Possible Infection? Your assistance greatly appreciated...

View previous topic View next topic Go down

Possible Infection? Your assistance greatly appreciated...

Post by EchoWars on Mon May 10, 2010 12:31 am

My son's computer...Acrobat will not load , and I get messages at start-up about a cli-exe failure, and Net Framework errors. It was suggested that this may be due to a rootkit.

OTL logfile created on: 5/9/2010 7:18:29 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Jerry Jansen\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 548.00 Mb Available Physical Memory | 54.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 38.16 Gb Total Space | 20.69 Gb Free Space | 54.22% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JANSENS
Current User Name: Jerry Jansen
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/09 19:17:27 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jerry Jansen\My Documents\Downloads\OTL.exe
PRC - [2010/04/26 12:13:25 | 000,531,440 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Jerry Jansen\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2009/11/24 18:51:40 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 18:51:35 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 18:51:21 | 000,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 18:48:48 | 000,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 18:43:56 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2008/08/10 03:23:55 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/05/26 22:19:14 | 000,123,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\WindowsSearch.exe
PRC - [2008/04/22 02:59:28 | 003,287,552 | ---- | M] (Almico Software ([You must be registered and logged in to see this link.] -- C:\Program Files\SpeedFan\speedfan.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/06/03 20:51:54 | 000,131,072 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
PRC - [2004/04/26 03:00:00 | 000,098,304 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATI9FA.EXE
PRC - [2001/10/08 12:59:36 | 000,049,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\Fast.exe
PRC - [2001/10/08 12:59:36 | 000,045,632 | ---- | M] () -- C:\WINDOWS\system32\TaskSwitch.exe


========== Modules (SafeList) ==========

MOD - [2010/05/09 19:17:27 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jerry Jansen\My Documents\Downloads\OTL.exe
MOD - [2008/04/14 05:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2009/11/24 18:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 18:51:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 18:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 18:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2001/10/08 12:59:36 | 000,049,216 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\System32\Fast.exe -- (InteractiveLogon)


========== Driver Services (SafeList) ==========

DRV - [2009/11/24 18:50:59 | 000,094,160 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2009/11/24 18:50:12 | 000,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/11/24 18:50:00 | 000,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/11/24 18:49:07 | 000,048,560 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009/11/24 18:48:57 | 000,023,120 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009/11/24 18:47:54 | 000,027,408 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/05/09 01:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2006/09/24 08:28:46 | 000,005,248 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Boot | Running] -- C:\WINDOWS\system32\speedfan.sys -- (speedfan)
DRV - [2006/05/03 11:50:42 | 001,540,608 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/06/03 10:40:46 | 000,079,360 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys -- (nvatabus)
DRV - [2004/05/25 15:58:04 | 000,396,032 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvapu.sys -- (nvnforce) Service for NVIDIA(R) nForce(TM)
DRV - [2004/05/25 15:58:02 | 000,048,640 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvax.sys -- (nvax) Service for NVIDIA(R) nForce(TM)
DRV - [2004/04/02 15:40:00 | 000,021,760 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nv_agp.sys -- (nv_agp)
DRV - [2002/02/25 00:35:20 | 000,014,604 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2001/08/23 07:00:00 | 000,098,176 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\NBF.SYS -- (Nbf)
DRV - [2001/08/17 07:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)
DRV - [1996/04/03 14:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\giveio.sys -- (giveio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/04 16:40:14 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/09 19:17:00 | 000,000,000 | ---D | M]

[2008/12/25 21:00:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jerry Jansen\Application Data\Mozilla\Extensions
[2010/05/09 17:20:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jerry Jansen\Application Data\Mozilla\Firefox\Profiles\8cbc4k50.default\extensions
[2009/09/08 17:22:38 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Jerry Jansen\Application Data\Mozilla\Firefox\Profiles\8cbc4k50.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/05/09 19:17:01 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/09 19:17:01 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2008/02/07 21:46:12 | 000,087,360 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\CgpCore.dll
[2008/02/07 21:46:20 | 000,091,448 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\confmgr.dll
[2008/02/07 21:46:16 | 000,021,824 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\ctxlogging.dll
[2007/03/16 17:27:00 | 000,479,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcm80.dll
[2007/03/16 17:27:00 | 000,548,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcp80.dll
[2007/03/16 17:27:00 | 000,626,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcr80.dll
[2010/05/09 19:16:39 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2008/02/07 21:48:26 | 000,419,136 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npicaN.dll
[2008/02/07 21:46:12 | 000,024,384 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\TcpPServ.dll

