.DLL
0x74d90000 - 0x74dfb000 C:\WINDOWS\system32\USP10.dll
0x773d0000 - 0x774d3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
0x76c90000 - 0x76cb8000 C:\WINDOWS\system32\imagehlp.dll
0x3d930000 - 0x3da16000 C:\WINDOWS\system32\WININET.dll
0x009a0000 - 0x009a9000 C:\WINDOWS\system32\Normaliz.dll
0x78130000 - 0x78263000 C:\WINDOWS\system32\urlmon.dll
0x77120000 - 0x771ab000 C:\WINDOWS\system32\OLEAUT32.dll
0x3dfd0000 - 0x3e1b8000 C:\WINDOWS\system32\iertutil.dll
0x7c340000 - 0x7c396000 C:\Program Files\Java\jre6\bin\msvcr71.dll
0x6d800000 - 0x6da56000 C:\Program Files\Java\jre6\bin\client\jvm.dll
0x76b40000 - 0x76b6d000 C:\WINDOWS\system32\WINMM.dll
0x6d280000 - 0x6d288000 C:\Program Files\Java\jre6\bin\hpi.dll
0x76bf0000 - 0x76bfb000 C:\WINDOWS\system32\PSAPI.DLL
0x6d7b0000 - 0x6d7bc000 C:\Program Files\Java\jre6\bin\verify.dll
0x6d320000 - 0x6d33f000 C:\Program Files\Java\jre6\bin\java.dll
0x6d7f0000 - 0x6d7ff000 C:\Program Files\Java\jre6\bin\zip.dll
0x6d430000 - 0x6d436000 C:\Program Files\Java\jre6\bin\jp2native.dll
0x6d1c0000 - 0x6d1d3000 C:\Program Files\Java\jre6\bin\deploy.dll
0x77a80000 - 0x77b15000 C:\WINDOWS\system32\CRYPT32.dll
0x77b20000 - 0x77b32000 C:\WINDOWS\system32\MSASN1.dll
0x6d6b0000 - 0x6d6f2000 C:\Program Files\Java\jre6\bin\regutils.dll
0x77c00000 - 0x77c08000 C:\WINDOWS\system32\VERSION.dll
0x7d1e0000 - 0x7d49c000 C:\WINDOWS\system32\msi.dll
0x6d610000 - 0x6d623000 C:\Program Files\Java\jre6\bin\net.dll
0x71ab0000 - 0x71ac7000 C:\WINDOWS\system32\WS2_32.dll
0x71aa0000 - 0x71aa8000 C:\WINDOWS\system32\WS2HELP.dll
0x6d630000 - 0x6d639000 C:\Program Files\Java\jre6\bin\nio.dll
0x6d000000 - 0x6d138000 C:\Program Files\Java\jre6\bin\awt.dll
0x5ad70000 - 0x5ada8000 C:\WINDOWS\system32\uxtheme.dll
0x74720000 - 0x7476c000 C:\WINDOWS\system32\MSCTF.dll
0x77b40000 - 0x77b62000 C:\WINDOWS\system32\apphelp.dll
0x755c0000 - 0x755ee000 C:\WINDOWS\system32\msctfime.ime
0x6d220000 - 0x6d274000 C:\Program Files\Java\jre6\bin\fontmanager.dll
0x76fb0000 - 0x76fb8000 C:\WINDOWS\System32\winrnr.dll
0x76f20000 - 0x76f47000 C:\WINDOWS\system32\DNSAPI.dll
0x76f60000 - 0x76f8c000 C:\WINDOWS\system32\WLDAP32.dll
0x71a50000 - 0x71a8f000 C:\WINDOWS\System32\mswsock.dll
0x76fc0000 - 0x76fc6000 C:\WINDOWS\system32\rasadhlp.dll
0x662b0000 - 0x66308000 C:\WINDOWS\system32\hnetcfg.dll
0x71a90000 - 0x71a98000 C:\WINDOWS\System32\wshtcpip.dll
0x68000000 - 0x68036000 C:\WINDOWS\system32\rsaenh.dll
0x5b860000 - 0x5b8b5000 C:\WINDOWS\system32\netapi32.dll
0x6d520000 - 0x6d544000 C:\Program Files\Java\jre6\bin\jsound.dll
0x6d550000 - 0x6d558000 C:\Program Files\Java\jre6\bin\jsoundds.dll
0x73f10000 - 0x73f6c000 C:\WINDOWS\system32\DSOUND.dll
0x76c30000 - 0x76c5e000 C:\WINDOWS\system32\WINTRUST.dll
0x72d20000 - 0x72d29000 C:\WINDOWS\system32\wdmaud.drv
0x72d10000 - 0x72d18000 C:\WINDOWS\system32\msacm32.drv
0x77be0000 - 0x77bf5000 C:\WINDOWS\system32\MSACM32.dll
0x77bd0000 - 0x77bd7000 C:\WINDOWS\system32\midimap.dll
0x76ee0000 - 0x76f1c000 C:\WINDOWS\system32\RASAPI32.dll
0x76e90000 - 0x76ea2000 C:\WINDOWS\system32\rasman.dll
0x76eb0000 - 0x76edf000 C:\WINDOWS\system32\TAPI32.dll
0x76e80000 - 0x76e8e000 C:\WINDOWS\system32\rtutils.dll

