Inactive Trojan:DOS/Alureon.H found on Non-Bootable Drive

hamr1965

So I am trying to fix a friend's Acer Aspire 5336 laptop - she brought it to me saying it wouldn't boot past the Acer flash screen - just a black screen with the flashing "_".

I pulled the drive and attached it as a USB external drive to my laptop - I could feel it whirring - but no recognition that an external drive was attached. Thinking perhaps the drive platters were stuck - I gently whacked the hard drive on the table - then swung it through the air a couple of times - then plugged it back in to the external drive port - and voila! my laptop recognized the drive. I quickly made an image of the drive and saved it - because at this point I thought I was dealing with a failing drive. I had an extra drive - so I formatted the new drive and restored her drive image onto it. It still wouldn't boot, though, when I put it back in her laptop - so I reattached it as an external drive to my laptop, and started researching the issue, and then left it connected for the night. During the night, my laptop's AVG anti-virus and Microsoft Security Essentials ran - and one of them came back saying I had the Trojan:DOS/Alureon.H virus. At first I thought it was on MY laptop - but then I realized it was on her drive. Now I cannot run TDSSKiller or whatnot on her drive, because I cannot boot into it.

I do not know how I should proceed. Any assistance would be hugely appreciated.
 
Oh - I forgot - when her laptop first starts up - pressing Control-F8 does not do anything - F2 will take you into BIOS, but that's it.
 
Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=====================================================================

Let's see if we can look at your computer by booting from an external source.

Please download OTLPE (filesize 120,9 MB)

  • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
  • Reboot your system using the boot CD you just created.
    • Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved as C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.
 

Well - that was tougher than I thought it would be - but I finally saved the file back to the damaged drive - then accessed it (quickly) through my external drive connection to get it onto my good laptop so I could post it to you.

OTL.txt

OTL logfile created on: 3/16/2012 8:22:41 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
64bit-Windows 7 Home Premium Service Pack 1 (Version = 6.1.7601) - Type = System
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 90.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = E: | %SystemRoot% = E:\Windows | %ProgramFiles% = E:\Program Files (x86)
Drive C: | 100.00 Mb Total Space | 65.87 Mb Free Space | 65.87% Space Free | Partition Type: NTFS
Drive E: | 219.29 Gb Total Space | 161.54 Gb Free Space | 73.67% Space Free | Partition Type: NTFS
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV:64bit: - [2011/11/03 10:44:42 | 000,827,520 | ---- | M] (Check Point Software Technologies) [Auto] -- E:\Program Files\CheckPoint\ZAForceField\IswSvc.exe -- (IswSvc)
SRV:64bit: - [2011/04/27 18:21:18 | 000,288,272 | ---- | M] (Microsoft Corporation) [On_Demand] -- E:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2011/04/27 18:21:18 | 000,012,784 | ---- | M] (Microsoft Corporation) [Auto] -- E:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2010/09/22 22:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled] -- E:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV:64bit: - [2010/06/11 18:27:26 | 000,868,896 | ---- | M] (Acer Incorporated) [Auto] -- E:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe -- (ePowerSvc)
SRV:64bit: - [2010/01/28 20:27:36 | 000,243,232 | ---- | M] (Acer Group) [Auto] -- E:\Program Files\Acer\Acer Updater\UpdaterService.exe -- (Updater Service)
SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand] -- E:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2011/11/09 22:05:42 | 002,420,616 | ---- | M] (Check Point Software Technologies LTD) [Auto] -- E:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe -- (vsmon)
SRV - [2011/10/01 09:30:22 | 000,219,496 | ---- | M] (Microsoft Corporation) [On_Demand] -- E:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa)
SRV - [2011/10/01 09:30:18 | 000,508,776 | ---- | M] (Microsoft Corporation) [Auto] -- E:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist)
SRV - [2011/08/31 19:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto] -- E:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/06/06 13:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto] -- E:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/02/28 21:44:14 | 000,183,560 | ---- | M] (Microsoft Corporation.) [On_Demand] -- E:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011/02/25 13:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto] -- E:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE -- (SeaPort)
SRV - [2010/12/16 02:24:02 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand] -- E:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/08/10 05:06:16 | 000,321,104 | ---- | M] (Dritek System Inc.) [Auto] -- E:\Program Files (x86)\Launch Manager\dsiwmis.exe -- (DsiWMIService)
SRV - [2010/06/28 19:23:06 | 000,255,744 | ---- | M] (NewTech Infosystems, Inc.) [Auto] -- E:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe -- (NTI IScheduleSvc)
SRV - [2010/06/01 19:31:28 | 002,804,568 | ---- | M] (Symantec Corporation) [Auto] -- E:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe -- (NOBU)
SRV - [2010/05/26 23:41:06 | 000,305,520 | ---- | M] (Egis Technology Inc.) [Auto] -- E:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe -- (MWLService)
SRV - [2010/04/13 13:57:58 | 000,013,336 | ---- | M] (Intel Corporation) [Auto] -- E:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc) Intel(R)
SRV - [2010/04/03 19:01:24 | 000,246,520 | ---- | M] (WildTangent, Inc.) [On_Demand] -- E:\Program Files (x86)\Acer Games\Acer Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2010/03/18 17:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto] -- E:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/01/15 08:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand] -- E:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2010/01/08 09:21:22 | 000,023,584 | ---- | M] (Acer Incorporated) [Auto] -- E:\Program Files (x86)\Acer\Registration\GREGsvc.exe -- (GREGService)
SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled] -- E:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto] -- E:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/11/03 10:44:22 | 000,033,672 | ---- | M] (Check Point Software Technologies) [Kernel | Auto] -- E:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL)
DRV:64bit: - [2011/10/01 09:30:22 | 000,022,376 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\Sftvollh.sys -- (Sftvol)
DRV:64bit: - [2011/10/01 09:30:18 | 000,268,648 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\Sftplaylh.sys -- (Sftplay)
DRV:64bit: - [2011/10/01 09:30:18 | 000,025,960 | ---- | M] (Microsoft Corporation) [File_System | On_Demand] -- E:\Windows\System32\drivers\Sftredirlh.sys -- (Sftredir)
DRV:64bit: - [2011/10/01 09:30:10 | 000,764,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\Sftfslh.sys -- (Sftfs)
DRV:64bit: - [2011/08/31 19:00:50 | 000,025,416 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand] -- E:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2011/05/10 09:06:08 | 000,051,712 | ---- | M] (Apple, Inc.) [Kernel | On_Demand] -- E:\Windows\System32\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2011/05/07 19:51:32 | 000,454,232 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System] -- E:\Windows\System32\drivers\vsdatant.sys -- (Vsdatant)
DRV:64bit: - [2011/04/27 16:25:24 | 000,084,864 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2010/11/20 07:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/09/23 04:36:48 | 000,048,488 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\fssfltr.sys -- (fssfltr)
DRV:64bit: - [2010/05/24 03:46:36 | 000,246,304 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- E:\Windows\System32\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV:64bit: - [2010/05/14 17:48:28 | 000,384,040 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\k57nd60a.sys -- (k57nd60a) Broadcom NetLink (TM)
DRV:64bit: - [2010/05/11 06:11:38 | 002,229,608 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand] -- E:\Windows\System32\drivers\athrx.sys -- (athr)
DRV:64bit: - [2009/09/01 23:54:18 | 007,369,728 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2009/07/09 18:45:10 | 000,139,264 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel(R)
DRV:64bit: - [2009/06/10 16:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand] -- E:\Windows\System32\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- E:\Windows\system32\DRIVERS\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- E:\Windows\system32\DRIVERS\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/02 23:15:30 | 000,060,464 | ---- | M] (Egis Technology Inc.) [Kernel | System] -- E:\Windows\System32\drivers\mwlPSDVDisk.sys -- (mwlPSDVDisk)
DRV:64bit: - [2009/06/02 23:15:30 | 000,022,576 | ---- | M] (Egis Technology Inc.) [File_System | System] -- E:\Windows\System32\drivers\mwlPSDFilter.sys -- (mwlPSDFilter)
DRV:64bit: - [2009/06/02 23:15:30 | 000,020,016 | ---- | M] (Egis Technology Inc.) [Kernel | System] -- E:\Windows\System32\drivers\mwlPSDNserv.sys -- (mwlPSDNServ)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer.msn.com
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://acer.msn.com


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\courtney_barfell_ON_E\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer.msn.com
IE - HKU\courtney_barfell_ON_E\Software\Microsoft\Internet Explorer\Main,Start Page = http://acer.msn.com
IE - HKU\courtney_barfell_ON_E\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Deanne_Keener_ON_E\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer.msn.com
IE - HKU\Deanne_Keener_ON_E\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?l=dis&o=2159&gct=hp
IE - HKU\Deanne_Keener_ON_E\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - Reg Error: Key error. File not found
IE - HKU\Deanne_Keener_ON_E\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - Reg Error: Key error. File not found
IE - HKU\Deanne_Keener_ON_E\..\URLSearchHook: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - Reg Error: Key error. File not found
IE - HKU\Deanne_Keener_ON_E\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Deanne_Keener_ON_E\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


IE - HKU\NetworkService_ON_E\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - prefs.js..browser.startup.homepage: "http://www.ask.com/?l=dis&o=2159&gct=hp"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: File not found
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer: E:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@Apple.com/iTunes,version=:
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@Apple.com/iTunes,version=1.0: E:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@checkpoint.com/FFApi: E:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\npFFApi.dll ()
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin: E:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: E:\Program Files (x86)\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE: File not found
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: E:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: E:\Program Files (x86)\Microsoft Office\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: E:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: E:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: E:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\Wow6432Node\MozillaPlugins\Adobe Reader: E:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\PROGRAM FILES\CHECKPOINT\ZAFORCEFIELD\TRUSTCHECKER [2012/02/08 16:32:53 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker [2011/11/26 04:53:33 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Mozilla Firefox 3.6.26\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/02/17 20:08:05 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Mozilla Firefox 3.6.26\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012/02/17 20:08:05 | 000,000,000 | ---D | M]

[2012/01/17 15:48:04 | 000,000,000 | ---D | M] (No name found) -- E:\Users\courtney barfell\AppData\Roaming\Mozilla\Extensions
[2012/01/17 15:48:04 | 000,000,000 | ---D | M] (No name found) -- E:\Users\courtney barfell\AppData\Roaming\Mozilla\Firefox\Profiles\egvb5azi.default\extensions
[2011/07/31 01:41:18 | 000,000,000 | ---D | M] (No name found) -- E:\Program Files (x86)\Mozilla Firefox\extensions
[2011/02/25 16:46:56 | 000,000,000 | ---D | M] (Java Console) -- E:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/02/27 13:51:41 | 000,000,000 | ---D | M] (Java Console) -- E:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/07/31 01:41:18 | 000,000,000 | ---D | M] (Java Console) -- E:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2011/05/04 05:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- E:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2009/06/10 17:00:26 | 000,000,824 | ---- | M]) - E:\Windows\System32\drivers\etc\hosts
O2:64bit: - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - E:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - E:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - E:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (ooVoo toolbar, powered by Ask.com) - {D4027C7F-154A-4066-A1AD-4243D8127440} - E:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - E:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3:64bit: - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - E:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - E:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Toolbar) - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - E:\Program Files (x86)\ZoneAlarm_Security\tbZone.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (ooVoo toolbar, powered by Ask.com) - {D4027C7F-154A-4066-A1AD-4243D8127440} - E:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - E:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\courtney_barfell_ON_E\..\Toolbar\WebBrowser: (ooVoo toolbar, powered by Ask.com) - {D4027C7F-154A-4066-A1AD-4243D8127440} - E:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3:64bit: - HKU\courtney_barfell_ON_E\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - E:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKU\courtney_barfell_ON_E\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - E:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKU\Deanne_Keener_ON_E\..\Toolbar\WebBrowser: (ooVoo toolbar, powered by Ask.com) - {D4027C7F-154A-4066-A1AD-4243D8127440} - E:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3:64bit: - HKU\Deanne_Keener_ON_E\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - E:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKU\Deanne_Keener_ON_E\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - E:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O4:64bit: - HKLM..\Run: [Acer ePower Management] E:\Program Files\Acer\Acer ePower Management\ePowerTray.exe (Acer Incorporated)
O4:64bit: - HKLM..\Run: [ISW] E:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
O4:64bit: - HKLM..\Run: [MSC] E:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [mwlDaemon] E:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe (Egis Technology Inc.)
O4:64bit: - HKLM..\Run: [RtHDVCpl] E:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ApnUpdater] E:\Program Files (x86)\Ask.com\Updater\Updater.exe (Ask)
O4 - HKLM..\Run: [APSDaemon] E:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [BackupManagerTray] E:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe (NewTech Infosystems, Inc.)
O4 - HKLM..\Run: [ClamWin] E:\Program Files (x86)\ClamWin\bin\ClamTray.exe (alch)
O4 - HKLM..\Run: [EgisTecPMMUpdate] E:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe (Egis Technology Inc.)
O4 - HKLM..\Run: [EgisUpdate] E:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe (Egis Technology Inc.)
O4 - HKLM..\Run: [IAStorIcon] E:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
O4 - HKLM..\Run: [LManager] E:\Program Files (x86)\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] E:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Norton Online Backup] E:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe (Symantec Corporation)
O4 - HKLM..\Run: [SuiteTray] E:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe (Egis Technology Inc.)
O4 - HKLM..\Run: [ZoneAlarm] E:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe (Check Point Software Technologies LTD)
O4 - HKU\Deanne_Keener_ON_E..\Run: [Facebook Update] E:\Users\Deanne Keener\AppData\Local\Facebook\Update\FacebookUpdate.exe (Facebook Inc.)
O4 - HKU\Deanne_Keener_ON_E..\Run: [Messenger (Yahoo!)] E:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKU\Deanne_Keener_ON_E..\Run: [ooVoo.exe] E:\program files (x86)\oovoo\oovoo.exe (ooVoo LLC)
O4 - HKU\LocalService_ON_E..\Run: [Sidebar] E:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\NetworkService_ON_E..\Run: [Sidebar] E:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\LocalService_ON_E..\RunOnce: [mctadmin] File not found
O4 - HKU\NetworkService_ON_E..\RunOnce: [mctadmin] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - E:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - E:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13:64bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - E:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - E:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - E:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
64bit: O35 - HKLM\..comfile [open] -- "%1" %* File not found
64bit: O35 - HKLM\..exefile [open] -- "%1" %* File not found
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/06 16:45:53 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{F4D38851-4C99-45F5-9497-26B0ECFE71BC}
[2012/03/06 16:45:40 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{6DFF9BEF-9179-4770-BDB7-7AC1C721A6A8}
[2012/03/05 16:18:39 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{58C393CB-B5D6-4DD8-BD30-2C15F200F268}
[2012/03/05 16:16:35 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{AD40DBF3-EB43-4005-B548-11A3502E1C98}
[2012/03/04 17:07:10 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{DF8717A2-F0B9-4950-BBD3-72F7D85F11ED}
[2012/03/04 17:06:58 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{81244ABC-FE14-4990-B368-D723122FEFCD}
[2012/03/03 22:38:15 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{36579FC2-2915-436D-8FBC-C02BDC92FC03}
[2012/03/03 22:37:59 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{88A1BCE3-CB9F-4B97-9BD5-2B3923D8BCD8}
[2012/03/03 10:37:06 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{1F0A52E9-F445-4599-85D8-8878ACE2B1B1}
[2012/03/02 17:37:26 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{7333D02D-BA62-41EF-B23F-8B6100277362}
[2012/03/02 17:37:07 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{6474A8C2-D786-4242-AD93-0FE98A7B2B17}
[2012/03/02 05:36:30 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{133C9F4C-60A7-4096-8C98-7045A0A48E35}
[2012/03/02 05:36:17 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{BF09B5AD-4ADB-464C-AFFF-9DE22B44A32A}
[2012/03/01 16:05:50 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{67BC645A-470A-4FD7-96FB-BE0A7DD468A7}
[2012/03/01 16:05:37 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{7F6C3B1C-9580-46A0-B546-637149467A7A}
[2012/02/29 17:23:59 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{66831460-A5F8-489B-9796-19C41DA545F7}
[2012/02/29 17:23:45 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{061A8977-E87A-49D7-9DCC-36A44E110E2F}
[2012/02/28 19:54:17 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{25EF1FC0-12B6-4F71-8395-C7DA7C53BB1A}
[2012/02/28 19:54:03 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{7C411A72-7A33-4FEE-9714-47338A5C19C4}
[2012/02/27 19:11:32 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{9DE7A8E0-9094-41CA-8999-A9F9414429EC}
[2012/02/27 19:11:18 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{B61B05CC-91FE-4C4C-8374-0A56DD73CB82}
[2012/02/26 21:18:25 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{CBFCA230-0817-4B36-961C-59A2CEDE72F0}
[2012/02/26 21:18:14 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{DE24FA60-3EBD-4207-96C1-580E172D3344}
[2012/02/26 04:13:08 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{9BB989FE-99C4-4D61-85FB-ED202329FF9C}
[2012/02/26 04:12:56 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{15F144D2-1F96-49F3-B9A9-D1B7E4A3A163}
[2012/02/25 13:32:41 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{143F7B6B-DA5D-4850-969D-1459ADCA8052}
[2012/02/25 13:32:27 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{D77961E8-3D2E-44D8-9F76-18786C4B32D5}
[2012/02/24 23:27:30 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{2A1B984D-64D3-435E-90C3-656B290FFA24}
[2012/02/24 23:27:18 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{6615F42E-0C6B-4991-B2A7-23751E81474D}
[2012/02/22 15:54:00 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{995EA31D-A934-431C-BE40-27B2B4794148}
[2012/02/22 15:53:44 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{9C918E3D-D7A1-4F1A-A2ED-37906534D339}
[2012/02/20 16:37:38 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{54E65560-1BFE-4557-96D1-4D8B17AA4B3D}
[2012/02/20 16:37:15 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{5B688762-360F-4687-AB68-A8B4707EDBF4}
[2012/02/19 15:32:53 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{602DE527-67F2-4363-A1B8-6EC4FA697171}
[2012/02/19 15:32:40 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{75E9C834-3BA1-4061-AEEC-76D32839FB5D}
[2012/02/19 01:00:50 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{8EE5B12F-4EAB-455C-9788-94E0FCB6EAFB}
[2012/02/19 01:00:31 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{09A97EF2-6B22-432B-8239-883310AAFF8F}
[2012/02/18 12:59:55 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{F5D11D12-5C9B-469C-A9EF-DF04311C1830}
[2012/02/18 12:59:42 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{D761B4D4-F5A7-4A67-A2C9-7DB292D567BD}
[2012/02/17 16:59:37 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{9F89129D-79BC-4B66-9F64-91DA30630E1B}
[2012/02/17 16:59:25 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{AA765DAA-2468-4451-8B1D-4898A7E1FF79}
[2012/02/16 23:14:41 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{9821EB95-22D8-4248-90C1-DD8F19428CCA}
[2012/02/16 23:12:29 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{80F52BBA-DA87-4C98-A80C-19F3DAEC39FA}
[2012/02/16 18:25:56 | 000,000,000 | -HSD | C] -- E:\Config.Msi
[2012/02/16 18:16:49 | 000,000,000 | ---D | C] -- E:\Windows\System32\MpEngineStore
[2012/02/16 01:43:41 | 000,000,000 | ---D | C] -- E:\0576cac8f5aaf112a020dfd5d9d9
[2012/02/16 01:18:21 | 000,509,952 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\ntshrui.dll
[2012/02/16 01:18:18 | 000,515,584 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\timedate.cpl
[2012/02/16 01:18:17 | 000,478,720 | ---- | C] (Microsoft Corporation) -- E:\Windows\SysWow64\timedate.cpl
[2012/02/16 01:18:11 | 000,634,880 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\msvcrt.dll
[2010/12/16 02:10:42 | 000,051,712 | ---- | C] ( ) -- E:\Windows\AutosetFrequency.exe
[1 E:\Windows\SysWow64\*.tmp files -> E:\Windows\SysWow64\*.tmp -> ]
[1 E:\Windows\System32\drivers\*.tmp files -> E:\Windows\System32\drivers\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/06 23:38:29 | 000,067,584 | --S- | M] () -- E:\Windows\bootstat.dat
[2012/03/06 23:21:31 | 000,009,920 | -H-- | M] () -- E:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/03/06 23:21:31 | 000,009,920 | -H-- | M] () -- E:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/03/06 23:11:49 | 2360,852,480 | -HS- | M] () -- E:\hiberfil.sys
[2012/03/06 21:17:02 | 000,000,960 | ---- | M] () -- E:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-1311110943-1294243375-3026464777-1001UA.job
[2012/03/06 18:17:00 | 000,000,938 | ---- | M] () -- E:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-1311110943-1294243375-3026464777-1001Core.job
[2012/03/04 23:14:10 | 000,626,964 | ---- | M] () -- E:\Windows\System32\perfh009.dat
[2012/03/04 23:14:10 | 000,107,950 | ---- | M] () -- E:\Windows\System32\perfc009.dat
[2012/02/22 15:51:45 | 389,533,229 | ---- | M] () -- E:\Windows\MEMORY.DMP
[2012/02/16 23:09:59 | 000,292,728 | ---- | M] () -- E:\Windows\System32\FNTCACHE.DAT
[2012/02/16 18:26:07 | 000,747,106 | ---- | M] () -- E:\Windows\SysWow64\PerfStringBackup.INI
[2012/02/16 18:25:32 | 000,000,000 | ---D | M] -- E:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[1 E:\Windows\SysWow64\*.tmp files -> E:\Windows\SysWow64\*.tmp -> ]
[1 E:\Windows\System32\drivers\*.tmp files -> E:\Windows\System32\drivers\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/22 15:51:45 | 389,533,229 | ---- | C] () -- E:\Windows\MEMORY.DMP
[2011/11/17 00:05:29 | 000,040,023 | ---- | C] () -- E:\Users\Deanne Keener\AppData\Roaming\UserTile.png
[2011/10/22 10:45:46 | 000,000,017 | ---- | C] () -- E:\Windows\SysWow64\shortcut_ex.dat
[2011/07/07 17:15:38 | 000,252,928 | ---- | C] () -- E:\Windows\SysWow64\DShowRdpFilter.dll
[2011/04/30 03:05:31 | 000,000,254 | ---- | C] () -- E:\Windows\wininit.ini
[2011/04/23 03:03:49 | 000,004,608 | ---- | C] () -- E:\Users\Deanne Keener\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/04 11:17:55 | 000,000,081 | ---- | C] () -- E:\Users\Deanne Keener\AppData\Roaming\RSBuddy_tnawwefan.ini
[2011/04/04 11:17:12 | 000,000,009 | ---- | C] () -- E:\Users\Deanne Keener\AppData\Roaming\RSBuddy Login.ini
[2011/03/27 13:15:10 | 000,747,106 | ---- | C] () -- E:\Windows\SysWow64\PerfStringBackup.INI
[2011/02/24 18:41:00 | 000,000,000 | ---- | C] () -- E:\Windows\nsreg.dat
[2010/12/16 02:10:42 | 000,206,208 | ---- | C] () -- E:\Windows\PLFSetI.exe
[2010/12/16 02:10:42 | 000,191,688 | ---- | C] () -- E:\Windows\flicker.dll
[2010/12/16 02:10:42 | 000,011,976 | ---- | C] () -- E:\Windows\setpwlin.exe
[2010/12/16 02:10:42 | 000,000,637 | ---- | C] () -- E:\Windows\AutoSetFrequency.ini
[2010/12/16 02:10:42 | 000,000,378 | ---- | C] () -- E:\Windows\PidList.ini
[2010/11/22 03:44:06 | 000,982,220 | ---- | C] () -- E:\Windows\SysWow64\igkrng500.bin
[2010/11/22 03:44:05 | 000,439,300 | ---- | C] () -- E:\Windows\SysWow64\igcompkrng500.bin
[2010/11/22 03:44:05 | 000,134,592 | ---- | C] () -- E:\Windows\SysWow64\igfcg500.bin
[2010/11/22 03:44:05 | 000,092,216 | ---- | C] () -- E:\Windows\SysWow64\igfcg500m.bin
[2009/07/14 01:38:36 | 000,067,584 | --S- | C] () -- E:\Windows\bootstat.dat
[2009/07/13 22:35:51 | 000,000,741 | ---- | C] () -- E:\Windows\SysWow64\NOISE.DAT
[2009/07/13 22:34:42 | 000,215,943 | ---- | C] () -- E:\Windows\SysWow64\dssec.dat
[2009/07/13 20:10:29 | 000,043,131 | ---- | C] () -- E:\Windows\mib.bin
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- E:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 18:25:04 | 000,197,632 | ---- | C] () -- E:\Windows\SysWow64\ir32_32.dll
[2009/07/13 17:03:59 | 000,364,544 | ---- | C] () -- E:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- E:\Windows\SysWow64\mlang.dat

========== LOP Check ==========

[2010/11/22 04:29:56 | 000,000,000 | ---D | M] -- E:\ProgramData\Acer
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Application Data
[2010/11/22 04:35:17 | 000,000,000 | ---D | M] -- E:\ProgramData\BackupManager
[2011/02/25 17:28:57 | 000,000,000 | ---D | M] -- E:\ProgramData\CheckPoint
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Desktop
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Documents
[2010/12/16 02:08:49 | 000,000,000 | ---D | M] -- E:\ProgramData\EgisTec IPS
[2010/11/22 04:20:13 | 000,000,000 | ---D | M] -- E:\ProgramData\eSobi
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Favorites
[2011/07/07 02:23:24 | 000,000,000 | ---D | M] -- E:\ProgramData\KingsIsle Entertainment
[2010/12/16 02:25:47 | 000,000,000 | ---D | M] -- E:\ProgramData\NTI Launcher
[2011/02/24 01:44:23 | 000,000,000 | ---D | M] -- E:\ProgramData\oem
[2011/02/24 01:43:01 | 000,000,000 | ---D | M] -- E:\ProgramData\OEM_E471269A730D
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Start Menu
[2010/12/16 02:13:00 | 000,000,000 | ---D | M] -- E:\ProgramData\Temp
[2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Templates
[2011/05/09 11:29:08 | 000,000,000 | ---D | M] -- E:\ProgramData\VirtualizedApplications
[2010/11/22 04:26:40 | 000,000,000 | ---D | M] -- E:\ProgramData\WildTangent
[2011/06/13 21:51:51 | 000,000,000 | ---D | M] -- E:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
[2012/03/06 18:17:00 | 000,000,938 | ---- | M] () -- E:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1311110943-1294243375-3026464777-1001Core.job
[2012/03/06 21:17:02 | 000,000,960 | ---- | M] () -- E:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1311110943-1294243375-3026464777-1001UA.job
[2012/02/25 13:30:50 | 000,032,566 | ---- | M] () -- E:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========


< End of report >
 
Well - that was tougher than I thought it would be - but I finally saved the file back to the damaged drive - then accessed it (quickly) using it on my external drive connection to get it onto my good laptop so I could post it to you.
I'm not sure if I understand it correctly.
Was the drive in its original location when you were booting from the OTLPE CD?


Do this on the computer you are posting from:
Copy the text in the codebox below:


Code:
:OTL
IE - HKU\Deanne_Keener_ON_E\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - Reg Error: Key error. File not found
IE - HKU\Deanne_Keener_ON_E\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - Reg Error: Key error. File not found
IE - HKU\Deanne_Keener_ON_E\..\URLSearchHook: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - Reg Error: Key error. File not found
IE - HKU\Deanne_Keener_ON_E\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?l=dis&o=2159&gct=hp
FF - prefs.js..browser.startup.homepage: "http://www.ask.com/?l=dis&o=2159&gct=hp"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
O2 - BHO: (ooVoo toolbar, powered by Ask.com) - {D4027C7F-154A-4066-A1AD-4243D8127440} - E:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (ooVoo toolbar, powered by Ask.com) - {D4027C7F-154A-4066-A1AD-4243D8127440} - E:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\courtney_barfell_ON_E\..\Toolbar\WebBrowser: (ooVoo toolbar, powered by Ask.com) - {D4027C7F-154A-4066-A1AD-4243D8127440} - E:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKU\Deanne_Keener_ON_E\..\Toolbar\WebBrowser: (ooVoo toolbar, powered by Ask.com) - {D4027C7F-154A-4066-A1AD-4243D8127440} - E:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ApnUpdater] E:\Program Files (x86)\Ask.com\Updater\Updater.exe (Ask)
O4 - HKU\LocalService_ON_E..\RunOnce: [mctadmin] File not found
O4 - HKU\NetworkService_ON_E..\RunOnce: [mctadmin] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1


:Services

:Reg

:Files

:Commands
[purity]

Open Notepad and paste it.
Save the document as Fix.txt on to a USB flash drive


On the infected computer the following...

Run OTLPE

  • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
    • (The content of Fix.txt should appear in the box)
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the log produced (you'll need to transfer it with USB stick)
  • Remove the CD and shut down computer manually.
  • Attempt to reboot normally into Windows.
 
Yes - I created the CD on MY laptop - also the ONLY laptop I can post from - then I put her defective non-booting hard drive back in HER laptop (I had originally pulled it to access it as an external hard drive attached via USB to MY laptop), put the bootable CD that the OTLPENet.exe program created into HER laptop's CD-ROM drive, and booted HER laptop from that CD - then when the REATOGO-X-PE desktop came up I followed your instructions to run the program and scan. Her laptop would not recognize my network - running the REATOGO-X-PE desktop - would not recognize any additional drives - would not let me write to a new CD-R in her CD-ROM drive - would not connect to any network or the internet - and wouldn't even recognize an SD card - so I finally had to pull her hard drive out again to attach it to mine via USB so I could get the OTL.txt file off of it.
 
Also - I am lacking a USB flash drive - I use a second external drive connected by USB to transfer my files between computers - but her laptop running the REATOGO-X-PE desktop would not recognize my external drive when I plugged it into her USB port.
 
Open Notepad and paste it.
Save the document as Fix.txt on to a USB flash drive

I am thinking I will have to save this onto her infected hard drive again through my USB external hard drive hook-up (I remove my personal external drive and connect it to her defective one), and then re-install it into her actual laptop and access the file that way. I do not know why, but that boot disk's REATOGO-X-PE version of Windows will not recognize any other drives - though it CAN see her defective hard drive and its files, so I should be able to access the Fix.txt file and proceed with your instructions. Does this sound okay? By the way - I was reading over this - I hope the caps when I use them aren't making me sound overly forceful - it is a confusing thing to read through, and I am just trying to clarify which laptop and which drive I am referring to - I am, as always, super grateful for your help. A donation to your account is pending as soon as my paycheck hits the bank!
 
Fix Log File

Here's the log - after this, I rebooted without the CD per your instructions - it went to the same black screen with the flashing underscore symbol.


03162012_233821.log

========== OTL ==========
Registry value HKEY_USERS\Deanne_Keener_ON_E\Software\Microsoft\Internet Explorer\URLSearchHooks\\{00000000-6E41-4FD3-8538-502F5495E5FC} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}\ deleted successfully.
Registry value HKEY_USERS\Deanne_Keener_ON_E\Software\Microsoft\Internet Explorer\URLSearchHooks\\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}\ deleted successfully.
Registry value HKEY_USERS\Deanne_Keener_ON_E\Software\Microsoft\Internet Explorer\URLSearchHooks\\{91da5e8a-3318-4f8c-b67e-5964de3ab546} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\ deleted successfully.
HKU\Deanne_Keener_ON_E\Software\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
Prefs.js: "http://www.ask.com/?l=dis&o=2159&gct=hp" removed from browser.startup.homepage
Prefs.js: "Ask.com" removed from browser.search.selectedEngine
Prefs.js: "Ask.com" removed from browser.search.order.1
Prefs.js: "Ask.com" removed from browser.search.defaultengine
Prefs.js: "Ask.com" removed from browser.search.defaultenginename
Registry key HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
E:\Program Files (x86)\Ask.com\GenericAskToolbar.dll moved successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
File E:\Program Files (x86)\Ask.com\GenericAskToolbar.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_USERS\courtney_barfell_ON_E\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
File E:\Program Files (x86)\Ask.com\GenericAskToolbar.dll not found.
Registry value HKEY_USERS\Deanne_Keener_ON_E\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
File E:\Program Files (x86)\Ask.com\GenericAskToolbar.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\\ApnUpdater deleted successfully.
E:\Program Files (x86)\Ask.com\Updater\Updater.exe moved successfully.
Registry key HKEY_USERS\LocalService_ON_E\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce not found.
Registry key HKEY_USERS\NetworkService_ON_E\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges deleted successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

OTLPE by OldTimer - Version 3.1.48.0 log created on 03162012_233821
 
Please boot to the System Recovery Options.
If you have a Windows 7 installation disc, just insert the DVD into the drive and restart the computer; it should load automatically (option two presented in the article).
It's also possible that your computer has a pre-installed recovery partition instead - in that case use method one (by pressing F8 before Windows starts loading)...
NOTE. If none of the above apply, you can create a System Repair Disc (link in "Option two") and boot from it.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Choose Command Prompt
You should see X:\SOURCES>...

Execute the following commands in bold.
Press Enter after every one of them.

bootrec /fixmbr (<--- there is a "space" after "bootrec")

bootrec /fixboot (<--- there is a "space" after "bootrec")

exit

Restart computer.
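The two bootrec commands above replace the boot code in the first sector of the disk (/fixmbr) and the boot sector of the system partition (/fixboot) while leaving the partition table in place, which is why they are the first thing to try against an MBR infector such as Alureon. The Python below is an added example, not part of this thread and not code from OTL, bootrec or any other tool mentioned here: it reads the first 512 bytes of a raw disk image (such as the image the poster made of the drive before and after the repair), splits it into boot code, disk signature and partition table, and flags a boot code that does not match a reference hash. The sample MBR, the "clean" boot code bytes and the reference hash are constructed for the demonstration and are not real Windows 7 boot code; in practice the reference hash is one you compute yourself from the first 440 bytes of a known-clean machine running the same Windows version.

```python
"""Added example: sanity-check the MBR of a raw disk image before/after bootrec.

Layout of the 512-byte MBR that this parses:
  0x000-0x1B7  boot code (440 bytes)   <- what `bootrec /fixmbr` rewrites
  0x1B8-0x1BB  Windows disk signature
  0x1BC-0x1BD  reserved
  0x1BE-0x1FD  four 16-byte partition entries (left alone by /fixmbr)
  0x1FE-0x1FF  boot signature 55 AA
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 440
DISK_SIG_OFFSET = 440
PT_OFFSET = 446
PT_ENTRY_LEN = 16
BOOT_SIG_OFFSET = 510


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code hash, disk signature, partitions."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("MBR must be at least 512 bytes")
    bootcode = sector[:BOOTCODE_LEN]
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0]
    partitions = []
    for i in range(4):
        off = PT_OFFSET + i * PT_ENTRY_LEN
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:  # empty slot
            continue
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "bootcode_sha256": hashlib.sha256(bootcode).hexdigest(),
        "disk_signature": disk_sig,
        "partitions": partitions,
        "signature_ok": sector[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] == b"\x55\xAA",
    }


def check_mbr(sector: bytes, reference_bootcode_sha256: str) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 55AA boot signature")
    if mbr["bootcode_sha256"] != reference_bootcode_sha256:
        findings.append("boot code differs from reference")
    active = [p for p in mbr["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    # partition extents must not overlap: sort by start LBA and compare neighbours
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in mbr["partitions"])
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append("partition table entries overlap")
            break
    return findings


def read_mbr(image_path: str) -> bytes:
    """First sector of a raw disk image or block device (e.g. a dd image)."""
    with open(image_path, "rb") as f:
        return f.read(SECTOR_SIZE)


# --- constructed sample data; NOT real Windows boot code -------------------
CLEAN_BOOTCODE = (b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 9).ljust(BOOTCODE_LEN, b"\x00")
# Stand-in for a hash you take from a known-clean machine of the same Windows version.
REFERENCE_BOOTCODE_SHA256 = hashlib.sha256(CLEAN_BOOTCODE).hexdigest()


def build_sample_mbr(infected: bool = False) -> bytes:
    """Synthetic MBR: active 100 MiB system partition + one NTFS OS partition."""
    bootcode = CLEAN_BOOTCODE
    if infected:
        # Stand-in for boot code patched by an MBR rootkit: the first bytes are
        # replaced, the partition table and 55AA signature are left intact.
        bootcode = b"\xEA\x00\x00\x00\x00" + bootcode[5:]
    entries = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    entries += struct.pack("<B3xB3xII", 0x00, 0x07, 206848, 1000000)
    entries += b"\x00" * 32  # two empty slots
    return bootcode + struct.pack("<I", 0xDEADBEEF) + b"\x00\x00" + entries + b"\x55\xAA"


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_mbr()), ("patched", build_sample_mbr(True))):
        print(label, check_mbr(sample, REFERENCE_BOOTCODE_SHA256) or "no findings")
```

To use it on a real image, call check_mbr(read_mbr(path), reference_hash) with a hash you computed from a known-clean disk. A matching hash only shows that the boot code has been restored; an MBR rootkit normally keeps its body in sectors outside any partition, so this is a verification of the repair, not proof that the disk is clean.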
 
My own Dell laptop running 64-bit Windows 7 Home Premium is not able to create the system recovery disc. I have tried both a CD-R and a DVD-R, as well as typing "recdisc.exe" in the Run box under the Start Menu, and typing it at a command prompt opened with Administrator privileges. Every time I get an immediate error box: "System Repair disc could not be created. The parameter is incorrect. 0x80070057".

My friend was unable to find any original install disc that may have come with her laptop - she got it a year ago and doesn't remember if she had one or not.

What can I try next?
 
Okay - created the system recovery disc on yet another Windows 7 64-bit laptop. The laptop doesn't respond - same black screen with the blinking underscore symbol.
 
Execute the following commands in bold.
Press Enter after every one of them.

bootrec /fixmbr (<--- there is a "space" after "bootrec")

bootrec /fixboot (<--- there is a "space" after "bootrec")

exit

Restart computer.

Okay - this worked so far - system has booted - triggered "Startup Repair" process - wants me to restore to an earlier point in time?
 
Okay - Selected 'Restore to earlier point'- it seems to be stuck in "Attempting repairs..." with no further action occurring.
 
Give it some more time.

If still no progress, turn the computer off, wait 1 minute and try to boot it again.
Try normal and safe mode.
 
Okay - no joy. Everything I do just brings it back to Startup Repair - which is then unable to repair. When it is first booting it goes to a Windows XP loading screen (I thought this was a Windows 7 system??) and then flashes a BSOD too quickly to see anything - then takes you to the Startup Repair option again.
 
Okay - no joy - unable to repair - tried in safe and normal mode - when it boots it shows the Windows XP loading screen for a minute (which is odd - I thought her laptop was running Windows 7??) and then flashes a BSOD too fast to see anything - then returns to the Startup Repair option. After it attempts the repair it gives a message - "Startup repair cannot repair this computer automatically" - and wants me to send info to Microsoft about it. I can view and copy the problem details, but I don't have anywhere to paste them.
 
So are we looking at having to do a clean install of windows then? I had made an image of her infected drive onto another extra laptop hard drive earlier- I can hang onto that - and maybe later we can figure out how to recover some of her personal files without transmitting the trojan to another computer? I probably have a Windows 7 installation disk at work - I can check tomorrow. Just letting you know I am willing to do a clean install of Windows if that looks like our best option.
 
It looks like reinstallation is the only option at this moment.

After reinstallation you'll have to scan the image with an AV program.
 