also @ TechSpot: Google quietly adds conversational search to Chrome 27

Trojan:DOS/Alureon.H found on Non-Bootable Drive

Discussion in 'Virus and Malware Removal' started by hamr1965, Mar 15, 2012.

Post New Reply
Page 1 of 2

  1. hamr1965 Newcomer, in training Posts: 39

    So I am trying to fix a friends Acer Aspire 5336 laptop - she brought it to me saying it wouldn't boot past the Acer flash screen - just a black screen with the flashing "_" .

    I pulled the drive and attached it as a usb external drive to my laptop - i could feel it whirring - but no recognition that an external drive was attached. Thinking perhaps the drive plates were stuck - I gently whacked the hard drive on the table - then swung it through the air a couple of times - then plugged it back in to the external drive port - and Voila! my laptop recognized the drive. I quickly made an image of the drive and saved it - because at this point I thought I was dealing with a failing drive. I had an extra drive - so I formatted the new drive and restored her drive image onto it. It still wouldn't boot, though, when I put it back in her laptop - so i reattached it as an external drive to my laptop, and started researching the issue, and then left it connected for the night. During the night, my laptop's AVG anti-virus and Microsoft Security Essentials ran - and one of them came back saying I had the Trojan:DOS/Alureon.H virus. At first I thought it was on MY laptop - but then I realized it was on her drive. Now I cannot run the TDSS killer or what not on her drive, because I cannot boot into it.

    I do not know how should I proceed? Any assistance would be hugely appreciated.
    hamr1965, Mar 15, 2012
    #1

  2. hamr1965 Newcomer, in training Posts: 39

    Oh - I forgot - when her laptop first starts up - pressing Control-F8 does not do anything - F2 will take you into BIOS, but that's it.
    hamr1965, Mar 15, 2012
    #2

  3. Broni Malware Annihilator Posts: 39,324   +175

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =====================================================================

    Let's see, if we can look at your computer booting from an external source.

    Please download OTLPE (filesize 120,9 MB)

    • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note : If you do not know how to set your computer to boot from CD follow the steps here
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.
    Broni, Mar 15, 2012
    #3

  4. hamr1965 Newcomer, in training Posts: 39

    OTL.txt

    Well - that was tougher than I thought it would be - but finally saved the file back to the damaged drive - then accessed it (quickly) using it on my external drive connection to get it on my good laptop so I could post it to you.

    OTL.txt

    OTL logfile created on: 3/16/2012 8:22:41 PM - Run
    OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
    64bit-Windows 7 Home Premium Service Pack 1 (Version = 6.1.7601) - Type = System
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 90.00% Memory free
    3.00 Gb Paging File | 3.00 Gb Available in Paging File | 98.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = E: | %SystemRoot% = E:\Windows | %ProgramFiles% = E:\Program Files (x86)
    Drive C: | 100.00 Mb Total Space | 65.87 Mb Free Space | 65.87% Space Free | Partition Type: NTFS
    Drive E: | 219.29 Gb Total Space | 161.54 Gb Free Space | 73.67% Space Free | Partition Type: NTFS
    Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet001

    ========== Win32 Services (SafeList) ==========

    SRV:64bit: - [2011/11/03 10:44:42 | 000,827,520 | ---- | M] (Check Point Software Technologies) [Auto] -- E:\Program Files\CheckPoint\ZAForceField\IswSvc.exe -- (IswSvc)
    SRV:64bit: - [2011/04/27 18:21:18 | 000,288,272 | ---- | M] (Microsoft Corporation) [On_Demand] -- E:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
    SRV:64bit: - [2011/04/27 18:21:18 | 000,012,784 | ---- | M] (Microsoft Corporation) [Auto] -- E:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
    SRV:64bit: - [2010/09/22 22:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled] -- E:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
    SRV:64bit: - [2010/06/11 18:27:26 | 000,868,896 | ---- | M] (Acer Incorporated) [Auto] -- E:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe -- (ePowerSvc)
    SRV:64bit: - [2010/01/28 20:27:36 | 000,243,232 | ---- | M] (Acer Group) [Auto] -- E:\Program Files\Acer\Acer Updater\UpdaterService.exe -- (Updater Service)
    SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand] -- E:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2011/11/09 22:05:42 | 002,420,616 | ---- | M] (Check Point Software Technologies LTD) [Auto] -- E:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe -- (vsmon)
    SRV - [2011/10/01 09:30:22 | 000,219,496 | ---- | M] (Microsoft Corporation) [On_Demand] -- E:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa)
    SRV - [2011/10/01 09:30:18 | 000,508,776 | ---- | M] (Microsoft Corporation) [Auto] -- E:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist)
    SRV - [2011/08/31 19:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto] -- E:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
    SRV - [2011/06/06 13:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto] -- E:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2011/02/28 21:44:14 | 000,183,560 | ---- | M] (Microsoft Corporation.) [On_Demand] -- E:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
    SRV - [2011/02/25 13:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto] -- E:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE -- (SeaPort)
    SRV - [2010/12/16 02:24:02 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand] -- E:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
    SRV - [2010/08/10 05:06:16 | 000,321,104 | ---- | M] (Dritek System Inc.) [Auto] -- E:\Program Files (x86)\Launch Manager\dsiwmis.exe -- (DsiWMIService)
    SRV - [2010/06/28 19:23:06 | 000,255,744 | ---- | M] (NewTech Infosystems, Inc.) [Auto] -- E:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe -- (NTI IScheduleSvc)
    SRV - [2010/06/01 19:31:28 | 002,804,568 | ---- | M] (Symantec Corporation) [Auto] -- E:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe -- (NOBU)
    SRV - [2010/05/26 23:41:06 | 000,305,520 | ---- | M] (Egis Technology Inc.) [Auto] -- E:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe -- (MWLService)
    SRV - [2010/04/13 13:57:58 | 000,013,336 | ---- | M] (Intel Corporation) [Auto] -- E:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc) Intel(R)
    SRV - [2010/04/03 19:01:24 | 000,246,520 | ---- | M] (WildTangent, Inc.) [On_Demand] -- E:\Program Files (x86)\Acer Games\Acer Game Console\GameConsoleService.exe -- (GameConsoleService)
    SRV - [2010/03/18 17:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto] -- E:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2010/01/15 08:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand] -- E:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
    SRV - [2010/01/08 09:21:22 | 000,023,584 | ---- | M] (Acer Incorporated) [Auto] -- E:\Program Files (x86)\Acer\Registration\GREGsvc.exe -- (GREGService)
    SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled] -- E:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
    SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto] -- E:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)


