Inactive My Documents and Recycle bin have unviewable files

GloverG

Three days ago, I was upgrading an Adobe program when a company called IOLO offered a free system checkup. I downloaded the program and found for $ they would fix issues with my computer. When I accepted, the program that was downloaded (system checkup) self-destructed. I then became suspicious and began checking my computer. All my files in the C: drive were left alone but all the files in My Documents were changed. The computer shows the file sizes are still existing but I'm unable to view the files in the Recycle Bin or within the non-deleted folders in My Documents. I have performed numerous restores and it has restored my icons but not My Documents files. I have also downloaded many recovery programs and have had limited success but have taken no action with each. I have also contacted the IOLO company and they tried to unhide my files but to no avail. The technician told me that my issue could not be resolved and hung up. So with a friend's advice to contact you, I'm hoping to get a resolution to this issue.
 
Welcome aboard

Please complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
Attached logs won't be reviewed.

Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
 
Scan Log Requests

1. I currently run Microsoft Security Essentials.
2. The following is the contents of the Malwarebytes log:
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.24.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Garry S. Glover :: DDQSKV11 [administrator]

3/24/2012 3:10:57 PM
mbam-log-2012-03-24 (15-37-36).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 219258
Time elapsed: 26 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5D60FF48-95BE-4956-B4C6-6BB168A70310} (Trojan.KeenValue) -> No action taken.

Registry Values Detected: 4
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks|{5D60FF48-95BE-4956-B4C6-6BB168A70310} (Trojan.KeenValue) -> Data: -> No action taken.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{5F1ABCDB-A875-46C1-8345-B72A4567E486} (Adware.ISTBar) -> Data: -> No action taken.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser|{5F1ABCDB-A875-46C1-8345-B72A4567E486} (Adware.ISTBar) -> Data: Û¼_u¨ÁFƒE·*Egä† -> No action taken.
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{5D60FF48-95BE-4956-B4C6-6BB168A70310} (Trojan.KeenValue) -> Data: -> No action taken.

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page_bak (Hijack.SearchPage) -> Bad: (http://www.idgsearch.com/) Good: (http://www.Google.com/) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page_bak (Hijack.SearchPage) -> Bad: (http://www.idgsearch.com/) Good: (http://www.Google.com/) -> No action taken.

Folders Detected: 1
C:\Program Files\Save (Adware.WhenU) -> No action taken.

Files Detected: 3
C:\Documents and Settings\Garry S. Glover\Engine.dll (Trojan.GamesThief) -> No action taken.
C:\Program Files\Save\ReadMe.txt (Adware.WhenU) -> No action taken.
C:\Program Files\Save\save.db (Adware.WhenU) -> No action taken.

(end)

3. Downloaded GMER from your mirrors and from Bleeping Computer, but all three executables gave me a "Load Driver (".\uxtyapoc.sys) error on 0xC000003A: Cannot create a stable subkey under a volatile parent key". It also generates a uxtyapoc.sys file that's 99KB. The program seems viable after the error but generates a 0KB log without generating any information in the window during the scan.

4. The following is the contents of the DDS by sUBS (DDS.txt log):
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Garry S. Glover at 17:32:40 on 2012-03-24
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.133 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uDefault_Search_URL = hxxp://about-blank.biz/
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uStart Page = hxxp://www.att.net
mSearch Bar = hxxp://www.2020search.com/search/9884/search.html
uCustomizeSearch =
uSearchAssistant = hxxp://www.2020search.com/search/9884/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mSearchAssistant = hxxp://www.2020search.com/search/9884/search.html
mCustomizeSearch =
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: {2cf0b992-5eeb-4143-99c0-5297ef71f443} - Search Toolbar BHO Object
BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
BHO: {55102325-f838-447f-93d7-d03fed8f4c3b} -
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Search: {2cf0b992-5eeb-4143-99c0-5297ef71f444} -
TB: {5C75D98F-A3FF-4C79-A106-7E088D55D5DB} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {2cf0b992-5eeb-4143-99c0-5297ef71f444} - Search
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uPolicies-explorer: <NO NAME> =
IE: {1A00C40B-DA85-4aa3-A67F-582D9347EECD}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: intuit.com\ttlc
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1268618336953
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1268795703686
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Hosts: 69.56.223.196 t.rack.cc
Hosts: 69.56.223.196 www.alfa-search.com
Hosts: 69.56.223.196 webcoolsearch.com
Hosts: 69.56.223.196 in.webcounter.cc
Hosts: 69.56.223.196 i-lookup.com
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
.
============= FINISH: 17:34:10.21 ===============

and here is the other log (Attach.txt):

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 9/24/2002 7:38:35 AM
System Uptime: 3/24/2012 3:44:32 PM (2 hours ago)
.
Motherboard: Dell Computer Corporation | | Dimension 8200
Processor: Intel(R) Pentium(R) 4 CPU 2.40GHz | Microprocessor | 2386/133mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 74 GiB total, 41.45 GiB free.
D: is CDROM (CDFS)
E: is CDROM (CDFS)
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP35: 12/17/2011 7:55:20 AM - Software Distribution Service 3.0
RP36: 12/19/2011 4:46:52 PM - Software Distribution Service 3.0
RP37: 12/23/2011 10:37:30 AM - Software Distribution Service 3.0
RP38: 12/24/2011 6:59:40 PM - Software Distribution Service 3.0
RP39: 12/26/2011 11:22:03 PM - Software Distribution Service 3.0
RP40: 12/28/2011 9:09:47 AM - Software Distribution Service 3.0
RP41: 12/28/2011 5:41:24 PM - Software Distribution Service 3.0
RP42: 12/29/2011 9:42:45 AM - Software Distribution Service 3.0
RP43: 12/31/2011 8:02:09 AM - Software Distribution Service 3.0
RP44: 1/1/2012 10:39:41 AM - Software Distribution Service 3.0
RP45: 1/3/2012 7:41:13 AM - Software Distribution Service 3.0
RP46: 1/10/2012 7:47:26 AM - Printer Driver AdobePSGenericPostScriptPrinter Installed
RP47: 1/10/2012 7:53:16 AM - Printer Driver AdobePS Acrobat Distiller Installed
RP48: 1/10/2012 7:53:33 AM - Printer Driver Acrobat PDFWriter Installed
RP49: 1/12/2012 1:44:07 PM - Software Distribution Service 3.0
RP50: 1/18/2012 5:13:52 PM - Software Distribution Service 3.0
RP51: 1/19/2012 4:02:16 PM - Installed TurboTax 2011 wrapper
RP52: 1/21/2012 10:43:09 PM - Software Distribution Service 3.0
RP53: 1/21/2012 11:42:43 PM - Software Distribution Service 3.0
RP54: 1/31/2012 5:16:21 PM - Software Distribution Service 3.0
RP55: 2/6/2012 9:00:33 PM - Software Distribution Service 3.0
RP56: 2/15/2012 8:37:33 AM - IObit Uninstaller restore point
RP57: 2/15/2012 8:40:50 AM - IObit Uninstaller restore point
RP58: 2/15/2012 8:41:57 AM - Removed Apple Application Support
RP59: 2/15/2012 8:43:32 AM - IObit Uninstaller restore point
RP60: 2/15/2012 8:43:46 AM - Removed Apple Software Update
RP61: 2/15/2012 8:45:01 AM - IObit Uninstaller restore point
RP62: 2/15/2012 8:46:02 AM - IObit Uninstaller restore point
RP63: 2/15/2012 8:47:36 AM - IObit Uninstaller restore point
RP64: 2/15/2012 8:55:01 AM - IObit Uninstaller restore point
RP65: 2/15/2012 8:56:09 AM - IObit Uninstaller restore point
RP66: 2/15/2012 8:56:34 AM - Removed The Hulk(TM)
RP67: 2/15/2012 9:05:52 AM - IObit Uninstaller restore point
RP68: 2/15/2012 9:11:18 AM - IObit Uninstaller restore point
RP69: 2/15/2012 9:14:10 AM - IObit Uninstaller restore point
RP70: 2/15/2012 9:19:11 AM - IObit Uninstaller restore point
RP71: 2/15/2012 1:05:06 PM - Unsigned driver install
RP72: 2/15/2012 1:11:22 PM - Removed Microsoft Picture It! Photo 2002
RP73: 2/16/2012 9:16:41 AM - Printer Driver Acrobat PDFWriter Installed
RP74: 2/21/2012 9:36:42 AM - Software Distribution Service 3.0
RP75: 2/21/2012 4:40:49 PM - Software Distribution Service 3.0
RP76: 3/9/2012 6:56:32 PM - Software Distribution Service 3.0
RP77: 3/19/2012 10:31:58 PM - Software Distribution Service 3.0
RP78: 3/20/2012 5:32:54 PM - Removed Adobe Reader 6.0
RP79: 3/20/2012 5:33:49 PM - Installed Adobe Reader X (10.1.2).
RP80: 3/20/2012 7:52:06 PM - Software Distribution Service 3.0
RP81: 3/21/2012 7:57:21 AM - Restore Operation
RP82: 3/21/2012 8:30:51 AM - Restore Operation
RP83: 3/21/2012 9:00:56 AM - Restore Operation
RP84: 3/21/2012 1:17:14 PM - Installed Microsoft Visual C++ 2005 Redistributable
RP85: 3/21/2012 9:27:32 PM - Restore Operation
RP86: 3/21/2012 10:33:39 PM - Software Distribution Service 3.0
RP87: 3/23/2012 3:35:57 PM - Software Distribution Service 3.0
RP88: 3/24/2012 4:02:05 PM - Software Distribution Service 3.0
.
==== Hosts File Hijack ======================
.
.
==== Installed Programs ======================
.
.
==== Event Viewer Messages From Past Week ========
.
.
==== End Of File ===========================

I appreciate the help in resolving this. Let me know what further instruction you need me to do.

Thanks
 
Your MBAM log says "No action taken".
Re-run it, FIX all issues and post a new log.

Then....

Let's see if we can recover your missing features.
Download and run UnHide.
Let me know if it worked.
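
The check made in this reply (detections listed but left at "No action taken") can be run mechanically over a pasted log. The following is an added example, not part of the original thread and not Malwarebytes' own tooling; it assumes the Malwarebytes 1.x text log layout shown in the log above, and the function names and the last sample line are constructed for illustration.

```python
import re
from collections import Counter

# Sample input: lines taken from the first Malwarebytes log in this thread,
# plus one constructed line (the last) showing a remediated item for contrast.
SAMPLE_LOG = r"""
Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5D60FF48-95BE-4956-B4C6-6BB168A70310} (Trojan.KeenValue) -> No action taken.

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page_bak (Hijack.SearchPage) -> Bad: (http://www.idgsearch.com/) Good: (http://www.Google.com/) -> No action taken.

Folders Detected: 1
C:\Program Files\Save (Adware.WhenU) -> No action taken.

Files Detected: 2
C:\Program Files\Save\save.db (Adware.WhenU) -> No action taken.
C:\Example\constructed.dll (Example.Threat) -> Quarantined and deleted successfully.
"""

# "Files Detected: 3" style section headers.
SECTION_RE = re.compile(r"^(?P<category>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# "<object> (<Threat.Name>) -> [detail ->] <action>." item lines.
ITEM_RE = re.compile(r"^(?P<object>.+?) \((?P<threat>[\w.\-]+)\) -> (?P<rest>.+)$")


def parse_mbam_log(text):
    """Return (detections, declared): one dict per detected item, and the
    per-section counts the log itself claims."""
    detections, declared = [], {}
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks and "(No malicious items detected)" / "(end)" markers.
        if not line or line.startswith("("):
            continue
        m = SECTION_RE.match(line)
        if m:
            category = m["category"]
            declared[category] = int(m["count"])
            continue
        m = ITEM_RE.match(line)
        if m and category:
            # The action is always the last " -> " segment; anything before
            # it (e.g. "Bad: (...) Good: (...)") is detail.
            *detail, action = m["rest"].split(" -> ")
            detections.append({
                "category": category,
                "object": m["object"],
                "threat": m["threat"],
                "detail": " -> ".join(detail),
                "action": action.rstrip("."),
            })
    return detections, declared


def unremediated(detections):
    """Items the scanner found but did not act on."""
    return [d for d in detections if d["action"].lower() == "no action taken"]


def count_mismatches(detections, declared):
    """Sections whose declared count differs from the items actually present,
    which points to a truncated or partially pasted log."""
    parsed = Counter(d["category"] for d in detections)
    return {c: (n, parsed[c]) for c, n in declared.items() if parsed[c] != n}


if __name__ == "__main__":
    found, declared = parse_mbam_log(SAMPLE_LOG)
    pending = unremediated(found)
    print(f"{len(found)} detections, {len(pending)} still need action")
    for d in pending:
        print(f"  [{d['category']}] {d['threat']}: {d['object']}")
    print("count mismatches:", count_mismatches(found, declared) or "none")
```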
 
Log Response

Broni,

Sorry, I pulled the log off for you before fixing the 11 issues. The issues were fixed. Do you want me to run the program again to just confirm? Also, I did run the unhide software and it didn't unhide the files. To give you some background: once I saw that My Documents files were missing (C drive files were left alone), prior to contacting you initially, I performed about 4 Windows restores to earlier dates to try and get my files back but realized restores do not affect personal files. I then contacted IOLO tech support for help. The interesting thing is, when I contacted IOLO tech support about this issue, they ran a search for %temp% and then loaded their own unhide software onto my computer, which they deleted off my computer. As their unhide software ran, their software did not function as the Bleeping software version. It was as if they knew where the issue was and were searching for a particular area or file. I don't know if the restores I performed destroyed the file they were looking for, but after the IOLO tech support tried their unhide version, the technician commented the problem was unresolvable and hung up.
 
Malware bytes log updated

Broni,

I decided to run the Malwarebytes software again and send you an updated log. Here is the information from that log:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.24.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Garry S. Glover :: DDQSKV11 [administrator]

3/25/2012 1:27:17 AM
mbam-log-2012-03-25 (01-27-17).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 219284
Time elapsed: 11 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
Unhide text response

I ran the unhide program referenced in your post. Here is the text:

Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/forums/topic405109.html

Program started at: 03/26/2012 08:20:11 AM
Windows Version: Windows XP

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 90992 files processed.

On the original it ended with: Temp doesn't exist. Unhide terminated.

I assume you saw the post stating that the GMER did not function?
Also, after IOLO was on my computer, I keep getting this Desktop INI file that runs:

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
 
Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

==================================================================

Download Bootkit Remover to your desktop.

  • Unzip downloaded file to your Desktop.
  • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right click on boot_cleaner.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
ASW and Bootkit logs

The ASW log follows:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-26 19:14:26
-----------------------------
19:14:26.062 OS Version: Windows 5.1.2600 Service Pack 3
19:14:26.062 Number of processors: 1 586 0x204
19:14:26.062 ComputerName: DDQSKV11 UserName:
19:14:39.078 Initialze error C000003A - driver not loaded
19:32:17.875 AVAST engine defs: 12032602
19:32:32.687 Service scanning
19:37:34.921 Modules scanning
19:37:35.109 Disk 0 trace - called modules:
19:37:35.109
19:37:53.234 AVAST engine scan C:\WINDOWS
19:38:41.171 AVAST engine scan C:\WINDOWS\system32
19:46:03.093 AVAST engine scan C:\WINDOWS\system32\drivers
19:46:24.671 AVAST engine scan C:\Documents and Settings\Garry S. Glover
19:47:38.718 AVAST engine scan C:\Documents and Settings\All Users
19:48:01.375 Scan finished successfully
19:48:38.593 The log file has been saved successfully to "C:\Documents and Settings\Garry S. Glover\My Documents\Downloads\Broni File\aswMBR.txt"


The Bootkit Remover log created:

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

Looks awful suspicious but this is the same file in the Desktop.INI file windows runs each time I reboot the system. This was not the data contained in the black screen.
 
aswMBR

When I ran this program, it did not create an MBR.dat file on my desktop. Just thought I'd bring that to your attention.
 
Re-run aswMBR and be more patient.
It doesn't look like the scan has completed.

Re-run Bootkit Remover one more time.
It's not the correct log.
 
ASW and Bootkit logs 2nd run

I reran the aswMBR software again. This software gives you 4 choices to run a scan on: Quickscan, C:, ..., (none). So I ran 3 more quickscans and received the same log as I gave you before. I decided to run it against C: and here is the log from that run:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-26 22:40:29
-----------------------------
22:40:29.437 OS Version: Windows 5.1.2600 Service Pack 3
22:40:29.437 Number of processors: 1 586 0x204
22:40:29.437 ComputerName: DDQSKV11 UserName:
22:40:31.156 Initialze error C000003A - driver not loaded
22:41:17.171 AVAST engine defs: 12032602
22:41:55.656 Service scanning
22:43:39.093 Modules scanning
22:43:39.093 Disk 0 trace - called modules:
22:43:39.093
22:43:41.468 AVAST engine scan C:\
23:15:36.328 File: C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP85\A0030219.exe **INFECTED** Win32:QHost-CAH [Trj]
23:15:36.687 File: C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP85\A0030221.exe **INFECTED** Win32:Adware-gen [Adw]
23:38:29.281 Scan finished successfully
23:39:49.734 The log file has been saved successfully to "C:\Documents and Settings\Garry S. Glover\My Documents\Downloads\Broni File\aswMBR_C.txt"

I then ran the aswMBR in administrator in safe mode and got the following log:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-27 07:48:24
-----------------------------
07:48:24.812 OS Version: Windows 5.1.2600 Service Pack 3
07:48:24.812 Number of processors: 1 586 0x204
07:48:24.812 ComputerName: DDQSKV11 UserName:
07:48:26.203 Initialize success
07:49:21.421 AVAST engine download error: 0
07:50:35.671 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
07:50:35.687 Disk 0 Vendor: ST380021A 3.75 Size: 76319MB BusType: 3
07:50:35.734 Disk 0 MBR read successfully
07:50:35.750 Disk 0 MBR scan
07:50:35.781 Disk 0 Windows XP default MBR code
07:50:35.812 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 31 MB offset 63
07:50:35.843 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 76285 MB offset 64260
07:50:35.875 Disk 0 scanning sectors +156296385
07:50:36.000 Disk 0 scanning C:\WINDOWS\system32\drivers
07:50:55.609 Service scanning
07:51:53.500 Modules scanning
07:52:15.093 Disk 0 trace - called modules:
07:52:15.156 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys
07:52:17.250 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x827a2030]
07:52:17.390 3 CLASSPNP.SYS[f9a42fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8275ad48]
07:52:17.515 Scan finished successfully
07:53:29.531 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
07:53:29.578 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR_AD.txt"

I hope one of these is what you were looking for.

On the bootkit remover, running normal and in safe mode yielded the same results from the Ctrl C and Ctrl V directions. However, I did notice it always left a debug log which I'm including as follows:


.\debug.cpp(238) : Debug log started at 27.03.2012 - 12:03:05
.\boot_cleaner.cpp(527) : Bootkit Remover
.\boot_cleaner.cpp(528) : (c) 2009 Esage Lab
.\boot_cleaner.cpp(529) : www.esagelab.com
.\boot_cleaner.cpp(533) : Program version: 1.2.0.1
.\boot_cleaner.cpp(540) : OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
.\debug.cpp(400) : Destination "\Device\Harddisk1\DP(1)0-0+4"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\WMIDataDevice"
.\debug.cpp(400) : Destination "\Device\WMIDataDevice"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHL-DT-ST_CD-RW_GCE-8400B________________B104____#5&7208d00&0&0.1.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T1L0-17"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{dff220f3-f70f-11d0-b917-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\00000040"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PIPE"
.\debug.cpp(400) : Destination "\Device\NamedPipe"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\sfhlp02i"
.\debug.cpp(400) : Destination "\Device\sfhlp02i"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{2eb07ea0-7e70-11d0-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination "\Device\00000040"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0303#4&33a96545&0#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination "\Device\00000056"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{17bf7959-cfb1-11d6-95de-806d6172696f}"
.\debug.cpp(400) : Destination "\Device\Floppy0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\UNC"
.\debug.cpp(400) : Destination "\Device\Mup"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgrMsg"
.\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgrMsg"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHL-DT-ST_CD-RW_GCE-8400B________________B104____#5&7208d00&0&0.1.0#{1186654d-47b8-48b9-beb9-7df113ae3c67}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T1L0-17"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\00000040"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD0"
.\debug.cpp(400) : Destination "\Device\USBFDO-0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\I2OExec"
.\debug.cpp(400) : Destination "\Device\I2OExec"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0F13#4&33a96545&0#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination "\Device\00000057"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\sfdrv01"
.\debug.cpp(400) : Destination "\Device\sfdrv01"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD1"
.\debug.cpp(400) : Destination "\Device\USBFDO-1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive0"
.\debug.cpp(400) : Destination "\Device\Harddisk0\DR0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{53172480-4791-11d0-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination "\Device\00000040"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PRN"
.\debug.cpp(400) : Destination "\DosDevices\LPT1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USBSTOR#Disk&Ven_JetFlash&Prod_Transcend_4GB&Rev_8.07#N8DOMYFA&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\0000005f"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom0"
.\debug.cpp(400) : Destination "\Device\CdRom0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{97ebaacb-95bd-11d0-a3ea-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\00000040"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&1b192bea&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive1"
.\debug.cpp(400) : Destination "\Device\Harddisk1\DR3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom1"
.\debug.cpp(400) : Destination "\Device\CdRom1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Global"
.\debug.cpp(400) : Destination "\GLOBAL??"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#FixedButton#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
.\debug.cpp(400) : Destination "\Device\00000049"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{229d6358-74f5-11e1-a118-0008a1044128}"
.\debug.cpp(400) : Destination "\Device\Harddisk1\DP(1)0-0+4"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomLite-On_LTN486S_48x_Max_________________YDS4____#5&7208d00&0&0.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-f"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_058f&Pid_6387#N8DOMYFA#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
.\debug.cpp(400) : Destination "\Device\USBPDO-2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{9ea331fa-b91b-45f8-9285-bd2bc77afcde}"
.\debug.cpp(400) : Destination "\Device\00000040"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad809c00-7b88-11d0-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination "\Device\00000040"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3e227e76-690d-11d2-8161-0000f8775bf1}"
.\debug.cpp(400) : Destination "\Device\00000040"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomLite-On_LTN486S_48x_Max_________________YDS4____#5&7208d00&0&0.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-f"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\sfdrv01i"
.\debug.cpp(400) : Destination "\Device\sfdrv01i"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#DiskST380021A_______________________________3.75____#483331564c565931202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP0T0L0-3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\MountPointManager"
.\debug.cpp(400) : Destination "\Device\MountPointManager"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\sfsync02"
.\debug.cpp(400) : Destination "\Device\sfsync02"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#ftdisk#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\00000002"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\sfhlp02"
.\debug.cpp(400) : Destination "\Device\sfhlp02"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\FDC#GENERIC_FLOPPY_DRIVE#5&351c866&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\FloppyPDO0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\A:"
.\debug.cpp(400) : Destination "\Device\Floppy0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000040"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{17bf7958-cfb1-11d6-95de-806d6172696f}"
.\debug.cpp(400) : Destination "\Device\CdRom1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{bf963d80-c559-11d0-8a2b-00a0c9255ac1}"
.\debug.cpp(400) : Destination "\Device\00000040"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi0:"
.\debug.cpp(400) : Destination "\Device\Ide\IdePort0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\MxlW2k"
.\debug.cpp(400) : Destination "\Device\MxlW2k"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{4747b320-62ce-11cf-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination "\Device\00000040"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{a7c7a5b1-5af3-11d1-9ced-00a024bf0407}"
.\debug.cpp(400) : Destination "\Device\00000040"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi1:"
.\debug.cpp(400) : Destination "\Device\Ide\IdePort1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\FtControl"
.\debug.cpp(400) : Destination "\Device\FtControl"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgr"
.\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgr"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\C:"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2444&SUBSYS_010C1028&REV_04#3&172e68dd&0&FC#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0007"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\AUX"
.\debug.cpp(400) : Destination "\DosDevices\COM1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\MAILSLOT"
.\debug.cpp(400) : Destination "\Device\MailSlot"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\GLOBALROOT"
.\debug.cpp(400) : Destination ""
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NUL"
.\debug.cpp(400) : Destination "\Device\Null"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&27b1dfe0&0&RM#{53f5630a-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Harddisk1\DP(1)0-0+4"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_MOU#0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination "\Device\0000003f"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2442&SUBSYS_010C1028&REV_04#3&172e68dd&0&FA#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0005"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_KBD#0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination "\Device\0000003e"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{17bf7956-cfb1-11d6-95de-806d6172696f}"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
.\debug.cpp(409) : --
.\debug.cpp(453) : **********************************************
.\boot_cleaner.cpp(565) : System volume is \\.\C:
.\boot_cleaner.cpp(600) : \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`01f60800
.\boot_cleaner.cpp(276) : Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd
.\boot_cleaner.cpp(1061) :
.\boot_cleaner.cpp(1062) : Size Device Name MBR Status
.\boot_cleaner.cpp(1063) : --------------------------------------------
.\boot_cleaner.cpp(1107) : 74 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
.\boot_cleaner.cpp(1113) :
.\boot_cleaner.cpp(1152) : Done;

Let me know if none of these is what you expected. I made all these downloads with the Microsoft essentials off. When I ran bootkit remover, the window showed the following:

Bootkit Remover
(c) 2009 Esage Lab
www.esage.com
Program version: 1.2.0.1
OS version: microsoft windows XP home edition service pack 3 (build 2600)
System Volume is \\.\C:
\\.\C:->\\.\Physical Drive0 at offset 0x00000000'01f60800
Boot sector MD5 is:6def5ffcbcdbdb4082f1015625e597bd
Size Device MBR Status
74GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)

Done;
Press any key to Quit . . .

This window displayed all these contents every time and very quickly. I waited one time for an hour to see if it would continue but to no avail. When I "selected all" and "Ctrl C"; "opened a notepad" and "Ctrl V"; I got the log contents I showed you before that looked like the Desktop INI notepad. I have not been successful in getting a functional response from the bootkit remover. Could the infection in the aswMBR be affecting the bootkit from not performing as expected?
 
aswMBR dat file

Also, running in safe mode as administrator was the only time I received the aswMBR.dat file on the desktop.
 
You did well this time :)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.

  • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shut down your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe
  • Double-click on the Rkill icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
ComboFix and Rkill attempts

I deactivated all antivirus and security programs. I even ran the AppRemover, it identified Microsoft Security Essentials and I uninstalled that program.

I tried running ComboFix in Normal mode, it began deleting and extracting files and then the screen just went black. I let it run all night but nothing else happened.

I then tried ComboFix in Safe mode, it made it through deleting and extracting files but as soon as it began the output folder process (this is about 3/4 of the way through), the computer crashed and a blue screen appeared stating that a problem had been detected and windows has been shut down to prevent damage to the computer.

I then deleted ComboFix, reloaded and ran in Safe mode only. Once again, the computer crashed at the output folder and stated the same as above.

I then deleted ComboFix again, downloaded Rkill.com and ComboFix and saved in my name. Rkill functioned properly but when running ComboFix, it began deleting and extracting files and then the screen went black again.

I rebooted and brought up in Safe Mode and ran Rkill.com again; it again ran properly but ComboFix ran through all deleting and extracting files but when output folder came up, the computer crashed with the same warning screen as before.

I repeated deleting the Rkill and ComboFix programs and downloaded the next two Rkills (.scr and .exe) and when I downloaded ComboFix gave it different versions of my name (used my initials first and then with my middle name). Ran both in normal and Safe Mode again but the same things happened again.

I also tried different variations by leaving the internet connection up or down. Neither had any browsers open just an internet connection or not.

I'm unable to download the programs in Safe Mode so I had to download in Normal mode, reboot in Safe Mode, and then run the programs.

Each time I boot in Normal mode, I'm still getting the Desktop.ini file that pops up but twice now. Window allows me to close both.
 
Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\tasks\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
OTL logs response

I ran the OTL program in normal mode. Here are the contents of the Extras.txt log:

OTL Extras logfile created on: 3/28/2012 9:44:04 PM - Run 1
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\Garry S. Glover\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

255.01 Mb Total Physical Memory | 152.21 Mb Available Physical Memory | 59.69% Memory free
618.04 Mb Paging File | 486.52 Mb Available in Paging File | 78.72% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 41.56 Gb Free Space | 55.79% Space Free | Partition Type: NTFS

Computer Name: DDQSKV11 | User Name: Garry S. Glover | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe" = C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe -- (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe:*:Enabled:hpqsudi.exe -- (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe:*:Enabled:hpqpsapp.exe -- (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe:*:Enabled:hpqpse.exe -- (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe:*:Enabled:hpqusgm.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe:*:Enabled:hpqusgh.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\Smart Web Printing\SmartWebPrintExe.exe" = C:\Program Files\HP\Digital Imaging\Smart Web Printing\SmartWebPrintExe.exe:*:Enabled:smartwebprintexe.exe -- (Hewlett-Packard Co.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe" = C:\Program Files\Common Files\HP\Digital Imaging\bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe -- (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe:*:Enabled:hpqsudi.exe -- (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe:*:Enabled:hpqpsapp.exe -- (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe:*:Enabled:hpqpse.exe -- (Hewlett-Packard Development Co. L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe:*:Enabled:hpqusgm.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe:*:Enabled:hpqusgh.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\Smart Web Printing\SmartWebPrintExe.exe" = C:\Program Files\HP\Digital Imaging\Smart Web Printing\SmartWebPrintExe.exe:*:Enabled:smartwebprintexe.exe -- (Hewlett-Packard Co.)
"C:\WINDOWS\SYSTEM32\USMT\migwiz.exe" = C:\WINDOWS\SYSTEM32\USMT\migwiz.exe:*:Disabled:Files and Settings Transfer Wizard -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05F26168-B5E6-4118-B510-FBD1BFB423FA}" = Microsoft Office Project 2007 Step by Step
"{0CE5F45E-F6CC-4638-B0DD-BB7F6EF56713}" = HP Deskjet D1500 Printer Driver Software 10.0 Rel .3
"{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox
"{0F8267D9-3E3D-4187-83AE-863207A935CC}" = MX-3000 Editor
"{1243EFD1-E2A7-4A57-976B-29EC6CA855F7}" = CC2-Pro
"{127B684B-A002-44C8-99A7-6CF8F1E26873}" = PunkBuster for Battlefield 1942
"{18669FF9-C8FE-407a-9F70-E674896B1DB4}" = GPBaseService
"{280C7673-2DF8-4E74-B031-D8F108BE2A6D}" = PRO200WL
"{305468A6-DE2D-43ba-A168-2F45A97A89DA}" = DJ_SF_03_D1500_Software_Min
"{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36FDBE6E-6684-462b-AE98-9A39A1B200CC}" = HPProductAssistant
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{47836B39-2465-4F39-9D7E-52F70A1C3D72}" = Axis & Allies
"{52A69E11-7CEB-4a7d-9607-68BA4F39A89B}" = DeviceDiscovery
"{54BB0384-1C33-488F-A95B-877E480D3EDC}" = MSXML 4.0
"{54DD126C-E5F5-404C-B4B7-66DF7FD4F2FF}" = MSSoap
"{5ACE69F0-A3E8-44eb-88C1-0A841E700180}" = TrayApp
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6790B26E-19BC-46E2-8206-BCC9B4984E88}" = CC2-Pro Demo
"{687FEF8A-8597-40b4-832C-297EA3F35817}" = BufferChm
"{698D7E61-E4BF-4CA6-8A09-CF6BDBFDEF65}" = Battlefield 1942
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{7AEF6F04-BCAD-4AC1-A77D-D69EE1BAF6D8}" = Tome of Ultimate Mapping
"{8A85DEAD-7C1F-4368-881C-72AC74CB2E91}" = UnloadSupport
"{8FF6F5CA-4E30-4E3B-B951-204CAAA2716A}" = SmartWebPrinting
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PRJPROR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PRJPROR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PRJPROR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PRJPROR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00B4-0409-0000-0000000FF1CE}" = Microsoft Office Project MUI (English) 2007
"{90120000-00B4-0409-0000-0000000FF1CE}_PRJPROR_{F3CD3F3F-726C-4414-A1FE-5CD0968313EA}" = Microsoft Office Project 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PRJPROR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90D55A3F-1D99-4C94-A77E-46DC14F0BF08}" = Help and Support Customization
"{91120000-003B-0000-0000-0000000FF1CE}" = Microsoft Office Project Professional 2007
"{91120000-003B-0000-0000-0000000FF1CE}_PRJPROR_{8446EB22-A746-46DC-B1BD-E0DFA1F3CDDA}" = Microsoft Office Project 2007 Service Pack 3 (SP3)
"{911B0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Word 2002
"{91E8A85F-2960-40ED-BA84-7F4567BB00C0}" = Dell | Support
"{927D5D39-5B7F-488E-ACC8-D1AEE56B4631}" = Fractal Terrains Pro Demo
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A0B9F8DF-C949-45ed-9808-7DC5C0C19C81}" = Status
"{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704}" = Microsoft Works 6.0
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5AB9D5E-52E2-440e-A3ED-9512E253C81A}" = SolutionCenter
"{A662E280-64A8-4CF5-8407-13D0808602B3}" = Call of Duty - United Offensive
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{B1421599-A42D-47ef-B512-B9B0317BD599}" = DJ_SF_03_D1500_Software
"{B252ADE8-8F39-4CBD-89CB-5919008754FE}" = VC User CRT71 RTL X86 ---
"{B73B4A99-4173-4747-BBEC-0F05E966F9D2}" = Battlefield 1942: Secret Weapons of WWII
"{BAD0FA60-09CF-4411-AE6A-C2844C8812FA}" = HP Photosmart Essential 2.5
"{BD3DCAB0-3FE5-44FB-90DA-EFB0A2CD1387}" = Works Synchronization
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C3A439E4-7303-491F-A678-CEA36A87D517}" = Microsoft Works Suite Add-in for Microsoft Word
"{C7340571-7773-4A8C-9EBC-4E4243B38C76}" = Microsoft XML Parser
"{C9E14402-3631-4182-B377-6B0DFB1C0339}" = QuickTime
"{CAF5B770-082F-40C4-853D-3973BB81BDAA}" = TurboTax 2011 WinPerTaxSupport
"{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D057AA08-8CBF-42E3-9EAB-23B8FED1C279}" = Battlefield 1942: The Road To Rome
"{D2E0F0CC-6BE0-490b-B08B-9267083E34C9}" = MarketResearch
"{DC19E750-988B-4005-A355-85EF66055EFE}" = Works Suite OS Pack
"{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01
"{E463E171-4082-4744-A466-F7CBE8502789}" = TurboTax 2011 WinPerReleaseEngine
"{EE556A3E-EB37-4392-9637-BAA8EC2F47FA}" = TurboTax 2011 wrapper
"{F2E6EB42-B04D-4F63-853F-8016BF71B25A}" = VC User MFC71 RTL X86 ---
"{FAD3D68B-2F9C-459B-AA79-C04B9090FD72}" = TurboTax 2011 WinPerFedFormset
"AD&D Core Rules II" = Advanced Dungeons & Dragons Core Rules CD-ROM 2.0
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Advanced SystemCare 4_is1" = Advanced SystemCare 4
"ATTToolbar" = AT&T Toolbar
"AutoREALM_is1" = AutoREALM Version 2.0
"Axis and Allies" = Axis and Allies
"Call of Duty" = Call of Duty
"CalorieKing Nutrition and Exercise Manager" = CalorieKing Nutrition and Exercise Manager (remove only)
"Campaign Mapper" = Campaign Mapper
"CCleaner" = CCleaner
"CdaC13Ba" = SafeCast Shared Components
"CNXT_MODEM_PCI_VEN_14F1&DEV_2016&SUBSYS_021913E0" = Conexant HSF V92 56K RTAD Speakerphone PCI Modem
"CoreRuleUninstKey" = AD&D Core Rules
"DivX 5.0.1 Bundle" = DivX 5.0.1 Bundle
"Dungeon Designer 2" = Dungeon Designer 2
"Eusing Free Registry Cleaner" = Eusing Free Registry Cleaner
"exPressit S.E. 2.1" = exPressit S.E. 2.1
"FastCAD" = FastCAD
"HP Imaging Device Functions" = HP Imaging Device Functions 10.0
"HP Photosmart Essential" = HP Photosmart Essential 2.5
"HP Smart Web Printing" = HP Smart Web Printing 4.60
"HP Solution Center & Imaging Support Tools" = HP Solution Center 10.0
"HPExtendedCapabilities" = HP Customer Participation Program 10.0
"ie8" = Windows Internet Explorer 8
"InstallShield_{A662E280-64A8-4CF5-8407-13D0808602B3}" = Call of Duty - United Offensive
"MAGIX audio cleaning lab 10" = MAGIX audio cleaning lab 10
"MAGIX audio cleaning lab 2005" = MAGIX audio cleaning lab 2005
"MAGIX Media Manager 2004 silver" = MAGIX Media Manager 2004 silver
"MAGIX Media Manager silver" = MAGIX Media Manager silver
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"MiniTool Power Data Recovery_is1" = MiniTool Power Data Recovery
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"NVIDIA Display Driver" = NVIDIA Display Driver
"Office8.0" = Microsoft Office 97, Professional Edition
"Panzer General 2" = Panzer General 2
"Panzer General II Demo" = Panzer General II Demo
"PRJPROR" = Microsoft Office Project Professional 2007
"Quick Data Recovery Pro_is1" = Quick Data Recovery Pro
"RealPlayer 6.0" = RealPlayer Basic
"Renegade" = Command & Conquer Renegade
"Sid Meier's Alpha Centauri" = Sid Meier's Alpha Centauri
"Sound Blaster Live! Value" = Sound Blaster Live! Value
"Super Bowl Champs Screen Saver" = Super Bowl Champs Screen Saver
"Tiberian Sun" = Command & Conquer Tiberian Sun
"TurboTax 2011" = TurboTax 2011
"ViewpointMediaPlayer" = Viewpoint Media Player (Remove Only)
"Visio Technical" = Visio Technical
"WIC" = Windows Imaging Component
"Windows XP Service Pack" = Windows XP Service Pack 3
"Works2002Setup" = Microsoft Works 2002 Setup Launcher
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Mail" = att.net Internet Mail
"Yahoo! Mail Advisor" = Yahoo! Mail Advisor
"Yahoo! Software Update" = Yahoo! Software Update
"YInstHelper" = Yahoo! Install Manager

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/24/2012 5:55:50 PM | Computer Name = DDQSKV11 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module mshtml.dll, version 8.0.6001.19190, fault address 0x000b9f68.

Error - 2/24/2012 6:20:54 PM | Computer Name = DDQSKV11 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module quicktimewebhelper.qtx, version 7.7.0.0, fault address 0x000057bd.

Error - 2/27/2012 10:29:01 AM | Computer Name = DDQSKV11 | Source = Application Error | ID = 1000
Description = Faulting application fcw32.exe, version 0.0.0.612, faulting module
xpcc2.dll, version 0.0.0.0, fault address 0x0000c301.

Error - 3/6/2012 2:48:51 PM | Computer Name = DDQSKV11 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 3/8/2012 4:42:34 PM | Computer Name = DDQSKV11 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module mshtml.dll, version 8.0.6001.19190, fault address 0x00067978.

Error - 3/9/2012 5:22:36 PM | Computer Name = DDQSKV11 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module mshtml.dll, version 8.0.6001.19190, fault address 0x000b9f68.

Error - 3/20/2012 5:48:41 PM | Computer Name = DDQSKV11 | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 3/20/2012 5:50:04 PM | Computer Name = DDQSKV11 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 3/20/2012 5:50:04 PM | Computer Name = DDQSKV11 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 3/20/2012 7:35:38 PM | Computer Name = DDQSKV11 | Source = Application Error | ID = 1000
Description = Faulting application systemcheckup.exe, version 3.1.0.37, faulting
module , version 0.0.0.0, fault address 0x00000000.

[ System Events ]
Error - 3/28/2012 8:28:50 AM | Computer Name = DDQSKV11 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

Error - 3/28/2012 8:31:55 AM | Computer Name = DDQSKV11 | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.

Error - 3/28/2012 8:41:18 AM | Computer Name = DDQSKV11 | Source = sfsync02 | ID = 262156
Description =

Error - 3/28/2012 8:41:50 AM | Computer Name = DDQSKV11 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 3/28/2012 8:41:53 AM | Computer Name = DDQSKV11 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 3/28/2012 8:42:04 AM | Computer Name = DDQSKV11 | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBT service which failed
to start because of the following error: %%31

Error - 3/28/2012 8:42:04 AM | Computer Name = DDQSKV11 | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 3/28/2012 8:42:04 AM | Computer Name = DDQSKV11 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

Error - 3/28/2012 8:42:58 AM | Computer Name = DDQSKV11 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 3/28/2012 8:45:46 AM | Computer Name = DDQSKV11 | Source = Service Control Manager | ID = 7022
Description = The HP CUE DeviceDiscovery Service service hung on starting.


< End of report >
 
OTL text log response

Here is the OTL.txt log response:

Here are the contents of the OTL text log:

OTL logfile created on: 3/28/2012 9:44:04 PM - Run 1
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\Garry S. Glover\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

255.01 Mb Total Physical Memory | 152.21 Mb Available Physical Memory | 59.69% Memory free
618.04 Mb Paging File | 486.52 Mb Available in Paging File | 78.72% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 41.56 Gb Free Space | 55.79% Space Free | Partition Type: NTFS

Computer Name: DDQSKV11 | User Name: Garry S. Glover | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/28 21:39:41 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Garry S. Glover\Desktop\OTL.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2001/08/17 23:36:42 | 000,024,064 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\SYSTEM32\devldr32.exe


========== Modules (No Company Name) ==========

MOD - [2012/03/10 21:24:49 | 000,043,520 | ---- | M] () -- C:\WINDOWS\SYSTEM32\CmdLineExt03.dll
MOD - [2011/05/28 14:47:00 | 000,127,376 | ---- | M] () -- C:\Program Files\IObit\Advanced SystemCare 4\ASCv4ExtMenu.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2011/08/25 18:53:00 | 000,013,672 | ---- | M] (Intuit Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe -- (IntuitUpdateServiceV4)
SRV - [2011/05/28 14:46:56 | 000,353,168 | ---- | M] (IObit) [Disabled | Stopped] -- C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe -- (AdvancedSystemCareService)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Disabled | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2003/03/02 13:16:38 | 000,052,736 | ---- | M] (Macrovision) [Disabled | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\CDAC11BA.EXE -- (C-DillaCdaC11BA)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0EA12DEB-9DD0-4F92-8854-8D730B2F6788}\MpKslc492ae9a.sys -- (MpKslc492ae9a)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/02/15 10:15:24 | 000,028,276 | ---- | M] (MusicMatch, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\MxlW2k.sys -- (MxlW2k)
DRV - [2009/09/04 13:46:04 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2009/09/04 13:46:04 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2008/04/13 14:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\gameenum.sys -- (gameenum)
DRV - [2005/08/10 10:06:28 | 000,019,968 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\sfsync02.sys -- (sfsync02) StarForce Protection Synchronization Driver (version 2.x)
DRV - [2005/08/10 08:44:04 | 000,050,688 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\sfdrv01.sys -- (sfdrv01) StarForce Protection Environment Driver (version 1.x)
DRV - [2005/05/16 09:20:39 | 000,006,656 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\sfhlp02.sys -- (sfhlp02) StarForce Protection Helper Driver (version 2.x)
DRV - [2003/03/02 13:16:37 | 000,011,376 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\CdaC15BA.SYS -- (CdaC15BA)
DRV - [2002/09/11 02:31:07 | 000,008,552 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2002/06/30 20:50:12 | 000,167,155 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2002/06/30 20:49:46 | 001,172,416 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_DP.sys -- (HSF_DP)
DRV - [2002/06/30 20:45:12 | 000,594,832 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_CNXT.sys -- (winachsf)
DRV - [2001/11/09 07:10:36 | 000,031,744 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\Garry S. Glover\cdrmkaun.sys -- (cdrmkaun)
DRV - [2001/08/17 14:52:24 | 000,038,144 | ---- | M] (HighPoint Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HPT3XX.SYS -- (hpt3xx)
DRV - [2001/08/17 14:28:12 | 000,488,383 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_V124.sys -- (V124)
DRV - [2001/08/17 14:28:12 | 000,050,751 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_TONE.sys -- (Tones)
DRV - [2001/08/17 14:28:10 | 000,542,879 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_MSFT.sys -- (hsf_msft)
DRV - [2001/08/17 14:28:10 | 000,073,279 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_SPKP.sys -- (SpeakerPhone)
DRV - [2001/08/17 14:28:10 | 000,057,471 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_SAMP.sys -- (Rksample)
DRV - [2001/08/17 14:28:08 | 000,391,199 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_K56K.sys -- (K56)
DRV - [2001/08/17 14:28:06 | 000,289,887 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_FALL.sys -- (Fallback)
DRV - [2001/08/17 14:28:06 | 000,199,711 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_FAXX.sys -- (SoftFax)
DRV - [2001/08/17 14:28:06 | 000,115,807 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_FSKS.sys -- (Fsks)
DRV - [2001/08/17 14:28:04 | 000,067,167 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_BSC2.sys -- (basic2)
DRV - [2001/08/17 14:02:32 | 000,008,576 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\hidgame.sys -- (hidgame)
DRV - [2001/08/17 13:50:26 | 000,731,648 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\NV4.SYS -- (nv4)
DRV - [2001/08/17 13:19:34 | 000,036,480 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\sfmanm.sys -- (sfman) Creative SoundFont Manager Driver (WDM)
DRV - [2001/08/17 13:19:28 | 000,006,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctlfacem.sys -- (emu10k1) Creative Interface Manager Driver (WDM)
DRV - [2001/08/17 13:19:26 | 000,283,904 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\emu10k1m.sys -- (emu10k) Creative SB Live! (WDM)
DRV - [2001/08/17 13:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ctljystk.sys -- (ctljystk)
DRV - [2001/08/17 13:11:42 | 000,029,696 | ---- | M] (CNet Technology, Inc. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\DM9PCI5.SYS -- (DM9102) DAVICOM 9102(A)
DRV - [2001/08/17 13:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)
DRV - [1999/12/17 02:00:00 | 000,006,752 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\PfModNT.sys -- (PfModNT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page_bak = http://about-blank.biz/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.Google.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://start.earthlink.net
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://start.earthlink.net
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://about-blank.biz/
IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar_bak = http://www.2020search.com/search/9884/search.html
IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page_bak = http://about-blank.biz/
IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net
IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.Google.com/
IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch =
IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant_bak = http://www.2020search.com/search/9884/search.html
IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..\URLSearchHook: - No CLSID value found
IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..\SearchScopes,DefaultScope = {DECA3892-BA8F-44b8-A993-A466AD694AE4}
IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..\SearchScopes\{C18B72AB-610B-4DAD-AE68-2F267C7D2951}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = http://search.yahoo.com/search?p={searchTerms}&fr=chr-atty
IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Motive, Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/04/13 22:19:47 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/04/13 22:19:47 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2006/10/24 23:56:10 | 000,003,606 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 69.56.223.196 t.rack.cc
O1 - Hosts: 69.56.223.196 www.alfa-search.com
O1 - Hosts: 69.56.223.196 webcoolsearch.com
O1 - Hosts: 69.56.223.196 in.webcounter.cc
O1 - Hosts: 69.56.223.196 i-lookup.com
O1 - Hosts: 69.56.223.196 www.hand-book.com
O1 - Hosts: 69.56.223.196 www.maxxxhosters.com
O1 - Hosts: 69.56.223.196 allneedsearch.com
O1 - Hosts: 69.56.223.196 best.royalsearch.net
O1 - Hosts: 69.56.223.196 default-homepage-network.com
O1 - Hosts: 69.56.223.196 xwebsearch.biz
O1 - Hosts: 69.56.223.196 www.rightfinder.net
O1 - Hosts: 69.56.223.196 www.search-1.net
O1 - Hosts: 69.56.223.196 www.searchv.com
O1 - Hosts: 69.56.223.196 www.websearch.com
O1 - Hosts: 69.56.223.196 mysearchnow.com
O1 - Hosts: 69.56.223.196 www.therealsearch.com
O1 - Hosts: 69.56.223.196 www.find-itnow.com
O1 - Hosts: 69.56.223.196 super-spider.com
O1 - Hosts: 69.56.223.196 www.searching-the-net.com
O1 - Hosts: 60 more lines...
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Search Toolbar BHO Object) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - Reg Error: Value error. File not found
O2 - BHO: (AT&&T Toolbar) - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL File not found
O2 - BHO: (no name) - {55102325-F838-447F-93D7-D03FED8F4C3B} - Reg Error: Value error. File not found
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Search) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - Reg Error: Value error. File not found
O3 - HKLM\..\Toolbar: (no name) - {5C75D98F-A3FF-4C79-A106-7E088D55D5DB} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..\Toolbar\WebBrowser: (no name) - {5C75D98F-A3FF-4C79-A106-7E088D55D5DB} - No CLSID value found.
O3 - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = _ [binary data]
O7 - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: =
O9 - Extra 'Tools' menuitem : Turbo Download - {1A00C40B-DA85-4aa3-A67F-582D9347EECD} - Reg Error: Value error. File not found
O12 - Plugin for: .PD7 - C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll File not found
O15 - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..Trusted Domains: ([]msn in My Computer)
O15 - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1268618336953 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1268795703686 (MUWebControl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6243CE58-9D38-4887-9C21-31FCF61A7D18}: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\System32\Userinit.exe) - C:\WINDOWS\SYSTEM32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Garry S. Glover\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Garry S. Glover\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/25 20:37:43 | 000,000,025 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - %SystemRoot%\System32\appmgmts.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: aux - C:\WINDOWS\System32\ctwdm32.dll (Creative Technology Ltd.)
Drivers32: aux1 - C:\WINDOWS\System32\ctwdm32.dll (Creative Technology Ltd.)
Drivers32: msacm.ctmp3 - C:\WINDOWS\SYSTEM32\ctmp3.acm (Microsoft Corporation)
Drivers32: msacm.iac2 - C:\WINDOWS\SYSTEM32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\System32\L3CODECX.ACM (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\TSSOFT32.ACM (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\divx.dll (DivXNetworks, Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\IR32_32.DLL ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\IR32_32.DLL ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.tscc - C:\WINDOWS\System32\tsccvid.dll (TechSmith Corporation)
Drivers32: wave1 - C:\WINDOWS\System32\SERWVDRV.DLL (Microsoft Corporation)
Drivers32: wave3 - C:\WINDOWS\System32\SERWVDRV.DLL (Microsoft Corporation)
Drivers32: wave4 - C:\WINDOWS\System32\SERWVDRV.DLL (Microsoft Corporation)
Drivers32: wave5 - C:\WINDOWS\System32\SERWVDRV.DLL (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/03/28 21:39:34 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Garry S. Glover\Desktop\OTL.exe
[2012/03/28 08:42:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\RarSFX7
[2012/03/28 08:37:34 | 004,448,689 | R--- | C] (Swearware) -- C:\Documents and Settings\Garry S. Glover\Desktop\GSG.exe
[2012/03/28 08:28:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\RarSFX6
[2012/03/28 08:24:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\RarSFX5
[2012/03/28 08:03:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\RarSFX4
[2012/03/28 07:57:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\RarSFX3
[2012/03/27 21:42:36 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
[2012/03/27 21:11:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\{281B3A29-FB12-4E82-9845-74079AB37431}
[2012/03/27 21:04:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\RarSFX2
[2012/03/27 21:03:58 | 009,601,504 | ---- | C] (OPSWAT, Inc.) -- C:\Documents and Settings\Garry S. Glover\Desktop\AppRemover.exe
[2012/03/27 08:01:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinZip
[2012/03/26 22:38:22 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Garry S. Glover\Desktop\aswMBR.exe
[2012/03/24 17:14:29 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2012/03/24 17:14:28 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Garry S. Glover\Start Menu\Programs\Administrative Tools
[2012/03/24 15:01:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\Application Data\Malwarebytes
[2012/03/24 15:00:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/03/24 15:00:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/03/24 15:00:02 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/03/24 15:00:02 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/03/23 13:57:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\Local Settings\Application Data\LogMeIn Rescue Applet
[2012/03/23 11:24:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\MiniTool Power Data Recovery 6.6
[2012/03/23 11:24:34 | 000,000,000 | ---D | C] -- C:\Program Files\PowerDataRecovery
[2012/03/23 10:54:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\RarSFX1
[2012/03/23 10:52:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\_avast4_
[2012/03/23 10:52:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\_av4_
[2012/03/23 10:46:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\Desktop\RK_Quarantine
[2012/03/22 09:38:37 | 000,000,000 | ---D | C] -- C:\Log
[2012/03/22 09:38:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/03/22 09:38:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Quick Data Recovery Pro
[2012/03/22 09:38:08 | 000,000,000 | ---D | C] -- C:\Program Files\Quick Data Recovery Pro
[2012/03/21 21:42:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\{AC76BA86-7AD7-1033-7B44-AA1000000001}
[2012/03/21 21:42:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\Local Settings\Application Data\Solid State Networks
[2012/03/21 21:42:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\21782
[2012/03/21 21:08:41 | 000,000,000 | ---D | C] -- C:\Restoration
[2012/03/21 13:16:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\MagicCute Data Recovery
[2012/03/21 13:15:58 | 000,000,000 | ---D | C] -- C:\Program Files\MCsDataRecovery
[2012/03/21 09:26:54 | 000,000,000 | ---D | C] -- C:\Program Files\WhenUSearch
[2012/03/20 17:50:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\iolo
[2012/03/20 17:39:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\Local Settings\Application Data\Google
[2012/03/20 17:38:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Garry S. Glover\Google Toolbar
[2012/03/20 17:38:15 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2012/03/20 17:38:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2012/03/20 17:13:08 | 000,766,728 | ---- | C] (Solid State Networks) -- C:\Documents and Settings\Garry S. Glover\install_reader10_en_gtba_aih.exe
[47 C:\Documents and Settings\Garry S. Glover\*.tmp files -> C:\Documents and Settings\Garry S. Glover\*.tmp -> ]
[39 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/28 21:39:41 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Garry S. Glover\Desktop\OTL.exe
[2012/03/28 08:44:18 | 000,002,048 | ---- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2012/03/28 08:44:17 | 267,468,800 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/28 08:37:34 | 004,448,689 | R--- | M] (Swearware) -- C:\Documents and Settings\Garry S. Glover\Desktop\GSG.exe
[2012/03/28 08:36:22 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\Desktop\rkill.exe
[2012/03/27 21:03:58 | 009,601,504 | ---- | M] (OPSWAT, Inc.) -- C:\Documents and Settings\Garry S. Glover\Desktop\AppRemover.exe
[2012/03/27 09:12:16 | 000,707,340 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT81.xml
[2012/03/27 09:12:16 | 000,001,994 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT7F.xml
[2012/03/27 09:12:16 | 000,000,426 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT80.xml
[2012/03/27 09:11:35 | 002,232,826 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT68.xml
[2012/03/27 09:11:35 | 000,001,022 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT69.dtd
[2012/03/27 09:11:28 | 000,707,340 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT67.xml
[2012/03/27 09:11:28 | 000,001,994 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT65.xml
[2012/03/27 09:11:28 | 000,000,426 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT66.xml
[2012/03/27 09:11:14 | 000,707,340 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT5A.xml
[2012/03/27 09:11:13 | 000,001,994 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT58.xml
[2012/03/27 09:11:13 | 000,000,426 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT59.xml
[2012/03/27 09:10:22 | 000,707,340 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT4D.xml
[2012/03/27 09:10:22 | 000,001,994 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT4B.xml
[2012/03/27 09:10:22 | 000,000,426 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT4C.xml
[2012/03/27 09:09:40 | 000,707,340 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT33.xml
[2012/03/27 09:09:40 | 000,001,994 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT31.xml
[2012/03/27 09:09:40 | 000,000,426 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT32.xml
[2012/03/27 09:09:11 | 000,707,340 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT30.xml
[2012/03/27 09:09:11 | 000,001,994 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT2E.xml
[2012/03/27 09:09:11 | 000,000,426 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT2F.xml
[2012/03/27 09:08:34 | 000,707,340 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT23.xml
[2012/03/27 09:08:34 | 000,001,994 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT21.xml
[2012/03/27 09:08:34 | 000,000,426 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT22.xml
[2012/03/27 09:06:06 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2012/03/26 22:38:22 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Garry S. Glover\Desktop\aswMBR.exe
[2012/03/24 16:28:37 | 000,707,340 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMTC.xml
[2012/03/24 16:28:36 | 000,001,994 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMTA.xml
[2012/03/24 16:28:36 | 000,000,426 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMTB.xml
[2012/03/24 15:00:52 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/03/23 13:26:55 | 000,000,070 | ---- | M] () -- C:\WINDOWS\qdrp.INI
[2012/03/23 11:24:38 | 000,000,790 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\MiniTool Power Data Recovery 6.6.lnk
[2012/03/22 09:38:11 | 000,000,763 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\Desktop\Quick Data Recovery Pro.lnk
[2012/03/22 07:26:22 | 000,000,211 | ---- | M] () -- C:\BOOT.INI
[2012/03/22 06:57:34 | 000,472,948 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2012/03/22 06:57:33 | 000,076,042 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2012/03/21 13:16:18 | 000,000,693 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\Application Data\Microsoft\Internet Explorer\Quick Launch\MagicCute Data Recovery.lnk
[2012/03/21 13:16:18 | 000,000,675 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\MagicCute Data Recovery.lnk
[2012/03/21 13:08:20 | 000,707,340 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT24.xml
[2012/03/21 13:08:16 | 000,000,426 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT20.xml
[2012/03/21 13:08:15 | 000,001,994 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT1F.xml
[2012/03/21 13:07:18 | 000,707,340 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT1E.xml
[2012/03/21 13:07:18 | 000,001,994 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT1C.xml
[2012/03/21 13:07:18 | 000,000,426 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\IMT1D.xml
[2012/03/21 12:02:39 | 000,016,907 | ---- | M] () -- C:\WINDOWS\Garry S. Glover8.xlb
[2012/03/21 09:13:53 | 000,356,160 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/20 17:41:46 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1cd06e23fae4ad8.job
[2012/03/20 17:13:22 | 000,766,728 | ---- | M] (Solid State Networks) -- C:\Documents and Settings\Garry S. Glover\install_reader10_en_gtba_aih.exe
[2012/03/19 22:33:15 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/03/19 20:46:43 | 000,002,393 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TurboTax 2011.lnk
[2012/03/10 21:24:51 | 000,024,748 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\SIntfNT.dll
[2012/03/10 21:24:51 | 000,020,020 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\SIntf32.dll
[2012/03/10 21:24:51 | 000,012,305 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\SIntf16.dll
[2012/03/10 21:24:49 | 000,043,520 | ---- | M] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[47 C:\Documents and Settings\Garry S. Glover\*.tmp files -> C:\Documents and Settings\Garry S. Glover\*.tmp -> ]
[39 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/28 08:44:17 | 267,468,800 | -HS- | C] () -- C:\hiberfil.sys
[2012/03/28 08:36:11 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\Desktop\rkill.exe
[2012/03/27 09:12:16 | 000,707,340 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT81.xml
[2012/03/27 09:12:16 | 000,001,994 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT7F.xml
[2012/03/27 09:12:16 | 000,000,426 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT80.xml
[2012/03/27 09:11:35 | 000,001,022 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT69.dtd
[2012/03/27 09:11:34 | 002,232,826 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT68.xml
[2012/03/27 09:11:28 | 000,707,340 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT67.xml
[2012/03/27 09:11:28 | 000,001,994 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT65.xml
[2012/03/27 09:11:28 | 000,000,426 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT66.xml
[2012/03/27 09:11:13 | 000,707,340 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT5A.xml
[2012/03/27 09:11:13 | 000,001,994 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT58.xml
[2012/03/27 09:11:13 | 000,000,426 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT59.xml
[2012/03/27 09:10:22 | 000,707,340 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT4D.xml
[2012/03/27 09:10:22 | 000,001,994 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT4B.xml
[2012/03/27 09:10:22 | 000,000,426 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT4C.xml
[2012/03/27 09:09:40 | 000,707,340 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT33.xml
[2012/03/27 09:09:40 | 000,001,994 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT31.xml
[2012/03/27 09:09:40 | 000,000,426 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT32.xml
[2012/03/27 09:09:11 | 000,707,340 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT30.xml
[2012/03/27 09:09:11 | 000,001,994 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT2E.xml
[2012/03/27 09:09:11 | 000,000,426 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT2F.xml
[2012/03/27 09:08:34 | 000,707,340 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT23.xml
[2012/03/27 09:08:34 | 000,001,994 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT21.xml
[2012/03/27 09:08:34 | 000,000,426 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT22.xml
[2012/03/24 16:28:36 | 000,707,340 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMTC.xml
[2012/03/24 16:28:36 | 000,001,994 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMTA.xml
[2012/03/24 16:28:36 | 000,000,426 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMTB.xml
[2012/03/24 15:00:52 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/03/23 11:24:38 | 000,000,790 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\MiniTool Power Data Recovery 6.6.lnk
[2012/03/22 09:38:11 | 000,000,763 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\Desktop\Quick Data Recovery Pro.lnk
[2012/03/22 09:38:10 | 000,000,070 | ---- | C] () -- C:\WINDOWS\qdrp.INI
[2012/03/21 13:16:18 | 000,000,693 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\Application Data\Microsoft\Internet Explorer\Quick Launch\MagicCute Data Recovery.lnk
[2012/03/21 13:16:18 | 000,000,675 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\MagicCute Data Recovery.lnk
[2012/03/21 13:08:20 | 000,707,340 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT24.xml
[2012/03/21 13:08:16 | 000,000,426 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT20.xml
[2012/03/21 13:08:15 | 000,001,994 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT1F.xml
[2012/03/21 13:07:18 | 000,707,340 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT1E.xml
[2012/03/21 13:07:18 | 000,001,994 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT1C.xml
[2012/03/21 13:07:18 | 000,000,426 | ---- | C] () -- C:\Documents and Settings\Garry S. Glover\IMT1D.xml
[2012/03/20 17:41:46 | 000,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1cd06e23fae4ad8.job
[2012/02/21 10:36:20 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/01/19 18:48:40 | 001,565,222 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-3766738458-558522827-3833581854-1006-0.dat
[2012/01/19 18:48:38 | 000,314,802 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2012/01/19 17:07:52 | 000,000,590 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.400.32.bc
[2011/04/10 21:50:09 | 000,712,152 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/02/22 11:25:57 | 000,021,504 | ---- | C] () -- C:\WINDOWS\jestertb.dll
[2011/02/20 22:22:48 | 000,000,116 | ---- | C] () -- C:\WINDOWS\homeDVD-Music.INI
[2010/04/13 22:16:22 | 000,023,108 | ---- | C] () -- C:\WINDOWS\hpqins15.dat

========== LOP Check ==========

[2010/04/05 21:53:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ATTToolbar
[2007/03/03 09:11:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg7
[2002/09/11 02:26:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2007/01/25 22:10:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA
[2011/09/09 07:15:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IObit
[2012/03/21 21:42:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iolo
[2012/03/23 13:27:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/03/11 14:49:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TurboTax 2006
[2011/09/06 20:46:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
[2012/03/21 21:39:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\ATTToolbar
[2012/03/21 21:39:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\AVG7
[2012/02/14 14:22:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\ConsumerSoft
[2010/09/16 13:11:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\fhnetwork.com
[2012/03/20 19:46:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\FileOpen
[2012/02/16 10:15:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\InterTrust
[2012/03/21 21:40:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\IObit
[2006/01/22 13:55:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\Leadertech
[2003/12/03 22:12:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\Lycos
[2006/04/07 04:58:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\Magix
[2011/09/05 13:17:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\Uniblue
[2012/03/20 19:46:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\winlink
[2012/03/21 21:41:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\winshow
[2003/12/01 11:11:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Garry S. Glover\Application Data\{2CF0B992-5EEB-4143-99C0-5297EF71F444}
[2007/01/27 09:39:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\AVG7
[2011/09/09 07:09:41 | 000,000,290 | ---- | M] () -- C:\WINDOWS\Tasks\ASC4_PerformanceMonitor.job

========== Purity Check ==========
 
OTL text log response PT 2

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >
[2002/09/25 20:37:43 | 000,000,025 | ---- | M] () -- C:\AUTOEXEC.BAT
[2012/03/22 07:26:22 | 000,000,211 | ---- | M] () -- C:\BOOT.INI
[2001/11/14 17:35:22 | 000,000,512 | ---- | M] () -- C:\BOOTSECT.DOS
[2002/09/25 20:37:31 | 000,000,010 | ---- | M] () -- C:\CONFIG.SYS
[2002/09/11 01:06:56 | 000,004,574 | ---- | M] () -- C:\DELL.SDR
[2003/11/06 17:02:26 | 000,005,153 | ---- | M] () -- C:\ffastun.ffa
[2003/11/06 17:02:18 | 001,581,056 | ---- | M] () -- C:\ffastun.ffl
[2003/11/06 17:02:26 | 001,064,960 | ---- | M] () -- C:\ffastun.ffo
[2003/11/06 17:02:18 | 003,526,656 | ---- | M] () -- C:\ffastun0.ffx
[2012/03/28 08:44:17 | 267,468,800 | -HS- | M] () -- C:\hiberfil.sys
[2001/11/15 08:31:14 | 000,000,000 | ---- | M] () -- C:\IO.SYS
[2002/09/11 02:31:22 | 000,000,315 | ---- | M] () -- C:\IPH.PH
[2001/11/15 08:31:14 | 000,000,000 | ---- | M] () -- C:\MSDOS.SYS
[2005/06/16 19:16:53 | 000,000,016 | ---- | M] () -- C:\mxfilerelatedcache.mxc2
[2010/03/16 23:31:28 | 000,047,564 | ---- | M] () -- C:\NTDETECT.COM
[2010/03/27 12:45:40 | 000,250,048 | ---- | M] () -- C:\NTLDR
[2012/03/28 08:44:10 | 402,653,184 | -HS- | M] () -- C:\pagefile.sys
[2004/04/03 18:58:30 | 000,004,608 | ---- | M] () -- C:\Personal.CDX
[2004/04/03 18:58:30 | 000,000,552 | ---- | M] () -- C:\personal.dbf
[2012/03/23 10:55:05 | 000,000,282 | ---- | M] () -- C:\rkill.log

< %systemroot%\Fonts\*.com >
[2006/04/18 16:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 15:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 16:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 15:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2001/11/15 08:30:48 | 000,000,067 | ---- | M] () -- C:\WINDOWS\Fonts\DESKTOP.INI

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008/07/06 08:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2007/10/20 19:21:50 | 000,278,016 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp5mu.dll
[2008/07/06 06:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >
[1997/07/11 01:00:00 | 000,000,002 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\Application Data\Microsoft\ArtGalry.cag

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2001/11/15 08:22:22 | 000,090,112 | ---- | M] () -- C:\WINDOWS\System32\config\DEFAULT.SAV
[2001/11/15 08:22:22 | 000,606,208 | ---- | M] () -- C:\WINDOWS\System32\config\SOFTWARE.SAV
[2001/11/15 08:22:22 | 000,380,928 | ---- | M] () -- C:\WINDOWS\System32\config\SYSTEM.SAV

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2010/03/27 13:13:17 | 000,000,272 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\DESKTOP.INI

< %systemroot%\system32\config\systemprofile\*.dat /x >
[2010/03/16 22:26:40 | 000,000,383 | ---- | M] () -- C:\WINDOWS\system32\config\systemprofile\HPZIDS000.log
[2002/09/11 02:29:09 | 000,000,246 | ---- | M] () -- C:\WINDOWS\system32\config\systemprofile\INSTALL.LOG
[2010/03/16 22:26:37 | 000,000,609 | ---- | M] () -- C:\WINDOWS\system32\config\systemprofile\update000.log

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2010/03/27 13:12:54 | 000,000,177 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\Application Data\Microsoft\Internet Explorer\Quick Launch\DESKTOP.INI

< %USERPROFILE%\Desktop\*.exe >
[2012/03/27 21:03:58 | 009,601,504 | ---- | M] (OPSWAT, Inc.) -- C:\Documents and Settings\Garry S. Glover\Desktop\AppRemover.exe
[2012/03/26 22:38:22 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Garry S. Glover\Desktop\aswMBR.exe
[2012/03/28 08:37:34 | 004,448,689 | R--- | M] (Swearware) -- C:\Documents and Settings\Garry S. Glover\Desktop\GSG.exe
[2012/03/28 21:39:41 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Garry S. Glover\Desktop\OTL.exe
[2012/03/28 08:36:22 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\Desktop\rkill.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\tasks\*.* >
[2011/09/09 07:09:41 | 000,000,290 | ---- | M] () -- C:\WINDOWS\tasks\ASC4_PerformanceMonitor.job
[2001/08/18 07:00:00 | 000,000,065 | ---- | M] () -- C:\WINDOWS\tasks\DESKTOP.INI
[2012/03/20 17:41:46 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1cd06e23fae4ad8.job
[2011/09/09 07:17:28 | 000,000,006 | ---- | M] () -- C:\WINDOWS\tasks\SA.DAT

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >
[2003/09/17 08:16:38 | 000,142,608 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Garry S. Glover\atl.exe
[2004/01/08 21:29:31 | 000,018,192 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Garry S. Glover\ChkTrust.exe
[2005/08/05 10:08:58 | 000,122,880 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\GalleryExport.exe
[2007/11/05 22:15:15 | 001,140,056 | ---- | M] (Hewlett-Packard) -- C:\Documents and Settings\Garry S. Glover\hpzmsi01.exe
[2007/11/05 22:10:30 | 001,107,288 | ---- | M] (Hewlett-Packard) -- C:\Documents and Settings\Garry S. Glover\hpzscr01.EXE
[2007/11/06 04:13:36 | 000,458,752 | ---- | M] (Hewlett-Packard) -- C:\Documents and Settings\Garry S. Glover\hpzswp01.exe
[2012/03/20 17:13:22 | 000,766,728 | ---- | M] (Solid State Networks) -- C:\Documents and Settings\Garry S. Glover\install_reader10_en_gtba_aih.exe
[2006/10/28 06:30:46 | 000,145,184 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Garry S. Glover\ose00000.exe
[2008/10/05 08:29:13 | 009,730,015 | ---- | M] (UBISOFT) -- C:\Documents and Settings\Garry S. Glover\protect.exe
[2011/09/27 13:03:34 | 003,910,024 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\SSMInstaller.exe
[2003/12/22 08:48:45 | 012,208,816 | ---- | M] (EarthLink, Inc. ) -- C:\Documents and Settings\Garry S. Glover\TA2004_1_42_0_0_1_XP.exe
[2003/08/27 10:08:33 | 000,173,744 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\TSCC.exe
[1999/08/09 11:01:40 | 000,632,328 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Garry S. Glover\wmaudio.exe
[2002/12/11 14:11:50 | 004,085,904 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Garry S. Glover\wmf9.exe
[2002/08/21 04:56:36 | 000,793,536 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Garry S. Glover\wmpcdcs8.exe
[2010/10/26 08:16:21 | 003,693,160 | ---- | M] (Yahoo! Inc.) -- C:\Documents and Settings\Garry S. Glover\ytb_8.1.4.26_2.1.3_ysp_2.0.1.13_mail_bts_pub_us_setup_.exe
[2010/10/26 08:30:24 | 004,464,192 | ---- | M] (Yahoo! Inc.) -- C:\Documents and Settings\Garry S. Glover\ytb_8.3.2.24_2.3.1_ysp_2.0.2.12_mail_bts_pub_us_setup_.exe
[47 C:\Documents and Settings\Garry S. Glover\*.tmp files -> C:\Documents and Settings\Garry S. Glover\*.tmp -> ]

< %systemroot%\ADDINS\*.* >

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >
[2012/03/28 21:33:33 | 000,294,912 | ---- | M] () -- C:\Documents and Settings\Garry S. Glover\Cookies\index.dat

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >
[2008/04/13 20:12:38 | 000,208,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >
[2008/04/13 20:11:51 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
[2002/02/07 14:10:20 | 000,015,692 | ---- | M] () -- C:\Program Files\Messenger\license.txt
[2002/02/07 14:09:54 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
[2002/02/07 14:09:54 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
[2002/02/07 14:10:20 | 000,000,807 | ---- | M] () -- C:\Program Files\Messenger\mailtmpl.txt
[2002/02/12 18:52:30 | 000,024,848 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\migrate.dll
[2008/05/02 10:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
[2008/04/13 13:30:28 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
[2002/02/12 18:52:28 | 000,004,496 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsmigr.dll
[2008/04/13 20:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
[2001/08/01 22:58:12 | 000,016,415 | ---- | M] () -- C:\Program Files\Messenger\MSMSGSIN.EXE
[2002/02/07 14:09:42 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
[2002/02/07 14:09:42 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
[2002/02/07 14:09:42 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
[2002/02/07 14:10:02 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
[2004/07/17 14:41:04 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >
[2000/09/11 08:00:00 | 000,009,597 | ---- | M] () -- C:\WINDOWS\system\RDB16.EXE

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2012-03-22 02:38:58

========== Alternate Data Streams ==========

@Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:868B0C5C

< End of report >
 
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page_bak = http://about-blank.biz/
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
    IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar_bak = http://www.2020search.com/search/9884/search.html
    IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page_bak = http://about-blank.biz/
    IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
    IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant_bak = http://www.2020search.com/search/9884/search.html
    IE - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..\URLSearchHook: - No CLSID value found
    O2 - BHO: (Search Toolbar BHO Object) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - Reg Error: Value error. File not found
    O2 - BHO: (AT&&T Toolbar) - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL File not found
    O2 - BHO: (no name) - {55102325-F838-447F-93D7-D03FED8F4C3B} - Reg Error: Value error. File not found
    O3 - HKLM\..\Toolbar: (Search) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - Reg Error: Value error. File not found
    O3 - HKLM\..\Toolbar: (no name) - {5C75D98F-A3FF-4C79-A106-7E088D55D5DB} - No CLSID value found.
    O3 - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..\Toolbar\WebBrowser: (no name) - {5C75D98F-A3FF-4C79-A106-7E088D55D5DB} - No CLSID value found.
    O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
    O9 - Extra 'Tools' menuitem : Turbo Download - {1A00C40B-DA85-4aa3-A67F-582D9347EECD} - Reg Error: Value error. File not found
    O15 - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..Trusted Domains: ([]msn in My Computer)
    O15 - HKU\S-1-5-21-3766738458-558522827-3833581854-1006\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    [2012/03/22 09:38:10 | 000,000,070 | ---- | C] () -- C:\WINDOWS\qdrp.INI
    @Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:868B0C5C
    
    :Commands
    [purity]
    [emptytemp]
    [emptyjava]
    [emptyflash]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

======================================================================

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE: SecurityCheck may produce some false warning(s), so leave reading the results to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.


3. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on the Start button to begin the cleaning process.
  • TFC will close all running programs, and it may ask you to restart the computer.


4. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE: If ESET doesn't find any threats, it won't produce any log.
 
OTL Fix Log

Below are the contents of the OTL Fix Log:

All processes killed
========== OTL ==========
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Bar| /E : value set successfully!
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page_bak| /E : value set successfully!
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\\SearchAssistant| /E : value set successfully!
HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Bar_bak| /E : value set successfully!
HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Page_bak| /E : value set successfully!
HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Search\\SearchAssistant| /E : value set successfully!
HKU\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Internet Explorer\Search\\SearchAssistant_bak| /E : value set successfully!
Registry value HKEY_USERS\S-1-5-21-3766738458-558522827-3833581854-1006\Software\Microsoft\Internet Explorer\URLSearchHooks\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2CF0B992-5EEB-4143-99C0-5297EF71F443}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2CF0B992-5EEB-4143-99C0-5297EF71F443}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{55102325-F838-447F-93D7-D03FED8F4C3B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{55102325-F838-447F-93D7-D03FED8F4C3B}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{2CF0B992-5EEB-4143-99C0-5297EF71F444} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2CF0B992-5EEB-4143-99C0-5297EF71F444}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{5C75D98F-A3FF-4C79-A106-7E088D55D5DB} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C75D98F-A3FF-4C79-A106-7E088D55D5DB}\ not found.
Registry value HKEY_USERS\S-1-5-21-3766738458-558522827-3833581854-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-3766738458-558522827-3833581854-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{5C75D98F-A3FF-4C79-A106-7E088D55D5DB} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C75D98F-A3FF-4C79-A106-7E088D55D5DB}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{1A00C40B-DA85-4aa3-A67F-582D9347EECD}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A00C40B-DA85-4aa3-A67F-582D9347EECD}\ not found.
Registry value HKEY_USERS\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-3766738458-558522827-3833581854-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intuit.com\ttlc\ deleted successfully.
File oft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab not found.
Starting removal of ActiveX control Microsoft XML Parser for Java
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
C:\WINDOWS\qdrp.INI moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:868B0C5C deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 7247308 bytes
->Temporary Internet Files folder emptied: 73666 bytes

User: All Users

User: Barbara G. Glover
->Temp folder emptied: 7957068 bytes
->Temporary Internet Files folder emptied: 284889 bytes

User: Default User
->Temp folder emptied: 7247308 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Garry S. Glover
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 27966878 bytes
->Flash cache emptied: 2560 bytes

User: Garry S~ Glover

User: GARRYS~1~GLO

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 340646 bytes

User: NetworkService
->Temp folder emptied: 2013936 bytes
->Temporary Internet Files folder emptied: 215844 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 986179 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 41132 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 158628569 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 1491806 bytes
RecycleBin emptied: 53029263 bytes

Total Files Cleaned = 255.00 mb


[EMPTYJAVA]

User: Administrator

User: All Users

User: Barbara G. Glover

User: Default User

User: Garry S. Glover

User: Garry S~ Glover

User: GARRYS~1~GLO

User: LocalService

User: NetworkService

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Barbara G. Glover

User: Default User

User: Garry S. Glover
->Flash cache emptied: 0 bytes

User: Garry S~ Glover

User: GARRYS~1~GLO

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.39.2 log created on 03292012_081853

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 
Security Check Log

Below are the contents of the security check log:

Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
```````````````````````````````
Anti-malware/Other Utilities Check:

CCleaner
Eusing Free Registry Cleaner
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````
 
Farbar Service Scanner Log

Below are the contents of the FSS log:

Farbar Service Scanner Version: 01-03-2012
Ran by Garry S. Glover (administrator) on 29-03-2012 at 08:32:35
Running from "C:\Documents and Settings\Garry S. Glover\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============
cryptsvc Service is not running. Checking service configuration:
The start type of cryptsvc service is set to Demand. The default start type is Auto.
The ImagePath of cryptsvc service is OK.
The ServiceDll of cryptsvc service is OK.


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0700000004000000010000000200000003000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****
 