VM Arguments:
jvm_args: -D__jvm_launched=17152102095 -Xbootclasspath/a:C:\PROGRA~1\Java\jre6\lib\deploy.jar;C:\PROGRA~1\Java\jre6\lib\javaws.jar;C:\PROGRA~1\Java\jre6\lib\plugin.jar
java_command: sun.plugin2.main.client.PluginMain write_pipe_name=jpi2_pid2032_pipe4,read_pipe_name=jpi2_pid2032_pipe3
Launcher Type: SUN_STANDARD

Environment Variables:
PATH=C:\WINDOWS\system32;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\
USERNAME=Robert
OS=Windows_NT
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel

--------------- S Y S T E M ---------------

OS: Windows XP Build 2600 Service Pack 3

CPU:total 1 (1 cores per cpu, 1 threads per core) family 15 model 4 stepping 1, cmov, cx8, fxsr, mmx, sse, sse2, sse3

Memory: 4k page, physical 1046512k(54700k free), swap 2521728k(1128752k free)

vm_info: Java HotSpot(TM) Client VM (11.0-b16) for windows-x86 JRE (1.6.0_11-b03), built on Nov 10 2008 02:15:12 by "java_re" with MS VC++ 7.1

time: Sat May 08 00:59:17 2010
elapsed time: 47 seconds

ken545 · May 16, 2010

Not really sure what that means, try deleting all the old Java via add remove programs, you should download the new version, dont install it, then uninstall all the rest and then install the new version and see if you still have issues with it . If you do I will link you to a forum for Java for help sorting that out

orleans_rob · May 16, 2010

yes

i removed the old ones sunday moring 1:00 am

just removed Java SE Runtime Environment (JRE)JRE 6 Update 20 and reinstalled it

went to link you gave me and if tested fine

i just tried to update windows and the webpage came back
internet explorer cannot display page

i then tried it another way and it link to the beginning but then page changed to an error saying encountered a problem
Erroro number: 0x80072EFF

i searched it in their data base and the first link was this
http://search.microsoft.com/results.aspx?mkt=en-US&setlang=en-US&q=0x80072E
FF> &setlang=en-US&q=0x80072EFF

wqhen i clicked on it i got the ole
internet explorer cannot display page

i tried it on my wife's comp and the link worked
i don't know

do you feel i am clean now, what else needs to be fixed

ken545 · May 16, 2010

First run this cleaner

Please download ATF Cleaner by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.

Then lets flush out your DNS Cache

Next Go start> Run type cmd and hit OK
Type in ipconfig /flushdns then hit enter
(that space between g and / is needed)
Type exit hit enter

Then Open Internet Explorer and go to Tools> Internet Options > Advanced Tab > Reset Internet Explorer Settings > Reset...it will take a few seconds, then ok your way out and close IE, reopen it and try your windows updates again and see if it worked.

Like I said your logs look fine, if you still cant get windows updates to work why don't you post here at our sister site for help with windows updates, we all work together, tell them you posted here and we cleaned your system, you can link them to this thread so they can see what we have done
http://forums.whatthetech.com/Microsoft_Windows_f119.html

Then you can link me to your post if you wish and I can follow along and see whats going on.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system

Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
- ComboFix and its associated files and folders.
- VundoFix backups, if present
- The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

Now to remove most of the tools that we have used in fixing your machine:

Make sure you have an Internet Connection.
Download OTC to your desktop and run it
A list of tool components used in the cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore <-- Do this first to prevent yourself from being reinfected.
WhattheTech
Grinler BleepingComputer
GeeksTo Go
Dslreports

Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.