    ========== Driver Services (SafeList) ==========

    DRV:64bit: - [2011/11/03 10:44:22 | 000,033,672 | ---- | M] (Check Point Software Technologies) [Kernel | Auto] -- E:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL)
    DRV:64bit: - [2011/10/01 09:30:22 | 000,022,376 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\Sftvollh.sys -- (Sftvol)
    DRV:64bit: - [2011/10/01 09:30:18 | 000,268,648 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\Sftplaylh.sys -- (Sftplay)
    DRV:64bit: - [2011/10/01 09:30:18 | 000,025,960 | ---- | M] (Microsoft Corporation) [File_System | On_Demand] -- E:\Windows\System32\drivers\Sftredirlh.sys -- (Sftredir)
    DRV:64bit: - [2011/10/01 09:30:10 | 000,764,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\Sftfslh.sys -- (Sftfs)
    DRV:64bit: - [2011/08/31 19:00:50 | 000,025,416 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand] -- E:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
    DRV:64bit: - [2011/05/10 09:06:08 | 000,051,712 | ---- | M] (Apple, Inc.) [Kernel | On_Demand] -- E:\Windows\System32\drivers\usbaapl64.sys -- (USBAAPL64)
    DRV:64bit: - [2011/05/07 19:51:32 | 000,454,232 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System] -- E:\Windows\System32\drivers\vsdatant.sys -- (Vsdatant)
    DRV:64bit: - [2011/04/27 16:25:24 | 000,084,864 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
    DRV:64bit: - [2010/11/20 07:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV:64bit: - [2010/09/23 04:36:48 | 000,048,488 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\fssfltr.sys -- (fssfltr)
    DRV:64bit: - [2010/05/24 03:46:36 | 000,246,304 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- E:\Windows\System32\drivers\RtsUStor.sys -- (RSUSBSTOR)
    DRV:64bit: - [2010/05/14 17:48:28 | 000,384,040 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\k57nd60a.sys -- (k57nd60a) Broadcom NetLink (TM)
    DRV:64bit: - [2010/05/11 06:11:38 | 002,229,608 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand] -- E:\Windows\System32\drivers\athrx.sys -- (athr)
    DRV:64bit: - [2009/09/01 23:54:18 | 007,369,728 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\igdkmd64.sys -- (igfx)
    DRV:64bit: - [2009/07/09 18:45:10 | 000,139,264 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel(R)
    DRV:64bit: - [2009/06/10 16:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand] -- E:\Windows\System32\wbem\ntfs.mof -- (Ntfs)
    DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- E:\Windows\system32\DRIVERS\evbda.sys -- (ebdrv)
    DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- E:\Windows\system32\DRIVERS\bxvbda.sys -- (b06bdrv)
    DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- E:\Windows\System32\drivers\b57nd60a.sys -- (b57nd60a)
    DRV:64bit: - [2009/06/02 23:15:30 | 000,060,464 | ---- | M] (Egis Technology Inc.) [Kernel | System] -- E:\Windows\System32\drivers\mwlPSDVDisk.sys -- (mwlPSDVDisk)
    DRV:64bit: - [2009/06/02 23:15:30 | 000,022,576 | ---- | M] (Egis Technology Inc.) [File_System | System] -- E:\Windows\System32\drivers\mwlPSDFilter.sys -- (mwlPSDFilter)
    DRV:64bit: - [2009/06/02 23:15:30 | 000,020,016 | ---- | M] (Egis Technology Inc.) [Kernel | System] -- E:\Windows\System32\drivers\mwlPSDNserv.sys -- (mwlPSDNServ)

    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer.msn.com
    IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://acer.msn.com