O1 HOSTS File: ([2008/08/10 03:12:43 | 000,000,770 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 mpa.one.microsoft.com
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [CoolSwitch] C:\WINDOWS\system32\TaskSwitch.exe ()
O4 - HKLM..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [FastUser] C:\WINDOWS\system32\Fast.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NVMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe (NVIDIA Corporation)
O4 - HKCU..\Run: [52480058269966065115806058138386] C:\Program Files\Antivirus 2009\av2009.exe File not found
O4 - HKCU..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe File not found
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe (Almico Software ([You must be registered and logged in to see this link.]
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} [You must be registered and logged in to see this link.] (QuickTime Object)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} [You must be registered and logged in to see this link.] (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} [You must be registered and logged in to see this link.] (JuniperSetupControlXP Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Jerry Jansen\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jerry Jansen\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/08/10 03:03:42 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/08/10 03:03:03 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: mcmscsvc - Service
SafeBootMin: MCODS - Service
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: mcmscsvc - Service
SafeBootNet: MCODS - Service
SafeBootNet: MpfService - Service
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: nm - File not found
SafeBootNet: nm.sys - File not found
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows script 5.7
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Macromedia Shockwave Flash
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.MP42 - C:\WINDOWS\System32\MPG4C32.DLL (Microsoft Corporation)
Drivers32: VIDC.MPG4 - C:\WINDOWS\System32\MPG4C32.DLL (Microsoft Corporation)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010/05/09 19:17:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/05/09 19:17:13 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/05/09 19:17:00 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/05/09 19:17:00 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/05/09 19:17:00 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/05/09 19:17:00 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/05/09 19:17:00 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/05/09 19:16:30 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/05/09 19:16:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jerry Jansen\Application Data\Sun
[2010/05/09 19:10:44 | 000,000,000 | ---D | C] -- C:\Program Files\Hijack This
[2010/05/09 18:18:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jerry Jansen\Local Settings\Application Data\PCHealth
[2010/05/09 18:03:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\Documents and Settings\Jerry Jansen\My Documents\*.tmp files -> C:\Documents and Settings\Jerry Jansen\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/09 19:22:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/09 19:18:59 | 000,000,157 | ---- | M] () -- C:\Documents and Settings\Jerry Jansen\Desktop\Read This Before Posting.url
[2010/05/09 19:16:37 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/05/09 19:16:37 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/05/09 19:16:37 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/05/09 19:16:37 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/05/09 19:16:36 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/05/09 19:11:37 | 000,002,579 | ---- | M] () -- C:\Documents and Settings\Jerry Jansen\Desktop\HiJackThis.lnk
[2010/05/09 18:25:01 | 000,001,006 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-2139871995-1417001333-1004UA.job
[2010/05/09 18:25:01 | 000,000,954 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-2139871995-1417001333-1004Core.job
[2010/05/09 18:24:24 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/05/09 18:14:35 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/09 18:14:29 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/09 18:14:27 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/05/09 18:14:11 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/09 18:14:03 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/09 18:14:00 | 1073,274,880 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/09 18:13:20 | 004,194,304 | -H-- | M] () -- C:\Documents and Settings\Jerry Jansen\NTUSER.DAT
[2010/05/09 18:13:20 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Jerry Jansen\ntuser.ini
[2010/05/06 20:17:18 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\Jerry Jansen\My Documents\No Quitter.doc