Safe Surfn
Ken

orleans_rob · May 16, 2010

Before i started your final list, i typed in New Orleans in bing's search; just to test my system.
When i opened the second link - New Orleans Online - Tourism.
it led me to
alltheservices

i searched other things to see if it was the tourism website that had issues
- 1 out of 2 links brought me to something other than the intended link

Help!

McAfee didn't detecty during last night's autoscan

ken545 · May 16, 2010

Go ahead and post a new OTL log

Download OTL to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.

Under the Custom Scan box paste this in

Code:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav

Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
  Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

orleans_rob · May 16, 2010

i screwed up and ran it the first time with internet explorer open.
this is the second scan; i can post the first if you would like (maybe something will show in it, that is not in the second one)

- also, i was unable to post this through the comp with issue;
when i clicked "submit reply" internet explorer went to the
"internet explorer cannot display page" page

- has happened before while we were working together,
posted from wife's comp

OTL logfile created on: 5/16/2010 12:44:48 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Robert\Desktop\hjt\otl
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 329.00 Mb Available Physical Memory | 32.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 58.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.03 Gb Total Space | 4.77 Gb Free Space | 6.72% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DHRXN81
Current User Name: Robert
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Robert\Desktop\hjt\otl\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
PRC - C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (Research In Motion Limited)
PRC - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
PRC - c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\MSC\McUICnt.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MSM\McSmtFwk.exe (McAfee, Inc.)
PRC - C:\WINDOWS\system32\ngvpnmgr.exe (Aventail Corporation)
PRC - C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe (Carbonite, Inc. (www.carbonite.com))
PRC - C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)
PRC - C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
PRC - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
PRC - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (Symantec Corporation)
PRC - C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
PRC - C:\Program Files\Nikon\NkView6\NkvMon.exe (Nikon Corporation)
PRC - C:\Program Files\Iomega\AutoDisk\ADUserMon.exe (Iomega Corporation)
PRC - C:\Documents and Settings\All Users\Microsoft Home Publishing\MHPRMIND.EXE (Microsoft Corporation)
PRC - C:\Documents and Settings\All Users\Application Data\MSWorks\Calendar\WKCALREM.EXE (Microsoft Corporation)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Robert\Desktop\hjt\otl\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcr80.dll (Microsoft Corporation)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcp80.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\cabinet.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)
MOD - C:\WINDOWS\system32\rsaenh.dll (Microsoft Corporation)
MOD - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (Iomega Activity Disk2) -- File not found
SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (McAfee SiteAdvisor Service) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
SRV - (MpfService) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McShield) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
SRV - (McSysmon) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
SRV - (mcmscsvc) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SRV - (McProxy) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
SRV - (McNASvc) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
SRV - (NgVpnMgr) -- C:\WINDOWS\system32\ngvpnmgr.exe (Aventail Corporation)
SRV - (CarboniteService) -- C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe (Carbonite, Inc. (www.carbonite.com))
SRV - (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE (Symantec Corporation)
SRV - (DSBrokerService) -- C:\Program Files\DellSupport\brkrsvc.exe ()
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)
SRV - (SymWSC) -- C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (Symantec Corporation)
SRV - (_IOMEGA_ACTIVE_DISK_SERVICE_) -- C:\Program Files\Iomega\AutoDisk\ADService.exe (Iomega Corporation)
SRV - (Iomega App Services) -- C:\Program Files\Iomega\System32\AppServices.exe (Iomega Corporation)