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\courtney_barfell_ON_E\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer.msn.com
    IE - HKU\courtney_barfell_ON_E\Software\Microsoft\Internet Explorer\Main,Start Page = http://acer.msn.com
    IE - HKU\courtney_barfell_ON_E\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\Deanne_Keener_ON_E\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer.msn.com
    IE - HKU\Deanne_Keener_ON_E\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?l=dis&o=2159&gct=hp
    IE - HKU\Deanne_Keener_ON_E\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - Reg Error: Key error. File not found
    IE - HKU\Deanne_Keener_ON_E\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - Reg Error: Key error. File not found
    IE - HKU\Deanne_Keener_ON_E\..\URLSearchHook: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - Reg Error: Key error. File not found
    IE - HKU\Deanne_Keener_ON_E\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\Deanne_Keener_ON_E\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


    IE - HKU\NetworkService_ON_E\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    ========== FireFox ==========

    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
    FF - prefs.js..browser.startup.homepage: "http://www.ask.com/?l=dis&o=2159&gct=hp"
    FF - prefs.js..browser.search.selectedEngine: "Ask.com"
    FF - prefs.js..browser.search.order.1: "Ask.com"
    FF - prefs.js..browser.search.defaultengine: "Ask.com"
    FF - prefs.js..browser.search.defaultenginename: "Ask.com"

    FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: File not found
    FF - HKLM\Software\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer: E:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\Wow6432Node\MozillaPlugins\@Apple.com/iTunes,version=:
    FF - HKLM\Software\Wow6432Node\MozillaPlugins\@Apple.com/iTunes,version=1.0: E:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\Wow6432Node\MozillaPlugins\@checkpoint.com/FFApi: E:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\npFFApi.dll ()
    FF - HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin: E:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\Wow6432Node\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: E:\Program Files (x86)\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
    FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE: File not found
    FF - HKLM\Software\Wow6432Node\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: E:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: E:\Program Files (x86)\Microsoft Office\Office14\NPSPWRAP.DLL (Microsoft Corporation)
    FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: E:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: E:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: E:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\Wow6432Node\MozillaPlugins\Adobe Reader: E:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

    64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\PROGRAM FILES\CHECKPOINT\ZAFORCEFIELD\TRUSTCHECKER [2012/02/08 16:32:53 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker [2011/11/26 04:53:33 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Mozilla Firefox 3.6.26\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/02/17 20:08:05 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\wow6432node\mozilla\Mozilla Firefox 3.6.26\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012/02/17 20:08:05 | 000,000,000 | ---D | M]

    [2012/01/17 15:48:04 | 000,000,000 | ---D | M] (No name found) -- E:\Users\courtney barfell\AppData\Roaming\Mozilla\Extensions
    [2012/01/17 15:48:04 | 000,000,000 | ---D | M] (No name found) -- E:\Users\courtney barfell\AppData\Roaming\Mozilla\Firefox\Profiles\egvb5azi.default\extensions
    [2011/07/31 01:41:18 | 000,000,000 | ---D | M] (No name found) -- E:\Program Files (x86)\Mozilla Firefox\extensions
    [2011/02/25 16:46:56 | 000,000,000 | ---D | M] (Java Console) -- E:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    [2011/02/27 13:51:41 | 000,000,000 | ---D | M] (Java Console) -- E:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    [2011/07/31 01:41:18 | 000,000,000 | ---D | M] (Java Console) -- E:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    [2011/05/04 05:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- E:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll

    O1 HOSTS File: ([2009/06/10 17:00:26 | 000,000,824 | ---- | M]) - E:\Windows\System32\drivers\etc\hosts
    O2:64bit: - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - E:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
    O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
    O2 - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - E:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
    O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - E:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
    O2 - BHO: (ooVoo toolbar, powered by Ask.com) - {D4027C7F-154A-4066-A1AD-4243D8127440} - E:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
    O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - E:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
    O3:64bit: - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - E:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - E:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
    O3 - HKLM\..\Toolbar: (ZoneAlarm Security Toolbar) - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - E:\Program Files (x86)\ZoneAlarm_Security\tbZone.dll (Conduit Ltd.)
    O3 - HKLM\..\Toolbar: (ooVoo toolbar, powered by Ask.com) - {D4027C7F-154A-4066-A1AD-4243D8127440} - E:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
    O3 - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - E:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKU\courtney_barfell_ON_E\..\Toolbar\WebBrowser: (ooVoo toolbar, powered by Ask.com) - {D4027C7F-154A-4066-A1AD-4243D8127440} - E:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
    O3:64bit: - HKU\courtney_barfell_ON_E\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - E:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
    O3 - HKU\courtney_barfell_ON_E\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - E:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
    O3 - HKU\Deanne_Keener_ON_E\..\Toolbar\WebBrowser: (ooVoo toolbar, powered by Ask.com) - {D4027C7F-154A-4066-A1AD-4243D8127440} - E:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
    O3:64bit: - HKU\Deanne_Keener_ON_E\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - E:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
    O3 - HKU\Deanne_Keener_ON_E\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - E:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
    O4:64bit: - HKLM..\Run: [Acer ePower Management] E:\Program Files\Acer\Acer ePower Management\ePowerTray.exe (Acer Incorporated)
    O4:64bit: - HKLM..\Run: [ISW] E:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
    O4:64bit: - HKLM..\Run: [MSC] E:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4:64bit: - HKLM..\Run: [mwlDaemon] E:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe (Egis Technology Inc.)
    O4:64bit: - HKLM..\Run: [RtHDVCpl] E:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
    O4 - HKLM..\Run: [] File not found
    O4 - HKLM..\Run: [ApnUpdater] E:\Program Files (x86)\Ask.com\Updater\Updater.exe (Ask)
    O4 - HKLM..\Run: [APSDaemon] E:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
    O4 - HKLM..\Run: [BackupManagerTray] E:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe (NewTech Infosystems, Inc.)
    O4 - HKLM..\Run: [ClamWin] E:\Program Files (x86)\ClamWin\bin\ClamTray.exe (alch)
    O4 - HKLM..\Run: [EgisTecPMMUpdate] E:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe (Egis Technology Inc.)
    O4 - HKLM..\Run: [EgisUpdate] E:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe (Egis Technology Inc.)
    O4 - HKLM..\Run: [IAStorIcon] E:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
    O4 - HKLM..\Run: [LManager] E:\Program Files (x86)\Launch Manager\LManager.exe (Dritek System Inc.)
    O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] E:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
    O4 - HKLM..\Run: [Norton Online Backup] E:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe (Symantec Corporation)
    O4 - HKLM..\Run: [SuiteTray] E:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe (Egis Technology Inc.)
    O4 - HKLM..\Run: [ZoneAlarm] E:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe (Check Point Software Technologies LTD)
    O4 - HKU\Deanne_Keener_ON_E..\Run: [Facebook Update] E:\Users\Deanne Keener\AppData\Local\Facebook\Update\FacebookUpdate.exe (Facebook Inc.)
    O4 - HKU\Deanne_Keener_ON_E..\Run: [Messenger (Yahoo!)] E:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
    O4 - HKU\Deanne_Keener_ON_E..\Run: [ooVoo.exe] E:\program files (x86)\oovoo\oovoo.exe (ooVoo LLC)
    O4 - HKU\LocalService_ON_E..\Run: [Sidebar] E:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
    O4 - HKU\NetworkService_ON_E..\Run: [Sidebar] E:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
    O4 - HKU\LocalService_ON_E..\RunOnce: [mctadmin] File not found
    O4 - HKU\NetworkService_ON_E..\RunOnce: [mctadmin] File not found
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - E:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - E:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
    O13:64bit: - gopher Prefix: missing
    O13 - gopher Prefix: missing
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - Reg Error: Key error. File not found
    O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - E:\Windows\explorer.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - E:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O20 - HKLM Winlogon: Shell - (explorer.exe) - E:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    64bit: O35 - HKLM\..comfile [open] -- "%1" %* File not found
    64bit: O35 - HKLM\..exefile [open] -- "%1" %* File not found
    O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
    O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/03/06 16:45:53 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{F4D38851-4C99-45F5-9497-26B0ECFE71BC}
    [2012/03/06 16:45:40 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{6DFF9BEF-9179-4770-BDB7-7AC1C721A6A8}
    [2012/03/05 16:18:39 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{58C393CB-B5D6-4DD8-BD30-2C15F200F268}
    [2012/03/05 16:16:35 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{AD40DBF3-EB43-4005-B548-11A3502E1C98}
    [2012/03/04 17:07:10 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{DF8717A2-F0B9-4950-BBD3-72F7D85F11ED}
    [2012/03/04 17:06:58 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{81244ABC-FE14-4990-B368-D723122FEFCD}
    [2012/03/03 22:38:15 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{36579FC2-2915-436D-8FBC-C02BDC92FC03}
    [2012/03/03 22:37:59 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{88A1BCE3-CB9F-4B97-9BD5-2B3923D8BCD8}
    [2012/03/03 10:37:06 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{1F0A52E9-F445-4599-85D8-8878ACE2B1B1}
    [2012/03/02 17:37:26 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{7333D02D-BA62-41EF-B23F-8B6100277362}
    [2012/03/02 17:37:07 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{6474A8C2-D786-4242-AD93-0FE98A7B2B17}
    [2012/03/02 05:36:30 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{133C9F4C-60A7-4096-8C98-7045A0A48E35}
    [2012/03/02 05:36:17 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{BF09B5AD-4ADB-464C-AFFF-9DE22B44A32A}
    [2012/03/01 16:05:50 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{67BC645A-470A-4FD7-96FB-BE0A7DD468A7}
    [2012/03/01 16:05:37 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{7F6C3B1C-9580-46A0-B546-637149467A7A}
    [2012/02/29 17:23:59 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{66831460-A5F8-489B-9796-19C41DA545F7}
    [2012/02/29 17:23:45 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{061A8977-E87A-49D7-9DCC-36A44E110E2F}