[2010/04/28 20:31:26 | 000,002,337 | ---- | M] () -- C:\Documents and Settings\Jerry Jansen\Desktop\Google Chrome.lnk
[2010/04/26 17:06:21 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/25 10:22:06 | 000,000,042 | ---- | M] () -- C:\Documents and Settings\Jerry Jansen\default.pls
[2010/04/22 20:34:24 | 000,026,624 | ---- | M] () -- C:\Documents and Settings\Jerry Jansen\My Documents\Hillbilly Bone.doc
[2010/04/22 20:32:36 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\Jerry Jansen\My Documents\Dizzy.doc
[2010/04/16 14:46:00 | 000,026,624 | ---- | M] () -- C:\Documents and Settings\Jerry Jansen\My Documents\Play Something Country.doc
[2010/04/15 19:29:40 | 000,027,136 | ---- | M] () -- C:\Documents and Settings\Jerry Jansen\My Documents\Cinco De Mayo.doc
[2010/04/15 19:25:13 | 000,026,624 | ---- | M] () -- C:\Documents and Settings\Jerry Jansen\My Documents\Alligator Rock.doc
[2010/04/15 19:23:42 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\Jerry Jansen\My Documents\Mr Postman.doc
[2010/04/15 19:22:16 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\Jerry Jansen\My Documents\Yes I Do.doc
[2010/04/14 03:02:51 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/11 17:25:19 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\Jerry Jansen\My Documents\March & April Invoice.doc
[2010/04/11 12:38:42 | 000,134,656 | ---- | M] () -- C:\Documents and Settings\Jerry Jansen\My Documents\Joan Conaway Interview.doc
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\Documents and Settings\Jerry Jansen\My Documents\*.tmp files -> C:\Documents and Settings\Jerry Jansen\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/09 19:18:59 | 000,000,157 | ---- | C] () -- C:\Documents and Settings\Jerry Jansen\Desktop\Read This Before Posting.url
[2010/05/09 19:10:44 | 000,002,579 | ---- | C] () -- C:\Documents and Settings\Jerry Jansen\Desktop\HiJackThis.lnk
[2010/05/06 20:17:17 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\Jerry Jansen\My Documents\No Quitter.doc
[2010/04/25 10:22:06 | 000,000,042 | ---- | C] () -- C:\Documents and Settings\Jerry Jansen\default.pls
[2010/04/22 20:34:24 | 000,026,624 | ---- | C] () -- C:\Documents and Settings\Jerry Jansen\My Documents\Hillbilly Bone.doc
[2010/04/22 20:32:36 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\Jerry Jansen\My Documents\Dizzy.doc
[2010/04/16 14:45:58 | 000,026,624 | ---- | C] () -- C:\Documents and Settings\Jerry Jansen\My Documents\Play Something Country.doc
[2010/04/15 19:29:40 | 000,027,136 | ---- | C] () -- C:\Documents and Settings\Jerry Jansen\My Documents\Cinco De Mayo.doc
[2010/04/15 19:25:13 | 000,026,624 | ---- | C] () -- C:\Documents and Settings\Jerry Jansen\My Documents\Alligator Rock.doc
[2010/04/15 19:23:41 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\Jerry Jansen\My Documents\Mr Postman.doc
[2010/04/15 19:22:15 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\Jerry Jansen\My Documents\Yes I Do.doc
[2010/04/11 17:19:35 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\Jerry Jansen\My Documents\March & April Invoice.doc
[2010/04/10 12:56:34 | 000,134,656 | ---- | C] () -- C:\Documents and Settings\Jerry Jansen\My Documents\Joan Conaway Interview.doc
[2008/11/06 11:37:32 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/11/06 11:34:00 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/11/06 11:34:00 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/11/06 11:33:02 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/08/22 15:17:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\DVEdit.INI
[2008/08/20 11:46:17 | 000,000,022 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2008/08/20 11:44:14 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EPSPR320.ini
[2008/08/20 11:43:30 | 000,000,058 | ---- | C] () -- C:\WINDOWS\System32\EAL32.INI
[2008/08/18 21:38:06 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\dsp_trc.dll
[2008/08/10 22:23:23 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/08/10 18:49:12 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/08/10 04:54:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2008/08/10 04:45:45 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2008/08/10 04:45:45 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2008/08/10 04:45:45 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2008/08/10 04:45:45 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2008/08/10 04:45:45 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2008/08/10 04:45:45 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2005/07/15 13:35:56 | 000,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/07/15 13:35:56 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2001/10/08 13:24:26 | 000,148,544 | ---- | C] () -- C:\WINDOWS\System32\msvdm.dll
[2001/10/08 12:59:46 | 000,016,960 | ---- | C] () -- C:\WINDOWS\System32\mag.dll
[1996/04/03 14:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== Custom Scans ==========


< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.exe /lockedfiles >
[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/08/09 21:49:00 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/08/09 21:49:00 | 001,089,536 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/08/09 21:49:00 | 000,901,120 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\*.sys >
[2001/08/23 07:00:00 | 000,009,029 | ---- | M] () -- C:\WINDOWS\system32\ansi.sys
[2001/08/23 07:00:00 | 000,027,097 | ---- | M] () -- C:\WINDOWS\system32\country.sys
[1996/04/03 14:33:26 | 000,005,248 | ---- | M] () -- C:\WINDOWS\system32\giveio.sys
[2001/08/23 07:00:00 | 000,004,768 | ---- | M] () -- C:\WINDOWS\system32\himem.sys
[2001/08/23 07:00:00 | 000,042,809 | ---- | M] () -- C:\WINDOWS\system32\key01.sys
[2008/04/13 22:20:56 | 000,042,537 | ---- | M] () -- C:\WINDOWS\system32\keyboard.sys
[2001/08/23 07:00:00 | 000,027,866 | ---- | M] () -- C:\WINDOWS\system32\ntdos.sys
[2001/08/23 07:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos404.sys
[2001/08/23 07:00:00 | 000,029,370 | ---- | M] () -- C:\WINDOWS\system32\ntdos411.sys
[2001/08/23 07:00:00 | 000,029,274 | ---- | M] () -- C:\WINDOWS\system32\ntdos412.sys
[2001/08/23 07:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos804.sys
[2008/04/13 22:19:40 | 000,033,840 | ---- | M] () -- C:\WINDOWS\system32\ntio.sys
[2008/04/13 22:19:44 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio404.sys
[2008/04/13 22:19:40 | 000,035,648 | ---- | M] () -- C:\WINDOWS\system32\ntio411.sys
[2008/04/13 22:19:44 | 000,035,424 | ---- | M] () -- C:\WINDOWS\system32\ntio412.sys
[2008/04/13 22:19:42 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio804.sys
[2006/09/24 08:28:46 | 000,005,248 | ---- | M] (Windows (R) 2000 DDK provider) -- C:\WINDOWS\system32\speedfan.sys
[2008/04/14 00:15:00 | 000,017,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\watchdog.sys
[2009/08/14 08:21:25 | 001,850,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys
[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\drivers\*.dll >
[2006/05/03 11:10:34 | 000,040,960 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2erec.dll
[2008/04/14 05:41:56 | 000,021,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\hidserv.dll