========== Driver Services (SafeList) ==========

DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfesmfk) -- C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mferkdk) -- C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee, Inc.)
DRV - (MPFP) -- C:\WINDOWS\system32\drivers\Mpfp.sys (McAfee, Inc.)
DRV - (NgWfp) -- C:\WINDOWS\system32\drivers\ngwfp.sys (Aventail Corporation)
DRV - (NgFilter) -- C:\WINDOWS\system32\drivers\ngfilter.sys (Aventail Corporation)
DRV - (NgVpn) -- C:\WINDOWS\system32\drivers\ngvpn.sys (Aventail Corporation)
DRV - (NgLog) -- C:\WINDOWS\system32\drivers\nglog.sys (Aventail Corporation)
DRV - (USB_RNDIS) -- C:\WINDOWS\system32\drivers\usb8023.sys (Microsoft Corporation)
DRV - (ppa3) -- C:\WINDOWS\system32\DRIVERS\ppa3.sys (Microsoft Corporation)
DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (motmodem) -- C:\WINDOWS\system32\drivers\motmodem.sys (Motorola)
DRV - (dsunidrv) -- C:\WINDOWS\system32\drivers\dsunidrv.sys (Gteko Ltd.)
DRV - (DSproct) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys (Gteko Ltd.)
DRV - (senfilt) -- C:\WINDOWS\system32\drivers\senfilt.sys (Creative Technology Ltd.)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (IntelC53) -- C:\WINDOWS\system32\drivers\IntelC53.sys (Intel Corporation)
DRV - (IntelC52) -- C:\WINDOWS\system32\drivers\IntelC52.sys (Intel Corporation)
DRV - (IntelC51) -- C:\WINDOWS\system32\drivers\IntelC51.sys (Intel Corporation)
DRV - (mohfilt) -- C:\WINDOWS\system32\drivers\mohfilt.sys (Intel Corporation)
DRV - (iomdisk) -- C:\WINDOWS\System32\DRIVERS\iomdisk.sys (Iomega Corporation)
DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (MODEMCSA) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys (Microsoft Corporation)
DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/04/20 23:29:54 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2010/05/14 23:06:45 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe (Iomega Corporation)
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (Research In Motion Limited)
O4 - HKLM..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe (Nikon Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit, Inc.)
O4 - Startup: C:\Documents and Settings\Robert\Start Menu\Programs\Startup\Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe (Research In Motion Limited)
O4 - Startup: C:\Documents and Settings\Robert\Start Menu\Programs\Startup\Microsoft Greetings Reminders.lnk = C:\Documents and Settings\All Users\Microsoft Home Publishing\MHPRMIND.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Robert\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk = C:\Documents and Settings\All Users\Application Data\MSWorks\Calendar\WKCALREM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKLM\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: morkee.com ([i2] https in Trusted sites)
O15 - HKCU\..Trusted Domains: msn.com ([www] http in Trusted sites)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab (Reg Error: Key error.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?LinkID=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} https://i2.morkee.com/workplace/webifiers/wficat.cab (Citrix ICA Client)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130646214381 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131227148718 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab (Verizon Wireless Media Upload)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Reg Error: Key error.)
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.5/installer.exe (Virtools WebPlayer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {FD3FF62E-61A7-48EE-A4A4-97CE7BD1F99D} https://i2.morkee.com/postauthACC/SodaAgent.CAB (SodaAgt Class)
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll (PCPitstop Exam)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Robert\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Robert\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/10/30 17:48:30 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/16 02:57:00 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Robert\Recent
[2010/05/16 00:56:11 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/05/16 00:55:17 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/05/16 00:55:16 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/05/16 00:55:16 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/05/16 00:55:16 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/05/16 00:53:19 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/05/15 23:32:21 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/14 21:06:19 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/05/14 20:57:21 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/05/14 20:57:21 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/05/14 20:57:21 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/05/14 20:57:21 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/05/14 20:56:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/14 20:56:12 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/14 18:07:36 | 000,000,000 | ---D | C] -- C:\rsit
[2010/05/09 00:49:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/05/09 00:47:42 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/05/08 13:20:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Robert\Desktop\hjt
[2010/05/02 17:02:49 | 000,181,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/05/02 16:58:58 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2010/05/01 12:12:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Robert\Application Data\Malwarebytes
[2010/05/01 12:12:18 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/01 12:12:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/01 12:12:14 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/01 12:12:13 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/29 09:14:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/28 00:39:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/27 22:09:29 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/04/24 23:35:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/04/24 23:35:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/24 23:34:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Roxio
[2010/04/24 23:34:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Robert\Application Data\Roxio
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/16 12:22:19 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{97465611-51A7-4A27-BBCC-D5DE1ECEE541}.job
[2010/05/16 02:56:29 | 019,660,800 | ---- | M] () -- C:\Documents and Settings\Robert\ntuser.dat
[2010/05/16 02:09:03 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/05/16 01:38:15 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/05/16 00:53:41 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/05/16 00:53:41 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/05/16 00:53:40 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/05/16 00:53:40 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/05/16 00:53:38 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/05/16 00:50:10 | 000,000,256 | ---- | M] () -- C:\WINDOWS\System32\pool.bin
[2010/05/16 00:47:56 | 000,025,541 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/05/16 00:44:46 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/16 00:44:23 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/16 00:43:18 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Robert\ntuser.ini
[2010/05/14 23:07:02 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/14 23:06:45 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/14 21:06:28 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/05/14 17:45:32 | 000,000,368 | ---- | M] () -- C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
[2010/05/13 19:58:03 | 000,107,704 | ---- | M] () -- C:\Documents and Settings\Robert\Application Data\GDIPFONTCACHEV1.DAT
[2010/05/11 20:18:37 | 000,000,267 | ---- | M] () -- C:\Documents and Settings\Robert\Desktop\Shaba - virtumonde and Microsoft.Windows.RedirectedHosts (Cont) - Safer Networking Forums.url
[2010/05/10 19:04:18 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/10 04:00:38 | 000,000,334 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2010/05/09 15:26:28 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
[2010/05/08 13:13:03 | 000,000,277 | ---- | M] () -- C:\Documents and Settings\Robert\Desktop\virtumonde and Microsoft.Windows.RedirectedHosts - Safer Networking Forums.url
[2010/05/01 18:13:45 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/28 17:43:09 | 000,015,880 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/20 18:32:57 | 000,107,704 | ---- | M] () -- C:\Documents and Settings\Robert\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/17 10:17:39 | 000,371,280 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/14 21:06:28 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/05/14 21:06:22 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/05/14 20:57:21 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/05/14 20:57:21 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/05/14 20:57:21 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/05/14 20:57:21 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/05/14 20:57:21 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/05/02 17:02:36 | 000,000,330 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/05/01 18:13:44 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/02/01 22:44:32 | 000,000,232 | ---- | C] () -- C:\WINDOWS\reimage.ini
[2009/04/27 10:28:58 | 000,126,080 | ---- | C] () -- C:\WINDOWS\ngmsi.dll
[2008/08/12 11:29:19 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2007/11/04 10:00:55 | 000,000,022 | ---- | C] () -- C:\WINDOWS\iexplore.ini
[2007/04/05 06:56:50 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2007/03/05 13:34:28 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2006/01/08 00:44:52 | 000,050,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2005/11/15 21:02:38 | 000,000,036 | ---- | C] () -- C:\WINDOWS\webica.ini
[2005/11/09 21:10:00 | 000,000,021 | ---- | C] () -- C:\WINDOWS\CS_setup.ini
[2005/11/08 01:29:29 | 000,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2005/11/05 15:23:42 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/10/30 20:31:52 | 000,000,624 | ---- | C] () -- C:\WINDOWS\WinInit.ini.backup
[2005/10/19 07:24:02 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/10/19 07:13:18 | 000,001,052 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/10/19 06:46:14 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2005/10/19 06:46:04 | 000,000,394 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/08/09 17:12:28 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2004/08/10 13:12:05 | 000,000,882 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 13:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