    [2012/02/28 19:54:17 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{25EF1FC0-12B6-4F71-8395-C7DA7C53BB1A}
    [2012/02/28 19:54:03 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{7C411A72-7A33-4FEE-9714-47338A5C19C4}
    [2012/02/27 19:11:32 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{9DE7A8E0-9094-41CA-8999-A9F9414429EC}
    [2012/02/27 19:11:18 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{B61B05CC-91FE-4C4C-8374-0A56DD73CB82}
    [2012/02/26 21:18:25 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{CBFCA230-0817-4B36-961C-59A2CEDE72F0}
    [2012/02/26 21:18:14 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{DE24FA60-3EBD-4207-96C1-580E172D3344}
    [2012/02/26 04:13:08 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{9BB989FE-99C4-4D61-85FB-ED202329FF9C}
    [2012/02/26 04:12:56 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{15F144D2-1F96-49F3-B9A9-D1B7E4A3A163}
    [2012/02/25 13:32:41 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{143F7B6B-DA5D-4850-969D-1459ADCA8052}
    [2012/02/25 13:32:27 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{D77961E8-3D2E-44D8-9F76-18786C4B32D5}
    [2012/02/24 23:27:30 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{2A1B984D-64D3-435E-90C3-656B290FFA24}
    [2012/02/24 23:27:18 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{6615F42E-0C6B-4991-B2A7-23751E81474D}
    [2012/02/22 15:54:00 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{995EA31D-A934-431C-BE40-27B2B4794148}
    [2012/02/22 15:53:44 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{9C918E3D-D7A1-4F1A-A2ED-37906534D339}
    [2012/02/20 16:37:38 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{54E65560-1BFE-4557-96D1-4D8B17AA4B3D}
    [2012/02/20 16:37:15 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{5B688762-360F-4687-AB68-A8B4707EDBF4}
    [2012/02/19 15:32:53 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{602DE527-67F2-4363-A1B8-6EC4FA697171}
    [2012/02/19 15:32:40 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{75E9C834-3BA1-4061-AEEC-76D32839FB5D}
    [2012/02/19 01:00:50 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{8EE5B12F-4EAB-455C-9788-94E0FCB6EAFB}
    [2012/02/19 01:00:31 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{09A97EF2-6B22-432B-8239-883310AAFF8F}
    [2012/02/18 12:59:55 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{F5D11D12-5C9B-469C-A9EF-DF04311C1830}
    [2012/02/18 12:59:42 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{D761B4D4-F5A7-4A67-A2C9-7DB292D567BD}
    [2012/02/17 16:59:37 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{9F89129D-79BC-4B66-9F64-91DA30630E1B}
    [2012/02/17 16:59:25 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{AA765DAA-2468-4451-8B1D-4898A7E1FF79}
    [2012/02/16 23:14:41 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{9821EB95-22D8-4248-90C1-DD8F19428CCA}
    [2012/02/16 23:12:29 | 000,000,000 | ---D | C] -- E:\Users\Deanne Keener\AppData\Local\{80F52BBA-DA87-4C98-A80C-19F3DAEC39FA}
    [2012/02/16 18:25:56 | 000,000,000 | -HSD | C] -- E:\Config.Msi
    [2012/02/16 18:16:49 | 000,000,000 | ---D | C] -- E:\Windows\System32\MpEngineStore
    [2012/02/16 01:43:41 | 000,000,000 | ---D | C] -- E:\0576cac8f5aaf112a020dfd5d9d9
    [2012/02/16 01:18:21 | 000,509,952 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\ntshrui.dll
    [2012/02/16 01:18:18 | 000,515,584 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\timedate.cpl
    [2012/02/16 01:18:17 | 000,478,720 | ---- | C] (Microsoft Corporation) -- E:\Windows\SysWow64\timedate.cpl
    [2012/02/16 01:18:11 | 000,634,880 | ---- | C] (Microsoft Corporation) -- E:\Windows\System32\msvcrt.dll
    [2010/12/16 02:10:42 | 000,051,712 | ---- | C] ( ) -- E:\Windows\AutosetFrequency.exe
    [1 E:\Windows\SysWow64\*.tmp files -> E:\Windows\SysWow64\*.tmp -> ]
    [1 E:\Windows\System32\drivers\*.tmp files -> E:\Windows\System32\drivers\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/03/06 23:38:29 | 000,067,584 | --S- | M] () -- E:\Windows\bootstat.dat
    [2012/03/06 23:21:31 | 000,009,920 | -H-- | M] () -- E:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/03/06 23:21:31 | 000,009,920 | -H-- | M] () -- E:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/03/06 23:11:49 | 2360,852,480 | -HS- | M] () -- E:\hiberfil.sys
    [2012/03/06 21:17:02 | 000,000,960 | ---- | M] () -- E:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-1311110943-1294243375-3026464777-1001UA.job
    [2012/03/06 18:17:00 | 000,000,938 | ---- | M] () -- E:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-1311110943-1294243375-3026464777-1001Core.job
    [2012/03/04 23:14:10 | 000,626,964 | ---- | M] () -- E:\Windows\System32\perfh009.dat
    [2012/03/04 23:14:10 | 000,107,950 | ---- | M] () -- E:\Windows\System32\perfc009.dat
    [2012/02/22 15:51:45 | 389,533,229 | ---- | M] () -- E:\Windows\MEMORY.DMP
    [2012/02/16 23:09:59 | 000,292,728 | ---- | M] () -- E:\Windows\System32\FNTCACHE.DAT
    [2012/02/16 18:26:07 | 000,747,106 | ---- | M] () -- E:\Windows\SysWow64\PerfStringBackup.INI
    [2012/02/16 18:25:32 | 000,000,000 | ---D | M] -- E:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
    [1 E:\Windows\SysWow64\*.tmp files -> E:\Windows\SysWow64\*.tmp -> ]
    [1 E:\Windows\System32\drivers\*.tmp files -> E:\Windows\System32\drivers\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/02/22 15:51:45 | 389,533,229 | ---- | C] () -- E:\Windows\MEMORY.DMP
    [2011/11/17 00:05:29 | 000,040,023 | ---- | C] () -- E:\Users\Deanne Keener\AppData\Roaming\UserTile.png
    [2011/10/22 10:45:46 | 000,000,017 | ---- | C] () -- E:\Windows\SysWow64\shortcut_ex.dat
    [2011/07/07 17:15:38 | 000,252,928 | ---- | C] () -- E:\Windows\SysWow64\DShowRdpFilter.dll
    [2011/04/30 03:05:31 | 000,000,254 | ---- | C] () -- E:\Windows\wininit.ini
    [2011/04/23 03:03:49 | 000,004,608 | ---- | C] () -- E:\Users\Deanne Keener\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/04/04 11:17:55 | 000,000,081 | ---- | C] () -- E:\Users\Deanne Keener\AppData\Roaming\RSBuddy_tnawwefan.ini
    [2011/04/04 11:17:12 | 000,000,009 | ---- | C] () -- E:\Users\Deanne Keener\AppData\Roaming\RSBuddy Login.ini
    [2011/03/27 13:15:10 | 000,747,106 | ---- | C] () -- E:\Windows\SysWow64\PerfStringBackup.INI
    [2011/02/24 18:41:00 | 000,000,000 | ---- | C] () -- E:\Windows\nsreg.dat
    [2010/12/16 02:10:42 | 000,206,208 | ---- | C] () -- E:\Windows\PLFSetI.exe
    [2010/12/16 02:10:42 | 000,191,688 | ---- | C] () -- E:\Windows\flicker.dll
    [2010/12/16 02:10:42 | 000,011,976 | ---- | C] () -- E:\Windows\setpwlin.exe
    [2010/12/16 02:10:42 | 000,000,637 | ---- | C] () -- E:\Windows\AutoSetFrequency.ini
    [2010/12/16 02:10:42 | 000,000,378 | ---- | C] () -- E:\Windows\PidList.ini
    [2010/11/22 03:44:06 | 000,982,220 | ---- | C] () -- E:\Windows\SysWow64\igkrng500.bin
    [2010/11/22 03:44:05 | 000,439,300 | ---- | C] () -- E:\Windows\SysWow64\igcompkrng500.bin
    [2010/11/22 03:44:05 | 000,134,592 | ---- | C] () -- E:\Windows\SysWow64\igfcg500.bin
    [2010/11/22 03:44:05 | 000,092,216 | ---- | C] () -- E:\Windows\SysWow64\igfcg500m.bin
    [2009/07/14 01:38:36 | 000,067,584 | --S- | C] () -- E:\Windows\bootstat.dat
    [2009/07/13 22:35:51 | 000,000,741 | ---- | C] () -- E:\Windows\SysWow64\NOISE.DAT
    [2009/07/13 22:34:42 | 000,215,943 | ---- | C] () -- E:\Windows\SysWow64\dssec.dat
    [2009/07/13 20:10:29 | 000,043,131 | ---- | C] () -- E:\Windows\mib.bin
    [2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- E:\Windows\SysWow64\BWContextHandler.dll
    [2009/07/13 18:25:04 | 000,197,632 | ---- | C] () -- E:\Windows\SysWow64\ir32_32.dll
    [2009/07/13 17:03:59 | 000,364,544 | ---- | C] () -- E:\Windows\SysWow64\msjetoledb40.dll
    [2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- E:\Windows\SysWow64\mlang.dat