< %systemroot%\system32\drivers\*.ini >

< %systemroot%\system32\drivers\*.exe >

< %SYSTEMDRIVE%\*.* >
[2008/08/10 03:03:42 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2008/08/10 02:56:52 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2008/08/10 03:17:29 | 000,035,151 | ---- | M] () -- C:\caavsetupLog.txt
[2009/03/29 22:14:23 | 000,027,699 | ---- | M] () -- C:\caisslog.txt
[2008/08/10 03:03:42 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/04/04 12:07:22 | 015,347,712 | ---- | M] () -- C:\debug.log
[2010/05/09 18:14:00 | 1073,274,880 | -HS- | M] () -- C:\hiberfil.sys
[2008/08/10 03:03:42 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2008/08/10 03:03:42 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/04/13 22:13:04 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/04/14 00:01:44 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/05/09 18:13:57 | 1207,959,552 | -HS- | M] () -- C:\pagefile.sys

< %PROGRAMFILES%\*. >
[2008/08/10 04:41:09 | 000,000,000 | ---D | M] -- C:\Program Files\ACDSee32
[2010/01/31 12:07:30 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2009/01/08 00:10:46 | 000,000,000 | ---D | M] -- C:\Program Files\Ahead
[2009/12/24 19:40:25 | 000,000,000 | ---D | M] -- C:\Program Files\Alwil Software
[2008/11/10 05:17:15 | 000,000,000 | ---D | M] -- C:\Program Files\Antivirus 2009
[2010/03/21 18:48:58 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2009/01/25 20:52:11 | 000,000,000 | ---D | M] -- C:\Program Files\ATI Technologies
[2009/06/09 13:15:41 | 000,000,000 | ---D | M] -- C:\Program Files\Citrix
[2010/05/09 19:17:13 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2008/08/10 02:59:45 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2009/01/25 22:28:11 | 000,000,000 | ---D | M] -- C:\Program Files\DivX
[2008/08/20 11:45:59 | 000,000,000 | ---D | M] -- C:\Program Files\EPSON
[2008/08/20 11:45:07 | 000,000,000 | ---D | M] -- C:\Program Files\EPSON Print CD
[2010/01/31 14:07:04 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2010/05/09 19:10:44 | 000,000,000 | ---D | M] -- C:\Program Files\Hijack This
[2009/01/25 20:13:58 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2008/08/10 04:47:20 | 000,000,000 | ---D | M] -- C:\Program Files\InterActual
[2010/03/31 03:00:42 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2008/08/10 04:45:11 | 000,000,000 | ---D | M] -- C:\Program Files\InterVideo
[2010/05/09 19:16:30 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2008/08/14 18:54:39 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2008/08/10 18:48:08 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft ActiveSync
[2009/02/14 12:07:22 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Digital Image 2006
[2008/08/10 03:04:08 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2009/08/11 11:10:47 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Games
[2008/08/10 19:02:04 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2008/08/10 18:46:44 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Visual Studio
[2010/03/10 01:43:21 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2010/05/09 17:20:09 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2009/04/26 19:53:10 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2008/08/10 02:58:46 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2008/08/10 02:59:17 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2008/08/10 04:46:58 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2008/08/10 03:01:14 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2008/08/10 03:56:12 | 000,000,000 | ---D | M] -- C:\Program Files\NVIDIA Corporation
[2008/08/10 03:01:43 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2009/08/13 03:09:35 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2008/08/10 20:22:27 | 000,000,000 | ---D | M] -- C:\Program Files\Padus
[2010/03/21 18:50:09 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2009/04/26 19:52:54 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2008/08/18 21:38:38 | 000,000,000 | ---D | M] -- C:\Program Files\SONY
[2010/05/09 18:14:36 | 000,000,000 | ---D | M] -- C:\Program Files\SpeedFan
[2008/08/10 03:09:27 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2009/06/11 03:13:12 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Desktop Search
[2009/01/26 22:41:16 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2009/01/26 22:41:13 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2008/08/10 02:59:09 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2008/08/10 03:01:48 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2008/08/10 04:43:47 | 000,000,000 | ---D | M] -- C:\Program Files\WinRAR
[2008/08/10 03:04:08 | 000,000,000 | ---D | M] -- C:\Program Files\xerox

< %appdata%\*.* >
[2008/08/09 21:50:20 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\Jerry Jansen\Application Data\desktop.ini
[2008/08/10 22:17:43 | 000,000,066 | ---- | M] () -- C:\Documents and Settings\Jerry Jansen\Application Data\nero_photoshow_express_4_us_row.txt


< MD5 for: AGP440.SYS >
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys

< MD5 for: DISK.SYS >
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2008/04/14 00:10:48 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 05:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 05:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 05:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 05:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: NVATABUS.SYS >
[2004/06/03 10:40:46 | 000,079,360 | ---- | M] (NVIDIA Corporation) MD5=46DEED4C6C5FA765F9A2C723BE60348D -- C:\NVIDIA\nForceWin2KXP\5.10\IDE\Win2K\NvAtaBus.sys
[2004/06/03 10:40:46 | 000,079,360 | ---- | M] (NVIDIA Corporation) MD5=46DEED4C6C5FA765F9A2C723BE60348D -- C:\NVIDIA\nForceWin2KXP\5.10\IDE\WinXP\NvAtaBus.sys
[2004/06/03 10:40:46 | 000,079,360 | ---- | M] (NVIDIA Corporation) MD5=46DEED4C6C5FA765F9A2C723BE60348D -- C:\WINDOWS\system32\drivers\nvatabus.sys

< MD5 for: SCECLI.DLL >
[2008/04/14 05:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 05:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USBSTOR.SYS >
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:usbstor.sys
[2008/04/14 00:15:40 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\dllcache\usbstor.sys
[2008/04/14 00:15:40 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\drivers\USBSTOR.SYS

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-04-14 08:02:52
< End of report >

EchoWars
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-04-13
Gender Gender : Male
OS OS : XP
Points Points : 28023
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Possible Infection? Your assistance greatly appreciated...