========== LOP Check ==========

[2009/10/03 13:54:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Aventail
[2008/08/16 22:41:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Carbonite
[2007/11/09 01:07:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GameHouse
[2008/08/11 17:14:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft(2)
[2008/08/11 17:14:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft(3)
[2008/08/11 17:14:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft(4)
[2005/11/13 17:59:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSWorks
[2005/11/02 23:46:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MumboJumbo
[2010/01/30 01:01:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCPitstop
[2009/10/26 10:32:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2010/01/24 10:18:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Research In Motion
[2007/12/10 02:14:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2010/05/16 01:33:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/09/03 00:12:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2010/02/20 20:36:09 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2005/11/02 22:58:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\Active Disk
[2009/10/03 13:55:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\Aventail
[2008/08/28 09:47:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\ICAClient
[2007/09/13 20:25:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\Musicmatch
[2005/11/09 21:17:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\Nikon
[2009/05/08 22:22:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\OfficeUpdate12
[2010/01/24 10:19:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Robert\Application Data\Research In Motion
[2010/05/16 01:38:15 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2010/04/15 01:11:58 | 000,000,342 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job
[2010/05/10 04:00:38 | 000,000,334 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job
[2010/05/16 02:09:03 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2010/05/16 12:22:19 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{97465611-51A7-4A27-BBCC-D5DE1ECEE541}.job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< MD5 for: AGP440.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:AGP440.sys
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/08/11 18:47:55 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/08/11 18:47:55 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\i386\AGP440.SYS
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/08/11 18:47:55 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/08/11 18:47:55 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 05:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\i386\eventlog.dll
[2004/08/04 05:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\i386\netlogon.dll
[2004/08/04 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 05:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\i386\scecli.dll
[2004/08/04 05:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/04/13 19:11:51 | 001,267,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\comsvcs.dll
[5 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2004/08/10 12:56:48 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/08/10 12:56:46 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/08/10 12:56:46 | 000,872,448 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Robert\My Documents\The Dad Commandments.doc:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Robert\My Documents\Teach Your Kids to Break the Rules.doc:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Robert\My Documents\Sportsman Fleur de Lis 2.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Robert\My Documents\Monet's 2010 Summer.xls:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Robert\My Documents\How to Calm Your Kids.doc:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Robert\My Documents\hal90001680jo7.png:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Robert\My Documents\BlackBerry Curve 8530 Smartphone User Guide.pdf:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Robert\My Documents\7 Moves That Will Make You a Better Dad.doc:Roxio EMC Stream
@Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BAE21FF8
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >

orleans_rob · May 16, 2010

same holds true for this post

OTL Extras logfile created on: 5/16/2010 12:44:48 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Robert\Desktop\hjt\otl
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 329.00 Mb Available Physical Memory | 32.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 58.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.03 Gb Total Space | 4.77 Gb Free Space | 6.72% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DHRXN81
Current User Name: Robert
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled

xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled

xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled

xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled

xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled

xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled

xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled

xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled

xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet

isabled

xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet

isabled

xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{14374619-0900-4056-BA06-C87C900AF9E6}" = QuickBooks Simple Start Special Edition
"{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}" = Intel(R) PROSet for Wired Connections
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{205A5182-EFC8-4C25-B61D-C164F8FF4048}" = BlackBerry Desktop Software 5.0.1
"{237a4b22-78c2-11d6-a394-00104bd190b1}" = QuickBooks Pro Edition 2003
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{338F08AB-C262-42C7-B000-34DE1A475273}" = Ad-Aware Email Scanner for Outlook
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = Modem On Hold
"{4192EAC0-6B36-4723-B216-D0E86E7757AC}" = Jasc Paint Shop Photo Album 5
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{503AA035-41E2-4858-B31F-1E49AC66C309}" = Norton Security Center
"{54D44AD1-A083-48B9-BD6F-AFD517B7C775}" = Aventail Webifiers
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{689E0AB3-50B2-4E5A-9DCE-6DA9F5BE1314}" = BlackBerry® Media Sync
"{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}" = Digital Content Portal
"{6E179C77-7335-458D-9537-4F4EAC0181ED}" = Photo Click
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{72552C46-944B-4E16-BBC8-0D85F31C1800}" = Aventail Access Manager
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}" = Jasc Paint Shop Pro Studio, Dell Editon
"{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}" = Modem Event Monitor
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111324990}" = Kick N Rush
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics 2 Driver
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8D55AC33-2CB4-4A4D-93A9-F5C76124BBC3}" = BlackBerry Device Software v5.0.0 for the BlackBerry 8530 smartphone
"{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}" = Musicmatch® Jukebox
"{90110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9B0B46B3-10DF-4ADA-9501-0129D784563D}" = Aventail Web Proxy Agent
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A2A78788-2792-49BF-AF22-5E9296E568F3}" = Aventail Connect
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A654A805-41D9-40C7-AA46-4AF04F044D61}" = Adobe® Photoshop® Album Starter Edition 3.2
"{A683A2C0-821C-486F-858C-FA634DB5E864}" = EducateU
"{AAB84E83-C8DF-4752-9DFC-2E2A48EE5E9F}" = Nikon View 6
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic Audio module
"{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}" = Dell Media Experience
"{AF06CAE4-C134-44B1-B699-14FBDB63BD37}" = Dell Picture Studio v3.0
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B98BE95C-E76F-4246-B8E6-BEB8EE791D06}" = Roxio Media Manager
"{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}" = Windows Rights Management Client with Service Pack 2
"{BE8913B7-B2C4-48BE-8A26-84390FF4F231}" = DMX Update
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D837BFF0-7EC2-4242-8750-E26EFE59A6F6}" = Crosstrainer 6
"{D8AB148C-3182-4B41-8CBC-565104358386}" = Juniper Installer Service
"{DDC63227-BA06-4855-B002-BDB49E9F677E}" = Symantec Technical Support Web Controls
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E7559288-223B-453C-9F06-340E3BE21E39}" = MyWay Search Assistant
"{EC905264-BCFE-423B-9C42-C3A106266790}" = Windows Rights Management Client Backwards Compatibility SP2
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"Active Disk" = Active Disk
"ActiveTouchMeetingClient" = WebEx
"Ad-Aware" = Ad-Aware
"Adobe® Photoshop® Album Starter Edition 3.2" = Adobe® Photoshop® Album Starter Edition 3.2
"ArcSoft Software Suite" = ArcSoft Software Suite
"BlackBerry_{205A5182-EFC8-4C25-B61D-C164F8FF4048}" = BlackBerry Desktop Software 5.0.1
"Carbonite Backup" = Carbonite
"Citrix ICA Web Client" = MetaFrame Presentation Server Web Client for Win32
"Cox Online Support Controls_is1" = Cox Online Support Controls
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"Disney's Toontown Online" = Disney's Toontown Online
"Home Publishing" = Microsoft Greetings
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{D837BFF0-7EC2-4242-8750-E26EFE59A6F6}" = Crosstrainer 6
"Intel(R) 537EP V9x DF PCI Modem" = Intel(R) 537EP V9x DF PCI Modem
"IrfanView" = IrfanView (remove only)
"Jasc Paint Shop Pro Studio.01 , Dell Edition 1.0.1.1 Patch" = Jasc Paint Shop Pro Studio.01 , Dell Edition 1.0.1.1 Patch
"LiveUpdate" = LiveUpdate 3.2 (Symantec Corporation)
"Love Clock - Tonight's The Night_is1" = My Program 1.5
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSMONEYV70" = Microsoft Money 99
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PROSet" = Intel(R) PRO Network Adapters and Drivers
"QuickTime" = QuickTime
"ScrewDrivers Client v4" = ScrewDrivers Client v4
"SpywareBlaster_is1" = SpywareBlaster 4.3
"StreetPlugin" = Learn2 Player (Uninstall Only)
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Works Calendar" = Microsoft Works Calendar 1.0
"Works99Setup" = Microsoft Works Setup Launcher
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{72552C46-944B-4E16-BBC8-0D85F31C1800}" = Aventail Access Manager
"Cisco Unified Presenter Add-in" = Cisco Unified Presenter Add-in
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/5/2009 2:54:24 AM | Computer Name = DHRXN81 | Source = Application Hang | ID = 1002
Description = Hanging application taskmgr.exe, version 5.1.2600.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/5/2009 2:55:47 AM | Computer Name = DHRXN81 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/5/2009 11:44:04 AM | Computer Name = DHRXN81 | Source = Microsoft Office 10 | ID = 2001
Description = Rejected Safe Mode action : Microsoft Outlook.