    ========== LOP Check ==========

    [2010/11/22 04:29:56 | 000,000,000 | ---D | M] -- E:\ProgramData\Acer
    [2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Application Data
    [2010/11/22 04:35:17 | 000,000,000 | ---D | M] -- E:\ProgramData\BackupManager
    [2011/02/25 17:28:57 | 000,000,000 | ---D | M] -- E:\ProgramData\CheckPoint
    [2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Desktop
    [2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Documents
    [2010/12/16 02:08:49 | 000,000,000 | ---D | M] -- E:\ProgramData\EgisTec IPS
    [2010/11/22 04:20:13 | 000,000,000 | ---D | M] -- E:\ProgramData\eSobi
    [2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Favorites
    [2011/07/07 02:23:24 | 000,000,000 | ---D | M] -- E:\ProgramData\KingsIsle Entertainment
    [2010/12/16 02:25:47 | 000,000,000 | ---D | M] -- E:\ProgramData\NTI Launcher
    [2011/02/24 01:44:23 | 000,000,000 | ---D | M] -- E:\ProgramData\oem
    [2011/02/24 01:43:01 | 000,000,000 | ---D | M] -- E:\ProgramData\OEM_E471269A730D
    [2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Start Menu
    [2010/12/16 02:13:00 | 000,000,000 | ---D | M] -- E:\ProgramData\Temp
    [2009/07/14 01:08:56 | 000,000,000 | -HSD | M] -- E:\ProgramData\Templates
    [2011/05/09 11:29:08 | 000,000,000 | ---D | M] -- E:\ProgramData\VirtualizedApplications
    [2010/11/22 04:26:40 | 000,000,000 | ---D | M] -- E:\ProgramData\WildTangent
    [2011/06/13 21:51:51 | 000,000,000 | ---D | M] -- E:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
    [2012/03/06 18:17:00 | 000,000,938 | ---- | M] () -- E:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1311110943-1294243375-3026464777-1001Core.job
    [2012/03/06 21:17:02 | 000,000,960 | ---- | M] () -- E:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1311110943-1294243375-3026464777-1001UA.job
    [2012/02/25 13:30:50 | 000,032,566 | ---- | M] () -- E:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========


