shawnh Posted September 23, 2010 Posted September 23, 2010 I'm wondering if someone would please help with a complete virus and spyware check of my laptop? I have had help on this forum before for that from a couple of helpful people (Starbuck, etc.) for two of my other computers. They guided me through using a series of anti-spyware and anti-virus cleanup tools... it was great. Thanks! Shawn Quote
chiaz Posted September 25, 2010 Posted September 25, 2010 Hi shawnh, Welcome! A few things before we start....
1. Please Read All Instructions Carefully.
2. If you don't understand something, stop and ask! Don't keep going on.
3. Please do not run any other tools or scans whilst I am helping you.
4. If you have to go away for an extended period of time, let me know.
5. Please continue to respond until I give you the "All Clear". (Just because you can't see a problem doesn't mean it isn't there)
Download TFC by OldTimer to your desktop. Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator). It will close all programs when run, so make sure you have saved all your work before you begin. Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion. Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
=======================
Next download OTL.exe by OldTimer to your Desktop. Close all windows and double click OTL.exe. Click Run Scan and let the program run uninterrupted. It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread. You may need to use two posts to get it all.
============
Meanwhile (while waiting for my reply), you may wish to additionally run Panda ActiveScan online scan. Click the big green Scan now button. If it wants to install an ActiveX component allow it. It will start downloading the files it requires for the scan (Note: It may take a couple of minutes). The scan may take some time. Once the scan is completed, please hit the notepad icon next to the text Export to: Save it to a convenient location such as your Desktop.
Post the contents of the ActiveScan.txt in your next reply. Quote
shawnh Posted September 30, 2010 Author Posted September 30, 2010 Hi Chiaz! Thanks very much for helping me. Okay, I ran the TFC thing and that cleaned out a big pile of old crap - almost 1.5 gigs! Attached are the two log files from the OTL run. Thanks Again! ShawnOTL.TxtExtras.Txt Quote
chiaz Posted October 2, 2010 Posted October 2, 2010 (edited) Please run OTL.exe. Download the attached file in this post named 'fixforshawn.txt'. Copy the commands by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste. Click the red Run Fix button. A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply later. Close OTL.exe If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. ======================================== I will wait for that Panda ActiveScan logfile. :)fixforshawn.txt Edited October 2, 2010 by chiaz Quote
shawnh Posted October 2, 2010 Author Posted October 2, 2010 I don't think it ran correctly Chiaz... I noticed the .txt file you sent me had little "boxes" embedded within the text... I'm betting those control characters screwed up the run. The run completed almost immediately, didn't seem like it did anything. Here is the output file:
Error: Unable to interpret <:OTL O3 - HKLM\..\Toolbar: (OCDB) - {23BE4004-AC07-45FE-B87F-1782D25C90E5} - Reg Error: Value error. File not found O3 - HKCU\..\Toolbar\WebBrowser: (OCDB) - {23BE4004-AC07-45FE-B87F-1782D25C90E5} - Reg Error: Value error. File not found O4 - HKLM..\Run: [] File not found O9 - Extra Button: WH USD Casino - {096CADBA-B4F6-4899-AC65-5BE9C3803037} - C:\Documents and Settings\Moe\Desktop\WH USD Casino.lnk File not found O9 - Extra 'Tools' menuitem : WH USD Casino - {096CADBA-B4F6-4899-AC65-5BE9C3803037} - C:\Documents and Settings\Moe\Desktop\WH USD Casino.lnk File not found O9 - Extra Button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\Documents and Settings\Moe\Desktop\WH GBP Casino.lnk File not found O9 - Extra 'Tools' menuitem : WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\Documents and Settings\Moe\Desktop\WH GBP Casino.lnk File not found O9 - Extra Button: Europa Casino - {4C826F10-D34B-4ba8-B609-1FB8C6482A05} - C:\Program Files\Europa Casino\casino.exe File not found O9 - Ex> in the current context!
Error: Unable to interpret <tra 'Tools' menuitem : Europa Casino - {4C826F10-D34B-4ba8-B609-1FB8C6482A05} - C:\Program Files\Europa Casino\casino.exe File not found O9 - Extra Button: Purple Lounge Poker - {701FD202-200A-4bd1-9380-BC8A722B43A5} - C:\Program Files\PurpleloungeMPP\MPPoker.exe File not found O9 - Extra Button: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Moe\Desktop\InterCasino $$$.lnk File not found O9 - Extra 'Tools' menuitem : InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Moe\Desktop\InterCasino $$$.lnk File not found O9 - Extra Button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe File not found O9 - Extra 'Tools' menuitem : PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe File not found O9 - Extra Button: 7Sultans Online Casino - {D6058E3E-5DBF-413b-9106-C26ED8DE3566} - C:\Program Files\7sultans\casinogame.exe File not foun> in the current context!
Error: Unable to interpret <d O16 - DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} http://download.microsoft.com/download/0/f/b/0fb0fab9-7f09-4bb6-86d8-8e791ba99ac5/VirtualEarth3D.cab (Reg Error: Value error.)> in the current context!
Error: Unable to interpret <O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} http://www.errornuker.com/products/errn2004/installers/default/ErrorNukerInstaller.exe (Reg Error: Value error.)> in the current context!
Error: Unable to interpret <O16 - DPF: {3253534D-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/3/4/F345356C-453F-439C-8977-81149FBF0980/wms9dmo.cab (Reg Error: Value error.)> in the current context!
Error: Unable to interpret <O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB (Reg Error: Value error.)> in the current context!
Error: Unable to interpret <O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab (Reg Error: Value error.)> in the current context!
Error: Unable to interpret <O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Value error.)> in the current context!
Error: Unable to interpret <O16 - DPF: {A104EEFF-DADB-45DC-8A69-26E862666021} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Reg Error: Value error.)> in the current context!
OTL by OldTimer - Version 3.2.14.1 log created on 10022010_012632
Thanks! Shawn Quote
chiaz Posted October 2, 2010 Posted October 2, 2010 Please run OTL again. Under the Custom Scans/Fixes box at the bottom, paste in the following (Starting from :OTL):
:OTL
O3 - HKLM\..\Toolbar: (OCDB) - {23BE4004-AC07-45FE-B87F-1782D25C90E5} - Reg Error: Value error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (OCDB) - {23BE4004-AC07-45FE-B87F-1782D25C90E5} - Reg Error: Value error. File not found
O4 - HKLM..\Run: [] File not found
O9 - Extra Button: WH USD Casino - {096CADBA-B4F6-4899-AC65-5BE9C3803037} - C:\Documents and Settings\Moe\Desktop\WH USD Casino.lnk File not found
O9 - Extra 'Tools' menuitem : WH USD Casino - {096CADBA-B4F6-4899-AC65-5BE9C3803037} - C:\Documents and Settings\Moe\Desktop\WH USD Casino.lnk File not found
O9 - Extra Button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\Documents and Settings\Moe\Desktop\WH GBP Casino.lnk File not found
O9 - Extra 'Tools' menuitem : WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\Documents and Settings\Moe\Desktop\WH GBP Casino.lnk File not found
O9 - Extra Button: Europa Casino - {4C826F10-D34B-4ba8-B609-1FB8C6482A05} - C:\Program Files\Europa Casino\casino.exe File not found
O9 - Extra 'Tools' menuitem : Europa Casino - {4C826F10-D34B-4ba8-B609-1FB8C6482A05} - C:\Program Files\Europa Casino\casino.exe File not found
O9 - Extra Button: Purple Lounge Poker - {701FD202-200A-4bd1-9380-BC8A722B43A5} - C:\Program Files\PurpleloungeMPP\MPPoker.exe File not found
O9 - Extra Button: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Moe\Desktop\InterCasino $$$.lnk File not found
O9 - Extra 'Tools' menuitem : InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Moe\Desktop\InterCasino $$$.lnk File not found
O9 - Extra Button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe File not found
O9 - Extra 'Tools' menuitem : PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe File not found
O9 - Extra Button: 7Sultans Online Casino - {D6058E3E-5DBF-413b-9106-C26ED8DE3566} - C:\Program Files\7sultans\casinogame.exe File not found
O16 - DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} http://download.microsoft.com/download/0/f/b/0fb0fab9-7f09-4bb6-86d8-8e791ba99ac5/VirtualEarth3D.cab (Reg Error: Value error.)
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} http://www.errornuker.com/products/errn2004/installers/default/ErrorNukerInstaller.exe (Reg Error: Value error.)
O16 - DPF: {3253534D-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/3/4/F345356C-453F-439C-8977-81149FBF0980/wms9dmo.cab (Reg Error: Value error.)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB (Reg Error: Value error.)
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab (Reg Error: Value error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Value error.)
O16 - DPF: {A104EEFF-DADB-45DC-8A69-26E862666021} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Reg Error: Value error.)
:commands
[reboot]
Then click the Run Fix button at the top. Let the program run unhindered, reboot the PC when it is done. Post the log resulting from it. Quote
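An added example (my own code, not OTL's and not posted by chiaz or shawnh): a small Python triage script that applies the selection rule behind the fix above, flagging OTL entries whose target is orphaned ("File not found", "No CLSID value found.", "(Reg Error: Value error.)"), emitting them in the :OTL / :commands script form, and checking the script text for the stray control characters that broke the first run. The sample lines are copied from the OTL output posted in this thread; the Entry class and the function names are assumptions.

```python
"""Triage OTL-style scan lines and build an :OTL fix script from the orphaned ones."""
import re
from dataclasses import dataclass

# Trailing markers OTL prints when an entry's target is missing on disk or in the
# registry. The hook (toolbar, Run value, IE button, DPF object) survives but points
# nowhere, which is exactly what the fix script above removes.
ORPHAN_MARKERS = ("File not found", "No CLSID value found.", "(Reg Error: Value error.)")

# OTL/HijackThis section lines look like "O9 - Extra Button: ..."; other lines are ignored.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

# Constructed test input: lines copied from the OTL output posted in this thread.
SAMPLE_LINES = [
    r"O3 - HKLM\..\Toolbar: (OCDB) - {23BE4004-AC07-45FE-B87F-1782D25C90E5} - Reg Error: Value error. File not found",
    r"O4 - HKLM..\Run: [] File not found",
    r"O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)",
    r"O9 - Extra Button: Europa Casino - {4C826F10-D34B-4ba8-B609-1FB8C6482A05} - C:\Program Files\Europa Casino\casino.exe File not found",
    r"O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} http://www.errornuker.com/products/errn2004/installers/default/ErrorNukerInstaller.exe (Reg Error: Value error.)",
    r"O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.",
    "O1 - Hosts: 127.0.0.1 localhost",
]


@dataclass
class Entry:
    section: str    # "O2", "O3", "O4", "O9", "O16", ...
    body: str       # everything after "Oxx - "
    orphaned: bool  # True when the target file / CLSID / DPF object no longer exists


def parse_entries(lines):
    """Return an Entry for every OTL 'O' line; report lines that are not entries are skipped."""
    entries = []
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        entries.append(Entry(section, body, body.endswith(ORPHAN_MARKERS)))
    return entries


def build_fix_script(entries, reboot=True):
    """Emit the text pasted into OTL's Custom Scans/Fixes box: only orphaned entries go in."""
    lines = [":OTL"] + [f"{e.section} - {e.body}" for e in entries if e.orphaned]
    if reboot:
        lines += [":commands", "[reboot]"]
    return "\n".join(lines) + "\n"


def _is_control(ch):
    # Tab, CR and LF are legitimate in a script file; anything else below 0x20, DEL and
    # the C1 range (0x80-0x9F) shows up as the "little boxes" seen in the thread and makes
    # OTL swallow several commands as one unparseable line.
    code = ord(ch)
    return (code < 0x20 and ch not in "\t\r\n") or code == 0x7F or 0x80 <= code <= 0x9F


def find_control_chars(text):
    """Return (line, column, codepoint) for each stray control character, 1-based."""
    hits = []
    for lineno, line in enumerate(text.split("\n"), 1):
        for col, ch in enumerate(line, 1):
            if _is_control(ch):
                hits.append((lineno, col, ord(ch)))
    return hits


def strip_control_chars(text):
    """Drop stray control characters so the script parses as one command per line."""
    return "".join(ch for ch in text if not _is_control(ch))


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LINES)
    for e in parsed:
        print(("REMOVE " if e.orphaned else "keep   ") + e.section + " - " + e.body[:70])
    fix = build_fix_script(parsed)
    print(fix)
    print("stray control characters in script:", find_control_chars(fix))
```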
shawnh Posted October 3, 2010 Author Posted October 3, 2010 Thanks Chiaz, okay I did that and when OTL was complete, it just said "Processing finished" on its status bar at the bottom - no log file was shown. Then I did a reboot and still no log file appeared. I then looked in the C drive and it had created a folder "_OTL" and in the "Movedfiles" subdirectory there were a couple of log files... I'm not sure if these are the ones you want. I've attached them (I first renamed them to .txt extension so they'd upload here). Thanks! Shawn10022010_012632.txt10032010_173236.txt Quote
chiaz Posted October 4, 2010 Posted October 4, 2010 OK, looks like that did its job. Run Panda ActiveScan and post the concomitant log here. :) Quote
shawnh Posted October 4, 2010 Author Posted October 4, 2010 Thanks Chiaz, okay here attached is the log from Panda Activescan. Looks like it found a fair bit of stuff! Thanks! ShawnActiveScan.txt Quote
chiaz Posted October 7, 2010 Posted October 7, 2010 Sorry for the late reply. Not everything's malicious, don't worry. :) I would like a deeper look into some particular files before giving any definite instructions. Please go to http://virusscan.jotti.org , click on Browse, and upload the following files for analysis: c:\winxp\system32\svers.dll c:\winxp\svers.dll c:\program files\webserver\svrproxy.exe c:\windows\system32\aspro\imscan.dll Then click Submit. Allow the files to be scanned individually, and then please Copy/Paste the respective result links here for me to see. If Jotti is busy, please go to http://www.virustotal.com. Quote
shawnh Posted October 16, 2010 Author Posted October 16, 2010 Hi Chiaz, sorry for the delay in replying. Okay, I ran Jotti scan for all 4 of those files, however with the "svers.dll" file, it had said it had already scanned it (I guess those 2 files are identical?). Here are 4 links: svers.dll - Jotti's malware scan imscan.dll - Jotti's malware scan svers.dll - Jotti's malware scan svrproxy.exe - Jotti's malware scan Thanks! Shawn Quote
chiaz Posted October 17, 2010 Posted October 17, 2010 Some of the crack programs and pirated applications you have on your PC are detected as malware. You may want to get rid of them accordingly. Let me know if you need additional information or help on this.
Next, Download The Avenger by Swandog46 from here. Unzip/extract it to a folder on your desktop. Double click on avenger.exe to run The Avenger. Click OK. Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it. Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
Files to delete:
c:\winxp\remlive.exe
c:\winxp\system32\svers.dll
c:\winxp\svers.dll
c:\program files\webserver\svrproxy.exe
c:\windows\system32\aspro\imscan.dll
Registry values to delete:
hkey_current_user\software\microsoft\windows\currentversion\ext\stats\{886dde35-e585-11d0-a707-000000521958}
In the avenger window, click the Paste script from Clipboard button. Click the Execute button. You will be asked Are you sure you want to execute the current script?. Click Yes. You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?. Click Yes. Your PC will now be rebooted.
Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation. If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour. After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt). Please post this log in your reply. Quote
shawnh Posted November 22, 2010 Author Posted November 22, 2010 Very sorry for the long delay Chiaz.. I hope you are still with me! OK, I ran Avenger and attached is the log file. But please note, after I clicked the EXECUTE button, Avenger gave this error message: "Error: Invalid syntax in command: "hkey_current_user\software\microsoft\windows\currentversion\ext\stats\{886dde35-e585-11d0-a707-000000521958}" Skipping line. (Registry value deletion mode) " ... it allowed me to still proceed however. Thanks!! Shawnavenger.txt Quote
shawnh Posted January 5, 2011 Author Posted January 5, 2011 Hi Chiaz... are you still with me? :-) Shawn Quote
Starbuck Posted January 8, 2011 Posted January 8, 2011 Hi shawnh, Sorry for the delay, Chiaz is not around at the moment. I'll cover for him until his return. Let's start afresh as the reports and programs are all old now.
Step 1
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop. Link 1 Link 2
This is an example, you may rename ComboFix to anything you want. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix. For more information read: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Then: Double click on Combo-Fix.exe & follow the prompts. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. If running Vista, you may not see this screen. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. Note: Do not mouseclick combofix's window while it's running. That may cause it to stall. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Step 2
Please right click on the Otl icon and select delete. Now download a fresh copy: Download OTL to your desktop. Right click on the link and select 'Save Link/Target As'. If you have problems, try this download link: OTL. Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted. When the window appears, underneath Output at the top change it to Minimal Output. Check the boxes beside LOP Check and Purity Check. Now copy the lines in bold below.
netsvcs
msconfig
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT
Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste. Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long. When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. In your next reply, please submit: Combofix.txt and both reports from Otl. Thanks. Quote Member of:UNITE
shawnh Posted January 16, 2011 Author Posted January 16, 2011 Thanks for jumping in Starbuck. Well, the ComboFix wouldn't work. It came up with the DOS window and mentioned that it should only take 10 mins (double for badly infected computers)... but it just didn't do anything - I even left it going all night. Any thoughts? Cheers Shawn Quote
Starbuck Posted January 16, 2011 Posted January 16, 2011 Hi shawnh, Ok no worries at the moment. Remove your copy of OTL as described and get a fresh copy so that I can have some up-to-date reports. As you have run Otl before, please make sure: Under Extra Registry section, select Use SafeList, or we won't get the extras.txt produced. Thanks Quote Member of:UNITE
shawnh Posted March 25, 2011 Author Posted March 25, 2011 Awfully sorry for the long absence Starbuck, got waylayed on a lengthy project :-( I've attached the two output files from the OTL run. Thank you! OTL logfile created on: 3/24/2011 9:55:48 PM - Run 2 OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Moe\Desktop Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 7.0.5730.11) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 767.00 Mb Total Physical Memory | 472.00 Mb Available Physical Memory | 62.00% Memory free 2.00 Gb Paging File | 2.00 Gb Available in Paging File | 90.00% Paging File free Paging file location(s): C:\pagefile.sys 1152 2304 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINXP | %ProgramFiles% = C:\Program Files Drive C: | 27.95 Gb Total Space | 5.56 Gb Free Space | 19.89% Space Free | Partition Type: NTFS Computer Name: N-66I8K7FUN69C1 | User Name: Moe | Logged in as Administrator. Boot Mode: Normal | Scan Mode: Current user Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2011/03/24 21:54:21 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Moe\Desktop\OTL.exe PRC - [2010/12/08 14:11:32 | 000,374,152 | ---- | M] (LogMeIn, Inc.) 
-- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe PRC - [2007/12/05 06:18:59 | 000,594,600 | ---- | M] ( ) -- C:\WINXP\system32\lxdncoms.exe PRC - [2007/06/13 07:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINXP\explorer.exe PRC - [2006/05/15 19:29:52 | 005,627,904 | ---- | M] (D-Link) -- C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\wirelesscm.exe PRC - [2006/03/21 11:30:26 | 000,368,724 | ---- | M] (Atheros) -- C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe PRC - [2002/09/20 15:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe PRC - [2001/10/03 21:21:52 | 000,065,536 | ---- | M] (America Online, Inc.) -- C:\WINXP\wanmpsvc.exe ========== Modules (SafeList) ========== MOD - [2011/03/24 21:54:21 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Moe\Desktop\OTL.exe MOD - [2006/08/25 12:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINXP\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll ========== Win32 Services (SafeList) ========== SRV - File not found [Disabled | Stopped] -- -- (r_server) SRV - File not found [Auto | Stopped] -- -- (PEVSystemStart) SRV - File not found [Disabled | Stopped] -- -- (HidServ) SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt) SRV - [2011/01/16 20:33:25 | 000,136,584 | ---- | M] (LogMeIn, Inc.) [Auto | Stopped] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint) SRV - [2011/01/16 20:32:58 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Auto | Stopped] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn) SRV - [2010/12/08 14:11:32 | 000,374,152 | ---- | M] (LogMeIn, Inc.) 
[Auto | Running] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc) SRV - [2009/02/16 00:10:22 | 002,402,184 | ---- | M] (Check Point Software Technologies LTD) [Auto | Stopped] -- C:\WINXP\System32\ZoneLabs\vsmon.exe -- (vsmon) SRV - [2007/12/05 06:18:59 | 000,594,600 | ---- | M] ( ) [Auto | Running] -- C:\WINXP\System32\lxdncoms.exe -- (lxdn_device) SRV - [2007/12/05 06:18:53 | 000,098,984 | ---- | M] () [Auto | Stopped] -- C:\WINXP\System32\spool\DRIVERS\W32X86\3\\lxdnserv.exe -- (lxdnCATSCustConnectService) SRV - [2006/03/21 11:30:26 | 000,368,724 | ---- | M] (Atheros) [Auto | Running] -- C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe -- (ACS) SRV - [2005/06/17 23:30:32 | 000,184,320 | ---- | M] (V Communications, Inc.) [Disabled | Stopped] -- C:\Program Files\VCOM\Fix-It\MXTASK.exe -- (Fix-It Task Manager) SRV - [2004/08/04 04:56:46 | 000,006,656 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv) SRV - [2002/09/20 15:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default)) SRV - [2001/10/03 21:21:52 | 000,065,536 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\WINXP\wanmpsvc.exe -- (WANMiniportService) WAN Miniport (ATW) ========== Driver Services (SafeList) ========== DRV - [2011/01/16 20:32:36 | 000,083,360 | ---- | M] (LogMeIn, Inc.) 
[File_System | Disabled | Stopped] -- C:\WINXP\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP) DRV - [2010/02/23 10:51:48 | 000,025,704 | ---- | M] (Wondershare) [Kernel | On_Demand | Stopped] -- C:\WINXP\system32\drivers\WsAudio_DeviceS(5).sys -- (WsAudio_DeviceS(5)) WsAudio_DeviceS(5) DRV - [2010/02/23 10:51:48 | 000,025,704 | ---- | M] (Wondershare) [Kernel | On_Demand | Stopped] -- C:\WINXP\system32\drivers\WsAudio_DeviceS(4).sys -- (WsAudio_DeviceS(4)) WsAudio_DeviceS(4) DRV - [2010/02/23 10:51:48 | 000,025,704 | ---- | M] (Wondershare) [Kernel | On_Demand | Stopped] -- C:\WINXP\system32\drivers\WsAudio_DeviceS(3).sys -- (WsAudio_DeviceS(3)) WsAudio_DeviceS(3) DRV - [2010/02/23 10:51:48 | 000,025,704 | ---- | M] (Wondershare) [Kernel | On_Demand | Stopped] -- C:\WINXP\system32\drivers\WsAudio_DeviceS(2).sys -- (WsAudio_DeviceS(2)) WsAudio_DeviceS(2) DRV - [2009/06/30 10:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINXP\system32\drivers\pavboot.sys -- (pavboot) DRV - [2009/04/23 16:51:18 | 000,016,640 | ---- | M] (Wondershare) [Kernel | On_Demand | Stopped] -- C:\WINXP\system32\drivers\WsAudio_DeviceS(1).sys -- (WsAudio_DeviceS(1)) WsAudio_DeviceS(1) DRV - [2009/02/16 00:10:26 | 000,353,672 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINXP\system32\vsdatant.sys -- (vsdatant) DRV - [2008/12/11 22:32:42 | 000,148,496 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINXP\system32\drivers\klif.sys -- (KLIF) DRV - [2008/11/17 02:24:00 | 000,051,688 | ---- | M] (Check Point Software Technologies LTD) [Kernel | Boot | Running] -- C:\WINXP\system32\ZoneLabs\srescan.sys -- (srescan) DRV - [2008/08/11 13:41:00 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINXP\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver) DRV - [2008/08/11 13:41:00 | 000,012,856 | ---- | M] (LogMeIn, Inc.) 
[Kernel | Auto | Stopped] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo) DRV - [2008/02/29 17:08:08 | 000,024,840 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINXP\System32\drivers\swmsflt.sys -- (swmsflt) DRV - [2006/05/19 18:16:24 | 000,002,560 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINXP\System32\drivers\cdralw2k.sys -- (Cdralw2k) DRV - [2006/05/19 18:16:24 | 000,002,432 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINXP\System32\drivers\cdr4_xp.sys -- (Cdr4_xp) DRV - [2006/05/16 02:37:44 | 000,999,968 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINXP\system32\drivers\ar5416.sys -- (AR5416) DRV - [2005/06/17 23:30:32 | 000,051,212 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\VCOM\Fix-It\mxDisk.sys -- (mxDisk) DRV - [2004/02/23 09:40:38 | 000,014,976 | ---- | M] (CMS Peripherals, Inc.) [Kernel | Auto | Running] -- C:\WINXP\system32\drivers\portd2k.sys -- (portD) DRV - [2003/11/13 22:47:00 | 000,640,000 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINXP\system32\drivers\ati2mtag.sys -- (ati2mtag) DRV - [2003/11/08 03:00:02 | 001,063,040 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINXP\system32\drivers\HSF_DP.sys -- (HSF_DP) DRV - [2003/11/08 03:00:02 | 000,631,296 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINXP\system32\drivers\HSF_CNXT.sys -- (winachsf) DRV - [2003/11/08 03:00:02 | 000,196,352 | ---- | M] (Conexant Systems, Inc.) 
[Kernel | On_Demand | Running] -- C:\WINXP\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2) DRV - [2001/08/17 13:28:10 | 000,542,879 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINXP\system32\drivers\hsf_msft.sys -- (hsf_msft) DRV - [2001/08/17 13:28:10 | 000,057,471 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINXP\system32\drivers\hsf_samp.sys -- (Rksample) DRV - [2001/08/17 13:28:04 | 000,067,167 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINXP\system32\drivers\hsf_bsc2.sys -- (basic2) DRV - [2001/08/16 22:20:34 | 000,028,396 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINXP\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/ IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr8/*http://www.yahoo.com/ext/search/search.html IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINXP\system32\blank.htm IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = 
[binary data] IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local> IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = <local> ========== FireFox ========== FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/19 17:32:05 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/06 20:46:43 | 000,000,000 | ---D | M] [2009/07/27 20:56:52 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Moe\Application Data\Mozilla\Extensions [2009/07/27 20:56:52 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Moe\Application Data\Mozilla\Extensions\xulapp@opencube.com [2011/03/23 13:35:59 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Moe\Application Data\Mozilla\Firefox\Profiles\aohl84rx.default\extensions [2009/07/10 12:51:34 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Moe\Application Data\Mozilla\Firefox\Profiles\aohl84rx.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} [2009/05/06 09:57:04 | 000,000,000 | ---D | M] (ReloadEvery) -- C:\Documents and Settings\Moe\Application Data\Mozilla\Firefox\Profiles\aohl84rx.default\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644} [2010/06/23 14:45:24 | 000,000,000 | ---D | M] (LogMeIn, Inc. 
Remote Access Plugin) -- C:\Documents and Settings\Moe\Application Data\Mozilla\Firefox\Profiles\aohl84rx.default\extensions\LogMeInClient@logmein.com
[2011/02/09 02:33:32 | 000,000,000 | ---D | M] (GraphOn GO-Global) -- C:\Documents and Settings\Moe\Application Data\Mozilla\Firefox\Profiles\aohl84rx.default\extensions\support@graphon.com
[2011/03/23 21:15:56 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/01/16 20:41:47 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/03/05 01:34:57 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/03/05 01:33:49 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2009/05/21 10:27:44 | 000,001,457 | ---- | M]) - C:\WINXP\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {71AAABE5-1F0F-11D7-BD6F-004854603DCE} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [ATIModeChange] C:\WINXP\System32\Ati2mdxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [PrinTray] C:\WINXP\system32\spool\drivers\w32x86\3\printray.exe (Lexmark)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - Startup: C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\Startup\Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\wirelesscm.exe (D-Link)
O4 - Startup: C:\Documents and Settings\Moe\Start Menu\Programs\Startup\Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O9 - Extra Button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\Icq.exe (ICQ Inc.)
O9 - Extra 'Tools' menuitem : ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\Icq.exe (ICQ Inc.)
O9 - Extra Button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe ()
O9 - Extra 'Tools' menuitem : Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINXP\system32\nwprovau.dll (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: logmein.com ([secure] https in Trusted sites)
O15 - HKCU\..Trusted Domains: plentyoffish.com ([www] http in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINXP\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINXP\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper: C:\WINXP\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINXP\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/04/08 23:47:00 | 000,000,018 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/11/20 20:36:58 | 000,000,000 | ---D | M] - C:\autoresponder -- [ NTFS ]
O32 - AutoRun File - [2009/10/13 16:51:20 | 000,000,000 | ---D | M] - C:\AutoResponsePlus -- [ NTFS ]
O33 - MountPoints2\{84dada70-46d4-11e0-b00a-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{84dada70-46d4-11e0-b00a-00038a000015}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{84dada70-46d4-11e0-b00a-00038a000015}\Shell\AutoRun\command - "" = E:\WIN\setup.exe
O33 - MountPoints2\{932095b1-1f1b-11de-9eaa-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{932095b1-1f1b-11de-9eaa-00038a000015}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{932095b1-1f1b-11de-9eaa-00038a000015}\Shell\AutoRun\command - "" = C:\WINXP\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AppLaunch.exe AUTORUN=1
O33 - MountPoints2\{a7e2caf0-59c7-11de-af91-00179a446a75}\Shell\AutoRun\command - "" = E:\CDGO.exe
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\WIN\setup.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2100/02/08 16:03:54 | 000,053,248 | ---- | C] (Silitek Corp.)
-- C:\Program Files\ACMonitor_X73.exe [2012/04/13 17:21:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Moe\Start Menu\Programs\Push-Button Option Trader [2012/04/13 17:21:09 | 000,000,000 | ---D | C] -- C:\Program Files\Push-Button Option Trader [2011/03/24 21:54:21 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Moe\Desktop\OTL.exe [2011/03/24 21:00:03 | 000,000,000 | --SD | C] -- C:\Combo-Fix15942C [2011/03/16 18:27:25 | 000,000,000 | ---D | C] -- C:\Pat [2011/03/10 20:50:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Moe\Local Settings\Application Data\PowerLeadsPro [2011/03/10 20:47:18 | 000,000,000 | ---D | C] -- C:\MarcSchildmann [2011/03/10 12:19:32 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Moe\Recent [2011/03/05 01:40:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Moe\Start Menu\Programs\Interactive Brokers [2011/03/05 01:34:52 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINXP\System32\javacpl.cpl [2011/03/05 01:34:51 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINXP\System32\javaws.exe [2011/03/05 01:34:51 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINXP\System32\javaw.exe [2011/03/05 01:34:51 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) 
-- C:\WINXP\System32\java.exe [2011/03/05 01:18:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINXP\Application Data\McAfee [2011/03/02 16:45:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Moe\My Documents\Mikogo [2009/04/20 16:06:15 | 000,262,144 | ---- | C] (ZoneAlarm) -- C:\Program Files\Uninstall Spy Blocker.dll [2008/09/25 18:37:57 | 000,438,272 | ---- | C] ( ) -- C:\WINXP\System32\LXDNhcp.dll [2008/09/25 18:37:56 | 000,364,544 | ---- | C] ( ) -- C:\WINXP\System32\lxdninpa.dll [2008/09/25 18:37:56 | 000,339,968 | ---- | C] ( ) -- C:\WINXP\System32\lxdniesc.dll [2008/09/25 18:37:55 | 001,101,824 | ---- | C] ( ) -- C:\WINXP\System32\lxdnserv.dll [2008/09/25 18:37:55 | 000,843,776 | ---- | C] ( ) -- C:\WINXP\System32\lxdnusb1.dll [2008/09/25 18:37:54 | 000,647,168 | ---- | C] ( ) -- C:\WINXP\System32\lxdnpmui.dll [2008/09/25 18:37:54 | 000,569,344 | ---- | C] ( ) -- C:\WINXP\System32\lxdnlmpm.dll [2008/09/25 18:37:54 | 000,053,248 | ---- | C] ( ) -- C:\WINXP\System32\lxdnprox.dll [2008/09/25 18:37:52 | 000,320,168 | ---- | C] ( ) -- C:\WINXP\System32\lxdnih.exe [2008/09/25 18:37:51 | 000,663,552 | ---- | C] ( ) -- C:\WINXP\System32\lxdnhbn3.dll [2008/09/25 18:37:49 | 000,851,968 | ---- | C] ( ) -- C:\WINXP\System32\lxdncomc.dll [2008/09/25 18:37:49 | 000,594,600 | ---- | C] ( ) -- C:\WINXP\System32\lxdncoms.exe [2008/09/25 18:37:49 | 000,376,832 | ---- | C] ( ) -- C:\WINXP\System32\lxdncomm.dll [2008/09/25 18:37:48 | 000,365,224 | ---- | C] ( ) -- C:\WINXP\System32\lxdncfg.exe ========== Files - Modified Within 30 Days ========== [2011/03/24 21:54:21 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Moe\Desktop\OTL.exe [2011/03/24 21:47:40 | 000,350,210 | ---- | M] () -- C:\WINXP\System32\vsconfig.xml [2011/03/24 21:47:36 | 000,013,002 | ---- | M] () -- C:\WINXP\System32\wpa.dbl [2011/03/24 21:47:10 | 000,000,876 | ---- | M] () -- C:\WINXP\tasks\GoogleUpdateTaskMachineCore.job [2011/03/24 21:46:50 | 
000,002,048 | --S- | M] () -- C:\WINXP\bootstat.dat [2011/03/24 21:05:13 | 1899,063,072 | -HS- | M] () -- C:\WINXP\System32\drivers\fidbox.dat [2011/03/24 20:58:56 | 004,301,706 | R--- | M] () -- C:\Documents and Settings\Moe\Desktop\Combo-Fix.exe [2011/03/24 20:11:00 | 000,000,880 | ---- | M] () -- C:\WINXP\tasks\GoogleUpdateTaskMachineUA.job [2011/03/24 19:57:42 | 025,430,480 | -HS- | M] () -- C:\WINXP\System32\drivers\fidbox.idx [2011/03/24 01:58:46 | 000,001,437 | ---- | M] () -- C:\WINXP\ydownloaderlibpr.INI [2011/03/21 01:20:03 | 000,000,472 | ---- | M] () -- C:\WINXP\tasks\Ad-Aware Update (Weekly).job [2011/03/13 12:41:30 | 000,434,676 | ---- | M] () -- C:\WINXP\System32\perfh009.dat [2011/03/13 12:41:30 | 000,068,750 | ---- | M] () -- C:\WINXP\System32\perfc009.dat [2011/03/11 18:05:23 | 000,000,416 | RHS- | M] () -- C:\boot.ini [2011/03/05 01:40:19 | 000,001,617 | ---- | M] () -- C:\Documents and Settings\All Users.WINXP\Desktop\Trader Workstation 4.0.LNK [2011/03/05 01:39:47 | 000,000,043 | ---- | M] () -- C:\WINXP\ib.ini [2011/03/05 01:39:45 | 000,000,485 | ---- | M] () -- C:\Documents and Settings\Moe\Start Menu\Programs\Startup\Check for TWS Updates.lnk [2011/03/05 01:33:46 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINXP\System32\deployJava1.dll [2011/03/05 01:33:46 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINXP\System32\javaws.exe [2011/03/05 01:33:46 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINXP\System32\javaw.exe [2011/03/05 01:33:46 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINXP\System32\java.exe [2011/03/05 01:33:46 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) 
-- C:\WINXP\System32\javacpl.cpl ========== Files Created - No Company Name ========== [2100/02/23 14:35:34 | 000,000,768 | ---- | C] () -- C:\Program Files\x73_lut.dat [2100/02/08 15:53:34 | 000,001,437 | ---- | C] () -- C:\Program Files\gtx73.ini [2011/03/05 01:40:19 | 000,001,617 | ---- | C] () -- C:\Documents and Settings\All Users.WINXP\Desktop\Trader Workstation 4.0.LNK [2011/03/05 01:39:45 | 000,000,485 | ---- | C] () -- C:\Documents and Settings\Moe\Start Menu\Programs\Startup\Check for TWS Updates.lnk [2011/03/05 01:39:44 | 000,000,473 | ---- | C] () -- C:\Documents and Settings\Moe\Start Menu\Programs\Check for TWS Updates.lnk [2011/01/24 02:06:10 | 000,256,512 | ---- | C] () -- C:\WINXP\PEV.exe [2011/01/24 02:06:10 | 000,098,816 | ---- | C] () -- C:\WINXP\sed.exe [2011/01/24 02:06:10 | 000,089,088 | ---- | C] () -- C:\WINXP\MBR.exe [2011/01/24 02:06:10 | 000,080,412 | ---- | C] () -- C:\WINXP\grep.exe [2011/01/24 02:06:10 | 000,068,096 | ---- | C] () -- C:\WINXP\zip.exe [2011/01/16 20:17:42 | 000,102,400 | ---- | C] () -- C:\WINXP\RegBootClean.exe [2011/01/16 01:56:03 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Moe\Local Settings\Application Data\housecall.guid.cache [2011/01/11 18:18:28 | 000,001,437 | ---- | C] () -- C:\WINXP\ydownloaderlibpr.INI [2010/02/17 19:30:53 | 000,000,026 | ---- | C] () -- C:\WINXP\refsdm.dll [2010/02/17 18:29:09 | 000,000,299 | ---- | C] () -- C:\WINXP\winsrvm.dll [2010/02/17 18:29:09 | 000,000,001 | ---- | C] () -- C:\WINXP\dwatson.dll [2010/02/17 18:13:55 | 000,000,006 | ---- | C] () -- C:\WINXP\client.dll [2010/02/17 18:13:53 | 000,000,019 | ---- | C] () -- C:\WINXP\MCLDR.dll [2010/02/15 00:50:49 | 000,253,952 | ---- | C] () -- C:\WINXP\ddedll.dll [2009/12/17 19:14:30 | 000,000,070 | ---- | C] () -- C:\WINXP\MediaManager.INI [2009/12/17 17:53:02 | 000,007,207 | R--- | C] () -- C:\WINXP\Disktool.INI [2009/12/17 17:53:02 | 000,006,399 | R--- | C] () -- C:\WINXP\fwupgrade.ini [2009/12/17 17:53:02 | 000,003,677 | 
R--- | C] () -- C:\WINXP\PlaySnd.INI [2009/05/24 14:36:13 | 1899,063,072 | -HS- | C] () -- C:\WINXP\System32\drivers\fidbox.dat [2009/04/15 23:19:12 | 000,000,000 | ---- | C] () -- C:\WINXP\nsreg.dat [2009/03/31 15:37:34 | 000,000,056 | -H-- | C] () -- C:\WINXP\System32\ezsidmv.dat [2008/11/02 19:10:45 | 000,000,043 | ---- | C] () -- C:\WINXP\ib.ini [2008/11/02 05:00:33 | 000,000,664 | ---- | C] () -- C:\WINXP\System32\d3d9caps.dat [2008/09/25 18:48:51 | 000,040,960 | ---- | C] () -- C:\WINXP\System32\lxdnvs.dll [2008/09/25 18:48:43 | 000,348,160 | ---- | C] () -- C:\WINXP\System32\lxdncoin.dll [2008/09/25 18:46:36 | 000,782,336 | ---- | C] () -- C:\WINXP\System32\lxdndrs.dll [2008/09/25 18:46:36 | 000,081,920 | ---- | C] () -- C:\WINXP\System32\lxdncaps.dll [2008/09/25 18:46:35 | 000,069,632 | ---- | C] () -- C:\WINXP\System32\lxdncnv4.dll [2008/09/25 18:44:24 | 000,012,288 | ---- | C] () -- C:\WINXP\System32\LXF3PMRC.DLL [2008/09/25 18:38:20 | 000,000,044 | ---- | C] () -- C:\WINXP\System32\lxdnrwrd.ini [2008/09/25 18:37:57 | 000,348,160 | ---- | C] () -- C:\WINXP\System32\LXDNinst.dll [2008/09/25 18:37:51 | 000,208,896 | ---- | C] () -- C:\WINXP\System32\lxdngrd.dll [2008/02/29 17:08:08 | 000,024,840 | ---- | C] () -- C:\WINXP\System32\drivers\swmsflt.sys [2008/02/15 14:42:12 | 000,027,136 | ---- | C] () -- C:\WINXP\toFront.dll [2008/02/15 14:42:12 | 000,026,624 | ---- | C] () -- C:\WINXP\GetIe.dll [2007/03/13 23:32:48 | 000,000,035 | ---- | C] () -- C:\WINXP\LMDUJBQ.INI [2007/01/01 00:37:18 | 000,000,038 | ---- | C] () -- C:\WINXP\iltwain.ini [2006/09/06 08:44:27 | 000,000,182 | ---- | C] () -- C:\WINXP\System32\EBPPORT.DAT [2006/07/18 18:54:01 | 000,000,144 | ---- | C] () -- C:\WINXP\gvcasinos.ini [2006/06/20 15:39:07 | 000,000,053 | ---- | C] () -- C:\WINXP\zbj22.ini [2006/04/10 12:18:12 | 000,008,784 | ---- | C] () -- C:\WINXP\System32\ractrlkeyhook.dll [2006/03/21 14:11:58 | 000,000,000 | ---- | C] () -- C:\WINXP\VPC32.INI [2005/11/08 21:25:12 | 000,107,520 
| ---- | C] () -- C:\WINXP\System32\UnCasino5.exe [2005/10/28 15:25:47 | 000,000,059 | ---- | C] () -- C:\WINXP\ANS2000.INI [2005/10/28 15:25:47 | 000,000,020 | -H-- | C] () -- C:\WINXP\akebook.ini [2005/10/28 15:25:47 | 000,000,004 | -H-- | C] () -- C:\WINXP\a3kebook.ini [2005/09/24 00:03:41 | 000,000,227 | ---- | C] () -- C:\WINXP\ARKS-FAC.INI [2005/09/24 00:03:35 | 000,000,000 | ---- | C] () -- C:\WINXP\ARK-LOCK.DAT [2005/08/12 18:57:09 | 003,596,288 | ---- | C] () -- C:\WINXP\System32\qt-dx331.dll [2005/07/11 22:00:06 | 000,040,960 | ---- | C] () -- C:\WINXP\uneng.exe [2005/07/03 01:17:31 | 000,003,134 | ---- | C] () -- C:\WINXP\cdplayer.ini [2005/06/22 17:56:20 | 000,072,192 | ---- | C] () -- C:\WINXP\System32\zlib.dll [2005/06/21 21:17:52 | 000,000,052 | ---- | C] () -- C:\WINXP\winros.ini [2005/06/20 22:58:52 | 000,004,569 | ---- | C] () -- C:\WINXP\System32\secupd.dat [2005/06/19 23:54:46 | 000,001,252 | ---- | C] () -- C:\WINXP\ODBC.INI [2005/06/19 23:54:30 | 000,000,037 | ---- | C] () -- C:\WINXP\Server.INI [2005/06/15 19:46:12 | 000,000,043 | ---- | C] () -- C:\WINXP\WALLSTRT.INI [2005/06/14 22:04:16 | 000,000,000 | ---- | C] () -- C:\WINXP\OPPRIN~1.INI [2005/06/08 19:00:00 | 000,360,448 | ---- | C] () -- C:\WINXP\System32\fmtkit60.dll [2005/06/06 14:21:01 | 000,000,064 | ---- | C] () -- C:\WINXP\eFaxView.ini [2005/06/03 19:55:53 | 000,032,768 | ---- | C] () -- C:\WINXP\BBUninstall.exe [2005/05/30 15:24:35 | 000,000,044 | ---- | C] () -- C:\WINXP\System32\msssc.dll [2005/05/30 00:52:14 | 000,000,061 | ---- | C] () -- C:\WINXP\URLPROXY.INI [2005/05/26 19:33:18 | 000,004,212 | -H-- | C] () -- C:\WINXP\System32\zllictbl.dat [2005/05/26 19:19:41 | 000,058,880 | ---- | C] () -- C:\Documents and Settings\Moe\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2005/05/26 19:03:18 | 000,002,048 | --S- | C] () -- C:\WINXP\bootstat.dat [2005/05/26 18:54:14 | 000,021,640 | ---- | C] () -- C:\WINXP\System32\emptyregdb.dat [2005/05/26 14:07:51 | 
000,004,073 | ---- | C] () -- C:\WINXP\ODBCINST.INI [2005/05/26 14:06:09 | 000,134,872 | ---- | C] () -- C:\WINXP\System32\FNTCACHE.DAT [2005/05/26 14:01:09 | 000,000,006 | ---- | C] () -- C:\WINXP\System32\rasmon.bin [2005/05/26 14:01:09 | 000,000,004 | -H-- | C] () -- C:\WINXP\System32\ddefact.bin [2003/11/13 22:38:26 | 000,086,016 | ---- | C] () -- C:\WINXP\System32\ati2evxx.dll [2003/11/13 22:36:54 | 000,385,024 | ---- | C] () -- C:\WINXP\System32\ati2evxx.exe [2003/06/10 15:03:38 | 000,029,600 | ---- | C] () -- C:\WINXP\System32\mxntdfg.exe [2002/09/18 01:45:00 | 000,119,808 | ---- | C] () -- C:\WINXP\lsb_un20.exe [2002/03/10 18:36:14 | 000,012,288 | ---- | C] () -- C:\WINXP\System32\impborl.dll [2001/10/12 07:42:52 | 000,032,768 | ---- | C] () -- C:\WINXP\System32\LXARICO.DLL [2001/10/12 07:42:50 | 000,000,643 | ---- | C] () -- C:\WINXP\LEXSTAT.INI [2001/08/18 11:00:00 | 013,107,200 | ---- | C] () -- C:\WINXP\System32\oembios.bin [2001/08/18 11:00:00 | 000,673,088 | ---- | C] () -- C:\WINXP\System32\mlang.dat [2001/08/18 11:00:00 | 000,434,676 | ---- | C] () -- C:\WINXP\System32\perfh009.dat [2001/08/18 11:00:00 | 000,272,128 | ---- | C] () -- C:\WINXP\System32\perfi009.dat [2001/08/18 11:00:00 | 000,218,003 | ---- | C] () -- C:\WINXP\System32\dssec.dat [2001/08/18 11:00:00 | 000,068,750 | ---- | C] () -- C:\WINXP\System32\perfc009.dat [2001/08/18 11:00:00 | 000,046,258 | ---- | C] () -- C:\WINXP\System32\mib.bin [2001/08/18 11:00:00 | 000,028,626 | ---- | C] () -- C:\WINXP\System32\perfd009.dat [2001/08/18 11:00:00 | 000,004,461 | ---- | C] () -- C:\WINXP\System32\oembios.dat [2001/08/18 11:00:00 | 000,001,788 | ---- | C] () -- C:\WINXP\System32\dcache.bin [2001/08/18 11:00:00 | 000,000,741 | ---- | C] () -- C:\WINXP\System32\noise.dat [2001/07/20 10:48:06 | 000,008,116 | ---- | C] () -- C:\Program Files\OSLO3071b2.USB [2001/01/18 15:55:22 | 000,131,584 | ---- | C] () -- C:\WINXP\System32\Ptlic32.exe [2000/12/05 15:56:34 | 000,114,688 | ---- | C] () -- 
C:\Program Files\lxarscan.dll
[2000/01/11 12:50:48 | 000,000,047 | ---- | C] () -- C:\Program Files\ACMonitor_X73.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:0B174FAE

< End of report >

OTL Extras logfile created on: 3/24/2011 9:55:48 PM - Run 2
OTL by OldTimer - Version 3.2.22.3     Folder = C:\Documents and Settings\Moe\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

767.00 Mb Total Physical Memory | 472.00 Mb Available Physical Memory | 62.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINXP | %ProgramFiles% = C:\Program Files
Drive C: | 27.95 Gb Total Space | 5.56 Gb Free Space | 19.89% Space Free | Partition Type: NTFS

Computer Name: N-66I8K7FUN69C1 | User Name: Moe | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\Winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\Winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\Winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\ICQ\Icq.exe" = C:\Program Files\ICQ\Icq.exe:*:Enabled:ICQ -- (ICQ Inc.)
"C:\Program Files\IBP 10\IBP.exe" = C:\Program Files\IBP 10\IBP.exe:*:Enabled:Internet Business Promoter (IBP) -- (Axandra GmbH)
"C:\WINXP\system32\lxdncoms.exe" = C:\WINXP\system32\lxdncoms.exe:*:Enabled:Lexmark Communications System -- ( )
"C:\Program Files\Lexmark 2600 Series\lxdnamon.exe" = C:\Program Files\Lexmark 2600 Series\lxdnamon.exe:*:Enabled:Lexmark Device Monitor -- ()
"C:\Program Files\Lexmark 2600 Series\frun.exe" = C:\Program Files\Lexmark 2600 Series\frun.exe:*:Enabled:Lexmark Productivity Studio -- ()
"C:\Program Files\Lexmark 2600 Series\lxdnmon.exe" = C:\Program Files\Lexmark 2600 Series\lxdnmon.exe:*:Enabled:Printer Device Monitor -- ()
"C:\WINXP\system32\spool\drivers\w32x86\3\lxdnpswx.exe" = C:\WINXP\system32\spool\drivers\w32x86\3\lxdnpswx.exe:*:Enabled:Printer Status Window Interface -- ()
"C:\WINXP\system32\spool\drivers\w32x86\3\lxdntime.exe" = C:\WINXP\system32\spool\drivers\w32x86\3\lxdntime.exe:*:Enabled:Lexmark Connect Time Executable -- (Lexmark International, Inc.)
"C:\WINXP\system32\spool\drivers\w32x86\3\lxdnjswx.exe" = C:\WINXP\system32\spool\drivers\w32x86\3\lxdnjswx.exe:*:Enabled:Job Status Window Interface -- ()
"C:\Program Files\Lexmark 2600 Series\lxdnlscn.exe" = C:\Program Files\Lexmark 2600 Series\lxdnlscn.exe:*:Enabled: -- ()
"C:\WINXP\system32\ZoneLabs\vsmon.exe" = C:\WINXP\system32\ZoneLabs\vsmon.exe:*:Enabled:TrueVector Service -- (Check Point Software Technologies LTD)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AIM -- (AOL Inc.)
========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "[web:reg] Unit root test (ADF-test)_is1" = [web:reg] Unit root test (ADF-test) Add In 0.9 "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 "{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime "{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT "{26A24AE4-039D-4CA4-87B4-2F83216024FF}" = Java 6 Update 24 "{2AD738DC-FC24-4342-A2DA-BB6DCCF6B048}" = Jing "{34F93E31-E1A0-421C-8E86-BCF7C4193A91}" = LogMeIn "{3E5CBADD-2E51-47C1-BBE2-B802DB6DA56A}" = MT4 ECN powered by ATC Brokers 4.00 "{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{6F6F39E3-D24D-4EEE-9AEA-DEDAF991385D}" = D-Link RangeBooster N DWA-642 "{72263053-50D1-4598-9502-51ED64E54C51}" = Borland Delphi 7 "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 "{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003 "{91FA5123-41A2-401D-9A60-7A0E075A9A5E}" = Roulette Sniper Version 2.0 "{930B2432-43D4-11D5-9871-00C04F8EEB39}" = Macromedia Fireworks MX "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting "{95632566-071E-4A02-92C1-4BD907065736}" = BounceBack Express "{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI "{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2 "{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = 
Windows Live Messenger "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper "{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3 Lite "{AF9C41C1-EC1D-4FCD-9C5D-1AFEFCB67CD1}" = VCOM Fix-It Utilities 5 "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2 "{C1939820-A945-11D4-86F6-0001031E5712}" = InterVideo WinDVD "{C8811335-8B3B-4BC4-AD47-3A8AC1AD407B}" = Visual CSS QuickMenu "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{E0233B01-BE70-4D0B-8B69-64331593535C}" = eBook Pro Viewer 5.54 "{EB900AF8-CC61-4E15-871B-98D1EA3E8025}" = QuickTime "{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform "{EFE356A6-91C3-450F-A469-504ACA655A7A}_is1" = PADGen 3.1.0.41 "{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard "{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729) "{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01 "{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call "{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 "{FFF3BAB1-9E90-4039-BB17-64CC7125DFDB}" = FXDD "ActiveScan 2.0" = Panda ActiveScan 2.0 "Adobe AIR" = Adobe AIR "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin "Adobe Shockwave Player" = Adobe Shockwave Player 11.5 "AIM_7" = AIM 7 "All ATI Software" = ATI - Software Uninstall Utility "ATI Display Driver" = ATI Display Driver "AutoHotkey" = AutoHotkey 1.0.47.03 "Canon Digital Camera USB Driver" = Canon Digital Camera USB Driver "CCleaner" = CCleaner "Club Player Casino" = Club Player Casino "Compare and Merge_is1" = Compare and Merge 2.3 "GoFTP_is1" = GoFTP v2 "Good Keywords v2.01_is1" = Good Keywords v2.01.100107 "HijackThis" = HijackThis 2.0.2 "IBP10_is1" = IBP 10.0.3 "ICQ" 
= ICQ
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{0C60AA8A-6BC0-4F0B-AB04-A96F2709BE48}" = TradeStation 8.0 (Build 1869)
"InstallShield_{40ABF1E0-8B6F-4D32-B343-E19FA2F04B3C}" = StuffIt Standard
"InstallShield_{50987EA3-6641-4E36-814F-4F2EEE4D12FE}" = ValidMate
"InstallShield_{59B847F6-CA9D-4957-89C7-A0CB911FE6CC}" = TradeStation 8.1 (Build 2172)
"install-us" = install-us 2007 (Rev.1)
"Lexmark 2600 Series" = Lexmark 2600 Series
"ListMate Express DEMO" = ListMate Express DEMO 4.81
"ListMate Pro PLATINUM" = ListMate Pro PLATINUM 2.01
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.2)" = Mozilla Firefox (3.6.2)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MTReport 4.0" = MTReport 4.0
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NNSTP-2" = NNSTP-2
"OmniCasinoV8" = Omni Casino
"PairsTrade Gold Edition" = PairsTrade Gold Edition 1.0
"PC Guard for Win32 V5_is1" = PC Guard for Win32 V5.02.0360
"RealVNC_is1" = VNC Free Edition 4.1.1
"RemoteCapture" = Canon Utilities RemoteCapture 1.3
"Sage Blackjack Shareware" = Sage Blackjack Shareware
"SMAP-2" = SMAP-2
"SMAP-3" = SMAP-3
"Smart Defrag_is1" = Smart Defrag 1.11
"ST6UNST #1" = Push-Button Option Trader
"Teleport Ultra" = Teleport Ultra (Trial Version)
"Trader Workstation 4.0" = Trader Workstation 4.0
"Trellian SEO Toolkit_is1" = Trellian SEO Toolkit v2.0
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"WIC" = Windows Imaging Component
"Winamp" = Winamp
"winbj.exe" = winbj.exe
"WinClear_is1" = WinClear v2.0
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinPoker6" = WinPoker 6
"WinRAR archiver" = WinRAR archiver
"winusb0100" = Microsoft WinUsb 1.0
"WinZip Self-Extractor" = WinZip Self-Extractor
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01007" = Microsoft User-Mode Driver Framework Feature Pack 1.7
"Yahoo! Messenger" = Yahoo! Messenger
"ZoneAlarm" = ZoneAlarm
"ZoomBrowserEXDeInstall" = Canon Utilities ZoomBrowser EX

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"0362fcd94ca01b7e" = RBet32
"GoToMeeting" = GoToMeeting 4.5.0.457
"Omega Research ProSuite 2000i" = Omega Research ProSuite 2000i

========== Last 10 Event Log Errors ==========

[ System Events ]
Error - 3/24/2011 7:27:02 PM | Computer Name = N-66I8K7FUN69C1 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 3/24/2011 7:27:04 PM | Computer Name = N-66I8K7FUN69C1 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 3/24/2011 7:27:06 PM | Computer Name = N-66I8K7FUN69C1 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 3/24/2011 7:27:08 PM | Computer Name = N-66I8K7FUN69C1 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 3/24/2011 7:27:10 PM | Computer Name = N-66I8K7FUN69C1 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 3/24/2011 8:47:13 PM | Computer Name = N-66I8K7FUN69C1 | Source = Service Control Manager | ID = 7000
Description = The Lexmark X73 MFP Scanner service failed to start due to the following error: %%2

Error - 3/24/2011 8:47:13 PM | Computer Name = N-66I8K7FUN69C1 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the lxdnCATSCustConnectService service to connect.

Error - 3/24/2011 8:47:13 PM | Computer Name = N-66I8K7FUN69C1 | Source = Service Control Manager | ID = 7000
Description = The lxdnCATSCustConnectService service failed to start due to the following error: %%1053

Error - 3/24/2011 8:47:17 PM | Computer Name = N-66I8K7FUN69C1 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 3/24/2011 8:47:34 PM | Computer Name = N-66I8K7FUN69C1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load: Lbd

< End of report >

Cheers
Shawn

Attachments: OTL.Txt, Extras.Txt
Starbuck Posted March 25, 2011

Hi Shawn

This is slightly worrying:

Computer Name = N-66I8K7FUN69C1 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

It could be anything from a slight glitch to the hard drive about to fail. I'd recommend you back up any data you need, so that you are prepared.
There is also no sign of an Anti Virus program running!
You are also only running SP2 ...... why not SP3?

Step 1
Let's run a check on the Hard drive:
You can do this by running the Scandisk utility within Windows XP.
Click on My Computer
Right click on your main drive (usually 'C')
Select Properties
Click on the Tools tab
Under Error Checking.. Click Check Now
Tick the options that you require (I recommend that you tick both options)
Click Start
On the screen that comes up.. Click Yes then OK
Now restart your computer.
Note: Be patient. Analyzing the drive can be a lengthy process.

Step 2
Double click on OTL to run it.
Copy the lines in the codebox below. (make sure that :Otl is on the first line)

:otl
SRV - File not found [Disabled | Stopped] -- -- (r_server)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {71AAABE5-1F0F-11D7-BD6F-004854603DCE} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O33 - MountPoints2\{84dada70-46d4-11e0-b00a-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{84dada70-46d4-11e0-b00a-00038a000015}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{84dada70-46d4-11e0-b00a-00038a000015}\Shell\AutoRun\command - "" = E:\WIN\setup.exe
O33 - MountPoints2\{932095b1-1f1b-11de-9eaa-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{932095b1-1f1b-11de-9eaa-00038a000015}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{932095b1-1f1b-11de-9eaa-00038a000015}\Shell\AutoRun\command - "" = C:\WINXP\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AppLaunch.exe AUTORUN=1
O33 - MountPoints2\{a7e2caf0-59c7-11de-af91-00179a446a75}\Shell\AutoRun\command - "" = E:\CDGO.exe
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\WIN\setup.exe
@Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:0B174FAE
:Files
ipconfig /flushdns /c
:commands
[emptytemp]
[purity]
[RESETHOSTS]
[EMPTYFLASH]

Return to OTL, right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
Click the red Run Fix button.
http://img.photobucket.com/albums/v708/starbuck50/runfixbutton.png
OTL will reboot your system once the fix has completed.
After the reboot, you may need to double click OTL to launch the program and retrieve the log.
Copy and paste the contents of the OTL log that comes up after the fix in your next reply.
If you lose the report, there will be a copy here: C:\_OTL\MovedFiles

Step 3
Please update MBAM and run another scan:
Start MBAM
Click on the Update tab
http://img.photobucket.com/albums/v708/starbuck50/new/mbamnew.png
Click Check for Updates
The latest Database Version is: 6165
If it says that MBAM needs to close to update it... let it close and then restart.
If the program has been updated, you will need to run the 'Check for Updates' a second time to get the new database.
Then click the Scan button.
Don't forget:
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Step 4
You need to install an antivirus program as soon as you can and run a complete scan of the computer:
Avira AntiVir
Avast free
MS Security Essentials ... see note*
Install one of these, update the definitions and then run a full scan.
Let it quarantine/delete anything it finds.
Let me know if there is anything that it reports but cannot remove.
Note*: Upon installation MS Security Essentials will check that your OS is a legal copy.

In your next reply, please submit:
OTL fix report
MBAM scan report
and let me know about the Scandisk outcome and also which AV you installed.
Thanks.

Member of: UNITE
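The two things Starbuck picks out of the posted report, the repeated Disk bad-block errors and the MountPoints2 AutoRun command entries, are exactly what a helper scans an OTL log for by eye. As an added example (not part of this thread, and not code from OTL or Malwarebytes), the Python below parses OTL-style "Error - ..." event lines and "O33 - MountPoints2...\command" lines, counts bad-block errors per device so a failing drive stands out, lists service-start failures, and lists every autorun command so each can be checked against what the drive is expected to launch. The sample lines are constructed to mirror the format of the report above; the hostname LAB-PC and the ExampleScanner service name are placeholders.

```python
"""Triage helper for OTL-style log lines (added example; constructed sample input)."""
import re
from collections import Counter

# Event-log error line as OTL prints it, with the Description on the same line.
EVENT_RE = re.compile(
    r"Error - (?P<when>\S+ \S+ [AP]M) \| Computer Name = (?P<host>\S+) \| "
    r"Source = (?P<source>.+?) \| ID = (?P<id>\d+)\s+Description = (?P<desc>.*)"
)
# Disk source, event text for a bad block; the device path is what we count on.
BAD_BLOCK_RE = re.compile(r"The device, (?P<dev>.+?), has a bad block")
# Only the ...\Shell\AutoRun\command value actually names a program to run.
O33_RE = re.compile(
    r'O33 - MountPoints2\\(?P<key>[^\\]+)\\Shell\\AutoRun\\command - "" = (?P<cmd>.+)'
)
# Service Control Manager event IDs that mean a service or driver did not start.
SCM_FAILURE_IDS = {7000, 7009, 7026}

# Constructed sample modelled on the report format (hostname/service are placeholders).
SAMPLE = r"""
Error - 3/24/2011 7:27:02 PM | Computer Name = LAB-PC | Source = Disk | ID = 262151 Description = The device, \Device\Harddisk0\D, has a bad block.
Error - 3/24/2011 7:27:04 PM | Computer Name = LAB-PC | Source = Disk | ID = 262151 Description = The device, \Device\Harddisk0\D, has a bad block.
Error - 3/24/2011 7:27:06 PM | Computer Name = LAB-PC | Source = Disk | ID = 262151 Description = The device, \Device\Harddisk0\D, has a bad block.
Error - 3/24/2011 8:47:13 PM | Computer Name = LAB-PC | Source = Service Control Manager | ID = 7000 Description = The ExampleScanner service failed to start due to the following error: %%2
Error - 3/24/2011 8:47:34 PM | Computer Name = LAB-PC | Source = Service Control Manager | ID = 7026 Description = The following boot-start or system-start driver(s) failed to load: Lbd
O33 - MountPoints2\{84dada70-46d4-11e0-b00a-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{84dada70-46d4-11e0-b00a-00038a000015}\Shell\AutoRun\command - "" = E:\WIN\setup.exe
O33 - MountPoints2\{a7e2caf0-59c7-11de-af91-00179a446a75}\Shell\AutoRun\command - "" = E:\CDGO.exe
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\WIN\setup.exe
""".strip().splitlines()


def parse_events(lines):
    """Return one dict per event-log error line; other lines are ignored."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["id"] = int(ev["id"])
            events.append(ev)
    return events


def bad_block_counts(events):
    """Count Disk bad-block errors per device path."""
    counts = Counter()
    for ev in events:
        if ev["source"] == "Disk":
            m = BAD_BLOCK_RE.search(ev["desc"])
            if m:
                counts[m.group("dev")] += 1
    return dict(counts)


def failed_service_starts(events):
    """Descriptions of Service Control Manager start/load failures."""
    return [ev["desc"] for ev in events
            if ev["source"] == "Service Control Manager" and ev["id"] in SCM_FAILURE_IDS]


def autorun_commands(lines):
    """(mount-point key, command) for every MountPoints2 AutoRun command entry."""
    found = []
    for line in lines:
        m = O33_RE.match(line.strip())
        if m:
            found.append((m.group("key"), m.group("cmd").strip()))
    return found


def triage(lines, bad_block_threshold=3):
    """Summarise a log: devices with repeated bad blocks, failed services, autorun commands."""
    events = parse_events(lines)
    blocks = bad_block_counts(events)
    return {
        "drive_warning": {dev: n for dev, n in blocks.items() if n >= bad_block_threshold},
        "failed_services": failed_service_starts(events),
        "autorun_commands": autorun_commands(lines),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE)
    for dev, n in summary["drive_warning"].items():
        print(f"WARNING: {n} bad-block errors on {dev}; back up data now")
    for desc in summary["failed_services"]:
        print("service failure:", desc)
    for key, cmd in summary["autorun_commands"]:
        print(f"autorun {key}: {cmd}")
```

Three bad-block errors within seconds on one device is the threshold used here; any repeated count on the same device is the thing to react to, which is why the summary is keyed by device path rather than by event ID. The autorun list deliberately includes the drive-letter entry as well as the GUID entries, since both forms appear in the report above.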
shawnh (Author) Posted April 4, 2011

Thanks Starbuck,

I couldn't manage to get very far though - ran into resistance right off the bat while trying to do the Scandisk. I followed your instructions to the letter, did a reboot and while it did start to do the scandisk (blue screen, etc), it quickly said:

"Cannot open volume for direct access"
"Windows has finished checking the disk"

... and then it just continued to boot Windows up as normal.

Any thoughts?

Thanks!
Shawn
shawnh (Author) Posted April 4, 2011

Oh, also you asked why I still have SP2 and not SP3. Well, I guess mainly because I only have about 5 gigs of free space left on this laptop and am trying very hard to not fill it... but I guess I should move up to SP3, eh?

Shawn
Starbuck Posted April 5, 2011

Hi shawnh,

Can you complete the other steps?
Let's try and complete these and then we'll take it from there.

Member of: UNITE
shawnh (Author) Posted April 5, 2011

OK let me try those Starbuck, thanks.
Should I upgrade my OS to SP3 first?
Starbuck Posted April 5, 2011

> Should I upgrade my OS to SP3 first?

No, let's make sure everything is ok before we try to add the SP3.

Member of: UNITE
shawnh (Author) Posted April 5, 2011

OK Starbuck thanks, I will get on that later this evening.

Cheers
Shawn