Error - 7/17/2009 2:46:15 AM | Computer Name = DHRXN81 | Source = Application Hang | ID = 1002
Description = Hanging application rundll32.exe, version 5.1.2600.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/18/2009 2:19:23 AM | Computer Name = DHRXN81 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module sdhelper.dll, version 1.6.2.14, fault address 0x00001c61.

Error - 7/18/2009 2:20:40 AM | Computer Name = DHRXN81 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/25/2009 3:04:54 AM | Computer Name = DHRXN81 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/25/2009 3:05:16 AM | Computer Name = DHRXN81 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/29/2009 7:31:14 PM | Computer Name = DHRXN81 | Source = McLogEvent | ID = 5051
Description = A thread in process C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took
longer than 90000 ms to complete a request. The process will be terminated. Thread
id : 3264 (0xcc0) Thread address : 0x7C90E514 Thread message : Build VSCORE.14.0.0.423
/ 5301.4018 Object being scanned = \Device\HarddiskVolume2\WINDOWS\system32\drivers\etc\hosts

by C:\WINDOWS\system32\svchost.exe 4(0)(0) 4(0)(0) 7200(0)(0) 7595(0)(0) 7005(0)(0)

7004(0)(0) 5006(0)(0) 5004(0)(0)

Error - 7/30/2009 7:31:35 AM | Computer Name = DHRXN81 | Source = McLogEvent | ID = 5051
Description = A thread in process C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took
longer than 90000 ms to complete a request. The process will be terminated. Thread
id : 728 (0x2d8) Thread address : 0x7C90E514 Thread message : Build VSCORE.14.0.0.423
/ 5301.4018 Object being scanned = \Device\HarddiskVolume2\WINDOWS\system32\drivers\etc\hosts

by C:\WINDOWS\system32\svchost.exe 4(0)(0) 4(0)(0) 7200(0)(0) 7595(0)(0) 7005(0)(0)

7004(0)(0) 5006(0)(0) 5004(0)(0)

[ System Events ]
Error - 5/16/2010 1:42:39 AM | Computer Name = DHRXN81 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 5/16/2010 1:42:40 AM | Computer Name = DHRXN81 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 5/16/2010 1:42:40 AM | Computer Name = DHRXN81 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 5/16/2010 1:42:40 AM | Computer Name = DHRXN81 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 5/16/2010 1:42:40 AM | Computer Name = DHRXN81 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 5/16/2010 1:42:40 AM | Computer Name = DHRXN81 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 5/16/2010 1:42:40 AM | Computer Name = DHRXN81 | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 5/16/2010 1:44:45 AM | Computer Name = DHRXN81 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/16/2010 1:44:45 AM | Computer Name = DHRXN81 | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 5/16/2010 1:46:02 AM | Computer Name = DHRXN81 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher
9 service to connect.