    < End of report >
    hamr1965, Mar 16, 2012
    #4

  5. Broni Malware Annihilator Posts: 39,324   +175

    I'm not sure if I understand it correctly.
    Was the drive in its original location when you were booting from OTLPE CD?


    Do this on the computer you are posting from:
    Copy the text in the codebox below:


    Code:
    :OTL
IE - HKU\Deanne_Keener_ON_E\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - Reg Error: Key error. File not found
IE - HKU\Deanne_Keener_ON_E\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - Reg Error: Key error. File not found
IE - HKU\Deanne_Keener_ON_E\..\URLSearchHook: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - Reg Error: Key error. File not found
IE - HKU\Deanne_Keener_ON_E\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?l=dis&o=2159&gct=hp
FF - prefs.js..browser.startup.homepage: "http://www.ask.com/?l=dis&o=2159&gct=hp"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
O2 - BHO: (ooVoo toolbar, powered by Ask.com) - {D4027C7F-154A-4066-A1AD-4243D8127440} - E:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (ooVoo toolbar, powered by Ask.com) - {D4027C7F-154A-4066-A1AD-4243D8127440} - E:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\courtney_barfell_ON_E\..\Toolbar\WebBrowser: (ooVoo toolbar, powered by Ask.com) - {D4027C7F-154A-4066-A1AD-4243D8127440} - E:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKU\Deanne_Keener_ON_E\..\Toolbar\WebBrowser: (ooVoo toolbar, powered by Ask.com) - {D4027C7F-154A-4066-A1AD-4243D8127440} - E:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ApnUpdater] E:\Program Files (x86)\Ask.com\Updater\Updater.exe (Ask)
O4 - HKU\LocalService_ON_E..\RunOnce: [mctadmin] File not found
O4 - HKU\NetworkService_ON_E..\RunOnce: [mctadmin] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1


:Services

:Reg

:Files

:Commands
[purity]
    Open Notepad and paste it.
    Save the document as Fix.txt on to a USB flash drive


    On the infected computer the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
      • (The content of Fix.txt should appear in the box)
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Remove the CD and shut down computer manually.
    • Attempt to reboot normally into Windows.
    Broni, Mar 16, 2012
    #5

  6. hamr1965 Newcomer, in training Posts: 39

    Yes - I created the cd on MY laptop - also the ONLY laptop I can post from - then I put her defective non-booting hard drive back in HER laptop -(I had originally pulled it to access it as an external hard drive attached via usb to MY laptop) put the bootable cd that the OTLPENet.exe program created into HER laptop's CD-ROM drive - and booted HER laptop from that CD - then when the REATOGO-X-PE desktop came up - I followed your instructions to run the program and scan. Her laptop would not recognize my network - running the REATOGO-X-PE desktop - would not recognize any additional drives - would not let me write to a new CD-r in her CD-rom drive - would not connect to any network or the internet - and wouldn't even recognize an SD card - so I finally had to pull her hard drive out again to attach it to mine via USB so I could get the OTL.txt file off of it.
    hamr1965, Mar 16, 2012
    #6
     

  7. hamr1965 Newcomer, in training Posts: 39

    Also - I am lacking a USB flash drive - I use a second external drive connected by USB to transfer my files between computers - but her laptop running the REATOGO-X-PE desktop would not recognize my external drive when I plugged it into her USB port.
    hamr1965, Mar 16, 2012
    #7

  8. Broni Malware Annihilator Posts: 39,324   +175

    Thank you :)
    Go on....
    Broni, Mar 16, 2012
    #8

  9. hamr1965 Newcomer, in training Posts: 39

    I am thinking I will have to save this onto her infected hard drive again through my usb external hard drive hook-up (I remove my personal external drive - and connect it to her defective one), and then re-install it into her actual laptop - and access the file that way. I do not know why - but that boot disk's REATOGO-X-PE version of windows will not recognize any other drives - though it CAN see her defective hard drive and it's files, so I should be able to access the Fix.txt file and proceed with your instructions. Does this sound okay? By the way - I was reading over this - I hope the caps when I use them aren't making me sound overly forceful - it is a confusing thing to read through, and I am just trying to clarify which laptop and which drive I am referring to - I am - as always, super grateful for your help. A donation to your account is pending as soon as my paycheck hits the bank!
    hamr1965, Mar 16, 2012
    #9

  10. Broni Malware Annihilator Posts: 39,324   +175

    That should be fine.
    Broni, Mar 16, 2012
    #10

  11. hamr1965 Newcomer, in training Posts: 39

    Fix Log File

    Here's the log - after this - i rebooted without the cd per your instructions - it went to the same black screen with the flashing underscore symbol.


