My Documents and Recycle bin have unviewable files

Inactive
By GloverG
Mar 23, 2012
  1. Three days ago, I was upgrading an Adobe program when a company called IOLO offered a free system checkup. I downloaded the program and found that for $ they would fix issues with my computer. When I accepted, the program that was downloaded (System Checkup) self-destructed. I then became suspicious and began checking my computer. All my files on the C: drive were left alone, but all the files in My Documents were changed. The computer shows the file sizes still exist, but I'm unable to view the files in the Recycle Bin or within the non-deleted folders in My Documents. I have performed numerous restores, and they restored my icons but not my My Documents files. I have also downloaded many recovery programs and have had limited success, but have taken no action with any of them. I have also contacted the IOLO company, and they tried to unhide my files, but to no avail. The technician told me that my issue could not be resolved and hung up. So, on a friend's advice to contact you, I'm hoping to get a resolution to this issue.
  2. Broni

    Broni Malware Annihilator Posts: 46,178   +251

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000 characters post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
  3. GloverG

    GloverG Newcomer, in training Topic Starter Posts: 49

    Scan Log Requests

    1. I currently run Microsoft Security Essentials.
    2. The following is the contents of the Malwarebytes log:
    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.24.02

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Garry S. Glover :: DDQSKV11 [administrator]

    3/24/2012 3:10:57 PM
    mbam-log-2012-03-24 (15-37-36).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 219258
    Time elapsed: 26 minute(s), 1 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5D60FF48-95BE-4956-B4C6-6BB168A70310} (Trojan.KeenValue) -> No action taken.

    Registry Values Detected: 4
    HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks|{5D60FF48-95BE-4956-B4C6-6BB168A70310} (Trojan.KeenValue) -> Data: -> No action taken.
    HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{5F1ABCDB-A875-46C1-8345-B72A4567E486} (Adware.ISTBar) -> Data: -> No action taken.
    HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser|{5F1ABCDB-A875-46C1-8345-B72A4567E486} (Adware.ISTBar) -> Data: Û¼_u¨ÁFƒE·*Egä† -> No action taken.
    HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{5D60FF48-95BE-4956-B4C6-6BB168A70310} (Trojan.KeenValue) -> Data: -> No action taken.

    Registry Data Items Detected: 2
    HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page_bak (Hijack.SearchPage) -> Bad: (http://www.idgsearch.com/) Good: (http://www.Google.com/) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page_bak (Hijack.SearchPage) -> Bad: (http://www.idgsearch.com/) Good: (http://www.Google.com/) -> No action taken.

    Folders Detected: 1
    C:\Program Files\Save (Adware.WhenU) -> No action taken.

    Files Detected: 3
    C:\Documents and Settings\Garry S. Glover\Engine.dll (Trojan.GamesThief) -> No action taken.
    C:\Program Files\Save\ReadMe.txt (Adware.WhenU) -> No action taken.
    C:\Program Files\Save\save.db (Adware.WhenU) -> No action taken.

    (end)

    3. Downloaded GMER from your mirrors and from Bleeping Computer, but all three executables gave me a "Load Driver (.\uxtyapoc.sys) error on 0xC000003A: Cannot create a stable subkey under a volatile parent key". It also generates a uxtyapoc.sys file that's 99KB. The program seems viable after the error but generates a 0KB log without showing any information in the window during the scan.

    4. The following is the contents of the DDS by sUBS (DDS.txt log):
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Garry S. Glover at 17:32:40 on 2012-03-24
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.133 [GMT -4:00]
    .
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    uDefault_Search_URL = hxxp://about-blank.biz/
    uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    uStart Page = hxxp://www.att.net
    mSearch Bar = hxxp://www.2020search.com/search/9884/search.html
    uCustomizeSearch =
    uSearchAssistant = hxxp://www.2020search.com/search/9884/search.html
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    mSearchAssistant = hxxp://www.2020search.com/search/9884/search.html
    mCustomizeSearch =
    uURLSearchHooks: H - No File
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: {2cf0b992-5eeb-4143-99c0-5297ef71f443} - Search Toolbar BHO Object
    BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
    BHO: {55102325-f838-447f-93d7-d03fed8f4c3b} -
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: Search: {2cf0b992-5eeb-4143-99c0-5297ef71f444} -
    TB: {5C75D98F-A3FF-4C79-A106-7E088D55D5DB} - No File
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    EB: {2cf0b992-5eeb-4143-99c0-5297ef71f444} - Search
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    uPolicies-explorer: <NO NAME> =
    IE: {1A00C40B-DA85-4aa3-A67F-582D9347EECD}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    Trusted Zone: intuit.com\ttlc
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1268618336953
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1268795703686
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Hosts: 69.56.223.196 t.rack.cc
    Hosts: 69.56.223.196 www.alfa-search.com
    Hosts: 69.56.223.196 webcoolsearch.com
    Hosts: 69.56.223.196 in.webcounter.cc
    Hosts: 69.56.223.196 i-lookup.com
    .
    Note: multiple HOSTS entries found. Please refer to Attach.txt
    .
    ============= SERVICES / DRIVERS ===============
    .
    .
    =============== Created Last 30 ================
    .
    .
    ==================== Find3M ====================
    .
    .
    ============= FINISH: 17:34:10.21 ===============

    and here is the other log (Attach.txt):

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 9/24/2002 7:38:35 AM
    System Uptime: 3/24/2012 3:44:32 PM (2 hours ago)
    .
    Motherboard: Dell Computer Corporation | | Dimension 8200
    Processor: Intel(R) Pentium(R) 4 CPU 2.40GHz | Microprocessor | 2386/133mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 74 GiB total, 41.45 GiB free.
    D: is CDROM (CDFS)
    E: is CDROM (CDFS)
    F: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP35: 12/17/2011 7:55:20 AM - Software Distribution Service 3.0
    RP36: 12/19/2011 4:46:52 PM - Software Distribution Service 3.0
    RP37: 12/23/2011 10:37:30 AM - Software Distribution Service 3.0
    RP38: 12/24/2011 6:59:40 PM - Software Distribution Service 3.0
    RP39: 12/26/2011 11:22:03 PM - Software Distribution Service 3.0
    RP40: 12/28/2011 9:09:47 AM - Software Distribution Service 3.0
    RP41: 12/28/2011 5:41:24 PM - Software Distribution Service 3.0
    RP42: 12/29/2011 9:42:45 AM - Software Distribution Service 3.0
    RP43: 12/31/2011 8:02:09 AM - Software Distribution Service 3.0
    RP44: 1/1/2012 10:39:41 AM - Software Distribution Service 3.0
    RP45: 1/3/2012 7:41:13 AM - Software Distribution Service 3.0
    RP46: 1/10/2012 7:47:26 AM - Printer Driver AdobePSGenericPostScriptPrinter Installed
    RP47: 1/10/2012 7:53:16 AM - Printer Driver AdobePS Acrobat Distiller Installed
    RP48: 1/10/2012 7:53:33 AM - Printer Driver Acrobat PDFWriter Installed
    RP49: 1/12/2012 1:44:07 PM - Software Distribution Service 3.0
    RP50: 1/18/2012 5:13:52 PM - Software Distribution Service 3.0
    RP51: 1/19/2012 4:02:16 PM - Installed TurboTax 2011 wrapper
    RP52: 1/21/2012 10:43:09 PM - Software Distribution Service 3.0
    RP53: 1/21/2012 11:42:43 PM - Software Distribution Service 3.0
    RP54: 1/31/2012 5:16:21 PM - Software Distribution Service 3.0
    RP55: 2/6/2012 9:00:33 PM - Software Distribution Service 3.0
    RP56: 2/15/2012 8:37:33 AM - IObit Uninstaller restore point
    RP57: 2/15/2012 8:40:50 AM - IObit Uninstaller restore point
    RP58: 2/15/2012 8:41:57 AM - Removed Apple Application Support
    RP59: 2/15/2012 8:43:32 AM - IObit Uninstaller restore point
    RP60: 2/15/2012 8:43:46 AM - Removed Apple Software Update
    RP61: 2/15/2012 8:45:01 AM - IObit Uninstaller restore point
    RP62: 2/15/2012 8:46:02 AM - IObit Uninstaller restore point
    RP63: 2/15/2012 8:47:36 AM - IObit Uninstaller restore point
    RP64: 2/15/2012 8:55:01 AM - IObit Uninstaller restore point
    RP65: 2/15/2012 8:56:09 AM - IObit Uninstaller restore point
    RP66: 2/15/2012 8:56:34 AM - Removed The Hulk(TM)
    RP67: 2/15/2012 9:05:52 AM - IObit Uninstaller restore point
    RP68: 2/15/2012 9:11:18 AM - IObit Uninstaller restore point
    RP69: 2/15/2012 9:14:10 AM - IObit Uninstaller restore point
    RP70: 2/15/2012 9:19:11 AM - IObit Uninstaller restore point
    RP71: 2/15/2012 1:05:06 PM - Unsigned driver install
    RP72: 2/15/2012 1:11:22 PM - Removed Microsoft Picture It! Photo 2002
    RP73: 2/16/2012 9:16:41 AM - Printer Driver Acrobat PDFWriter Installed
    RP74: 2/21/2012 9:36:42 AM - Software Distribution Service 3.0
    RP75: 2/21/2012 4:40:49 PM - Software Distribution Service 3.0
    RP76: 3/9/2012 6:56:32 PM - Software Distribution Service 3.0
    RP77: 3/19/2012 10:31:58 PM - Software Distribution Service 3.0
    RP78: 3/20/2012 5:32:54 PM - Removed Adobe Reader 6.0
    RP79: 3/20/2012 5:33:49 PM - Installed Adobe Reader X (10.1.2).
    RP80: 3/20/2012 7:52:06 PM - Software Distribution Service 3.0
    RP81: 3/21/2012 7:57:21 AM - Restore Operation
    RP82: 3/21/2012 8:30:51 AM - Restore Operation
    RP83: 3/21/2012 9:00:56 AM - Restore Operation
    RP84: 3/21/2012 1:17:14 PM - Installed Microsoft Visual C++ 2005 Redistributable
    RP85: 3/21/2012 9:27:32 PM - Restore Operation
    RP86: 3/21/2012 10:33:39 PM - Software Distribution Service 3.0
    RP87: 3/23/2012 3:35:57 PM - Software Distribution Service 3.0
    RP88: 3/24/2012 4:02:05 PM - Software Distribution Service 3.0
    .
    ==== Hosts File Hijack ======================
    .
    .
    ==== Installed Programs ======================
    .
    .
    ==== Event Viewer Messages From Past Week ========
    .
    .
    ==== End Of File ===========================

    I appreciate the help in resolving this. Let me know what further instruction you need me to do.

    Thanks
  4. Broni

    Broni Malware Annihilator Posts: 46,178   +251

    Your MBAM log says "No action taken".
    Re-run it, FIX all issues and post new log.

    Then....

    Let's see, if we can recover your missing features.
    Download and run UnHide
    Let me know, if it worked.
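An added triage script, not a tool from this thread or from Broni's instructions, that parses the two log formats posted above: Malwarebytes detection lines, flagging those still marked "No action taken", and DDS "Hosts:" lines, grouping entries that redirect names to a routable address instead of blocking them at loopback. Sample lines are taken from the logs above plus two constructed contrast lines, and `ads.example.invalid` is a placeholder name.

```python
"""Triage helper for the Malwarebytes (MBAM 1.x) and DDS logs in this thread.
Added example, not a tool from the thread: it answers two of the helper's
first questions: were the detections actually removed, and does the hosts
file redirect (rather than block) lookups?"""
import re
from collections import defaultdict

# Excerpt of the MBAM log posted above; the last line is constructed to show
# the wording MBAM 1.x uses once an item has been removed.
MBAM_SAMPLE = r"""
Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5D60FF48-95BE-4956-B4C6-6BB168A70310} (Trojan.KeenValue) -> No action taken.

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page_bak (Hijack.SearchPage) -> Bad: (http://www.idgsearch.com/) Good: (http://www.Google.com/) -> No action taken.

Files Detected: 2
C:\Documents and Settings\Garry S. Glover\Engine.dll (Trojan.GamesThief) -> No action taken.
C:\Program Files\Save\save.db (Adware.WhenU) -> Quarantined and deleted successfully.
"""

# Excerpt of the DDS "Hosts:" lines posted above plus one constructed
# loopback entry of the kind a legitimate ad-blocking hosts file contains
# (ads.example.invalid is a placeholder name).
DDS_SAMPLE = """
Hosts: 69.56.223.196 t.rack.cc
Hosts: 69.56.223.196 www.alfa-search.com
Hosts: 69.56.223.196 www.seznam.cz
Hosts: 127.0.0.1 ads.example.invalid
"""

# "<item> (<family>)" is what precedes the first " -> " on a detection line.
MBAM_ITEM = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\)$")
HOSTS_LINE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)$")
# Targets that make a hosts entry a block rather than a redirect.
BLOCK_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_mbam(text):
    """Return one dict per detection line: item, threat family and action taken."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if " -> " not in line:
            continue  # section headers, blank lines, "(end)"
        head, _, action = line.rpartition(" -> ")
        # Detail fields ("Data:", "Bad: ... Good: ...") sit between the first
        # and the last arrow; the item and family sit before the first one.
        m = MBAM_ITEM.match(head.split(" -> ", 1)[0])
        if m:
            findings.append({"item": m["item"], "family": m["family"],
                             "action": action.rstrip(".")})
    return findings


def unresolved(findings):
    """Detections that were only reported, i.e. the log was saved before
    'Remove Selected' was clicked (the point raised in the reply above)."""
    return [f for f in findings if f["action"] == "No action taken"]


def hosts_redirects(text):
    """Group DDS 'Hosts:' entries by target, keeping only routable targets.
    A blocklist maps names to loopback/null; a hijack maps them to an address
    the attacker controls, so every listed name silently lands there."""
    by_ip = defaultdict(list)
    for raw in text.splitlines():
        m = HOSTS_LINE.match(raw.strip())
        if m and m["ip"] not in BLOCK_TARGETS:
            by_ip[m["ip"]].append(m["host"])
    return dict(by_ip)


def triage(mbam_text, dds_text):
    """Summarise both logs the way a helper would read them."""
    findings = parse_mbam(mbam_text)
    return {
        "detections": len(findings),
        "unresolved": [f["item"] for f in unresolved(findings)],
        "families": sorted({f["family"] for f in findings}),
        "hosts_redirects": hosts_redirects(dds_text),
    }


if __name__ == "__main__":
    for key, value in triage(MBAM_SAMPLE, DDS_SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against a full pasted log: three of the four sample detections come back as unresolved, and every sample hosts entry except the loopback one is reported under the single redirect target.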
  5. GloverG

    GloverG Newcomer, in training Topic Starter Posts: 49

    Log Response

    Broni,

    Sorry, I pulled the log off for you before fixing the 11 issues. The issues were fixed. Do you want me to run the program again just to confirm? Also, I did run the unhide software, and it didn't unhide the files. To give you some background: once I saw that my My Documents files were missing (C: drive files were left alone), and prior to contacting you initially, I performed about 4 Windows restores to earlier dates to try and get my files back, but realized restores do not affect personal files. I then contacted IOLO tech support for help. The interesting thing is, when I contacted IOLO tech support about this issue, they ran a search for %temp% and then loaded their own unhide software onto my computer, which they then deleted off my computer. As their unhide software ran, it did not function like the Bleeping software version. It was as if they knew where the issue was and were searching for a particular area or file. I don't know if the restores I performed destroyed the file they were looking for, but after the IOLO tech support tried their unhide version, the technician commented that the problem was unresolvable and hung up.
  6. GloverG

    GloverG Newcomer, in training Topic Starter Posts: 49

    Malwarebytes log updated

    Broni,

    I decided to run the Malwarebytes software again and send you an updated log. Here is the information from that log:

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.24.02

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Garry S. Glover :: DDQSKV11 [administrator]

    3/25/2012 1:27:17 AM
    mbam-log-2012-03-25 (01-27-17).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 219284
    Time elapsed: 11 minute(s), 2 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
  7. Broni

    Broni Malware Annihilator Posts: 46,178   +251

    Did my UnHide work?
  8. GloverG

    GloverG Newcomer, in training Topic Starter Posts: 49

    Unhide text response

    I ran the unhide program referenced in your post. Here is the text:

    Unhide by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2012 BleepingComputer.com
    More Information about Unhide.exe can be found at this link:
    http://www.bleepingcomputer.com/forums/topic405109.html

    Program started at: 03/26/2012 08:20:11 AM
    Windows Version: Windows XP

    Please be patient while your files are made visible again.

    Processing the C:\ drive
    Finished processing the C:\ drive. 90992 files processed.

    On the original it ended with: Temp doesn't exist. Unhide terminated.

    I assume you saw the post stating that the GMER did not function?
    Also, after IOLO was on my computer, I keep getting this Desktop INI file that runs:

    [.ShellClassInfo]
    LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
  9. GloverG

    GloverG Newcomer, in training Topic Starter Posts: 49

    Unhide supplemental

    My Document files are still missing after running all the unhide programs.
  10. Broni

    Broni Malware Annihilator Posts: 46,178   +251

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ==================================================================

    Download Bootkit Remover to your desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
  11. GloverG

    GloverG Newcomer, in training Topic Starter Posts: 49

    ASW and Bootkit logs

    The ASW log follows:

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-26 19:14:26
    -----------------------------
    19:14:26.062 OS Version: Windows 5.1.2600 Service Pack 3
    19:14:26.062 Number of processors: 1 586 0x204
    19:14:26.062 ComputerName: DDQSKV11 UserName:
    19:14:39.078 Initialze error C000003A - driver not loaded
    19:32:17.875 AVAST engine defs: 12032602
    19:32:32.687 Service scanning
    19:37:34.921 Modules scanning
    19:37:35.109 Disk 0 trace - called modules:
    19:37:35.109
    19:37:53.234 AVAST engine scan C:\WINDOWS
    19:38:41.171 AVAST engine scan C:\WINDOWS\system32
    19:46:03.093 AVAST engine scan C:\WINDOWS\system32\drivers
    19:46:24.671 AVAST engine scan C:\Documents and Settings\Garry S. Glover
    19:47:38.718 AVAST engine scan C:\Documents and Settings\All Users
    19:48:01.375 Scan finished successfully
    19:48:38.593 The log file has been saved successfully to "C:\Documents and Settings\Garry S. Glover\My Documents\Downloads\Broni File\aswMBR.txt"


    The Bootkit Remover log created:

    [.ShellClassInfo]
    LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

    Looks awfully suspicious, but this is the same as the Desktop.INI file Windows runs each time I reboot the system. This was not the data contained in the black screen.
  12. GloverG

    GloverG Newcomer, in training Topic Starter Posts: 49

    aswMBR

    When I ran this program, it did not create an MBR.dat file on my desktop. Just thought I'd bring that to your attention.
  13. Broni

    Broni Malware Annihilator Posts: 46,178   +251

    Re-run aswMBR and be more patient.
    It doesn't look like the scan has completed.

    Re-run Bootkit Remover one more time.
    It's not the correct log.
  14. GloverG

    GloverG Newcomer, in training Topic Starter Posts: 49

    ASW and Bootkit logs 2nd run

    I reran the aswMBR software. This software gives you 4 choices of what to run a scan on: Quickscan, C:, ..., (none). So I ran 3 more quick scans and received the same log I gave you before. I then decided to run it against C:, and here is the log from that run:

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-26 22:40:29
    -----------------------------
    22:40:29.437 OS Version: Windows 5.1.2600 Service Pack 3
    22:40:29.437 Number of processors: 1 586 0x204
    22:40:29.437 ComputerName: DDQSKV11 UserName:
    22:40:31.156 Initialze error C000003A - driver not loaded
    22:41:17.171 AVAST engine defs: 12032602
    22:41:55.656 Service scanning
    22:43:39.093 Modules scanning
    22:43:39.093 Disk 0 trace - called modules:
    22:43:39.093
    22:43:41.468 AVAST engine scan C:\
    23:15:36.328 File: C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP85\A0030219.exe **INFECTED** Win32:QHost-CAH [Trj]
    23:15:36.687 File: C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP85\A0030221.exe **INFECTED** Win32:Adware-gen [Adw]
    23:38:29.281 Scan finished successfully
    23:39:49.734 The log file has been saved successfully to "C:\Documents and Settings\Garry S. Glover\My Documents\Downloads\Broni File\aswMBR_C.txt"

    I then ran aswMBR as Administrator in Safe Mode and got the following log:

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-27 07:48:24
    -----------------------------
    07:48:24.812 OS Version: Windows 5.1.2600 Service Pack 3
    07:48:24.812 Number of processors: 1 586 0x204
    07:48:24.812 ComputerName: DDQSKV11 UserName:
    07:48:26.203 Initialize success
    07:49:21.421 AVAST engine download error: 0
    07:50:35.671 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    07:50:35.687 Disk 0 Vendor: ST380021A 3.75 Size: 76319MB BusType: 3
    07:50:35.734 Disk 0 MBR read successfully
    07:50:35.750 Disk 0 MBR scan
    07:50:35.781 Disk 0 Windows XP default MBR code
    07:50:35.812 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 31 MB offset 63
    07:50:35.843 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 76285 MB offset 64260
    07:50:35.875 Disk 0 scanning sectors +156296385
    07:50:36.000 Disk 0 scanning C:\WINDOWS\system32\drivers
    07:50:55.609 Service scanning
    07:51:53.500 Modules scanning
    07:52:15.093 Disk 0 trace - called modules:
    07:52:15.156 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys
    07:52:17.250 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x827a2030]
    07:52:17.390 3 CLASSPNP.SYS[f9a42fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8275ad48]
    07:52:17.515 Scan finished successfully
    07:53:29.531 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
    07:53:29.578 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR_AD.txt"

    I hope one of these is what you were looking for.

    On the Bootkit Remover, running normally and in Safe Mode yielded the same results from the Ctrl+C and Ctrl+V directions. However, I did notice it always left a debug log, which I'm including as follows:


    .\debug.cpp(238) : Debug log started at 27.03.2012 - 12:03:05
    .\boot_cleaner.cpp(527) : Bootkit Remover
    .\boot_cleaner.cpp(528) : (c) 2009 Esage Lab
    .\boot_cleaner.cpp(529) : www.esagelab.com
    .\boot_cleaner.cpp(533) : Program version: 1.2.0.1
    .\boot_cleaner.cpp(540) : OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    .\debug.cpp(248) : **********************************************
    .\debug.cpp(249) : *** [ LOADED MODULES INFORMATION ] ***********
    .\debug.cpp(250) : **********************************************
    .\debug.cpp(256) : 0xbf000000 0x00012000 "\SystemRoot\System32\drivers\dxg.sys"
    .\debug.cpp(256) : 0xfa0b4000 0x00001000 "\SystemRoot\System32\drivers\dxgthk.sys"
    .\debug.cpp(256) : 0xbff50000 0x00003000 "\SystemRoot\System32\framebuf.dll"
    .\debug.cpp(256) : 0xbf012000 0x00047000 "\SystemRoot\System32\ATMFD.DLL"
    .\debug.cpp(256) : 0xf93f6000 0x0000c000 "\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aswMBR.sys"
    .\debug.cpp(256) : 0x7c900000 0x000b2000 "\WINDOWS\SYSTEM32\ntdll.dll"
    .\debug.cpp(263) : **********************************************
    .\debug.cpp(307) : *** [ DEVICE OBJECTS INFORMATION ] ***********
    .\debug.cpp(308) : **********************************************
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\D:"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY1"
    .\debug.cpp(400) : Destination "\Device\Video0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDIS"
    .\debug.cpp(400) : Destination "\Device\Ndis"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\aswMBR"
    .\debug.cpp(400) : Destination "\Device\aswMBR"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0C#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\00000045"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ffbb6e3f-ccfe-4d84-90d9-421418b03a8e}"
    .\debug.cpp(400) : Destination "\Device\00000040"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&27b1dfe0&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk1\DP(1)0-0+4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\E:"
    .\debug.cpp(400) : Destination "\Device\CdRom1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{17bf7957-cfb1-11d6-95de-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHL-DT-ST_CD-RW_GCE-8400B________________B104____#5&7208d00&0&0.1.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T1L0-17"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&30a96598&0&SignatureE4651A0AOffset1F60800Length129FD37A00#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\sfsync02i"
    .\debug.cpp(400) : Destination "\Device\sfsync02i"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3c0d501a-140b-11d1-b40f-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000040"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&737e51b&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\F:"
    .\debug.cpp(400) : Destination "\Device\Harddisk1\DP(1)0-0+4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WMIDataDevice"
    .\debug.cpp(400) : Destination "\Device\WMIDataDevice"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHL-DT-ST_CD-RW_GCE-8400B________________B104____#5&7208d00&0&0.1.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T1L0-17"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{dff220f3-f70f-11d0-b917-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000040"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PIPE"
    .\debug.cpp(400) : Destination "\Device\NamedPipe"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\sfhlp02i"
    .\debug.cpp(400) : Destination "\Device\sfhlp02i"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{2eb07ea0-7e70-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000040"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0303#4&33a96545&0#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000056"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{17bf7959-cfb1-11d6-95de-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\Floppy0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\UNC"
    .\debug.cpp(400) : Destination "\Device\Mup"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgrMsg"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgrMsg"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHL-DT-ST_CD-RW_GCE-8400B________________B104____#5&7208d00&0&0.1.0#{1186654d-47b8-48b9-beb9-7df113ae3c67}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T1L0-17"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000040"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD0"
    .\debug.cpp(400) : Destination "\Device\USBFDO-0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\I2OExec"
    .\debug.cpp(400) : Destination "\Device\I2OExec"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0F13#4&33a96545&0#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000057"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\sfdrv01"
    .\debug.cpp(400) : Destination "\Device\sfdrv01"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD1"
    .\debug.cpp(400) : Destination "\Device\USBFDO-1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive0"
    .\debug.cpp(400) : Destination "\Device\Harddisk0\DR0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{53172480-4791-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000040"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PRN"
    .\debug.cpp(400) : Destination "\DosDevices\LPT1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USBSTOR#Disk&Ven_JetFlash&Prod_Transcend_4GB&Rev_8.07#N8DOMYFA&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\0000005f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom0"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{97ebaacb-95bd-11d0-a3ea-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000040"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&1b192bea&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive1"
    .\debug.cpp(400) : Destination "\Device\Harddisk1\DR3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom1"
    .\debug.cpp(400) : Destination "\Device\CdRom1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Global"
    .\debug.cpp(400) : Destination "\GLOBAL??"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#FixedButton#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\00000049"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{229d6358-74f5-11e1-a118-0008a1044128}"
    .\debug.cpp(400) : Destination "\Device\Harddisk1\DP(1)0-0+4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomLite-On_LTN486S_48x_Max_________________YDS4____#5&7208d00&0&0.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_058f&Pid_6387#N8DOMYFA#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{9ea331fa-b91b-45f8-9285-bd2bc77afcde}"
    .\debug.cpp(400) : Destination "\Device\00000040"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad809c00-7b88-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000040"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3e227e76-690d-11d2-8161-0000f8775bf1}"
    .\debug.cpp(400) : Destination "\Device\00000040"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomLite-On_LTN486S_48x_Max_________________YDS4____#5&7208d00&0&0.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\sfdrv01i"
    .\debug.cpp(400) : Destination "\Device\sfdrv01i"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#DiskST380021A_______________________________3.75____#483331564c565931202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP0T0L0-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MountPointManager"
    .\debug.cpp(400) : Destination "\Device\MountPointManager"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\sfsync02"
    .\debug.cpp(400) : Destination "\Device\sfsync02"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#ftdisk#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\sfhlp02"
    .\debug.cpp(400) : Destination "\Device\sfhlp02"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FDC#GENERIC_FLOPPY_DRIVE#5&351c866&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\FloppyPDO0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\A:"
    .\debug.cpp(400) : Destination "\Device\Floppy0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000040"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{17bf7958-cfb1-11d6-95de-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\CdRom1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{bf963d80-c559-11d0-8a2b-00a0c9255ac1}"
    .\debug.cpp(400) : Destination "\Device\00000040"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi0:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MxlW2k"
    .\debug.cpp(400) : Destination "\Device\MxlW2k"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{4747b320-62ce-11cf-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000040"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{a7c7a5b1-5af3-11d1-9ced-00a024bf0407}"
    .\debug.cpp(400) : Destination "\Device\00000040"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi1:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FtControl"
    .\debug.cpp(400) : Destination "\Device\FtControl"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgr"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgr"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\C:"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2444&SUBSYS_010C1028&REV_04#3&172e68dd&0&FC#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0007"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\AUX"
    .\debug.cpp(400) : Destination "\DosDevices\COM1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MAILSLOT"
    .\debug.cpp(400) : Destination "\Device\MailSlot"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\GLOBALROOT"
    .\debug.cpp(400) : Destination ""
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NUL"
    .\debug.cpp(400) : Destination "\Device\Null"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&27b1dfe0&0&RM#{53f5630a-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk1\DP(1)0-0+4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_MOU#0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\0000003f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2442&SUBSYS_010C1028&REV_04#3&172e68dd&0&FA#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0005"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_KBD#0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\0000003e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{17bf7956-cfb1-11d6-95de-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
    .\debug.cpp(409) : --
    .\debug.cpp(453) : **********************************************
    .\boot_cleaner.cpp(565) : System volume is \\.\C:
    .\boot_cleaner.cpp(600) : \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`01f60800
    .\boot_cleaner.cpp(276) : Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd
    .\boot_cleaner.cpp(1061) :
    .\boot_cleaner.cpp(1062) : Size Device Name MBR Status
    .\boot_cleaner.cpp(1063) : --------------------------------------------
    .\boot_cleaner.cpp(1107) : 74 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
    .\boot_cleaner.cpp(1113) :
    .\boot_cleaner.cpp(1152) : Done;

    Let me know if none of these is what you expected. I made all these downloads with Microsoft Essentials off. When I ran Bootkit Remover, the window showed the following:

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esage.com
    Program version: 1.2.0.1
    OS version: microsoft windows XP home edition service pack 3 (build 2600)
    System Volume is \\.\C:
    \\.\C:->\\.\Physical Drive0 at offset 0x00000000'01f60800
    Boot sector MD5 is:6def5ffcbcdbdb4082f1015625e597bd
    Size Device MBR Status
    74GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)

    Done;
    Press any key to Quit . . .

    This window displayed all these contents every time and very quickly. I waited one time for an hour to see if it would continue but to no avail. When I "selected all" and "Ctrl C", "opened a notepad" and "Ctrl V", I got the log contents I showed you before that looked like the Desktop INI notepad. I have not been successful in getting a functional response from Bootkit Remover. Could the infection in the aswMBR be keeping Bootkit Remover from performing as expected?
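    Reading the aswMBR and Bootkit Remover output above by hand is slow. The parser below pulls the loaded kernel modules, the drive-letter symbolic links, the boot-sector MD5 and the MBR status rows out of that log format and applies the triage rule an analyst would apply to the module list: a driver loaded from %TEMP% or from a user profile directory gets a second look. This is an added example written for this page; it is not code from the thread, from avast's aswMBR or from Esage Lab's Bootkit Remover. It assumes only the line shapes visible in the pasted log (the `.\<file>.cpp(<line>) : ` prefix, the module lines, the SymbolicLink/Destination pairs and the boot_cleaner rows) and runs on a constructed sample with a placeholder MD5.

```python
"""Triage helper for aswMBR-style debug logs (added example, not the tool's code)."""
import re

# One line of the log: '.\<source>.cpp(<line>) : <payload>'
LINE_RE = re.compile(r'^\s*\.\\(?P<src>\w+)\.cpp\((?P<ln>\d+)\) : (?P<body>.*)$')
# Loaded-module payload: '<base> <size> "<path>"'
MODULE_RE = re.compile(r'^(?P<base>0x[0-9a-fA-F]+) (?P<size>0x[0-9a-fA-F]+) "(?P<path>.*)"$')
LINK_RE = re.compile(r'^SymbolicLink "(?P<name>.*)"$')
DEST_RE = re.compile(r'^Destination "(?P<dest>.*)"$')
MD5_RE = re.compile(r'^Boot sector MD5 is: (?P<md5>[0-9a-fA-F]{32})$')
# MBR status row: '<size> GB \\.\PhysicalDriveN <status> (<detail>)'
MBR_RE = re.compile(r'^(?P<size>\d+ GB) (?P<dev>\\\\\.\\PhysicalDrive\d+) (?P<status>\w+) \((?P<detail>[^)]*)\)$')

# Directories a kernel driver has no business being loaded from on a clean box.
# The scanner's own driver (aswMBR.sys) legitimately runs from %TEMP%, so a hit
# here is a lead for the analyst to clear, not a verdict.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\", "\\users\\")

# Constructed sample shaped like the pasted log; the MD5 is a placeholder.
SAMPLE_LOG = r"""
    .\debug.cpp(256) : 0xf9885000 0x0008d000 "Ntfs.sys"
    .\debug.cpp(256) : 0xf9a72000 0x0000d000 "\SystemRoot\System32\DRIVERS\i8042prt.sys"
    .\debug.cpp(256) : 0xf93f6000 0x0000c000 "\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aswMBR.sys"
    .\debug.cpp(256) : 0x7c900000 0x000b2000 "\WINDOWS\SYSTEM32\ntdll.dll"
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\C:"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\aswMBR"
    .\debug.cpp(400) : Destination "\Device\aswMBR"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\GLOBALROOT"
    .\debug.cpp(400) : Destination ""
    .\debug.cpp(409) : --
    .\boot_cleaner.cpp(276) : Boot sector MD5 is: 00112233445566778899aabbccddeeff
    .\boot_cleaner.cpp(1107) : 74 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
"""


def parse_log(text):
    """Return the modules, symbolic links, boot-sector MD5 and MBR rows found in text."""
    result = {"modules": [], "links": {}, "boot_md5": None, "mbr": []}
    pending_link = None  # SymbolicLink name waiting for its Destination line
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank line or something that is not part of the log
        body = m.group("body")
        if (mm := MODULE_RE.match(body)):
            result["modules"].append({
                "base": int(mm.group("base"), 16),
                "size": int(mm.group("size"), 16),
                "path": mm.group("path"),
            })
        elif (lm := LINK_RE.match(body)):
            pending_link = lm.group("name")
        elif (dm := DEST_RE.match(body)):
            if pending_link is not None:
                result["links"][pending_link] = dm.group("dest")
        elif body == "--":
            pending_link = None  # end of one SymbolicLink record
        elif (hm := MD5_RE.match(body)):
            result["boot_md5"] = hm.group("md5").lower()
        elif (bm := MBR_RE.match(body)):
            result["mbr"].append(bm.groupdict())
    return result


def suspicious_modules(modules):
    """Paths of loaded modules that live in user-writable directories."""
    hits = []
    for mod in modules:
        low = mod["path"].lower()
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            hits.append(mod["path"])
    return hits


def drive_map(links):
    """Map DOS drive letters (C:, D:, ...) to the NT device each link resolves to."""
    prefix = "\\GLOBAL??\\"
    out = {}
    for name, dest in links.items():
        short = name[len(prefix):] if name.startswith(prefix) else name
        if len(short) == 2 and short[1] == ":" and short[0].isalpha():
            out[short.upper()] = dest
    return out


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("modules loaded:", len(parsed["modules"]))
    print("drive letters:", drive_map(parsed["links"]))
    print("boot sector MD5:", parsed["boot_md5"])
    for row in parsed["mbr"]:
        print("MBR:", row["dev"], row["status"], "-", row["detail"])
    for path in suspicious_modules(parsed["modules"]):
        print("review:", path)
```

    Run against the log pasted above, the only module this rule surfaces is aswMBR.sys itself, which is the scanner's own driver and is expected in the Temp directory it was launched from; the value of the check is that anything else loaded from such a location would show up in the same list. The drive map (C: resolving to \Device\HarddiskVolume2) and the MBR row can be compared directly against what Bootkit Remover prints, which is the same "OK (DOS/Win32 Boot code found)" status for PhysicalDrive0.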
  15. GloverG

    GloverG Newcomer, in training Topic Starter Posts: 49

    aswMBR dat file

    Also, running in safe mode as administrator was the only time I received the file aswMBR.dat file on the desktop
  16. Broni

    Broni Malware Annihilator Posts: 46,178   +251

    You did well this time :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  17. GloverG

    GloverG Newcomer, in training Topic Starter Posts: 49

    ComboFix and Rkill attempts

    I deactivated all antivirus and security programs. I even ran AppRemover; it identified Microsoft Security Essentials and I uninstalled that program.

    I tried running ComboFix in Normal mode; it began deleting and extracting files and then the screen just went black. I let it run all night but nothing else happened.

    I then tried ComboFix in Safe mode; it made it through deleting and extracting files, but as soon as it began the output folder process (this is about 3/4 of the way through), the computer crashed and a blue screen appeared stating that a problem had been detected and Windows had been shut down to prevent damage to the computer.

    I then deleted ComboFix, reloaded and ran in Safe mode only. Once again, the computer crashed at the output folder and stated the same as above.

    I then deleted ComboFix again, downloaded Rkill.com and ComboFix and saved in my name. Rkill functioned properly but when running ComboFix, it began deleting and extracting files and then the screen went black again.

    I rebooted and brought up in Safe Mode and ran Rkill.com again; it again ran properly, but ComboFix ran through all deleting and extracting files and, when output folder came up, the computer crashed with the same warning screen as before.

    I repeated deleting the Rkill and ComboFix programs and downloaded the next two Rkills (.scr and .exe), and when I downloaded ComboFix I gave it different versions of my name (used my initials first and then my middle name). Ran both in normal and Safe Mode again but the same things happened again.

    I also tried different variations by leaving the internet connection up or down. Neither had any browsers open just an internet connection or not.

    I'm unable to download the programs in Safe Mode so I had to download in Normal mode, reboot in Safe Mode, and then run the programs.

    Each time I boot in Normal mode, I'm still getting the Desktop.ini file that pops up, but twice now. Windows allows me to close both.
  18. Broni

    Broni Malware Annihilator Posts: 46,178   +251

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\tasks\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  19. GloverG

    GloverG Newcomer, in training Topic Starter Posts: 49

    OTL logs response

    I ran the OTL program in normal mode. Here are the contents of the Extras.txt log:

    OTL Extras logfile created on: 3/28/2012 9:44:04 PM - Run 1
    OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\Garry S. Glover\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    255.01 Mb Total Physical Memory | 152.21 Mb Available Physical Memory | 59.69% Memory free
    618.04 Mb Paging File | 486.52 Mb Available in Paging File | 78.72% Paging File free
    Paging file location(s): C:\pagefile.sys 384 768 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 74.50 Gb Total Space | 41.56 Gb Free Space | 55.79% Space Free | Partition Type: NTFS

    Computer Name: DDQSKV11 | User Name: Garry S. Glover | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
    "C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe" = C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe -- (Hewlett-Packard Development Co. L.P.)
    "C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe:*:Enabled:hpqsudi.exe -- (Hewlett-Packard Development Co. L.P.)
    "C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe:*:Enabled:hpqpsapp.exe -- (Hewlett-Packard Development Co. L.P.)
    "C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe:*:Enabled:hpqpse.exe -- (Hewlett-Packard Development Co. L.P.)
    "C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe:*:Enabled:hpqusgm.exe -- (Hewlett-Packard Co.)
    "C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe:*:Enabled:hpqusgh.exe -- (Hewlett-Packard Co.)
    "C:\Program Files\HP\Digital Imaging\Smart Web Printing\SmartWebPrintExe.exe" = C:\Program Files\HP\Digital Imaging\Smart Web Printing\SmartWebPrintExe.exe:*:Enabled:smartwebprintexe.exe -- (Hewlett-Packard Co.)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
    "C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe" = C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe -- (Hewlett-Packard Development Co. L.P.)
    "C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe:*:Enabled:hpqsudi.exe -- (Hewlett-Packard Development Co. L.P.)
    "C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe:*:Enabled:hpqpsapp.exe -- (Hewlett-Packard Development Co. L.P.)
    "C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe:*:Enabled:hpqpse.exe -- (Hewlett-Packard Development Co. L.P.)
    "C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe:*:Enabled:hpqusgm.exe -- (Hewlett-Packard Co.)
    "C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe:*:Enabled:hpqusgh.exe -- (Hewlett-Packard Co.)
    "C:\Program Files\HP\Digital Imaging\Smart Web Printing\SmartWebPrintExe.exe" = C:\Program Files\HP\Digital Imaging\Smart Web Printing\SmartWebPrintExe.exe:*:Enabled:smartwebprintexe.exe -- (Hewlett-Packard Co.)
    "C:\WINDOWS\SYSTEM32\USMT\migwiz.exe" = C:\WINDOWS\SYSTEM32\USMT\migwiz.exe:*:Disabled:Files and Settings Transfer Wizard -- (Microsoft Corporation)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{05F26168-B5E6-4118-B510-FBD1BFB423FA}" = Microsoft Office Project 2007 Step by Step
    "{0CE5F45E-F6CC-4638-B0DD-BB7F6EF56713}" = HP Deskjet D1500 Printer Driver Software 10.0 Rel .3
    "{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox
    "{0F8267D9-3E3D-4187-83AE-863207A935CC}" = MX-3000 Editor
    "{1243EFD1-E2A7-4A57-976B-29EC6CA855F7}" = CC2-Pro
    "{127B684B-A002-44C8-99A7-6CF8F1E26873}" = PunkBuster for Battlefield 1942
    "{18669FF9-C8FE-407a-9F70-E674896B1DB4}" = GPBaseService
    "{280C7673-2DF8-4E74-B031-D8F108BE2A6D}" = PRO200WL
    "{305468A6-DE2D-43ba-A168-2F45A97A89DA}" = DJ_SF_03_D1500_Software_Min
    "{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{36FDBE6E-6684-462b-AE98-9A39A1B200CC}" = HPProductAssistant
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{47836B39-2465-4F39-9D7E-52F70A1C3D72}" = Axis & Allies
    "{52A69E11-7CEB-4a7d-9607-68BA4F39A89B}" = DeviceDiscovery
    "{54BB0384-1C33-488F-A95B-877E480D3EDC}" = MSXML 4.0
    "{54DD126C-E5F5-404C-B4B7-66DF7FD4F2FF}" = MSSoap
    "{5ACE69F0-A3E8-44eb-88C1-0A841E700180}" = TrayApp
    "{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
    "{6790B26E-19BC-46E2-8206-BCC9B4984E88}" = CC2-Pro Demo
    "{687FEF8A-8597-40b4-832C-297EA3F35817}" = BufferChm
    "{698D7E61-E4BF-4CA6-8A09-CF6BDBFDEF65}" = Battlefield 1942
    "{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
    "{7AEF6F04-BCAD-4AC1-A77D-D69EE1BAF6D8}" = Tome of Ultimate Mapping
    "{8A85DEAD-7C1F-4368-881C-72AC74CB2E91}" = UnloadSupport
    "{8FF6F5CA-4E30-4E3B-B951-204CAAA2716A}" = SmartWebPrinting
    "{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_PRJPROR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_PRJPROR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_PRJPROR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}_PRJPROR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-00B4-0409-0000-0000000FF1CE}" = Microsoft Office Project MUI (English) 2007
    "{90120000-00B4-0409-0000-0000000FF1CE}_PRJPROR_{F3CD3F3F-726C-4414-A1FE-5CD0968313EA}" = Microsoft Office Project 2007 Service Pack 3 (SP3)
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}_PRJPROR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90D55A3F-1D99-4C94-A77E-46DC14F0BF08}" = Help and Support Customization
    "{91120000-003B-0000-0000-0000000FF1CE}" = Microsoft Office Project Professional 2007
    "{91120000-003B-0000-0000-0000000FF1CE}_PRJPROR_{8446EB22-A746-46DC-B1BD-E0DFA1F3CDDA}" = Microsoft Office Project 2007 Service Pack 3 (SP3)
    "{911B0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Word 2002
    "{91E8A85F-2960-40ED-BA84-7F4567BB00C0}" = Dell | Support
    "{927D5D39-5B7F-488E-ACC8-D1AEE56B4631}" = Fractal Terrains Pro Demo
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{A0B9F8DF-C949-45ed-9808-7DC5C0C19C81}" = Status
    "{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704}" = Microsoft Works 6.0
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A5AB9D5E-52E2-440e-A3ED-9512E253C81A}" = SolutionCenter
    "{A662E280-64A8-4CF5-8407-13D0808602B3}" = Call of Duty - United Offensive
    "{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
    "{B1421599-A42D-47ef-B512-B9B0317BD599}" = DJ_SF_03_D1500_Software
    "{B252ADE8-8F39-4CBD-89CB-5919008754FE}" = VC User CRT71 RTL X86 ---
    "{B73B4A99-4173-4747-BBEC-0F05E966F9D2}" = Battlefield 1942: Secret Weapons of WWII
    "{BAD0FA60-09CF-4411-AE6A-C2844C8812FA}" = HP Photosmart Essential 2.5
    "{BD3DCAB0-3FE5-44FB-90DA-EFB0A2CD1387}" = Works Synchronization
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C3A439E4-7303-491F-A678-CEA36A87D517}" = Microsoft Works Suite Add-in for Microsoft Word
    "{C7340571-7773-4A8C-9EBC-4E4243B38C76}" = Microsoft XML Parser
    "{C9E14402-3631-4182-B377-6B0DFB1C0339}" = QuickTime
    "{CAF5B770-082F-40C4-853D-3973BB81BDAA}" = TurboTax 2011 WinPerTaxSupport
    "{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D057AA08-8CBF-42E3-9EAB-23B8FED1C279}" = Battlefield 1942: The Road To Rome
    "{D2E0F0CC-6BE0-490b-B08B-9267083E34C9}" = MarketResearch
    "{DC19E750-988B-4005-A355-85EF66055EFE}" = Works Suite OS Pack
    "{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01
    "{E463E171-4082-4744-A466-F7CBE8502789}" = TurboTax 2011 WinPerReleaseEngine
    "{EE556A3E-EB37-4392-9637-BAA8EC2F47FA}" = TurboTax 2011 wrapper
    "{F2E6EB42-B04D-4F63-853F-8016BF71B25A}" = VC User MFC71 RTL X86 ---
    "{FAD3D68B-2F9C-459B-AA79-C04B9090FD72}" = TurboTax 2011 WinPerFedFormset
    "AD&D Core Rules II" = Advanced Dungeons & Dragons Core Rules CD-ROM 2.0
    "Adobe Acrobat 5.0" = Adobe Acrobat 5.0
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Advanced SystemCare 4_is1" = Advanced SystemCare 4
    "ATTToolbar" = AT&T Toolbar
    "AutoREALM_is1" = AutoREALM Version 2.0
    "Axis and Allies" = Axis and Allies
    "Call of Duty" = Call of Duty
    "CalorieKing Nutrition and Exercise Manager" = CalorieKing Nutrition and Exercise Manager (remove only)
    "Campaign Mapper" = Campaign Mapper
    "CCleaner" = CCleaner
    "CdaC13Ba" = SafeCast Shared Components
    "CNXT_MODEM_PCI_VEN_14F1&DEV_2016&SUBSYS_021913E0" = Conexant HSF V92 56K RTAD Speakerphone PCI Modem
    "CoreRuleUninstKey" = AD&D Core Rules
    "DivX 5.0.1 Bundle" = DivX 5.0.1 Bundle
    "Dungeon Designer 2" = Dungeon Designer 2
    "Eusing Free Registry Cleaner" = Eusing Free Registry Cleaner
    "exPressit S.E. 2.1" = exPressit S.E. 2.1
    "FastCAD" = FastCAD
    "HP Imaging Device Functions" = HP Imaging Device Functions 10.0
    "HP Photosmart Essential" = HP Photosmart Essential 2.5
    "HP Smart Web Printing" = HP Smart Web Printing 4.60
    "HP Solution Center & Imaging Support Tools" = HP Solution Center 10.0
    "HPExtendedCapabilities" = HP Customer Participation Program 10.0
    "ie8" = Windows Internet Explorer 8
    "InstallShield_{A662E280-64A8-4CF5-8407-13D0808602B3}" = Call of Duty - United Offensive
    "MAGIX audio cleaning lab 10" = MAGIX audio cleaning lab 10
    "MAGIX audio cleaning lab 2005" = MAGIX audio cleaning lab 2005
    "MAGIX Media Manager 2004 silver" = MAGIX Media Manager 2004 silver
    "MAGIX Media Manager silver" = MAGIX Media Manager silver
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "MiniTool Power Data Recovery_is1" = MiniTool Power Data Recovery
    "NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
    "NVIDIA Display Driver" = NVIDIA Display Driver
    "Office8.0" = Microsoft Office 97, Professional Edition
    "Panzer General 2" = Panzer General 2
    "Panzer General II Demo" = Panzer General II Demo
    "PRJPROR" = Microsoft Office Project Professional 2007
    "Quick Data Recovery Pro_is1" = Quick Data Recovery Pro
    "RealPlayer 6.0" = RealPlayer Basic
    "Renegade" = Command & Conquer Renegade
    "Sid Meier's Alpha Centauri" = Sid Meier's Alpha Centauri
    "Sound Blaster Live! Value" = Sound Blaster Live! Value
    "Super Bowl Champs Screen Saver" = Super Bowl Champs Screen Saver
    "Tiberian Sun" = Command & Conquer Tiberian Sun
    "TurboTax 2011" = TurboTax 2011
    "ViewpointMediaPlayer" = Viewpoint Media Player (Remove Only)
    "Visio Technical" = Visio Technical
    "WIC" = Windows Imaging Component
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "Works2002Setup" = Microsoft Works 2002 Setup Launcher
    "Yahoo! Companion" = Yahoo! Toolbar
    "Yahoo! Mail" = att.net Internet Mail
    "Yahoo! Mail Advisor" = Yahoo! Mail Advisor
    "Yahoo! Software Update" = Yahoo! Software Update
    "YInstHelper" = Yahoo! Install Manager

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 2/24/2012 5:55:50 PM | Computer Name = DDQSKV11 | Source = Application Error | ID = 1000
    Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
    module mshtml.dll, version 8.0.6001.19190, fault address 0x000b9f68.

    Error - 2/24/2012 6:20:54 PM | Computer Name = DDQSKV11 | Source = Application Error | ID = 1000
    Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
    module quicktimewebhelper.qtx, version 7.7.0.0, fault address 0x000057bd.

    Error - 2/27/2012 10:29:01 AM | Computer Name = DDQSKV11 | Source = Application Error | ID = 1000
    Description = Faulting application fcw32.exe, version 0.0.0.612, faulting module
    xpcc2.dll, version 0.0.0.0, fault address 0x0000c301.

    Error - 3/6/2012 2:48:51 PM | Computer Name = DDQSKV11 | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: This operation returned because the timeout period expired.

    Error - 3/8/2012 4:42:34 PM | Computer Name = DDQSKV11 | Source = Application Error | ID = 1000
    Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
    module mshtml.dll, version 8.0.6001.19190, fault address 0x00067978.

    Error - 3/9/2012 5:22:36 PM | Computer Name = DDQSKV11 | Source = Application Error | ID = 1000
    Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
    module mshtml.dll, version 8.0.6001.19190, fault address 0x000b9f68.

    Error - 3/20/2012 5:48:41 PM | Computer Name = DDQSKV11 | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 3/20/2012 5:50:04 PM | Computer Name = DDQSKV11 | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: This operation returned because the timeout period expired.

    Error - 3/20/2012 5:50:04 PM | Computer Name = DDQSKV11 | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: The specified server cannot perform the requested operation.

    Error - 3/20/2012 7:35:38 PM | Computer Name = DDQSKV11 | Source = Application Error | ID = 1000
    Description = Faulting application systemcheckup.exe, version 3.1.0.37, faulting
    module , version 0.0.0.0, fault address 0x00000000.

    [ System Events ]
    Error - 3/28/2012 8:28:50 AM | Computer Name = DDQSKV11 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

    Error - 3/28/2012 8:31:55 AM | Computer Name = DDQSKV11 | Source = Service Control Manager | ID = 7022
    Description = The HP CUE DeviceDiscovery Service service hung on starting.

    Error - 3/28/2012 8:41:18 AM | Computer Name = DDQSKV11 | Source = sfsync02 | ID = 262156
    Description =

    Error - 3/28/2012 8:41:50 AM | Computer Name = DDQSKV11 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service EventSystem
    with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Error - 3/28/2012 8:41:53 AM | Computer Name = DDQSKV11 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service netman with
    arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

    Error - 3/28/2012 8:42:04 AM | Computer Name = DDQSKV11 | Source = Service Control Manager | ID = 7001
    Description = The DHCP Client service depends on the NetBT service which failed
    to start because of the following error: %%31

    Error - 3/28/2012 8:42:04 AM | Computer Name = DDQSKV11 | Source = Service Control Manager | ID = 7001
    Description = The DNS Client service depends on the TCP/IP Protocol Driver service
    which failed to start because of the following error: %%31

    Error - 3/28/2012 8:42:04 AM | Computer Name = DDQSKV11 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

    Error - 3/28/2012 8:42:58 AM | Computer Name = DDQSKV11 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service netman with
    arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

    Error - 3/28/2012 8:45:46 AM | Computer Name = DDQSKV11 | Source = Service Control Manager | ID = 7022
    Description = The HP CUE DeviceDiscovery Service service hung on starting.


    < End of report >
  20. GloverG

    GloverG Newcomer, in training Topic Starter Posts: 49

    OTL text log response

    Here is the OTL.txt log response:

    Here are the contents of the OTL text log:

    OTL logfile created on: 3/28/2012 9:44:04 PM - Run 1
    OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\Garry S. Glover\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    255.01 Mb Total Physical Memory | 152.21 Mb Available Physical Memory | 59.69% Memory free
    618.04 Mb Paging File | 486.52 Mb Available in Paging File | 78.72% Paging File free
    Paging file location(s): C:\pagefile.sys 384 768 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 74.50 Gb Total Space | 41.56 Gb Free Space | 55.79% Space Free | Partition Type: NTFS

    Computer Name: DDQSKV11 | User Name: Garry S. Glover | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/03/28 21:39:41 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Garry S. Glover\Desktop\OTL.exe
    PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2001/08/17 23:36:42 | 000,024,064 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\SYSTEM32\devldr32.exe


    ========== Modules (No Company Name) ==========

    MOD - [2012/03/10 21:24:49 | 000,043,520 | ---- | M] () -- C:\WINDOWS\SYSTEM32\CmdLineExt03.dll
    MOD - [2011/05/28 14:47:00 | 000,127,376 | ---- | M] () -- C:\Program Files\IObit\Advanced SystemCare 4\ASCv4ExtMenu.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
    SRV - [2011/08/25 18:53:00 | 000,013,672 | ---- | M] (Intuit Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe -- (IntuitUpdateServiceV4)
    SRV - [2011/05/28 14:46:56 | 000,353,168 | ---- | M] (IObit) [Disabled | Stopped] -- C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe -- (AdvancedSystemCareService)
    SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Disabled | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
    SRV - [2003/03/02 13:16:38 | 000,052,736 | ---- | M] (Macrovision) [Disabled | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\CDAC11BA.EXE -- (C-DillaCdaC11BA)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
    DRV - File not found [Kernel | System | Stopped] -- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0EA12DEB-9DD0-4F92-8854-8D730B2F6788}\MpKslc492ae9a.sys -- (MpKslc492ae9a)
    DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
    DRV - [2012/02/15 10:15:24 | 000,028,276 | ---- | M] (MusicMatch, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\MxlW2k.sys -- (MxlW2k)
    DRV - [2009/09/04 13:46:04 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
    DRV - [2009/09/04 13:46:04 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
    DRV - [2008/04/13 14:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\gameenum.sys -- (gameenum)
    DRV - [2005/08/10 10:06:28 | 000,019,968 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\sfsync02.sys -- (sfsync02) StarForce Protection Synchronization Driver (version 2.x)
    DRV - [2005/08/10 08:44:04 | 000,050,688 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\sfdrv01.sys -- (sfdrv01) StarForce Protection Environment Driver (version 1.x)
    DRV - [2005/05/16 09:20:39 | 000,006,656 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\sfhlp02.sys -- (sfhlp02) StarForce Protection Helper Driver (version 2.x)
    DRV - [2003/03/02 13:16:37 | 000,011,376 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\CdaC15BA.SYS -- (CdaC15BA)
    DRV - [2002/09/11 02:31:07 | 000,008,552 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
    DRV - [2002/06/30 20:50:12 | 000,167,155 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2)
    DRV - [2002/06/30 20:49:46 | 001,172,416 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_DP.sys -- (HSF_DP)
    DRV - [2002/06/30 20:45:12 | 000,594,832 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_CNXT.sys -- (winachsf)
    DRV - [2001/11/09 07:10:36 | 000,031,744 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\Garry S. Glover\cdrmkaun.sys -- (cdrmkaun)
    DRV - [2001/08/17 14:52:24 | 000,038,144 | ---- | M] (HighPoint Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HPT3XX.SYS -- (hpt3xx)
    DRV - [2001/08/17 14:28:12 | 000,488,383 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_V124.sys -- (V124)
    DRV - [2001/08/17 14:28:12 | 000,050,751 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_TONE.sys -- (Tones)
    DRV - [2001/08/17 14:28:10 | 000,542,879 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_MSFT.sys -- (hsf_msft)
    DRV - [2001/08/17 14:28:10 | 000,073,279 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_SPKP.sys -- (SpeakerPhone)
    DRV - [2001/08/17 14:28:10 | 000,057,471 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_SAMP.sys -- (Rksample)
    DRV - [2001/08/17 14:28:08 | 000,391,199 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_K56K.sys -- (K56)
    DRV - [2001/08/17 14:28:06 | 000,289,887 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_FALL.sys -- (Fallback)
    DRV - [2001/08/17 14:28:06 | 000,199,711 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_FAXX.sys -- (SoftFax)
    DRV - [2001/08/17 14:28:06 | 000,115,807 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_FSKS.sys -- (Fsks)
    DRV - [2001/08/17 14:28:04 | 000,067,167 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_BSC2.sys -- (basic2)
    DRV - [2001/08/17 14:02:32 | 000,008,576 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\hidgame.sys -- (hidgame)
    DRV - [2001/08/17 13:50:26 | 000,731,648 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\NV4.SYS -- (nv4)
    DRV - [2001/08/17 13:19:34 | 000,036,480 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\sfmanm.sys -- (sfman) Creative SoundFont Manager Driver (WDM)
    DRV - [2001/08/17 13:19:28 | 000,006,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctlfacem.sys -- (emu10k1) Creative Interface Manager Driver (WDM)
    DRV - [2001/08/17 13:19:26 | 000,283,904 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\emu10k1m.sys -- (emu10k) Creative SB Live! (WDM)
    DRV - [2001/08/17 13:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctljystk.sys -- (ctljystk)
    DRV - [2001/08/17 13:11:42 | 000,029,696 | ---- | M] (CNet Technology, Inc. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\DM9PCI5.SYS -- (DM9102) DAVICOM 9102(A)
    DRV - [2001/08/17 13:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)
    DRV - [1999/12/17 02:00:00 | 000,006,752 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\PfModNT.sys -- (PfModNT)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page_bak = http://about-blank.biz/
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.Google.com/
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch =
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://start.earthlink.net
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://start.earthlink.net
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://about-blank.biz/
    IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar_bak = http://www.2020search.com/search/9884/search.html
    IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page_bak = http://about-blank.biz/
    IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net
    IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.Google.com/
    IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch =
    IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
    IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant_bak = http://www.2020search.com/search/9884/search.html
    IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..\URLSearchHook: - No CLSID value found
    IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
    IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..\SearchScopes,DefaultScope = {DECA3892-BA8F-44b8-A993-A466AD694AE4}
    IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..\SearchScopes\{C18B72AB-610B-4DAD-AE68-2F267C7D2951}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = http://search.yahoo.com/search?p={searchTerms}&fr=chr-atty
    IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    ========== FireFox ==========

    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Motive, Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/04/13 22:19:47 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/04/13 22:19:47 | 000,000,000 | ---D | M]


    O1 HOSTS File: ([2006/10/24 23:56:10 | 000,003,606 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: 69.56.223.196 t.rack.cc
    O1 - Hosts: 69.56.223.196 www.alfa-search.com
    O1 - Hosts: 69.56.223.196 webcoolsearch.com
    O1 - Hosts: 69.56.223.196 in.webcounter.cc
    O1 - Hosts: 69.56.223.196 i-lookup.com
    O1 - Hosts: 69.56.223.196 www.hand-book.com
    O1 - Hosts: 69.56.223.196 www.maxxxhosters.com
    O1 - Hosts: 69.56.223.196 allneedsearch.com
    O1 - Hosts: 69.56.223.196 best.royalsearch.net
    O1 - Hosts: 69.56.223.196 default-homepage-network.com
    O1 - Hosts: 69.56.223.196 xwebsearch.biz
    O1 - Hosts: 69.56.223.196 www.rightfinder.net
    O1 - Hosts: 69.56.223.196 www.search-1.net
    O1 - Hosts: 69.56.223.196 www.searchv.com
    O1 - Hosts: 69.56.223.196 www.websearch.com
    O1 - Hosts: 69.56.223.196 mysearchnow.com
    O1 - Hosts: 69.56.223.196 www.therealsearch.com
    O1 - Hosts: 69.56.223.196 www.find-itnow.com
    O1 - Hosts: 69.56.223.196 super-spider.com
    O1 - Hosts: 69.56.223.196 www.searching-the-net.com
    O1 - Hosts: 60 more lines...
    O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
    O2 - BHO: (Search Toolbar BHO Object) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - Reg Error: Value error. File not found
    O2 - BHO: (AT&&T Toolbar) - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL File not found
    O2 - BHO: (no name) - {55102325-F838-447F-93D7-D03FED8F4C3B} - Reg Error: Value error. File not found
    O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
    O3 - HKLM\..\Toolbar: (Search) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - Reg Error: Value error. File not found
    O3 - HKLM\..\Toolbar: (no name) - {5C75D98F-A3FF-4C79-A106-7E088D55D5DB} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
    O3 - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..\Toolbar\WebBrowser: (no name) - {5C75D98F-A3FF-4C79-A106-7E088D55D5DB} - No CLSID value found.
    O3 - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
    O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = _ [binary data]
    O7 - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: =
    O9 - Extra 'Tools' menuitem : Turbo Download - {1A00C40B-DA85-4aa3-A67F-582D9347EECD} - Reg Error: Value error. File not found
    O12 - Plugin for: .PD7 - C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll File not found
    O15 - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..Trusted Domains: ([]msn in My Computer)
    O15 - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1268618336953 (WUWebControl Class)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1268795703686 (MUWebControl Class)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6243CE58-9D38-4887-9C21-31FCF61A7D18}: DhcpNameServer = 192.168.1.254
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\System32\Userinit.exe) - C:\WINDOWS\SYSTEM32\userinit.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\Garry S. Glover\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Garry S. Glover\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2002/09/25 20:37:43 | 000,000,025 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: AppMgmt - %SystemRoot%\System32\appmgmts.dll File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: aux - C:\WINDOWS\System32\ctwdm32.dll (Creative Technology Ltd.)
    Drivers32: aux1 - C:\WINDOWS\System32\ctwdm32.dll (Creative Technology Ltd.)
    Drivers32: msacm.ctmp3 - C:\WINDOWS\SYSTEM32\ctmp3.acm (Microsoft Corporation)
    Drivers32: msacm.iac2 - C:\WINDOWS\SYSTEM32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\System32\L3CODECX.ACM (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\TSSOFT32.ACM (DSP GROUP, INC.)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.DIVX - C:\WINDOWS\System32\divx.dll (DivXNetworks, Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\IR32_32.DLL ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\IR32_32.DLL ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
    Drivers32: vidc.tscc - C:\WINDOWS\System32\tsccvid.dll (TechSmith Corporation)
    Drivers32: wave1 - C:\WINDOWS\System32\SERWVDRV.DLL (Microsoft Corporation)
    Drivers32: wave3 - C:\WINDOWS\System32\SERWVDRV.DLL (Microsoft Corporation)
    Drivers32: wave4 - C:\WINDOWS\System32\SERWVDRV.DLL (Microsoft Corporation)
    Drivers32: wave5 - C:\WINDOWS\System32\SERWVDRV.DLL (Microsoft Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/03/28 21:39:34 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Garry S. Glover\Desktop\OTL.exe
    [2012/03/28 08:42:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\RarSFX7
    [2012/03/28 08:37:34 | 004,448,689 | R--- | C] (Swearware) -- C:\Documents and Settings\Garry S. Glover\Desktop\GSG.exe
    [2012/03/28 08:28:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\RarSFX6
    [2012/03/28 08:24:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\RarSFX5
    [2012/03/28 08:03:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\RarSFX4
    [2012/03/28 07:57:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\RarSFX3
    [2012/03/27 21:42:36 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
    [2012/03/27 21:11:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\{281B3A29-FB12-4E82-9845-74079AB37431}
    [2012/03/27 21:04:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\RarSFX2
    [2012/03/27 21:03:58 | 009,601,504 | ---- | C] (OPSWAT, Inc.) -- C:\Documents and Settings\Garry S. Glover\Desktop\AppRemover.exe
    [2012/03/27 08:01:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinZip
    [2012/03/26 22:38:22 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Garry S. Glover\Desktop\aswMBR.exe
    [2012/03/24 17:14:29 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
    [2012/03/24 17:14:28 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Garry S. Glover\Start Menu\Programs\Administrative Tools
    [2012/03/24 15:01:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\Application Data\Malwarebytes
    [2012/03/24 15:00:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/03/24 15:00:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2012/03/24 15:00:02 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2012/03/24 15:00:02 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2012/03/23 13:57:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\Local Settings\Application Data\LogMeIn Rescue Applet
    [2012/03/23 11:24:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\MiniTool Power Data Recovery 6.6
    [2012/03/23 11:24:34 | 000,000,000 | ---D | C] -- C:\Program Files\PowerDataRecovery
    [2012/03/23 10:54:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\RarSFX1
    [2012/03/23 10:52:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\_avast4_
    [2012/03/23 10:52:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\_av4_
    [2012/03/23 10:46:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\Desktop\RK_Quarantine
    [2012/03/22 09:38:37 | 000,000,000 | ---D | C] -- C:\Log
    [2012/03/22 09:38:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2012/03/22 09:38:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Quick Data Recovery Pro
    [2012/03/22 09:38:08 | 000,000,000 | ---D | C] -- C:\Program Files\Quick Data Recovery Pro
    [2012/03/21 21:42:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\{AC76BA86-7AD7-1033-7B44-AA1000000001}
    [2012/03/21 21:42:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\Local Settings\Application Data\Solid State Networks
    [2012/03/21 21:42:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\21782
    [2012/03/21 21:08:41 | 000,000,000 | ---D | C] -- C:\Restoration
    [2012/03/21 13:16:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\MagicCute Data Recovery
    [2012/03/21 13:15:58 | 000,000,000 | ---D | C] -- C:\Program Files\MCsDataRecovery
    [2012/03/21 09:26:54 | 000,000,000 | ---D | C] -- C:\Program Files\WhenUSearch
    [2012/03/20 17:50:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\iolo
    [2012/03/20 17:39:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\Local Settings\Application Data\Google
    [2012/03/20 17:38:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\Google Toolbar
    [2012/03/20 17:38:15 | 000,000,000 | ---D | C] -- C:\Program Files\Google
    [2012/03/20 17:38:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
    [2012/03/20 17:13:08 | 000,766,728 | ---- | C] (Solid State Networks) -- C:\Documents and Settings\Garry S. Glover\install_reader10_en_gtba_aih.exe
    [47 C:\Documents and Settings\Garry S. Glover\*.tmp files -> C:\Documents and Settings\Garry S. Glover\*.tmp -> ]
    [39 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/03/28 21:39:41 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Garry S. Glover\Desktop\OTL.exe
    [2012/03/28 08:44:18 | 000,002,048 | ---- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
    [2012/03/28 08:44:17 | 267,468,800 | -HS- | M] () -- C:\hiberfil.sys
    [2012/03/28 08:37:34 | 004,448,689 | R--- | M] (Swearware) -- C:\Documents and Settings\Garry S. Glover\Desktop\GSG.exe
    [2012/03/28 08:36:22 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\Desktop\rkill.exe
    [2012/03/27 21:03:58 | 009,601,504 | ---- | M] (OPSWAT, Inc.) -- C:\Documents and Settings\Garry S. Glover\Desktop\AppRemover.exe
    [2012/03/27 09:12:16 | 000,707,340 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT81.xml
    [2012/03/27 09:12:16 | 000,001,994 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT7F.xml
    [2012/03/27 09:12:16 | 000,000,426 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT80.xml
    [2012/03/27 09:11:35 | 002,232,826 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT68.xml
    [2012/03/27 09:11:35 | 000,001,022 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT69.dtd
    [2012/03/27 09:11:28 | 000,707,340 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT67.xml
    [2012/03/27 09:11:28 | 000,001,994 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT65.xml
    [2012/03/27 09:11:28 | 000,000,426 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT66.xml
    [2012/03/27 09:11:14 | 000,707,340 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT5A.xml
    [2012/03/27 09:11:13 | 000,001,994 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT58.xml
    [2012/03/27 09:11:13 | 000,000,426 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT59.xml
    [2012/03/27 09:10:22 | 000,707,340 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT4D.xml
    [2012/03/27 09:10:22 | 000,001,994 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT4B.xml
    [2012/03/27 09:10:22 | 000,000,426 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT4C.xml
    [2012/03/27 09:09:40 | 000,707,340 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT33.xml
    [2012/03/27 09:09:40 | 000,001,994 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT31.xml
    [2012/03/27 09:09:40 | 000,000,426 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT32.xml
    [2012/03/27 09:09:11 | 000,707,340 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT30.xml
    [2012/03/27 09:09:11 | 000,001,994 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT2E.xml
    [2012/03/27 09:09:11 | 000,000,426 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT2F.xml
    [2012/03/27 09:08:34 | 000,707,340 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT23.xml
    [2012/03/27 09:08:34 | 000,001,994 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT21.xml
    [2012/03/27 09:08:34 | 000,000,426 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT22.xml
    [2012/03/27 09:06:06 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
    [2012/03/26 22:38:22 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Garry S. Glover\Desktop\aswMBR.exe
    [2012/03/24 16:28:37 | 000,707,340 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMTC.xml
    [2012/03/24 16:28:36 | 000,001,994 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMTA.xml
    [2012/03/24 16:28:36 | 000,000,426 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMTB.xml
    [2012/03/24 15:00:52 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/03/23 13:26:55 | 000,000,070 | ---- | M] () -- C:\WINDOWS\qdrp.INI
    [2012/03/23 11:24:38 | 000,000,790 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\MiniTool Power Data Recovery 6.6.lnk
    [2012/03/22 09:38:11 | 000,000,763 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\Desktop\Quick Data Recovery Pro.lnk
    [2012/03/22 07:26:22 | 000,000,211 | ---- | M] () -- C:\BOOT.INI
    [2012/03/22 06:57:34 | 000,472,948 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
    [2012/03/22 06:57:33 | 000,076,042 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
    [2012/03/21 13:16:18 | 000,000,693 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\Application Data\Microsoft\Internet Explorer\Quick Launch\MagicCute Data Recovery.lnk
    [2012/03/21 13:16:18 | 000,000,675 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\MagicCute Data Recovery.lnk
    [2012/03/21 13:08:20 | 000,707,340 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT24.xml
    [2012/03/21 13:08:16 | 000,000,426 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT20.xml
    [2012/03/21 13:08:15 | 000,001,994 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT1F.xml
    [2012/03/21 13:07:18 | 000,707,340 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT1E.xml
    [2012/03/21 13:07:18 | 000,001,994 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT1C.xml
    [2012/03/21 13:07:18 | 000,000,426 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT1D.xml
    [2012/03/21 12:02:39 | 000,016,907 | ---- | M] () -- C:\WINDOWS\Garry S. Glover8.xlb
    [2012/03/21 09:13:53 | 000,356,160 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2012/03/20 17:41:46 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1cd06e23fae4ad8.job
    [2012/03/20 17:13:22 | 000,766,728 | ---- | M] (Solid State Networks) -- C:\Documents and Settings\Garry S. Glover\install_reader10_en_gtba_aih.exe
    [2012/03/19 22:33:15 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2012/03/19 20:46:43 | 000,002,393 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TurboTax 2011.lnk
    [2012/03/10 21:24:51 | 000,024,748 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\SIntfNT.dll
    [2012/03/10 21:24:51 | 000,020,020 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\SIntf32.dll
    [2012/03/10 21:24:51 | 000,012,305 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\SIntf16.dll
    [2012/03/10 21:24:49 | 000,043,520 | ---- | M] () -- C:\WINDOWS\System32\CmdLineExt03.dll
    [47 C:\Documents and Settings\Garry S. Glover\*.tmp files -> C:\Documents and Settings\Garry S. Glover\*.tmp -> ]
    [39 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/03/28 08:44:17 | 267,468,800 | -HS- | C] () -- C:\hiberfil.sys
    [2012/03/28 08:36:11 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\Desktop\rkill.exe
    [2012/03/27 09:12:16 | 000,707,340 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT81.xml
    [2012/03/27 09:12:16 | 000,001,994 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT7F.xml
    [2012/03/27 09:12:16 | 000,000,426 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT80.xml
    [2012/03/27 09:11:35 | 000,001,022 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT69.dtd
    [2012/03/27 09:11:34 | 002,232,826 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT68.xml
    [2012/03/27 09:11:28 | 000,707,340 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT67.xml
    [2012/03/27 09:11:28 | 000,001,994 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT65.xml
    [2012/03/27 09:11:28 | 000,000,426 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT66.xml
    [2012/03/27 09:11:13 | 000,707,340 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT5A.xml
    [2012/03/27 09:11:13 | 000,001,994 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT58.xml
    [2012/03/27 09:11:13 | 000,000,426 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT59.xml
    [2012/03/27 09:10:22 | 000,707,340 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT4D.xml
    [2012/03/27 09:10:22 | 000,001,994 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT4B.xml
    [2012/03/27 09:10:22 | 000,000,426 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT4C.xml
    [2012/03/27 09:09:40 | 000,707,340 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT33.xml
    [2012/03/27 09:09:40 | 000,001,994 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT31.xml
    [2012/03/27 09:09:40 | 000,000,426 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT32.xml
    [2012/03/27 09:09:11 | 000,707,340 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT30.xml
    [2012/03/27 09:09:11 | 000,001,994 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT2E.xml
    [2012/03/27 09:09:11 | 000,000,426 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT2F.xml
    [2012/03/27 09:08:34 | 000,707,340 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT23.xml
    [2012/03/27 09:08:34 | 000,001,994 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT21.xml
    [2012/03/27 09:08:34 | 000,000,426 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT22.xml
    [2012/03/24 16:28:36 | 000,707,340 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMTC.xml
    [2012/03/24 16:28:36 | 000,001,994 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMTA.xml
    [2012/03/24 16:28:36 | 000,000,426 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMTB.xml
    [2012/03/24 15:00:52 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/03/23 11:24:38 | 000,000,790 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\MiniTool Power Data Recovery 6.6.lnk
    [2012/03/22 09:38:11 | 000,000,763 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\Desktop\Quick Data Recovery Pro.lnk
    [2012/03/22 09:38:10 | 000,000,070 | ---- | C] () -- C:\WINDOWS\qdrp.INI
    [2012/03/21 13:16:18 | 000,000,693 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\Application Data\Microsoft\Internet Explorer\Quick Launch\MagicCute Data Recovery.lnk
    [2012/03/21 13:16:18 | 000,000,675 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\MagicCute Data Recovery.lnk
    [2012/03/21 13:08:20 | 000,707,340 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT24.xml
    [2012/03/21 13:08:16 | 000,000,426 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT20.xml
    [2012/03/21 13:08:15 | 000,001,994 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT1F.xml
    [2012/03/21 13:07:18 | 000,707,340 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT1E.xml
    [2012/03/21 13:07:18 | 000,001,994 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT1C.xml
    [2012/03/21 13:07:18 | 000,000,426 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT1D.xml
    [2012/03/20 17:41:46 | 000,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1cd06e23fae4ad8.job
    [2012/02/21 10:36:20 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
    [2012/01/19 18:48:40 | 001,565,222 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-3766738458-558522827-3833581854-1006-0.dat
    [2012/01/19 18:48:38 | 000,314,802 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
    [2012/01/19 17:07:52 | 000,000,590 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.400.32.bc
    [2011/04/10 21:50:09 | 000,712,152 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2011/02/22 11:25:57 | 000,021,504 | ---- | C] () -- C:\WINDOWS\jestertb.dll
    [2011/02/20 22:22:48 | 000,000,116 | ---- | C] () -- C:\WINDOWS\homeDVD-Music.INI
    [2010/04/13 22:16:22 | 000,023,108 | ---- | C] () -- C:\WINDOWS\hpqins15.dat

    ========== LOP Check ==========

    [2010/04/05 21:53:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ATTToolbar
    [2007/03/03 09:11:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg7
    [2002/09/11 02:26:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
    [2007/01/25 22:10:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA
    [2011/09/09 07:15:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IObit
    [2012/03/21 21:42:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iolo
    [2012/03/23 13:27:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2007/03/11 14:49:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TurboTax 2006
    [2011/09/06 20:46:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
    [2012/03/21 21:39:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\ATTToolbar
    [2012/03/21 21:39:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\AVG7
    [2012/02/14 14:22:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\ConsumerSoft
    [2010/09/16 13:11:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\fhnetwork.com
    [2012/03/20 19:46:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\FileOpen
    [2012/02/16 10:15:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\InterTrust
    [2012/03/21 21:40:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\IObit
    [2006/01/22 13:55:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\Leadertech
    [2003/12/03 22:12:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\Lycos
    [2006/04/07 04:58:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\Magix
    [2011/09/05 13:17:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\Uniblue
    [2012/03/20 19:46:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\winlink
    [2012/03/21 21:41:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\winshow
    [2003/12/01 11:11:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\{2CF0B992-5EEB-4143-99C0-5297EF71F444}
    [2007/01/27 09:39:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\AVG7
    [2011/09/09 07:09:41 | 000,000,290 | ---- | M] () -- C:\WINDOWS\Tasks\ASC4_PerformanceMonitor.job

    ========== Purity Check ==========
  21. GloverG

    GloverG Newcomer, in training Topic Starter Posts: 49

    OTL text log response PT 2

    ========== Custom Scans ==========

    < %SYSTEMDRIVE%\*.* >
    [2002/09/25 20:37:43 | 000,000,025 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2012/03/22 07:26:22 | 000,000,211 | ---- | M] () -- C:\BOOT.INI
    [2001/11/14 17:35:22 | 000,000,512 | ---- | M] () -- C:\BOOTSECT.DOS
    [2002/09/25 20:37:31 | 000,000,010 | ---- | M] () -- C:\CONFIG.SYS
    [2002/09/11 01:06:56 | 000,004,574 | ---- | M] () -- C:\DELL.SDR
    [2003/11/06 17:02:26 | 000,005,153 | ---- | M] () -- C:\ffastun.ffa
    [2003/11/06 17:02:18 | 001,581,056 | ---- | M] () -- C:\ffastun.ffl
    [2003/11/06 17:02:26 | 001,064,960 | ---- | M] () -- C:\ffastun.ffo
    [2003/11/06 17:02:18 | 003,526,656 | ---- | M] () -- C:\ffastun0.ffx
    [2012/03/28 08:44:17 | 267,468,800 | -HS- | M] () -- C:\hiberfil.sys
    [2001/11/15 08:31:14 | 000,000,000 | ---- | M] () -- C:\IO.SYS
    [2002/09/11 02:31:22 | 000,000,315 | ---- | M] () -- C:\IPH.PH
    [2001/11/15 08:31:14 | 000,000,000 | ---- | M] () -- C:\MSDOS.SYS
    [2005/06/16 19:16:53 | 000,000,016 | ---- | M] () -- C:\mxfilerelatedcache.mxc2
    [2010/03/16 23:31:28 | 000,047,564 | ---- | M] () -- C:\NTDETECT.COM
    [2010/03/27 12:45:40 | 000,250,048 | ---- | M] () -- C:\NTLDR
    [2012/03/28 08:44:10 | 402,653,184 | -HS- | M] () -- C:\pagefile.sys
    [2004/04/03 18:58:30 | 000,004,608 | ---- | M] () -- C:\Personal.CDX
    [2004/04/03 18:58:30 | 000,000,552 | ---- | M] () -- C:\personal.dbf
    [2012/03/23 10:55:05 | 000,000,282 | ---- | M] () -- C:\rkill.log

    < %systemroot%\Fonts\*.com >
    [2006/04/18 16:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 15:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 16:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 15:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2001/11/15 08:30:48 | 000,000,067 | ---- | M] () -- C:\WINDOWS\Fonts\DESKTOP.INI

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2008/07/06 08:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2007/10/20 19:21:50 | 000,278,016 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp5mu.dll
    [2008/07/06 06:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >
    [1997/07/11 01:00:00 | 000,000,002 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\Application Data\Microsoft\ArtGalry.cag

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2001/11/15 08:22:22 | 000,090,112 | ---- | M] () -- C:\WINDOWS\System32\config\DEFAULT.SAV
    [2001/11/15 08:22:22 | 000,606,208 | ---- | M] () -- C:\WINDOWS\System32\config\SOFTWARE.SAV
    [2001/11/15 08:22:22 | 000,380,928 | ---- | M] () -- C:\WINDOWS\System32\config\SYSTEM.SAV

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2010/03/27 13:13:17 | 000,000,272 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\DESKTOP.INI

    < %systemroot%\system32\config\systemprofile\*.dat /x >
    [2010/03/16 22:26:40 | 000,000,383 | ---- | M] () -- C:\WINDOWS\system32\config\systemprofile\HPZIDS000.log
    [2002/09/11 02:29:09 | 000,000,246 | ---- | M] () -- C:\WINDOWS\system32\config\systemprofile\INSTALL.LOG
    [2010/03/16 22:26:37 | 000,000,609 | ---- | M] () -- C:\WINDOWS\system32\config\systemprofile\update000.log

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2010/03/27 13:12:54 | 000,000,177 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\Application Data\Microsoft\Internet Explorer\Quick Launch\DESKTOP.INI

    < %USERPROFILE%\Desktop\*.exe >
    [2012/03/27 21:03:58 | 009,601,504 | ---- | M] (OPSWAT, Inc.) -- C:\Documents and Settings\Garry S. Glover\Desktop\AppRemover.exe
    [2012/03/26 22:38:22 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Garry S. Glover\Desktop\aswMBR.exe
    [2012/03/28 08:37:34 | 004,448,689 | R--- | M] (Swearware) -- C:\Documents and Settings\Garry S. Glover\Desktop\GSG.exe
    [2012/03/28 21:39:41 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Garry S. Glover\Desktop\OTL.exe
    [2012/03/28 08:36:22 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\Desktop\rkill.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\tasks\*.* >
    [2011/09/09 07:09:41 | 000,000,290 | ---- | M] () -- C:\WINDOWS\tasks\ASC4_PerformanceMonitor.job
    [2001/08/18 07:00:00 | 000,000,065 | ---- | M] () -- C:\WINDOWS\tasks\DESKTOP.INI
    [2012/03/20 17:41:46 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1cd06e23fae4ad8.job
    [2011/09/09 07:17:28 | 000,000,006 | ---- | M] () -- C:\WINDOWS\tasks\SA.DAT

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >
    [2003/09/17 08:16:38 | 000,142,608 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Garry S. Glover\atl.exe
    [2004/01/08 21:29:31 | 000,018,192 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Garry S. Glover\ChkTrust.exe
    [2005/08/05 10:08:58 | 000,122,880 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\GalleryExport.exe
    [2007/11/05 22:15:15 | 001,140,056 | ---- | M] (Hewlett-Packard) -- C:\Documents and Settings\Garry S. Glover\hpzmsi01.exe
    [2007/11/05 22:10:30 | 001,107,288 | ---- | M] (Hewlett-Packard) -- C:\Documents and Settings\Garry S. Glover\hpzscr01.EXE
    [2007/11/06 04:13:36 | 000,458,752 | ---- | M] (Hewlett-Packard) -- C:\Documents and Settings\Garry S. Glover\hpzswp01.exe
    [2012/03/20 17:13:22 | 000,766,728 | ---- | M] (Solid State Networks) -- C:\Documents and Settings\Garry S. Glover\install_reader10_en_gtba_aih.exe
    [2006/10/28 06:30:46 | 000,145,184 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Garry S. Glover\ose00000.exe
    [2008/10/05 08:29:13 | 009,730,015 | ---- | M] (UBISOFT) -- C:\Documents and Settings\Garry S. Glover\protect.exe
    [2011/09/27 13:03:34 | 003,910,024 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\SSMInstaller.exe
    [2003/12/22 08:48:45 | 012,208,816 | ---- | M] (EarthLink, Inc. ) -- C:\Documents and Settings\Garry S. Glover\TA2004_1_42_0_0_1_XP.exe
    [2003/08/27 10:08:33 | 000,173,744 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\TSCC.exe
    [1999/08/09 11:01:40 | 000,632,328 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Garry S. Glover\wmaudio.exe
    [2002/12/11 14:11:50 | 004,085,904 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Garry S. Glover\wmf9.exe
    [2002/08/21 04:56:36 | 000,793,536 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Garry S. Glover\wmpcdcs8.exe
    [2010/10/26 08:16:21 | 003,693,160 | ---- | M] (Yahoo! Inc.) -- C:\Documents and Settings\Garry S. Glover\ytb_8.1.4.26_2.1.3_ysp_2.0.1.13_mail_bts_pub_us_setup_.exe
    [2010/10/26 08:30:24 | 004,464,192 | ---- | M] (Yahoo! Inc.) -- C:\Documents and Settings\Garry S. Glover\ytb_8.3.2.24_2.3.1_ysp_2.0.2.12_mail_bts_pub_us_setup_.exe
    [47 C:\Documents and Settings\Garry S. Glover\*.tmp files -> C:\Documents and Settings\Garry S. Glover\*.tmp -> ]

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2012/03/28 21:33:33 | 000,294,912 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2008/04/13 20:12:38 | 000,208,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008/04/13 20:11:51 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2002/02/07 14:10:20 | 000,015,692 | ---- | M] () -- C:\Program Files\Messenger\license.txt
    [2002/02/07 14:09:54 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2002/02/07 14:09:54 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2002/02/07 14:10:20 | 000,000,807 | ---- | M] () -- C:\Program Files\Messenger\mailtmpl.txt
    [2002/02/12 18:52:30 | 000,024,848 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\migrate.dll
    [2008/05/02 10:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2008/04/13 13:30:28 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2002/02/12 18:52:28 | 000,004,496 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsmigr.dll
    [2008/04/13 20:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2001/08/01 22:58:12 | 000,016,415 | ---- | M] () -- C:\Program Files\Messenger\MSMSGSIN.EXE
    [2002/02/07 14:09:42 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2002/02/07 14:09:42 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2002/02/07 14:09:42 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2002/02/07 14:10:02 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2004/07/17 14:41:04 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >
    [2000/09/11 08:00:00 | 000,009,597 | ---- | M] () -- C:\WINDOWS\system\RDB16.EXE

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2012-03-22 02:38:58

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:868B0C5C

    < End of report >
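The custom-scan listing above packs a lot of signal into a fixed line format: timestamp, size, a four-character attribute field (-HS- for hidden+system, ---D for a directory, R--- for read-only), M or C for modified/created, the CompanyName from the file's version resource in parentheses (empty when the binary carries none), and the path, plus separate "@Alternate Data Stream" lines. The Python below is an added example for this thread, not OTL's code and not from any post, that parses those lines and pulls out the three things an analyst usually checks first in such a listing: alternate data streams, hidden+system files outside the expected hiberfil.sys/pagefile.sys pair, and .exe files sitting directly in a user profile root with no CompanyName. The sample input reuses lines from the log above plus one constructed hidden+system line (marked as such) to exercise that branch; the profile-root pattern assumes the Windows XP "Documents and Settings" layout.

```python
"""Triage of an OTL custom-scan file listing.

Added example for this thread; it is not OTL's code and not from the posts.
OTL prints one line per file as
    [YYYY/MM/DD HH:MM:SS | size | attrs | M] (CompanyName) -- path
and one line per NTFS alternate data stream as
    @Alternate Data Stream - N bytes -> path:stream
"""
import re
from dataclasses import dataclass

FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<flag>[MC])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")

# Hidden+system files that legitimately live in the root of the system drive.
EXPECTED_HIDDEN_SYSTEM = {r"c:\hiberfil.sys", r"c:\pagefile.sys"}

# Assumption: Windows XP profile layout, i.e. a file directly under
# C:\Documents and Settings\<user>\ with no further subdirectory.
PROFILE_ROOT_RE = re.compile(r"^c:\\documents and settings\\[^\\]+\\[^\\]+$", re.I)


@dataclass
class Finding:
    kind: str
    path: str
    detail: str


def triage_otl(text):
    """Return the findings for every line of an OTL listing, in file order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ADS_RE.match(line)
        if m:
            findings.append(Finding("ads", m["path"], f"{m['size']} bytes"))
            continue
        m = FILE_RE.match(line)
        if not m:
            continue  # section headers, blank lines, '*.tmp' summaries
        path, attrs, company = m["path"], m["attrs"], m["company"].strip()
        if "H" in attrs and "S" in attrs and path.lower() not in EXPECTED_HIDDEN_SYSTEM:
            findings.append(Finding("hidden_system", path, f"attrs {attrs}"))
        if path.lower().endswith(".exe") and not company and PROFILE_ROOT_RE.match(path):
            findings.append(Finding("exe_in_profile_root_no_company", path, "empty CompanyName"))
    return findings


# Sample input: lines copied from the OTL log in this thread, plus one
# constructed line (marked) so the hidden+system branch is exercised.
SAMPLE = "\n".join([
    r"[2012/03/28 08:44:17 | 267,468,800 | -HS- | M] () -- C:\hiberfil.sys",
    r"[2003/09/17 08:16:38 | 000,142,608 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Garry S. Glover\atl.exe",
    r"[2005/08/05 10:08:58 | 000,122,880 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\GalleryExport.exe",
    r"[2012/03/28 08:36:22 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\Desktop\rkill.exe",
    r"@Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:868B0C5C",
    r"[2012/03/22 09:38:10 | 000,000,070 | -HS- | M] () -- C:\WINDOWS\constructed_example.dat",  # constructed
])

if __name__ == "__main__":
    for f in triage_otl(SAMPLE):
        print(f"{f.kind:32} {f.path}  ({f.detail})")
```

A hit from this script is a prompt to look, not a verdict. The parenthesised field is the version-resource CompanyName, which any binary can claim and which is not a signature check, and an empty one only says the file carries no such string; note that Broni's fix script below does not touch any of the no-company executables listed in the profile root above.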
  22. Broni

    Broni Malware Annihilator Posts: 46,178   +251

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
      IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page_bak = http://about-blank.biz/
      IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
      IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar_bak = http://www.2020search.com/search/9884/search.html
      IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page_bak = http://about-blank.biz/
      IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
      IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant_bak = http://www.2020search.com/search/9884/search.html
      IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..\URLSearchHook: - No CLSID value found
      O2 - BHO: (Search Toolbar BHO Object) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - Reg Error: Value error. File not found
      O2 - BHO: (AT&&T Toolbar) - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL File not found
      O2 - BHO: (no name) - {55102325-F838-447F-93D7-D03FED8F4C3B} - Reg Error: Value error. File not found
      O3 - HKLM\..\Toolbar: (Search) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - Reg Error: Value error. File not found
      O3 - HKLM\..\Toolbar: (no name) - {5C75D98F-A3FF-4C79-A106-7E088D55D5DB} - No CLSID value found.
      O3 - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
      O3 - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..\Toolbar\WebBrowser: (no name) - {5C75D98F-A3FF-4C79-A106-7E088D55D5DB} - No CLSID value found.
      O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
      O9 - Extra 'Tools' menuitem : Turbo Download - {1A00C40B-DA85-4aa3-A67F-582D9347EECD} - Reg Error: Value error. File not found
      O15 - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..Trusted Domains: ([]msn in My Computer)
      O15 - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
      O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
      [2012/03/22 09:38:10 | 000,000,070 | ---- | C] () -- C:\WINDOWS\qdrp.INI
      @Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:868B0C5C
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [resethosts]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered and reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ======================================================================

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave the reading of the results to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on the Start button to begin the cleaning process.
    • TFC will close all running programs, and it may ask you to restart the computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce a log.
  23. GloverG

    GloverG Newcomer, in training Topic Starter Posts: 49

    OTL Fix Log

    Below are the contents of the OTL Fix Log:

    All processes killed
    ========== OTL ==========
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Bar| /E : value set successfully!
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page_bak| /E : value set successfully!
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\\SearchAssistant| /E : value set successfully!
    HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Bar_bak| /E : value set successfully!
    HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page_bak| /E : value set successfully!
    HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Search\\SearchAssistant| /E : value set successfully!
    HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Search\\SearchAssistant_bak| /E : value set successfully!
    Registry value HKEY_USERS\S-1-5-21-3766738458-558522827-3833581854-1006\Software\Microsoft\Internet Explorer\URLSearchHooks\\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2CF0B992-5EEB-4143-99C0-5297EF71F443}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2CF0B992-5EEB-4143-99C0-5297EF71F443}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{55102325-F838-447F-93D7-D03FED8F4C3B}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{55102325-F838-447F-93D7-D03FED8F4C3B}\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{2CF0B992-5EEB-4143-99C0-5297EF71F444} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2CF0B992-5EEB-4143-99C0-5297EF71F444}\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{5C75D98F-A3FF-4C79-A106-7E088D55D5DB} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C75D98F-A3FF-4C79-A106-7E088D55D5DB}\ not found.
    Registry value HKEY_USERS\S-1-5-21-3766738458-558522827-3833581854-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
    Registry value HKEY_USERS\S-1-5-21-3766738458-558522827-3833581854-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{5C75D98F-A3FF-4C79-A106-7E088D55D5DB} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C75D98F-A3FF-4C79-A106-7E088D55D5DB}\ not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{1A00C40B-DA85-4aa3-A67F-582D9347EECD}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A00C40B-DA85-4aa3-A67F-582D9347EECD}\ not found.
    Registry value HKEY_USERS\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intuit.com\ttlc\ deleted successfully.
    File oft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab not found.
    Starting removal of ActiveX control Microsoft XML Parser for Java
    Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
    C:\WINDOWS\qdrp.INI moved successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:868B0C5C deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 7247308 bytes
    ->Temporary Internet Files folder emptied: 73666 bytes

    User: All Users

    User: Barbara G. Glover
    ->Temp folder emptied: 7957068 bytes
    ->Temporary Internet Files folder emptied: 284889 bytes

    User: Default User
    ->Temp folder emptied: 7247308 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Garry S. Glover
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 27966878 bytes
    ->Flash cache emptied: 2560 bytes

    User: Garry S~ Glover

    User: GARRYS~1~GLO

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 340646 bytes

    User: NetworkService
    ->Temp folder emptied: 2013936 bytes
    ->Temporary Internet Files folder emptied: 215844 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 986179 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 41132 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 158628569 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 1491806 bytes
    RecycleBin emptied: 53029263 bytes

    Total Files Cleaned = 255.00 mb


    [EMPTYJAVA]

    User: Administrator

    User: All Users

    User: Barbara G. Glover

    User: Default User

    User: Garry S. Glover

    User: Garry S~ Glover

    User: GARRYS~1~GLO

    User: LocalService

    User: NetworkService

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Barbara G. Glover

    User: Default User

    User: Garry S. Glover
    ->Flash cache emptied: 0 bytes

    User: Garry S~ Glover

    User: GARRYS~1~GLO

    User: LocalService

    User: NetworkService

    Total Flash Files Cleaned = 0.00 mb

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.2.39.2 log created on 03292012_081853

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
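Broni's fix script names the items OTL should act on, and the fix log above records what happened to each of them: "value set successfully" for the hijacked IE search values, "deleted successfully" or "not found" for the BHO and toolbar CLSIDs, "moved successfully" for qdrp.INI and the alternate data stream. Checking the plan against the result is normally done by eye; the Python below is an added example for this thread, not OTL's code and not from any post, that automates it. It extracts the identifiers from a ":OTL" script (CLSIDs, IE value names, O4 Run names, file paths, ADS paths; O15/O16 and URLSearchHook lines are ignored) and looks each one up in the log. The sample script and log reuse lines from the two posts; the two all-zero CLSIDs and the final "Registry error" log line are constructed, modelled on OTL's own wording, so that the "missing" and "error" outcomes are exercised.

```python
"""Reconcile an OTL ':OTL' fix script against the fix log it produced.

Added example for this thread; not OTL's code and not from the posts.
Each identifier the script names should appear in the log followed by
'deleted successfully', 'value set successfully', 'moved successfully' or
'not found' (OTL found nothing to remove for an orphaned reference).
Anything that never shows up, or shows up next to an error, needs a second look.
"""
import re

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
IE_VALUE_RE = re.compile(r"^IE - [^=]*?,(?P<name>[^,=]+?)\s*=")
O4_RE = re.compile(r"^O4 - .*?\[(?P<name>[^\]]+)\]")
ADS_RE = re.compile(r"^@Alternate Data Stream - \d+ bytes -> (?P<path>.+)$")
COMMAND_RE = re.compile(r"^\[[a-z]+\]$", re.I)
OK_RE = re.compile(r"deleted successfully|value set successfully|moved successfully|not found", re.I)


def planned_items(script):
    """Identifiers the script asks OTL to act on.

    Handled: CLSIDs (O2/O3/O9 lines), IE value names, O4 Run names, ADS paths
    and file entries; other line types (O15, O16, URLSearchHook) are ignored.
    IE value names are matched without their hive, which merges HKLM/HKU pairs.
    """
    items = set()
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith(":") or COMMAND_RE.match(line):
            continue
        items.update(CLSID_RE.findall(line))
        for rx, group in ((IE_VALUE_RE, "name"), (O4_RE, "name"), (ADS_RE, "path")):
            m = rx.match(line)
            if m:
                items.add(m[group].strip())
        if line.startswith("[") and " -- " in line:  # file entry
            items.add(line.split(" -- ", 1)[1].strip())
    return items


def reconcile(script, log):
    """Map each planned item to 'ok', 'error' (mentioned next to a failure) or 'missing'."""
    log_lines = [l.strip() for l in log.splitlines() if l.strip()]
    report = {}
    for item in sorted(planned_items(script)):
        hits = [l for l in log_lines if item.lower() in l.lower()]
        if not hits:
            report[item] = "missing"
        elif all(OK_RE.search(l) for l in hits):
            report[item] = "ok"
        else:
            report[item] = "error"
    return report


# First six entries copied from Broni's script; the two all-zero CLSIDs are constructed.
SCRIPT = r"""
:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
O2 - BHO: (Search Toolbar BHO Object) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - Reg Error: Value error. File not found
O2 - BHO: (AT&&T Toolbar) - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL File not found
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
[2012/03/22 09:38:10 | 000,000,070 | ---- | C] () -- C:\WINDOWS\qdrp.INI
@Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:868B0C5C
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - File not found
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - File not found
:Commands
[emptytemp]
[Reboot]
"""

# First eight lines copied from the fix log; the last line is constructed.
LOG = r"""
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Bar| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2CF0B992-5EEB-4143-99C0-5297EF71F443}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2CF0B992-5EEB-4143-99C0-5297EF71F443}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck deleted successfully.
C:\WINDOWS\qdrp.INI moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:868B0C5C deleted successfully.
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\\ .
"""

if __name__ == "__main__":
    for item, status in reconcile(SCRIPT, LOG).items():
        print(f"{status:8} {item}")
```

"not found" counts as success on purpose: the script targets several CLSIDs whose registration is already gone ("No CLSID value found" in the scan), so OTL has only the dangling Toolbar or BHO reference to remove and reports the CLSID key itself as not found.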
  24. GloverG

    GloverG Newcomer, in training Topic Starter Posts: 49

    Security Check Log

    Below are the contents of the security check log:

    Results of screen317's Security Check version 0.99.24
    Windows XP Service Pack 3 x86
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Disabled!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    CCleaner
    Eusing Free Registry Cleaner
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    ``````````End of Log````````````
  25. GloverG

    GloverG Newcomer, in training Topic Starter Posts: 49

    Farbar Service Scanner Log

    Below are the contents of the FSS log:

    Farbar Service Scanner Version: 01-03-2012
    Ran by Garry S. Glover (administrator) on 29-03-2012 at 08:32:35
    Running from "C:\Documents and Settings\Garry S. Glover\Desktop"
    Microsoft Windows XP Home Edition Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ============
    cryptsvc Service is not running. Checking service configuration:
    The start type of cryptsvc service is set to Demand. The default start type is Auto.
    The ImagePath of cryptsvc service is OK.
    The ServiceDll of cryptsvc service is OK.


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit

    Extra List:
    =======
    Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
    0x0700000004000000010000000200000003000000050000000600000007000000
    IpSec Tag value is correct.

    **** End of log ****
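The "File Check" section of the FSS log above is a known-good hash comparison: FSS computes the MD5 of each service binary it relies on (svchost.exe, cryptsvc.dll, tcpip.sys and so on) and compares it with the digest it expects for that Windows build, reporting "MD5 is legit" on a match. The Python below is an added example of the same technique, not FSS's code and not from any post: it records a manifest of SHA-256 digests over a constructed directory tree, then tampers with one file and removes another to show the three outcomes a checker has to distinguish ("legit", "modified", "missing"). SHA-256 is used instead of MD5 because MD5 collisions are practical today; the paths and file contents are constructed for the demonstration and stand in for real system binaries.

```python
"""Known-good hash manifest check, the technique behind FSS's 'File Check'.

Added example for this thread; not FSS's code and not from the posts.
Files and contents are constructed in a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_manifest(root, manifest):
    """Compare files under `root` with {relative path: expected sha256 hex}.

    Returns {relative path: 'legit' | 'modified' | 'missing'}. A missing file is
    reported separately from a modified one because the two call for different
    follow-up (restore vs. investigate what wrote the new content).
    """
    report = {}
    for rel, expected in manifest.items():
        p = Path(root) / rel
        if not p.is_file():
            report[rel] = "missing"
        elif sha256_of(p) == expected.lower():
            report[rel] = "legit"
        else:
            report[rel] = "modified"
    return report


def demo():
    """Build a constructed tree, record its manifest, then tamper and re-check."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for the binaries FSS checks; not real file contents.
        files = {
            "system32/svchost.exe": b"constructed svchost bytes",
            "system32/cryptsvc.dll": b"constructed cryptsvc bytes",
            "system32/drivers/tcpip.sys": b"constructed tcpip bytes",
        }
        for rel, data in files.items():
            p = Path(root) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        manifest = {rel: sha256_of(Path(root) / rel) for rel in files}

        # Simulate tampering: one binary patched, one driver deleted.
        (Path(root) / "system32/cryptsvc.dll").write_bytes(b"patched")
        (Path(root) / "system32/drivers/tcpip.sys").unlink()
        return check_manifest(root, manifest)


if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{rel} => {status}")
```

The manifest is only as trustworthy as its source: it has to be recorded from a clean install or a vendor-published hash list, never from the machine under examination after the fact, which is why FSS ships its expected values rather than computing them on the suspect system.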

