TechSpot

System check virus and lost monitor signal

Solved
By meadow
Jan 4, 2012
  1. I got the System Check virus like others on 12/30/2011. I was browsing the internet and suddenly I got a bunch of pop-up windows saying something along the lines of "Failed to save all the components for the file \\System32\\########## ... This error may be caused by a PC hardware problem". Then a program called System Check opened up and asked me to scan my computer, and I cannot close it. Then it gave a list of errors on my computer like # of hard disk errors, # RAM errors... I lost everything on my desktop, start-up menu and menu bar. I disconnected my PC from the network right away.
    I googled and, before I found this forum, followed a suggestion to unhide folders and files, then rename a .exe file under the application folder, then restart the PC. But I would get the pop-up windows (more than 20 of them). I can close them one by one, but they would show up again and the System Check window would open up again. I click the stop button to stop it "running", but I cannot close it. I repeated unhiding the files and folders and renaming the .exe, then restarted the PC, no use, and after a while my monitor went blank (showing "entering power saving mode"); I think I lost the monitor signal. I cannot bring it back by pressing Ctrl+Alt+Del. I have to shut down the PC by pushing the power button. So I checked the Microsoft site for help. It suggests running Safety Scanner, so I downloaded it to a USB memory stick. Today I powered up my PC, then did the unhide and renamed the .exe file, then I ran Safety Scanner for a full scan. But after a few minutes my monitor went blank again. I don't know what the virus will do to my PC if I leave it running for a long time, so I shut down the PC by pushing the button. I found this forum now. But it looks like I cannot run any scan software for a while. What can I do? Please help. I am totally new to this virus world.
     
  2. Broni

    Broni Malware Annihilator Posts: 47,666   +267

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ================================================================

    Start with following these instructions: http://www.bleepingcomputer.com/virus-removal/remove-system-check

    Let me know when done.
     
  3. meadow

    meadow TS Rookie Topic Starter Posts: 83

    Can I run Rkill, TDSSKiller and mbam-setup offline?

    I am really scared, I guess.
    I downloaded Rkill, TDSSKiller and mbam-setup through another computer to a USB memory stick. Can I run them without connecting to the network? I am afraid of bringing the virus to the network. If yes, do I have to move them to my desktop to run them?
    If I cannot finish all the steps in one day, should I start it? Or can I stop in the middle and continue the next day? Then can I shut down the computer?
    Thank you so much for your help.
     
  4. Broni

    Broni Malware Annihilator Posts: 47,666   +267

    Yes, you don't have to be connected.
    MBAM obviously won't update but that's fine for now.

    We can do this in a span of several days. Don't worry about it.
     
  5. meadow

    meadow TS Rookie Topic Starter Posts: 83

    I started my computer in normal mode without connecting to the network.
    I followed the instructions in "Automated removal instructions for System Check using Malwarebytes' Anti-Malware" and ran Rkill and TDSSKiller from the USB flash drive. After the reboot (step 6), System Check was still running on my PC, but I continued to try step 9 to run mbam-setup.exe from the USB flash drive. At step 10, I get an error message from Malwarebytes' Anti-Malware: "An error has occurred. Please report this error code to our support team. Program_Error_Update ( 11004,0, No address found). The requested name is valid & was found in database, but it doesnot have the correct associated data being resolved. "
    Then another message box popped up: "database is 126 days out of date. want to update?" I clicked No, since I downloaded it last night. Then I got another message window: "you intrudued trial version of Anti-Malware..." I clicked No again. Then it seemed to do steps 11-16 as in the instructions. But after it rebooted by itself and I logged in, System Check was still running, and it seems MBAM is not running to continue the rest of the steps as mentioned at step 16.
    Did I do something wrong?
     
  6. Broni

    Broni Malware Annihilator Posts: 47,666   +267

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.

    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. meadow

    meadow TS Rookie Topic Starter Posts: 83

    How can I find out if there are anti-virus or anti-malware programs running on my computer? I didn't install/configure my PC, I have no idea what was installed on it, and I cannot see Task Manager now.
    Thanks.
     
  8. Broni

    Broni Malware Annihilator Posts: 47,666   +267

    Run Combofix from safe mode and disregard any Combofix warnings.
     
  9. meadow

    meadow TS Rookie Topic Starter Posts: 83

    Post log files.

    Here is c:\rkill.log:
    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 01/05/2012 at 10:41:46.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:

    C:\WINDOWS\system32\userinit.exe
    C:\Documents and Settings\All Users\Application Data\gyjAEPulVY.exe
    C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe
    C:\Documents and Settings\All Users\Application Data\3Tit7aJpHkTsZk.exe


    Rkill completed on 01/05/2012 at 10:43:00.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 01/06/2012 at 10:11:48.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:


    Rkill completed on 01/06/2012 at 10:11:50.

    -----------------------------------
    Here is the log c:\Combofix.txt
    -----------------------------------

    ComboFix 12-01-05.04 - ip0xc3 01/06/2012 10:32:32.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1607 [GMT -5:00]
    Running from: c:\documents and settings\IP0XC3\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator\WINDOWS
    c:\documents and settings\All Users\Application Data\3Tit7aJpHkTsZk
    c:\documents and settings\All Users\Application Data\3Tit7aJpHkTsZk.exe
    c:\documents and settings\All Users\Application Data\c6qkZh1pW4u7fP
    c:\documents and settings\All Users\Application Data\c6qkZh1pW4u7fP.vir
    c:\documents and settings\All Users\Application Data\gyjAEPulVY.exe
    c:\documents and settings\All Users\Application Data\ysEPkrxEHeHk2n
    c:\documents and settings\All Users\Application Data\ysEPkrxEHeHk2n.vir
    c:\documents and settings\IP0XC3\Desktop\System Check.lnk
    c:\documents and settings\IP0XC3\Start Menu\Programs\System Check\System Check.lnk
    c:\documents and settings\IP0XC3\Start Menu\Programs\System Check\Uninstall System Check.lnk
    c:\windows\$NtUninstallKB30827$
    c:\windows\$NtUninstallKB30827$\1756827868\@
    c:\windows\$NtUninstallKB30827$\1756827868\cfg.ini
    c:\windows\$NtUninstallKB30827$\1756827868\Desktop.ini
    c:\windows\$NtUninstallKB30827$\1756827868\L\qyjlhyes
    c:\windows\$NtUninstallKB30827$\2951771945
    c:\windows\AutoRun.ini
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-06 to 2012-01-06 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-05 16:01 . 2012-01-05 16:01 -------- d-----w- c:\documents and settings\IP0XC3\Application Data\Malwarebytes
    2012-01-05 16:00 . 2012-01-05 16:00 -------- d--h--w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-01-05 16:00 . 2012-01-05 16:46 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-05 16:00 . 2011-08-31 22:00 22216 ---ha-w- c:\windows\system32\drivers\mbam.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-05 15:52 . 2011-05-02 16:52 456320 ---ha-w- c:\windows\system32\drivers\mrxsmb.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SetGrammaticaLicense"="c:\windows\system32\gl.vbs" [2009-08-03 486]
    "PinAInfo"="c:\windows\system32\ai.vbs" [2009-09-04 922]
    "SetDefaultPrinter"="c:\windows\system32\dp.vbs" [2010-09-20 398]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2010-01-08 1044480]
    "GPUpdate"="c:\windows\system32\gpupdate.exe" [2008-08-11 57344]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-06-08 333120]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2011-9-15 6144]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylockeduserid"= 1 (0x1)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-789336058-682003330-538188\Scripts\Logon\0\0]
    "Script"=firefox_login.vbs
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-789336058-682003330-538189\Scripts\Logon\0\0]
    "Script"=firefox_login.vbs
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "c:\\EVN\\BIN\\evn.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
    .
    R0 megasas;megasas;c:\windows\system32\drivers\megasas.sys [5/2/2011 10:23 AM 17664]
    R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [5/2/2011 10:23 AM 10880]
    R2 iftlsnr;InfraTools Remote Control Listener;c:\progra~1\PEREGR~1\INFRAT~1\bin\iftlsnr.exe -svc --> c:\progra~1\PEREGR~1\INFRAT~1\bin\iftlsnr.exe -svc [?]
    R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [11/12/2009 8:59 PM 132392]
    R2 ldlcserv6;IBM Enterprise Extender (IPv6);c:\windows\system32\drivers\ldlcserv6.exe [3/3/2011 10:57 AM 40960]
    R2 pdlndldl6;IBM Enterprise Extender (HPR/IPv6);c:\windows\system32\drivers\pdlndldl6.sys [3/3/2011 10:57 AM 72704]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
    S3 csrcmds;csrcmds;c:\program files\IBM\Personal Communications\csrcmds.exe [3/3/2011 10:54 AM 49152]
    S3 cstrcser;IBM Command Line Trace;c:\windows\system32\drivers\cstrcser.exe [3/3/2011 10:57 AM 36864]
    S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [5/2/2011 11:49 AM 168616]
    S3 iftrcdrv;InfraTools Remote Control Driver;c:\progra~1\PEREGR~1\INFRAT~1\bin\iftrcdrv.sys [5/2/2011 9:41 AM 6097]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [5/2/2011 11:52 AM 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://sdolintranet:81/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 10.72.126.59 10.72.126.26
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-gyjAEPulVY.exe - c:\documents and settings\All Users\Application Data\gyjAEPulVY.exe
    SafeBoot-23570721.sys
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-06 10:36
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(956)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\atiadlxx.dll
    .
    - - - - - - - > 'explorer.exe'(2660)
    c:\windows\system32\WININET.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll
    c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll
    c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Drivers\trcboot.exe
    c:\program files\IBM\Personal Communications\PCS_AGNT.EXE
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\progra~1\PEREGR~1\INFRAT~1\bin\iftlsnr.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\McAfee\Common Framework\FrameworkService.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\program files\CDBurnerXP\NMSAccessU.exe
    c:\windows\system32\Drivers\ldlcserv.exe
    c:\windows\system32\SearchIndexer.exe
    c:\windows\system32\CCM\CcmExec.exe
    c:\program files\McAfee\Common Framework\naPrdMgr.exe
    c:\program files\IBM\Personal Communications\tpam.exe
    c:\windows\system32\msiexec.exe
    c:\program files\McAfee\Common Framework\McTray.exe
    c:\windows\system32\SearchProtocolHost.exe
    c:\windows\system32\SearchFilterHost.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-06 10:38:20 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-06 15:38
    .
    Pre-Run: 144,637,313,024 bytes free
    Post-Run: 144,797,515,776 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows" /noexecute=optin /fastdetect
    .
    - - End Of File - - 50FEE7748A23CB9FF2B5ACCAB67B7292


    Thank you very much.
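The ComboFix log above shows the pattern this rogue relies on: a Run value (the orphan HKLM-Run-gyjAEPulVY.exe) launching a random-named executable out of All Users\Application Data. As an added example, not code from the thread or from any of the tools it mentions, here is a small Python triage script that parses the "Reg Loading Points" section of a ComboFix-style log and flags autoruns that fit that pattern. The sample log is constructed in ComboFix's REGEDIT4 layout; the two rogue file names come from the thread's logs, while their dates and sizes are made up.

```python
# Triage the "Reg Loading Points" section of a ComboFix-style log for autoruns
# that fit the FakeHDD / System Check pattern seen in this thread: a Run value
# launching a random-named executable from a user-writable data directory
# (All Users\Application Data here) rather than Program Files or system32.
import re

# Constructed sample in ComboFix's REGEDIT4 layout, modelled on the thread's log.
# gyjAEPulVY.exe and 3Tit7aJpHkTsZk.exe are the names the thread's logs show;
# the dates and sizes on those two lines are made up for this example.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2010-01-08 1044480]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-06-08 333120]
"gyjAEPulVY.exe"="c:\documents and settings\All Users\Application Data\gyjAEPulVY.exe" [2011-12-30 368640]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"3Tit7aJpHkTsZk"="c:\documents and settings\All Users\Application Data\3Tit7aJpHkTsZk.exe" [2011-12-30 368640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylockeduserid"= 1 (0x1)
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<path>[^"]+)"')
RUN_KEY_RE = re.compile(r'\\run(once)?$', re.IGNORECASE)

# Lower-cased directory fragments where a legitimate autorun rarely lives.
USER_DATA_DIRS = ('\\application data', '\\local settings', '\\temp',
                  '\\programdata', '\\appdata')


def case_alternations(s):
    """Count upper/lower switches between consecutive letters: 'gyjAEPulVY' -> 3."""
    letters = [c for c in s if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def looks_random(stem):
    """Heuristic: 8+ chars with heavy case churn, or 10+ chars with digits mixed in."""
    has_digit = any(c.isdigit() for c in stem)
    return ((len(stem) >= 8 and case_alternations(stem) >= 3)
            or (len(stem) >= 10 and has_digit))


def parse_run_entries(log_text):
    """Yield (key, value_name, path) for every value under a Run or RunOnce key."""
    key = None
    for line in log_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        if key is None or not RUN_KEY_RE.search(key):
            continue  # values under policies, firewall, etc. are not autoruns
        m = VALUE_RE.match(line)
        if m:
            yield key, m.group('name'), m.group('path')


def triage(log_text):
    """Return [(value_name, path, reasons)] for autoruns worth a closer look."""
    findings = []
    for _key, name, path in parse_run_entries(log_text):
        orig_base = path.rpartition('\\')[2]          # file name, original case
        dirpart = path.lower().rpartition('\\')[0]    # directory, lower-cased
        base = orig_base.lower()
        stem = base.rsplit('.', 1)[0]
        in_user_dir = any(d in dirpart for d in USER_DATA_DIRS)
        random_name = looks_random(orig_base.rsplit('.', 1)[0])
        self_named = name.lower() in (base, stem)     # value name is the file name
        reasons = [text for hit, text in (
            (in_user_dir, 'launched from a user-writable data directory'),
            (random_name, 'random-looking file name'),
            (self_named, 'value name is just the file name'),
        ) if hit]
        # Location alone is a strong signal; a random name needs corroboration.
        if in_user_dir or (random_name and self_named):
            findings.append((name, path, reasons))
    return findings


if __name__ == '__main__':
    for name, path, reasons in triage(SAMPLE_LOG):
        print(f'{name} -> {path}\n    ' + '; '.join(reasons))
```

Run on the sample it flags only the two rogue entries; the vendor autoruns under Program Files pass, which is the same call the ComboFix "Orphans removed" section made in the log above.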
     
  10. Broni

    Broni Malware Annihilator Posts: 47,666   +267

    Good.

    Restart in normal mode.
    See if you can update and run Malwarebytes.
     
  11. meadow

    meadow TS Rookie Topic Starter Posts: 83

    No.
    I ran it twice. The 1st time from the icon on my desktop (which was created yesterday). I got two message boxes, "access denied" then "set up was not completed".
    The 2nd time I ran it from the USB flash drive. I got "the data base updated to V2012.01.06.03", then it continued to install, and I got the "access denied" and "set up was not completed" like the 1st time.
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,666   +267

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
     
  13. meadow

    meadow TS Rookie Topic Starter Posts: 83

    I forgot to mention that the "System Check" icon reappeared on the Quick Launch bar again.
     
  14. meadow

    meadow TS Rookie Topic Starter Posts: 83

    Here is the log after running aswMBR.exe

    aswMBR version 0.9.9.1156 Copyright(c) 2011 AVAST Software
    Run date: 2012-01-06 12:27:04
    -----------------------------
    12:27:04.367 OS Version: Windows 5.1.2600 Service Pack 3
    12:27:04.367 Number of processors: 2 586 0xF0B
    12:27:04.367 ComputerName: SHERRYG12PC UserName: ip0xc3
    12:27:06.458 Initialize success
    12:29:51.403 AVAST engine defs: 12010600
    12:30:01.086 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
    12:30:01.086 Disk 0 Vendor: ST3160318AS CC45 Size: 152587MB BusType: 3
    12:30:01.101 Disk 0 MBR read successfully
    12:30:01.101 Disk 0 MBR scan
    12:30:01.133 Disk 0 Windows 7 default MBR code
    12:30:01.148 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152578 MB offset 16065
    12:30:01.148 Disk 0 scanning sectors +312496380
    12:30:01.211 Disk 0 scanning C:\WINDOWS\system32\drivers
    12:30:07.860 Service scanning
    12:30:09.008 Modules scanning
    12:30:13.566 Disk 0 trace - called modules:
    12:30:13.582 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
    12:30:13.582 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a3dbab8]
    12:30:13.582 3 CLASSPNP.SYS[ba178fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-7[0x8a381b00]
    12:30:15.248 AVAST engine scan C:\WINDOWS
    12:30:22.541 AVAST engine scan C:\WINDOWS\system32
    12:31:29.157 AVAST engine scan C:\WINDOWS\system32\drivers
    12:31:38.035 AVAST engine scan C:\Documents and Settings\IP0XC3
    12:31:41.950 File: C:\Documents and Settings\IP0XC3\Application Data\Sun\Java\Deployment\cache\6.0\63\7748147f-47c4410e **INFECTED** Win32:Karagany-EJ [Trj]
    12:31:56.928 AVAST engine scan C:\Documents and Settings\All Users
    12:32:03.991 Scan finished successfully
    12:32:25.053 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\IP0XC3\My Documents\MBR.dat"
    12:32:25.053 The log file has been saved successfully to "C:\Documents and Settings\IP0XC3\My Documents\aswMBR.txt"
    --------------------------
    The end of the report.


    And MBR.dat is under c:\Documents and Settings\IP0XC3\My Documents. Should I move it to the desktop?
     
  15. Broni

    Broni Malware Annihilator Posts: 47,666   +267

    You can delete that file. MBR looks good.

    1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
    2. Restart your computer (very important).
    3. Download and run this utility.
    4. It will ask to restart your computer (please allow it to).
    5. After the computer restarts, install the latest version from here.

    See, if it'll update and run now.
     
  16. meadow

    meadow TS Rookie Topic Starter Posts: 83

    I was asked "You have introducted a trial of full version of the product, would you like to start the trial". Should I click "decline" or "start trial" while doing step 5?
     
  17. Broni

    Broni Malware Annihilator Posts: 47,666   +267

    Start trial.
     
  18. meadow

    meadow TS Rookie Topic Starter Posts: 83

    It runs. Here is the log file:

    Malwarebytes Anti-Malware (Trial) 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.06.03

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 7.0.5730.13
    ip0xc3 :: SHERRYG12PC [administrator]

    Protection: Enabled

    1/6/2012 1:32:11 PM
    mbam-log-2012-01-06 (13-32-11).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 236940
    Time elapsed: 20 minute(s), 28 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 6
    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\3Tit7aJpHkTsZk.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\c6qkZh1pW4u7fP.vir.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\gyjAEPulVY.exe.vir (Rogue.FakeHDD) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\ysEPkrxEHeHk2n.vir.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{5DFDFB86-31DD-4E93-854D-670000144448}\RP1\A0000086.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{5DFDFB86-31DD-4E93-854D-670000144448}\RP1\A0000087.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.

    (end)

    But the infected file mentioned in the aswMBR log file is not deleted:
    -------------------
    12:31:41.950 File: C:\Documents and Settings\IP0XC3\Application Data\Sun\Java\Deployment\cache\6.0\63\7748147f-47c4410e **INFECTED** Win32:Karagany-EJ [Trj]
    -------------------
     
  19. Broni

    Broni Malware Annihilator Posts: 47,666   +267

    How is computer doing at the moment?

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    C:\Documents and Settings\IP0XC3\Application Data\Sun\Java\Deployment\cache\6.0\63\7748147f-47c4410e
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  20. meadow

    meadow TS Rookie Topic Starter Posts: 83

    My computer looks much better now. I haven't really tried it yet; some menu items still look "not right".
    I will not be able to work on it for a couple of days. I will report back once I have something new.
    Thank you.
     
  21. Broni

    Broni Malware Annihilator Posts: 47,666   +267

    No problem.

    I need more details.
     
  22. meadow

    meadow TS Rookie Topic Starter Posts: 83

    Here is the log file of Combofix:

    ComboFix 12-01-09.03 - ip0xc3 01/09/2012 14:36:36.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1467 [GMT -5:00]
    Running from: c:\documents and settings\IP0XC3\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\IP0XC3\Desktop\CFScript.txt
    * Created a new restore point
    .
    FILE ::
    "c:\documents and settings\IP0XC3\Application Data\Sun\Java\Deployment\cache\6.0\63\7748147f-47c4410e"
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-09 to 2012-01-09 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-06 18:01 . 2012-01-06 18:01 -------- d-----w- c:\documents and settings\IP0XC3\Application Data\Malwarebytes
    2012-01-06 18:01 . 2012-01-06 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-01-06 18:01 . 2012-01-06 18:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-06 18:01 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-05 15:52 . 2011-05-02 16:52 456320 ---ha-w- c:\windows\system32\drivers\mrxsmb.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-01-06_15.36.32 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-01-06 17:53 . 2012-01-06 17:53 16384 c:\windows\Temp\Perflib_Perfdata_2cc.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SetGrammaticaLicense"="c:\windows\system32\gl.vbs" [2009-08-03 486]
    "PinAInfo"="c:\windows\system32\ai.vbs" [2009-09-04 922]
    "SetDefaultPrinter"="c:\windows\system32\dp.vbs" [2010-09-20 398]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2010-01-08 1044480]
    "GPUpdate"="c:\windows\system32\gpupdate.exe" [2008-08-11 57344]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-06-08 333120]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2011-9-15 6144]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylockeduserid"= 1 (0x1)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-789336058-682003330-538188\Scripts\Logon\0\0]
    "Script"=firefox_login.vbs
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-789336058-682003330-538189\Scripts\Logon\0\0]
    "Script"=firefox_login.vbs
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "c:\\EVN\\BIN\\evn.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
    .
    R0 megasas;megasas;c:\windows\system32\drivers\megasas.sys [5/2/2011 10:23 AM 17664]
    R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [5/2/2011 10:23 AM 10880]
    R2 JuniperAccessService;Juniper Unified Network Service;c:\program files\Common Files\Juniper Networks\JUNS\dsAccessService.exe [11/12/2009 8:59 PM 132392]
    R2 pdlndldl6;IBM Enterprise Extender (HPR/IPv6);c:\windows\system32\drivers\pdlndldl6.sys [3/3/2011 10:57 AM 72704]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/6/2012 1:01 PM 20464]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
    S2 iftlsnr;InfraTools Remote Control Listener;c:\progra~1\PEREGR~1\INFRAT~1\bin\iftlsnr.exe -svc --> c:\progra~1\PEREGR~1\INFRAT~1\bin\iftlsnr.exe -svc [?]
    S3 csrcmds;csrcmds;c:\program files\IBM\Personal Communications\csrcmds.exe [3/3/2011 10:54 AM 49152]
    S3 cstrcser;IBM Command Line Trace;c:\windows\system32\drivers\cstrcser.exe [3/3/2011 10:57 AM 36864]
    S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [5/2/2011 11:49 AM 168616]
    S3 iftrcdrv;InfraTools Remote Control Driver;c:\progra~1\PEREGR~1\INFRAT~1\bin\iftrcdrv.sys [5/2/2011 9:41 AM 6097]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://sdolintranet:81/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-09 14:39
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(952)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\atiadlxx.dll
    .
    - - - - - - - > 'explorer.exe'(3984)
    c:\windows\system32\WININET.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll
    c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll
    c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
    .
    Completion time: 2012-01-09 14:40:01
    ComboFix-quarantined-files.txt 2012-01-09 19:39
    ComboFix2.txt 2012-01-06 15:38
    .
    Pre-Run: 144,576,618,496 bytes free
    Post-Run: 144,704,937,984 bytes free
    .
    - - End Of File - - 514F9D9378996DDA3DD75907CA9DDBCE


    about my pc menu:
    I have a "start up" entry under "all programs" when I click "start", which I don't remember being there, and I still have "system check (empty)" under "all programs", which makes me nervous.
     
  23. Broni

    Broni Malware Annihilator Posts: 47,666   +267

    We'll take a look with our next step.

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
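    The ComboFix log above lists the Run-key loading points and the firewall state, and the OTL run just requested prints the same autostart data as O4 (Run key) and O20 (Winlogon) lines. The script below is an added example, not part of this thread and not an OTL or ComboFix feature: it parses those three line shapes and flags entries a responder would verify by hand before deciding anything. The sample input is copied from the logs posted in this thread; a flag is a "look at this", not a malware verdict. The three .vbs entries (gl.vbs, ai.vbs, dp.vbs), for instance, are plausibly corporate logon scripts on a domain-joined XP machine, which is exactly why they should be opened and read rather than deleted on sight. The extension list, the user-writable path markers and the expected Winlogon targets are my assumptions.

```python
"""Triage autostart lines from OTL (O4/O20) and ComboFix (Run key, firewall) logs.

Added example; not code from this thread, OTL or ComboFix. Each Finding is an
entry to verify, not a verdict.
"""
import re
from dataclasses import dataclass, field

# Assumption: extensions run through a script interpreter rather than as a PE
# image, so OTL shows no company name for them and AV signatures often miss them.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".hta", ".ps1")
# Assumption: user-writable locations an HKLM autostart should rarely point into.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\", "\\local settings\\")
# Assumption: what the Winlogon values OTL reports must resolve to on XP.
WINLOGON_EXPECTED = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<path>.+?) \((?P<company>[^)]*)\)\s*$")
O20_RE = re.compile(r"^O20 - HKLM Winlogon: (?P<value>\w+) - \((?P<reg>[^)]*)\) -(?P<path>.+?) \((?P<company>[^)]*)\)\s*$")
FW_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')
CF_RUN_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)" \[')


@dataclass
class Finding:
    name: str
    path: str
    reasons: list = field(default_factory=list)


def _check_path(f: Finding) -> None:
    """Path-based checks shared by every autostart line shape."""
    low = f.path.lower()
    if low.endswith(SCRIPT_EXTS):
        f.reasons.append("script run by an interpreter at logon; open and read it")
    if any(marker in low for marker in USER_WRITABLE):
        f.reasons.append("autostart points into a user-writable location")


def triage(log_text: str) -> list:
    """Return one Finding per line that needs human verification, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            f = Finding(m["name"], m["path"])
            _check_path(f)
            if not m["company"]:
                f.reasons.append("no company/version resource; hash it and look it up")
        elif m := O20_RE.match(line):
            f = Finding(m["value"], m["path"])
            expected = WINLOGON_EXPECTED.get(m["value"])
            if expected and not m["path"].lower().endswith("\\" + expected):
                f.reasons.append(f"Winlogon {m['value']} does not resolve to {expected}")
            _check_path(f)
        elif m := FW_RE.match(line):
            f = Finding("EnableFirewall", line)
            if m["val"] == "0":
                f.reasons.append("Windows Firewall disabled in the standard profile")
        elif m := CF_RUN_RE.match(line):
            f = Finding(m["name"], m["path"])   # ComboFix prints no company name
            _check_path(f)
        else:
            continue
        if f.reasons:
            findings.append(f)
    return findings


# Sample input: lines copied from the ComboFix and OTL logs posted in this thread.
SAMPLE_LOG = r"""
"SetGrammaticaLicense"="c:\windows\system32\gl.vbs" [2009-08-03 486]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2010-01-08 1044480]
"EnableFirewall"= 0 (0x0)
O4 - HKLM..\Run: [GPUpdate] C:\WINDOWS\System32\gpupdate.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [PinAInfo] C:\WINDOWS\system32\ai.vbs ()
O4 - HKLM..\Run: [SetDefaultPrinter] C:\WINDOWS\system32\dp.vbs ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.name}: {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run it against a saved OTL.txt or ComboFix.txt by reading the file into `triage()`. On this thread's logs it reports the three .vbs Run entries and the disabled firewall, and nothing for the signed Microsoft, McAfee and Malwarebytes binaries; the Winlogon check stays quiet because Shell and UserInit still resolve to explorer.exe and userinit.exe, which is the first thing to confirm on a machine whose desktop and Start menu went missing.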
  24. meadow

    meadow TS Rookie Topic Starter Posts: 83

    1 of 2 logs:

    OTL logfile created on: 1/9/2012 3:31:16 PM - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\IP0XC3\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.13)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.97 Gb Total Physical Memory | 1.36 Gb Available Physical Memory | 69.38% Memory free
    3.81 Gb Paging File | 3.36 Gb Available in Paging File | 88.01% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 149.00 Gb Total Space | 134.79 Gb Free Space | 90.46% Space Free | Partition Type: NTFS

    Computer Name: SHERRYG12PC | User Name: ip0xc3 | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/01/09 15:29:35 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\IP0XC3\Desktop\OTL.exe
    PRC - [2011/12/24 17:50:18 | 000,652,872 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    PRC - [2011/12/24 17:50:18 | 000,460,872 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    PRC - [2011/06/08 03:06:00 | 000,345,408 | -H-- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
    PRC - [2011/06/08 03:06:00 | 000,333,120 | -H-- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    PRC - [2011/06/08 03:06:00 | 000,132,416 | -H-- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    PRC - [2011/06/08 03:06:00 | 000,075,072 | -H-- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\McTray.exe
    PRC - [2011/04/08 11:59:52 | 000,507,624 | -H-- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    PRC - [2011/03/03 10:57:53 | 000,040,960 | -H-- | M] (IBM Corporation) -- C:\WINDOWS\system32\drivers\ldlcserv6.exe
    PRC - [2011/03/03 10:57:53 | 000,028,672 | -H-- | M] (IBM Corporation) -- C:\WINDOWS\system32\drivers\ldlcserv.exe
    PRC - [2011/03/03 10:57:08 | 000,028,672 | -H-- | M] () -- C:\Program Files\IBM\Personal Communications\tpam.exe
    PRC - [2011/03/03 10:55:05 | 000,036,864 | -H-- | M] (IBM Corporation) -- C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
    PRC - [2010/03/04 21:38:00 | 000,071,096 | -H-- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
    PRC - [2009/11/12 20:59:02 | 000,132,392 | -H-- | M] (Juniper Networks) -- C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe
    PRC - [2009/09/18 03:00:00 | 000,764,768 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe
    PRC - [2008/08/29 12:58:16 | 001,528,608 | -H-- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    PRC - [2008/08/11 13:16:40 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


    ========== Modules (No Company Name) ==========

    MOD - [2011/03/03 10:57:08 | 000,028,672 | -H-- | M] () -- C:\Program Files\IBM\Personal Communications\tpam.exe
    MOD - [2011/03/03 10:54:50 | 000,485,376 | -H-- | M] () -- C:\Program Files\IBM\Personal Communications\OOCSVCS2.DLL
    MOD - [2010/03/04 21:38:00 | 000,071,096 | -H-- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
    MOD - [2009/11/05 07:39:40 | 000,087,552 | -H-- | M] () -- C:\WINDOWS\system32\cpwmon2k.dll
    MOD - [2008/08/29 12:58:26 | 000,197,408 | -H-- | M] () -- C:\WINDOWS\system32\vpnapi.dll
    MOD - [2007/04/18 19:30:46 | 000,471,040 | -H-- | M] () -- C:\Program Files\McAfee\Common Framework\ccme_base.dll
    MOD - [2007/04/18 19:30:46 | 000,393,216 | -H-- | M] () -- C:\Program Files\McAfee\Common Framework\cryptocme2.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- -- (HidServ)
    SRV - [2011/12/24 17:50:18 | 000,652,872 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
    SRV - [2011/06/08 03:06:00 | 000,132,416 | -H-- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
    SRV - [2011/03/03 10:57:55 | 000,032,768 | -H-- | M] (IBM Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\appnnode.exe -- (AppnNode)
    SRV - [2011/03/03 10:57:54 | 000,032,768 | -H-- | M] (IBM Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\drivers\trcboot.exe -- (TrcBoot)
    SRV - [2011/03/03 10:57:53 | 000,040,960 | -H-- | M] (IBM Corporation) [Auto | Running] -- C:\WINDOWS\system32\drivers\ldlcserv6.exe -- (ldlcserv6) IBM Enterprise Extender (IPv6)
    SRV - [2011/03/03 10:57:53 | 000,036,864 | -H-- | M] (IBM Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\cstrcser.exe -- (cstrcser)
    SRV - [2011/03/03 10:57:53 | 000,028,672 | -H-- | M] (IBM Corporation) [Auto | Running] -- C:\WINDOWS\system32\drivers\ldlcserv.exe -- (ldlcserv) IBM Enterprise Extender (IPv4)
    SRV - [2011/03/03 10:54:46 | 000,049,152 | -H-- | M] (IBM Corporation) [On_Demand | Stopped] -- C:\Program Files\IBM\Personal Communications\csrcmds.exe -- (csrcmds)
    SRV - [2010/03/04 21:38:00 | 000,071,096 | -H-- | M] () [Auto | Running] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)
    SRV - [2009/11/12 20:59:02 | 000,132,392 | -H-- | M] (Juniper Networks) [Auto | Running] -- C:\Program Files\Common Files\Juniper Networks\JUNS\dsAccessService.exe -- (JuniperAccessService)
    SRV - [2009/09/18 03:00:00 | 000,764,768 | -H-- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
    SRV - [2009/09/18 03:00:00 | 000,246,624 | -H-- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\CCM\TSManager.exe -- (smstsmgr)
    SRV - [2008/08/29 12:58:16 | 001,528,608 | -H-- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
    SRV - [2002/01/11 14:35:13 | 000,454,928 | -H-- | M] (Peregrine Systems, Inc.) [Auto | Stopped] -- C:\Program Files\Peregrine\InfraTools Remote Control\bin\iftlsnr.exe -- (iftlsnr)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
    DRV - [2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
    DRV - [2011/07/08 03:12:48 | 007,023,104 | -H-- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2011/03/03 10:57:57 | 000,208,928 | -H-- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\AppnBase.sys -- (AppnBase)
    DRV - [2011/03/03 10:57:57 | 000,058,432 | -H-- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\pdlnsx25.sys -- (pdlnsx25)
    DRV - [2011/03/03 10:57:57 | 000,054,416 | -H-- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\pdlnsv25.sys -- (pdlnsv25)
    DRV - [2011/03/03 10:57:57 | 000,022,384 | -H-- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\pdlnslea.sys -- (pdlnslea)
    DRV - [2011/03/03 10:57:56 | 000,067,184 | -H-- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\pdlnemap.sys -- (pdlnemap)
    DRV - [2011/03/03 10:57:56 | 000,067,072 | -H-- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\pdlndsdl.sys -- (pdlndsdl)
    DRV - [2011/03/03 10:57:56 | 000,059,504 | -H-- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\pdlnshay.sys -- (pdlnshay)
    DRV - [2011/03/03 10:57:56 | 000,053,248 | -H-- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\pdlndqll.sys -- (pdlndqll)
    DRV - [2011/03/03 10:57:56 | 000,050,336 | -H-- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\pdlnecfg.sys -- (pdlnecfg)
    DRV - [2011/03/03 10:57:56 | 000,019,984 | -H-- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\pdlnepkt.sys -- (pdlnepkt)
    DRV - [2011/03/03 10:57:56 | 000,018,944 | -H-- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\pdlndoem.sys -- (pdlndoem)
    DRV - [2011/03/03 10:57:56 | 000,012,768 | -H-- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\pdlnemsg.sys -- (pdlnemsg)
    DRV - [2011/03/03 10:57:56 | 000,008,608 | -H-- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\pdlnebas.sys -- (pdlnebas)
    DRV - [2011/03/03 10:57:55 | 000,160,288 | -H-- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\pdlncfwk.sys -- (pdlncfwk)
    DRV - [2011/03/03 10:57:55 | 000,075,200 | -H-- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\pdlnacom.sys -- (pdlnacom)
    DRV - [2011/03/03 10:57:55 | 000,070,144 | -H-- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\pdlndlpb.sys -- (pdlndlpb)
    DRV - [2011/03/03 10:57:55 | 000,064,512 | -H-- | M] (IBM Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\pdlndldl.sys -- (pdlndldl) IBM Enterprise Extender (HPR/IPv4)
    DRV - [2011/03/03 10:57:55 | 000,036,048 | -H-- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\pdlnafac.sys -- (pdlnafac)
    DRV - [2011/03/03 10:57:55 | 000,012,800 | -H-- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\pdlndint.sys -- (pdlndint)
    DRV - [2011/03/03 10:57:55 | 000,006,784 | -H-- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\pdlncbas.sys -- (pdlncbas)
    DRV - [2011/03/03 10:57:54 | 001,322,080 | -H-- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\appn.sys -- (Appn)
    DRV - [2011/03/03 10:57:54 | 000,120,224 | -H-- | M] (IBM Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\appnapi.sys -- (AppnApi)
    DRV - [2011/03/03 10:57:54 | 000,101,696 | -H-- | M] (IBM Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\llc2.sys -- (IBM_LLC2)
    DRV - [2011/03/03 10:57:54 | 000,072,704 | -H-- | M] (IBM Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\pdlndldl6.sys -- (pdlndldl6) IBM Enterprise Extender (HPR/IPv6)
    DRV - [2011/03/03 10:57:54 | 000,038,280 | -H-- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\anydlc.sys -- (Anydlc)
    DRV - [2011/03/03 10:57:53 | 000,024,588 | -H-- | M] (IBM Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\klognt.sys -- (KLOGNT)
    DRV - [2011/03/03 10:57:53 | 000,012,028 | -H-- | M] (IBM Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\nstrcnt.sys -- (NsTrcNT)
    DRV - [2010/04/05 23:35:56 | 000,168,616 | -H-- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\e1k5132.sys -- (e1kexpress) Intel(R)
    DRV - [2009/11/12 12:48:56 | 000,007,168 | -H-- | M] () [File_System | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen)
    DRV - [2009/09/18 03:00:00 | 000,020,848 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)
    DRV - [2008/10/20 19:08:06 | 000,012,448 | -H-- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smsmdm.sys -- (smsmdd)
    DRV - [2008/08/29 12:57:18 | 000,306,299 | -H-- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
    DRV - [2008/08/21 05:38:10 | 000,020,480 | RH-- | M] (Dell Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (omci)
    DRV - [2008/03/29 16:36:28 | 000,125,328 | -H-- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
    DRV - [2007/11/14 16:05:16 | 000,394,952 | -H-- | M] (Zone Labs, LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
    DRV - [2007/05/11 23:00:14 | 000,045,056 | -H-- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel(R)
    DRV - [2007/01/18 17:28:02 | 000,005,275 | -H-- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
    DRV - [2005/11/30 21:30:14 | 000,010,880 | -H-- | M] (VMware, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\vmscsi.sys -- (vmscsi)
    DRV - [2005/08/12 11:46:42 | 000,062,080 | -H-- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SI3112.sys -- (SI3112)
    DRV - [2005/08/12 09:14:20 | 000,004,736 | -H-- | M] (Silicon Image, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\SiRemFil.sys -- (SiRemFil)
    DRV - [2004/11/01 11:21:32 | 000,010,368 | -H-- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys -- (SiFilter)
    DRV - [2001/04/19 02:58:05 | 000,006,097 | -H-- | M] (Peregrine Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Peregrine\InfraTools Remote Control\bin\iftrcdrv.sys -- (iftrcdrv)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://sdolintranet:81/


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = file://c:\WINDOWS\IEaccess\IEaccess.htm
    IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = file://c:\WINDOWS\IEaccess\IEaccess.htm
    IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-1597753769-3272558778-1852756267-2651\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\S-1-5-21-1597753769-3272558778-1852756267-2651\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



    O1 HOSTS File: ([2012/01/06 10:36:23 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O4 - HKLM..\Run: [GPUpdate] C:\WINDOWS\System32\gpupdate.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
    O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
    O4 - HKLM..\Run: [PinAInfo] C:\WINDOWS\system32\ai.vbs ()
    O4 - HKLM..\Run: [SetDefaultPrinter] C:\WINDOWS\system32\dp.vbs ()
    O4 - HKLM..\Run: [SetGrammaticaLicense] C:\WINDOWS\system32\gl.vbs ()
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylockeduserid = 1
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-1597753769-3272558778-1852756267-2651\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1597753769-3272558778-1852756267-2651\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-1597753769-3272558778-1852756267-2651\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-1597753769-3272558778-1852756267-2651\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://juniper.net/dana-cached/setup/JuniperSetupSP1.cab (JuniperSetupControlXP Class)
    O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/dana-cached/sc/JuniperSetupClient.cab (JuniperSetupClientControl Class)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.72.126.59 10.72.126.26
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Grid12NT.nysdol.us
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E48819ED-8852-43E7-8370-81B6FFA49C09}: DhcpNameServer = 10.72.126.59 10.72.126.26
    O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2011/08/12 17:19:37 | 000,000,000 | -H-- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: HidServ - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/01/09 15:29:35 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\IP0XC3\Desktop\OTL.exe
    [2012/01/06 13:01:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\IP0XC3\Application Data\Malwarebytes
    [2012/01/06 13:01:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/01/06 13:01:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2012/01/06 13:01:47 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2012/01/06 13:01:47 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2012/01/06 12:55:38 | 000,066,896 | ---- | C] (Malwarebytes Corporation) -- C:\Documents and Settings\IP0XC3\Desktop\mbam-clean.exe
    [2012/01/06 12:26:44 | 004,704,768 | ---- | C] (AVAST Software) -- C:\Documents and Settings\IP0XC3\Desktop\aswMBR.exe
    [2012/01/06 10:33:40 | 000,483,328 | ---- | C] (Simon Tatham) -- C:\Documents and Settings\All Users\Desktop\putty.exe
    [2012/01/06 10:24:03 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2012/01/06 10:15:10 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2012/01/06 10:15:10 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2012/01/06 10:15:10 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2012/01/06 10:15:10 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2012/01/06 10:15:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2012/01/06 10:15:03 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/01/06 10:15:01 | 000,000,000 | R--D | C] -- C:\Documents and Settings\IP0XC3\My Documents\My Videos
    [2012/01/06 10:08:58 | 004,376,389 | R--- | C] (Swearware) -- C:\Documents and Settings\IP0XC3\Desktop\ComboFix.exe
    [2012/01/05 11:52:56 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\IP0XC3\Recent
    [2011/12/30 17:36:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\IP0XC3\Start Menu\Programs\System Check
    [2011/12/22 16:37:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\IP0XC3\My Documents\Personal
    [2011/12/22 12:06:29 | 000,000,000 | R--D | C] -- C:\Documents and Settings\IP0XC3\Start Menu\Programs\Administrative Tools
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/01/09 15:29:35 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\IP0XC3\Desktop\OTL.exe
    [2012/01/09 14:35:15 | 004,376,389 | R--- | M] (Swearware) -- C:\Documents and Settings\IP0XC3\Desktop\ComboFix.exe
    [2012/01/09 14:29:22 | 000,021,660 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
    [2012/01/09 14:29:20 | 000,000,630 | RHS- | M] () -- C:\Documents and Settings\IP0XC3\ntuser.pol
    [2012/01/09 14:29:19 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
    [2012/01/09 14:29:13 | 000,002,206 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/01/09 14:27:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/01/09 14:27:22 | 2111,422,464 | -HS- | M] () -- C:\hiberfil.sys
    [2012/01/06 13:01:48 | 000,000,808 | ---- | M] () -- C:\Documents and Settings\IP0XC3\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
    [2012/01/06 13:01:48 | 000,000,790 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/01/06 12:55:31 | 000,066,896 | ---- | M] (Malwarebytes Corporation) -- C:\Documents and Settings\IP0XC3\Desktop\mbam-clean.exe
    [2012/01/06 12:32:25 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\IP0XC3\My Documents\MBR.dat
    [2012/01/06 12:26:44 | 004,704,768 | ---- | M] (AVAST Software) -- C:\Documents and Settings\IP0XC3\Desktop\aswMBR.exe
    [2012/01/06 10:36:23 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2012/01/06 10:24:06 | 000,000,311 | RHS- | M] () -- C:\boot.ini
    [2011/12/30 18:15:44 | 000,000,839 | ---- | M] () -- C:\Documents and Settings\IP0XC3\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
    [2011/12/30 13:27:13 | 000,000,664 | -H-- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/12/22 11:56:19 | 000,509,030 | -H-- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011/12/22 11:56:19 | 000,089,494 | -H-- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/01/06 13:01:48 | 000,000,808 | ---- | C] () -- C:\Documents and Settings\IP0XC3\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
    [2012/01/06 13:01:48 | 000,000,790 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/01/06 12:32:25 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\IP0XC3\My Documents\MBR.dat
    [2012/01/06 10:33:45 | 000,002,447 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
    [2012/01/06 10:33:45 | 000,001,793 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    [2012/01/06 10:33:41 | 000,002,347 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
    [2012/01/06 10:33:41 | 000,001,809 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Search.lnk
    [2012/01/06 10:33:41 | 000,001,562 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\CDBurnerXP.lnk
    [2012/01/06 10:33:41 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Movie Maker.lnk
    [2012/01/06 10:33:41 | 000,000,609 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Messenger.lnk
    [2012/01/06 10:33:40 | 000,002,329 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Office Outlook 2007.lnk
    [2012/01/06 10:33:40 | 000,001,777 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\VPN Client.lnk
    [2012/01/06 10:33:40 | 000,000,821 | ---- | C] () -- C:\Documents and Settings\IP0XC3\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2012/01/06 10:33:40 | 000,000,750 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\UGent VPN.lnk
    [2012/01/06 10:33:40 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\IP0XC3\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
    [2012/01/06 10:28:46 | 2111,422,464 | -HS- | C] () -- C:\hiberfil.sys
    [2012/01/06 10:24:06 | 000,000,195 | ---- | C] () -- C:\Boot.bak
    [2012/01/06 10:24:04 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2012/01/06 10:15:10 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2012/01/06 10:15:10 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2012/01/06 10:15:10 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2012/01/06 10:15:10 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2012/01/06 10:15:10 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2011/12/30 15:02:24 | 000,000,839 | ---- | C] () -- C:\Documents and Settings\IP0XC3\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
    [2011/12/15 12:50:57 | 000,000,664 | -H-- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/08/25 11:28:01 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\IP0XC3\Local Settings\Application Data\PUTTY.RND
    [2011/08/12 17:38:18 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\ativpsrm.bin
    [2011/08/12 17:35:18 | 000,887,724 | -H-- | C] () -- C:\WINDOWS\System32\ativva6x.dat
    [2011/08/12 17:35:18 | 000,234,142 | -H-- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
    [2011/08/12 17:35:18 | 000,000,003 | -H-- | C] () -- C:\WINDOWS\System32\ativva5x.dat
    [2011/08/12 14:17:33 | 000,004,764 | -H-- | C] () -- C:\WINDOWS\System32\CcmFramework.ini
    [2011/05/02 11:52:04 | 013,107,200 | -H-- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2011/05/02 11:52:04 | 000,509,030 | -H-- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2011/05/02 11:52:04 | 000,272,128 | -H-- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2011/05/02 11:52:04 | 000,089,494 | -H-- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2011/05/02 11:52:04 | 000,028,626 | -H-- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2011/05/02 11:52:04 | 000,004,569 | -H-- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2011/05/02 11:52:04 | 000,004,463 | -H-- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2011/05/02 11:52:04 | 000,000,741 | -H-- | C] () -- C:\WINDOWS\System32\noise.dat
    [2011/05/02 11:52:00 | 000,673,088 | -H-- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2011/05/02 11:52:00 | 000,046,258 | -H-- | C] () -- C:\WINDOWS\System32\mib.bin
    [2011/05/02 11:51:59 | 000,218,003 | -H-- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2011/05/02 11:51:59 | 000,001,804 | -H-- | C] () -- C:\WINDOWS\System32\Dcache.bin
    [2011/05/02 10:32:02 | 000,000,393 | -H-- | C] () -- C:\WINDOWS\smscfg.ini
    [2011/05/02 09:46:29 | 000,316,416 | -H-- | C] () -- C:\WINDOWS\System32\ct_corct.dll
    [2011/05/02 09:46:29 | 000,272,384 | -H-- | C] () -- C:\WINDOWS\System32\ct_bar.dll
    [2011/05/02 09:46:29 | 000,176,640 | -H-- | C] () -- C:\WINDOWS\System32\ct_file.dll
    [2011/05/02 09:46:29 | 000,025,088 | -H-- | C] () -- C:\WINDOWS\System32\ct_zset.dll
    [2011/05/02 09:46:28 | 000,022,944 | -H-- | C] () -- C:\WINDOWS\System32\ci_file.dll
    [2011/05/02 09:46:28 | 000,007,680 | -H-- | C] () -- C:\WINDOWS\System32\ci_corct.dll
    [2011/05/02 09:46:28 | 000,005,888 | -H-- | C] () -- C:\WINDOWS\System32\ci_srv.dll
    [2011/05/02 09:46:28 | 000,003,968 | -H-- | C] () -- C:\WINDOWS\System32\ci_bar.dll
    [2011/05/02 09:41:41 | 000,000,261 | -H-- | C] () -- C:\WINDOWS\iftagt.ini
    [2011/05/02 09:41:40 | 000,000,072 | -H-- | C] () -- C:\WINDOWS\iftlsnr.ini
    [2011/05/02 09:40:46 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\pcsmig.INI
    [2011/05/02 09:39:53 | 000,411,391 | -H-- | C] () -- C:\WINDOWS\System32\Info.exe
    [2011/05/02 09:04:37 | 000,007,168 | -H-- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
    [2011/05/02 09:03:49 | 000,000,078 | -H-- | C] () -- C:\WINDOWS\init.ini
    [2011/05/02 09:03:00 | 000,028,672 | -H-- | C] () -- C:\WINDOWS\System32\ps2pdf.dll
    [2011/05/02 08:54:33 | 000,087,552 | -H-- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
    [2011/05/02 08:53:30 | 012,832,768 | -H-- | C] () -- C:\WINDOWS\System32\gsdll32.dll
    [2011/05/02 08:01:27 | 000,000,051 | -H-- | C] () -- C:\WINDOWS\smsts.ini
    [2011/05/02 08:00:24 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2011/05/02 07:57:59 | 000,021,640 | -H-- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2011/05/02 07:57:47 | 000,001,793 | -H-- | C] () -- C:\WINDOWS\System32\fxsperf.ini
    [2011/05/02 03:56:23 | 000,004,161 | -H-- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2011/05/02 03:55:55 | 000,267,800 | -H-- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2011/03/03 10:57:53 | 000,000,251 | -H-- | C] () -- C:\WINDOWS\System32\drivers\hlldrvr.com
    [2010/09/20 09:09:50 | 000,495,616 | -H-- | C] () -- C:\WINDOWS\System32\softcoin.dll
    [2010/09/20 09:09:50 | 000,356,352 | -H-- | C] () -- C:\WINDOWS\System32\gencoin.dll
    [2008/08/29 12:58:26 | 000,197,408 | -H-- | C] () -- C:\WINDOWS\System32\vpnapi.dll
    [2008/08/29 12:58:16 | 000,193,312 | -H-- | C] () -- C:\WINDOWS\System32\CSGina.dll
    [2008/05/26 20:59:42 | 000,018,904 | -H-- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
    [2008/05/26 20:59:40 | 000,106,605 | -H-- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
    [2007/09/27 09:51:02 | 000,020,698 | -H-- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
    [2007/09/27 09:48:48 | 000,030,628 | -H-- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
    [2007/09/27 09:48:28 | 000,031,698 | -H-- | C] () -- C:\WINDOWS\System32\gthrctr.ini

    ========== LOP Check ==========

    [2011/05/02 09:39:00 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Administrator\Application Data\Grammatica
    [2011/05/02 09:06:59 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Administrator\Application Data\IBM
    [2011/08/15 12:05:36 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\Administrator.SHERRYG12PC\Application Data\Windows Desktop Search
    [2011/08/12 13:55:02 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\GroupPolicy
    [2011/05/02 09:10:34 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\IBM
    [2011/05/02 09:04:27 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Juniper Networks
    [2011/08/25 08:29:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\IP0XC3\Application Data\Windows Desktop Search

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2011/08/12 17:19:37 | 000,000,000 | -H-- | M] () -- C:\autoexec.bat
    [2011/08/12 17:40:07 | 000,000,195 | ---- | M] () -- C:\Boot.bak
    [2012/01/06 10:24:06 | 000,000,311 | RHS- | M] () -- C:\boot.ini
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2012/01/09 14:40:30 | 000,007,379 | ---- | M] () -- C:\ComboFix.txt
    [2011/08/12 17:19:37 | 000,000,000 | -H-- | M] () -- C:\config.sys
    [2011/05/02 09:58:18 | 000,046,538 | -H-- | M] () -- C:\EditorInstallation.log
    [2012/01/09 14:27:22 | 2111,422,464 | -HS- | M] () -- C:\hiberfil.sys
    [2011/05/02 03:56:44 | 000,004,128 | -H-- | M] () -- C:\INFCACHE.1
    [2011/08/12 17:19:37 | 000,000,000 | -HS- | M] () -- C:\io.sys
    [2011/08/12 17:19:37 | 000,000,000 | -HS- | M] () -- C:\msdos.sys
    [2011/08/12 17:19:37 | 000,047,564 | -HS- | M] () -- C:\NTDETECT.COM
    [2011/08/12 17:19:37 | 000,250,048 | -HS- | M] () -- C:\ntldr
    [2011/08/12 13:50:15 | 000,000,011 | -H-- | M] () -- C:\OSD.Debug
    [2012/01/09 14:27:21 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
    [2011/05/02 09:58:11 | 000,023,636 | -H-- | M] () -- C:\pia.log
    [2012/01/06 10:11:50 | 000,000,907 | -H-- | M] () -- C:\rkill.log
    [2012/01/05 10:51:46 | 000,065,298 | -H-- | M] () -- C:\TDSSKiller.2.6.25.0_05.01.2012_10.49.10_log.txt
    [2011/05/02 09:57:50 | 000,058,206 | -H-- | M] () -- C:\VSTOR30.log
    [2011/05/02 09:57:30 | 000,182,324 | -H-- | M] () -- C:\VSTORuntime.log
    [2011/05/02 09:57:05 | 000,030,102 | -H-- | M] () -- C:\WSE30.log

    < %systemroot%\Fonts\*.com >
    [2006/04/18 14:39:28 | 000,026,040 | -H-- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 13:53:56 | 000,026,489 | -H-- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 14:39:28 | 000,029,779 | -H-- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 13:58:52 | 000,030,808 | -H-- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2011/05/02 07:59:02 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2006/10/15 15:32:00 | 000,070,144 | -H-- | M] (Lexmark International Inc.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\DKABJ74C.DLL
    [2009/05/15 10:58:34 | 000,060,928 | -H-- | M] (Lexmark International Inc.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\DKACI54C.DLL
    [2008/07/06 07:06:10 | 000,089,088 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2008/04/04 20:01:40 | 000,272,896 | -H-- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpcpp5r1.DLL
    [2002/01/10 09:08:34 | 000,046,592 | -H-- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpprn02.dll
    [2007/01/25 12:24:04 | 000,286,208 | -H-- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp4wm.DLL
    [2004/04/01 00:03:44 | 000,026,624 | -H-- | M] (Lexmark International Inc.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\lmaanb4c.dll
    [2005/01/28 03:15:04 | 000,026,624 | -H-- | M] (Lexmark International Inc.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\LMAATB4C.DLL
    [2006/10/26 18:58:12 | 000,030,512 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
    [2008/07/06 05:50:03 | 000,597,504 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    [2007/12/05 14:58:46 | 000,019,968 | -H-- | M] (Windows (R) 2000 DDK provider) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\sdu1mpc.dll

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2011/05/02 03:55:25 | 000,094,208 | -H-- | M] () -- C:\WINDOWS\System32\config\default.sav
    [2011/05/02 03:55:25 | 001,089,536 | -H-- | M] () -- C:\WINDOWS\System32\config\software.sav
    [2011/05/02 03:55:25 | 000,917,504 | -H-- | M] () -- C:\WINDOWS\System32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2011/08/23 12:18:11 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\IP0XC3\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2012/01/06 12:26:44 | 004,704,768 | ---- | M] (AVAST Software) -- C:\Documents and Settings\IP0XC3\Desktop\aswMBR.exe
    [2012/01/09 14:35:15 | 004,376,389 | R--- | M] (Swearware) -- C:\Documents and Settings\IP0XC3\Desktop\ComboFix.exe
    [2012/01/06 12:55:31 | 000,066,896 | ---- | M] (Malwarebytes Corporation) -- C:\Documents and Settings\IP0XC3\Desktop\mbam-clean.exe
    [2012/01/09 15:29:35 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\IP0XC3\Desktop\OTL.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >
    [2008/08/11 13:16:37 | 000,000,791 | -H-- | M] () -- C:\WINDOWS\ADDINS\fxsext.ecf

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2011/08/23 12:18:11 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\IP0XC3\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2012/01/09 14:29:22 | 000,021,660 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
    [2011/08/12 14:31:14 | 000,003,072 | -HS- | M] () -- C:\Documents and Settings\All Users\Thumbs.db

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2011/12/30 15:21:11 | 000,000,067 | -HS- | M] () -- C:\Documents and Settings\IP0XC3\Cookies\desktop.ini
    [2012/01/09 15:29:45 | 000,147,456 | ---- | M] () -- C:\Documents and Settings\IP0XC3\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2007/06/26 21:10:26 | 000,317,440 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008/08/11 13:17:13 | 000,033,792 | -H-- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2007/04/02 22:37:24 | 000,004,821 | -H-- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2007/04/02 22:37:24 | 000,007,047 | -H-- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2008/05/02 09:01:49 | 000,083,968 | -H-- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2008/04/13 22:00:30 | 000,180,224 | -H-- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008/04/14 04:42:30 | 001,695,232 | -H-- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2007/04/02 22:37:24 | 000,002,882 | -H-- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2007/04/02 22:37:24 | 000,006,156 | -H-- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2007/04/02 22:37:26 | 000,006,160 | -H-- | M] () -- C:\Program Files\Messenger\online.wav
    [2007/04/02 22:37:28 | 000,004,454 | -H-- | M] () -- C:\Program Files\Messenger\type.wav
    [2007/04/02 22:34:02 | 000,115,981 | -H-- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
    "UseWUServer" = 1
    "DetectionFrequencyEnabled" = 1
    "DetectionFrequency" = 22
    "RebootWarningTimeoutEnabled" = 1
    "RebootWarningTimeout" = 10
    "AUPowerManagement" = 1
    "NoAutoUpdate" = 0
    "AUOptions" = 4
    "ScheduledInstallDay" = 7
    "ScheduledInstallTime" = 4

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\All Users\Desktop\putty.exe:SummaryInformation

    < End of report >
     
  25. meadow

    meadow TS Rookie Topic Starter Posts: 83

    2 of 2 logs:
    OTL Extras logfile created on: 1/9/2012 3:31:16 PM - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\IP0XC3\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.13)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.97 Gb Total Physical Memory | 1.36 Gb Available Physical Memory | 69.38% Memory free
    3.81 Gb Paging File | 3.36 Gb Available in Paging File | 88.01% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 149.00 Gb Total Space | 134.79 Gb Free Space | 90.46% Space Free | Partition Type: NTFS

    Computer Name: SHERRYG12PC | User Name: ip0xc3 | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop]
    "Enabled" = 1
    "RemoteAddresses" =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop]
    "Enabled" = 1
    "RemoteAddresses" =

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
    "5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)
    "C:\EVN\BIN\evn.exe" = C:\EVN\BIN\evn.exe:*:Enabled:evn -- ()


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{2609EDF1-34C4-4B03-B634-55F3B3BC4931}" = Configuration Manager Client
    "{2624B969-7135-4EB1-B0F6-2D8C397B45F7}_is1" = Media Player Classic - Home Cinema v1.4.2499.0
    "{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 26
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
    "{3A31B199-99D8-4203-9E0E-E3C9D8902534}" = xEditor
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{447D8B58-880C-4627-BF57-9C408219313E}" = Juniper Installer Service
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
    "{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}" = Cisco Systems VPN Client 5.0.04.0300
    "{5DBE95F6-823A-4547-9921-CEDFADA1D2D8}" = McAfee Agent
    "{721ABC3B-5F12-4332-9C0C-C11424EF666C}" = WIMGAPI
    "{73868DD9-CC9A-4F7F-B708-99F096DEAB6D}" = Adobe Shockwave Player 11.5
    "{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
    "{8FB53850-246A-3507-8ADE-0060093FFEA6}" = Visual Studio Tools for the Office system 3.0 Runtime
    "{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
    "{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
    "{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
    "{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
    "{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
    "{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
    "{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
    "{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
    "{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
    "{95120000-0052-0409-0000-0000000FF1CE}" = Microsoft Office Visio Viewer 2007
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.0)
    "{B3AE8231-C74A-4412-8701-EB494088C7A5}" = IBM Personal Communications
    "{B7BDAF22-9647-4846-8EA9-6E0A5B785651}" = Adobe Flash Player 10 Plugin
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}" = ClearType Tuning Control Panel Applet
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D787C24E-809D-4C48-BF53-EC5C76689A13}" = PolicyMaker™ Registry Extension Client
    "{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
    "{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR
    "1CF754F21E4C8FD08B6F7C7CC3879C7395616841" = Windows Driver Package - Hewlett-Packard DOT4 (11/04/2007 10.1.1.3)
    "2ED8EBC618ADA2092998C1AD5B6F07600EC8CEDB" = Windows Driver Package - Hewlett-Packard DOT4USB (02/18/2008 10.1.1.3)
    "44A1336677759DD100DBA0E475E6C92114FFA5E8" = Windows Driver Package - Hewlett-Packard DOT4 (02/18/2008 10.1.1.3)
    "656EF72B6C5328B8FB837688D9282663C5046571" = Windows Driver Package - Hewlett-Packard DOT4USB (07/25/2007 10.1.1.3)
    "66373F198F5809ED38963BFA32FAC8008F8371D2" = Windows Driver Package - HP HP LaserJet P4010_P4510 Series PCL 6 (02/28/2008 61.072.51.02)
    "66ED737C9D2B25C479FE362736CDC0734A1BC20A" = Windows Driver Package - Hewlett-Packard (HPZs2k12) DiskDrive (02/18/2008 10.1.1.5)
    "6BFBF3E69880B92F09E46EAAF1A5BCA3EC73B329" = Windows Driver Package - Hewlett-Packard DOT4PRT (02/18/2008 10.1.1.3)
    "8688956EC139638F031FB8EFEB14ECA17BCF98DA" = Windows Driver Package - HP HP LaserJet 5200LX PCL 6 (07/24/2007 61.063.941.00)
    "997246873C67DB6031D55D0688BF87DFFB21EB69" = Windows Driver Package - Hewlett-Packard DOT4 (02/18/2008 10.1.1.3)
    "9F1C57C4F855806D0B6F9BB24E2041E3FE19A2E1" = Windows Driver Package - Hewlett-Packard DOT4 (07/25/2007 10.1.1.3)
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "BE25A62BB7041ED0F5643AA34A6FB49F7F8A63D6" = Windows Driver Package - Hewlett-Packard DOT4PRT (07/25/2007 10.1.1.3)
    "CutePDF Writer Installation" = CutePDF Writer 2.8
    "D3BBA59DAEC58919DF6127C26F86D481A4B90B73" = Windows Driver Package - Hewlett-Packard Ports (07/25/2007 10.1.1.3)
    "F2BC9F814E94612B191E1AD48872E3B5349686AC" = Windows Driver Package - Hewlett-Packard Ports (02/18/2008 10.1.1.3)
    "GPL Ghostscript 9.00" = GPL Ghostscript 9.00
    "Grammatica_is1" = Grammatica 7.0.3
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "InfraTools Remote Control@5.53@en" = InfraTools Remote Control version 5.53 en
    "IWPMNTV2R3" = IWPM for Windows XP
    "Juniper_Setup_Client Activex Control" = Juniper Networks Setup Client Activex Control
    "Letter Generator" = Letter Generator
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft Visual Studio 2005 Tools for Office Runtime" = Microsoft Visual Studio 2005 Tools for Office Runtime
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "PROPLUS" = Microsoft Office Professional Plus 2007
    "RDC" = RDC
    "Visual Studio Tools for the Office system 3.0 Runtime" = Visual Studio Tools for the Office system 3.0 Runtime
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
    "YTdetect" = Yahoo! Detect

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 1/6/2012 11:28:08 AM | Computer Name = SHERRYG12PC | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: This network connection does not exist.

    Error - 1/6/2012 11:50:13 AM | Computer Name = SHERRYG12PC | Source = Userenv | ID = 1054
    Description = Windows cannot obtain the domain controller name for your computer
    network. (The specified domain either does not exist or could not be contacted.
    ). Group Policy processing aborted.

    Error - 1/6/2012 11:50:13 AM | Computer Name = SHERRYG12PC | Source = AutoEnrollment | ID = 15
    Description = Automatic certificate enrollment for local system failed to contact
    the active directory (0x8007054b). The specified domain either does not exist
    or could not be contacted. Enrollment will not be performed.

    Error - 1/6/2012 11:50:24 AM | Computer Name = SHERRYG12PC | Source = Userenv | ID = 1054
    Description = Windows cannot obtain the domain controller name for your computer
    network. (The specified domain either does not exist or could not be contacted.
    ). Group Policy processing aborted.

    Error - 1/6/2012 1:01:00 PM | Computer Name = SHERRYG12PC | Source = Userenv | ID = 1054
    Description = Windows cannot obtain the domain controller name for your computer
    network. (The specified domain either does not exist or could not be contacted.
    ). Group Policy processing aborted.

    Error - 1/6/2012 1:01:01 PM | Computer Name = SHERRYG12PC | Source = AutoEnrollment | ID = 15
    Description = Automatic certificate enrollment for local system failed to contact
    the active directory (0x8007054b). The specified domain either does not exist
    or could not be contacted. Enrollment will not be performed.

    Error - 1/6/2012 1:01:17 PM | Computer Name = SHERRYG12PC | Source = Userenv | ID = 1054
    Description = Windows cannot obtain the domain controller name for your computer
    network. (The specified domain either does not exist or could not be contacted.
    ). Group Policy processing aborted.

    Error - 1/6/2012 2:56:45 PM | Computer Name = SHERRYG12PC | Source = Userenv | ID = 1054
    Description = Windows cannot obtain the domain controller name for your computer
    network. (The specified domain either does not exist or could not be contacted.
    ). Group Policy processing aborted.

    Error - 1/6/2012 2:56:46 PM | Computer Name = SHERRYG12PC | Source = AutoEnrollment | ID = 15
    Description = Automatic certificate enrollment for local system failed to contact
    the active directory (0x8007054b). The specified domain either does not exist
    or could not be contacted. Enrollment will not be performed.

    Error - 1/6/2012 3:00:21 PM | Computer Name = SHERRYG12PC | Source = Userenv | ID = 1054
    Description = Windows cannot obtain the domain controller name for your computer
    network. (The specified domain either does not exist or could not be contacted.
    ). Group Policy processing aborted.

    [ System Events ]
    Error - 1/9/2012 3:27:34 PM | Computer Name = SHERRYG12PC | Source = NETLOGON | ID = 5776
    Description = Failed to create/open file \system32\config\netlogon.ftl with the
    following error: %%5

    Error - 1/9/2012 3:27:52 PM | Computer Name = SHERRYG12PC | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    SiRemFil

    Error - 1/9/2012 3:28:44 PM | Computer Name = SHERRYG12PC | Source = Windows Update Agent | ID = 16
    Description = Unable to Connect: Windows is unable to connect to the automatic updates
    service and therefore cannot download and install updates according to the set
    schedule. Windows will continue to try to establish a connection.

    Error - 1/9/2012 3:34:38 PM | Computer Name = SHERRYG12PC | Source = Service Control Manager | ID = 7034
    Description = The InfraTools Remote Control Listener service terminated unexpectedly.
    It has done this 1 time(s).

    Error - 1/9/2012 3:34:42 PM | Computer Name = SHERRYG12PC | Source = Service Control Manager | ID = 7034
    Description = The IBM Trace Facility service terminated unexpectedly. It has done
    this 1 time(s).

    Error - 1/9/2012 3:36:31 PM | Computer Name = SHERRYG12PC | Source = NETLOGON | ID = 5719
    Description = No Domain Controller is available for domain GRID12NT due to the following:
    %%1311. Make sure that the computer is connected to the network and try again. If
    the problem persists, please contact your domain administrator.

    Error - 1/9/2012 3:37:10 PM | Computer Name = SHERRYG12PC | Source = Service Control Manager | ID = 7011
    Description = Timeout (30000 milliseconds) waiting for a transaction response from
    the ldlcserv service.

    Error - 1/9/2012 3:37:40 PM | Computer Name = SHERRYG12PC | Source = Service Control Manager | ID = 7011
    Description = Timeout (30000 milliseconds) waiting for a transaction response from
    the ldlcserv6 service.

    Error - 1/9/2012 3:40:00 PM | Computer Name = SHERRYG12PC | Source = Service Control Manager | ID = 7011
    Description = Timeout (30000 milliseconds) waiting for a transaction response from
    the ldlcserv service.

    Error - 1/9/2012 3:40:30 PM | Computer Name = SHERRYG12PC | Source = Service Control Manager | ID = 7011
    Description = Timeout (30000 milliseconds) waiting for a transaction response from
    the ldlcserv6 service.


    < End of report >


    And I had a network connection while I was running OTL.
    Thanks.
     