    03162012_233821.log

    ========== OTL ==========
    Registry value HKEY_USERS\Deanne_Keener_ON_E\Software\Microsoft\Internet Explorer\URLSearchHooks\\{00000000-6E41-4FD3-8538-502F5495E5FC} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}\ deleted successfully.
    Registry value HKEY_USERS\Deanne_Keener_ON_E\Software\Microsoft\Internet Explorer\URLSearchHooks\\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}\ deleted successfully.
    Registry value HKEY_USERS\Deanne_Keener_ON_E\Software\Microsoft\Internet Explorer\URLSearchHooks\\{91da5e8a-3318-4f8c-b67e-5964de3ab546} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91da5e8a-3318-4f8c-b67e-5964de3ab546}\ deleted successfully.
    HKU\Deanne_Keener_ON_E\Software\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
    Prefs.js: "http://www.ask.com/?l=dis&o=2159&gct=hp" removed from browser.startup.homepage
    Prefs.js: "Ask.com" removed from browser.search.selectedEngine
    Prefs.js: "Ask.com" removed from browser.search.order.1
    Prefs.js: "Ask.com" removed from browser.search.defaultengine
    Prefs.js: "Ask.com" removed from browser.search.defaultenginename
    Registry key HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
    E:\Program Files (x86)\Ask.com\GenericAskToolbar.dll moved successfully.
    64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
    File E:\Program Files (x86)\Ask.com\GenericAskToolbar.dll not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
    Registry value HKEY_USERS\courtney_barfell_ON_E\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
    File E:\Program Files (x86)\Ask.com\GenericAskToolbar.dll not found.
    Registry value HKEY_USERS\Deanne_Keener_ON_E\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
    File E:\Program Files (x86)\Ask.com\GenericAskToolbar.dll not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\\ApnUpdater deleted successfully.
    E:\Program Files (x86)\Ask.com\Updater\Updater.exe moved successfully.
    Registry key HKEY_USERS\LocalService_ON_E\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce not found.
    Registry key HKEY_USERS\NetworkService_ON_E\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    OTLPE by OldTimer - Version 3.1.48.0 log created on 03162012_233821
    hamr1965, Mar 17, 2012
    #11

  12. Broni Malware Annihilator Posts: 39,324   +175

    Please Boot to the System Recovery Options
    If you have Windows 7 installation disc, just insert a DVD to the drive, restart computer and it should load automatically (option two presented in the article).
    It's possible also that your computer has a pre-installed recovery partition instead - in such a case use a method one (by pressing F8 before Windows starts loading)...
    NOTE. If none of the above apply you can create System Repair Disc (link in "Option two") and boot from it.

    On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt

    Choose Command Prompt
    You should see X:\SOURCES>...

    Execute the following commands in bold.
    Press Enter after every one of them.

    bootrec /fixmbr (<--- there is a "space" after "bootrec")

    bootrec /fixboot (<--- there is a "space" after "bootrec")

    exit

    Restart computer.
    Broni, Mar 17, 2012
    #12

  13. hamr1965 Newcomer, in training Posts: 39

    My own Dell laptop running 64-bit Windows 7 Home Premium is not able to create the system recovery disk. I have tried both a cd-r and a dvd-r, as well as trying typing "recdisc.exe" in the Run box under the Start Menu, and typing it at the command prompt opened with Administrator privileges. Every time I get an immediate error box: "System Repair disc could not be created. The parameter is incorrect. 0x80070057".

    My friend was unable to find any original install disc that may have come with her laptop - she got it a year ago and doesn't remember if she had one or not.

    What can I try next?
    hamr1965, Mar 17, 2012
    #13

  14. hamr1965 Newcomer, in training Posts: 39

    Okay - created the system recovery disk on yet another Windows 7 64-bit laptop. The laptop doesn't respond - same black screen with the blinking underscore symbol.
    hamr1965, Mar 17, 2012
    #14

  15. hamr1965 Newcomer, in training Posts: 39

    Wait - I made a stupid mistake - trying again....
    hamr1965, Mar 17, 2012
    #15

  16. hamr1965 Newcomer, in training Posts: 39

    Okay - this worked so far - system has booted - triggered "Startup Repair" process - wants me to restore to an earlier point in time?
    hamr1965, Mar 17, 2012
    #16

  17. hamr1965 Newcomer, in training Posts: 39

    Okay - Selected 'Restore to earlier point'- it seems to be stuck in "Attempting repairs..." with no further action occurring.
    hamr1965, Mar 17, 2012
    #17

  18. Broni Malware Annihilator Posts: 39,324   +175

    Give it some more time.

    If still no progress, turn the computer off, wait 1 minute and try to boot it again.
    Try normal and safe mode.
    Broni, Mar 17, 2012
    #18

  19. hamr1965 Newcomer, in training Posts: 39

    Okay - seem to be stuck in the startup repair infinite loop
    hamr1965, Mar 17, 2012
    #19

  20. hamr1965 Newcomer, in training Posts: 39

    Let me try from Safe Mode
    hamr1965, Mar 17, 2012
    #20
Page 1 of 2

Add New Comment

Social Login & Guest Posting

TechSpot Members
Login here or sign up for free,
it takes about a minute.
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.