< End of report >

ken545 · May 16, 2010

Hi,

I just briefly looked through your OTL log and nothing is jumping out at me but I need some time to look it over more carefully. In the meantime I would like you to run this Rootkit scanner because if there is a rootkit installed it will not show up on most scanners. Have to warn you, depending on your system it could take awhile.

morkee.com <--Do you want this site in your Internet Explorer Trusted Zone ?

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double click GMER.exe.
If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
  
  Click the image to enlarge it
Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
Save the log where you can easily find it, such as your desktop.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Please copy and paste the report into your Post.

orleans_rob · May 16, 2010

morkee can be removed; was from a previous employer

about to start the next task

orleans_rob · May 16, 2010

was running GMER when itt went to blue scren

canot make out the first coul=ple of letters on the right side of the screen,
but here is what i bcan see

??p: c000021a {Fatal System Error}
??? Windows Subsystem system process terminated unexpectedly with a status of
???00005 (0x001e000a 0x02b6e064).
??? system has been shut down.

ken545 · May 16, 2010

Try running it in Safemode, make sure you disabled your AV

To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode

orleans_rob · May 16, 2010

was able to restart the program in normal mode

ran for about 2 hours and then got another blue screen

running it in safemode now

should be done in 3.5-4 hours if it takes as long as some of the other scans

orleans_rob · May 16, 2010

aahhgg!!

i am able to start it in safemode, but i noticed that i cannot access any buttons below "scan" because of screen resolution
(tried to change it but only let me see 640 by 480)

if i remember correctly, the save button is below the scan button

i'll start it and you can let me now if i am wasting my time since i cannot access the save button
or if a report is created and i don't need to access that button

i was also wondering if i could highlite the info in the main window and paste it to a text document after it ran

let know know what you think

ken545 · May 17, 2010

well, really not sure although I have had other posters run this in Safemode and post a log. You can try copy and pasting the info if you cant save it.

If no luck either way you can try running this one, GMER gives more info but this one may do

Please download RootRepeal from one of these locations and save it to your desktop
Here
Here
Here

Open

on your desktop.
Click the

tab.
Click the

button.
Check just these boxes:
Push Ok
Check the box for your main system drive (Usually C:, and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the

button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.

orleans_rob · May 17, 2010

well, that was a waste if 4+ hours.

not your fault.
i should of stopped when you sent me the notice about rootrepeal

i'll run rootrepeal now and post the report in the morning when i get up

if we get somewhere with root them maybe i will be able to run gmer in normal

orleans_rob · May 17, 2010

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/05/16 23:51
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF735E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BBD000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF6E18000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf76e787e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf76e7bfe

==EOF==

ken545 · May 17, 2010

Good Morning,

Let me tell ya, been at this for a good many years and this garbage is getting harder and harder to remove, be nice if these dirtbags where on our side. Rootrepeal was fine, nothing bad

Where going to run OTL again

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:

:OTL
O1 - Hosts: 127.0.0.1 localhost
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O15 - HKCU\..Trusted Domains: morkee.com ([i2] https in Trusted sites)
O16 - DPF: {FD3FF62E-61A7-48EE-A4A4-97CE7BD1F99D} https://i2.morkee.com/postauthACC/SodaAgent.CAB  (SodaAgt Class)

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot when it is done

Then we are going to reset your hosts file

Download the HostsXpert 4.3 - Hosts File Manager.

Unzip HostsXpert 4.2.0.0 - Hosts File Manager to a convenient folder such as C:\HostsXpert
Click HostsXpert.exe to Run HostsXpert - Hosts File Manager from its new home
Click "Make Hosts Writable?" in the upper left corner.
Click Restore Microsoft's Hosts file and then click OK.
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Post the OTL report and let me know if this helped

Exploit.Java.CVE-2009, Antimalware Doctor, FakeAlert, and others

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

New member

Emeritus-Security Expert

New member

New member

Emeritus-Security Expert

New member

New member

Emeritus-Security Expert

New member

New member

Emeritus-Security Expert