Post by EchoWars on Mon May 10, 2010 12:32 am

Extras.txt:

OTL Extras logfile created on: 5/9/2010 7:18:29 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Jerry Jansen\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 548.00 Mb Available Physical Memory | 54.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 38.16 Gb Total Space | 20.69 Gb Free Space | 54.22% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JANSENS
Current User Name: Jerry Jansen
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [ACDBrowse] -- C:\Program Files\ACDSee32\ACDSee32.exe "%1" (ACD Systems, Ltd.)
Directory [cmd] -- cmd.exe /k "cd %L" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\InterVideo\DVD7\WinDVD.exe" = C:\Program Files\InterVideo\DVD7\WinDVD.exe:*:Enabled:WinDVD -- (InterVideo Inc.)
"C:\Documents and Settings\Jerry Jansen\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServ.exe" = C:\Documents and Settings\Jerry Jansen\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServ.exe:*:Enabled:Juniper Terminal Services Client -- (Juniper Networks)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{109D28C7-FB38-483A-9C91-001CB59E2699}" = EPSON CardMonitor
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5983C895-DDA4-45D9-A8D1-877D5DE7693E}" = EPSON PhotoStarter3.0
"{5D95AD35-368F-47D5-B63A-A082DDF00119}" = Microsoft Digital Image Suite 2006 Editor
"{691F4068-81BF-49E3-B32E-FE3E16400119}" = Microsoft Digital Image Suite 2006 Library
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6C31E111-96BB-4ADC-9C81-E6D3EEDDD8D3}" = Powertoys For Windows XP
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8B7917E0-AF55-4E8A-9473-017F0AA03AC8}" = QuickTime
"{90120409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Standard
"{90190409-6000-11D3-8CFE-0050048383C9}" = Microsoft Publisher 2002
"{90885A82-9673-49EA-AB39-AF776639C67C}" = InterVideo WinDVD 7
"{9F7FC79B-3059-4264-9450-39EB368E3225}" = Microsoft Digital Image Library 9 - Blocker
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B5FDA445-CAC4-4BA6-A8FB-A7212BD439DE}" = Microsoft XML Parser
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C3C538E5-524C-4253-AA74-0EEEF34990EA}" = DiscJuggler
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D7A6C517-11F2-419F-B5BB-27772B939698}" = NvMixer
"{E9459BCF-0982-498B-ABA7-26C34323493F}" = Citrix Presentation Server Client - Web Only
"{EA9FAF16-0E5C-42C4-9742-9AF8D5F6D69B}" = ATI Catalyst Control Center
"{FC47C7A5-BE63-11D5-B7C9-005004566E4D}" = ViewSonic Windows XP Signed Files
"{FF477885-5EA8-40D0-ADF3-D4C1B86FAEA4}" = EPSON Print CD
"ACDSee 32" = ACDSee 32
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"avast!" = avast! Antivirus
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Combat Flight Simulator 1.00" = Microsoft Combat Flight Simulator
"Combat Flight Simulator 2.0" = Microsoft Combat Flight Simulator 2
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"EPSON Printer and Utilities" = EPSON Printer Software
"Google Updater" = Google Updater
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InterActual Player" = InterActual Player
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Midtown Madness 2.0" = Microsoft Midtown Madness 2
"Motocross Madness 2" = Microsoft Motocross Madness 2
"Mozilla Firefox (3.0.19)" = Mozilla Firefox (3.0.19)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NMIX!UninstallKey" = NeroMIX
"NVIDIA Drivers" = NVIDIA Drivers
"PictureItSuite_v11" = Microsoft Digital Image Suite 2006
"Silent Package Run-Time Sample" = ESPR320 Reference Guide
"Sony Digital Voice Editor 2" = Sony Digital Voice Editor 2
"SpeedFan" = SpeedFan (remove only)
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"Juniper_Term_Services" = Juniper Terminal Services Client

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/9/2010 7:02:22 PM | Computer Name = JANSENS | Source = MsiInstaller | ID = 10005
Description = Product: Microsoft .NET Framework 3.0 Service Pack 2 -- The installer
has encountered an unexpected error installing this package. This may indicate
a problem with this package. The error code is 2908. The arguments are: {06E55FA7-ED36-4A74-8C82-F3D505C50F2E},
,

Error - 5/9/2010 7:02:22 PM | Computer Name = JANSENS | Source = MsiInstaller | ID = 10005
Description = Product: Microsoft .NET Framework 3.0 Service Pack 2 -- The installer
has encountered an unexpected error installing this package. This may indicate
a problem with this package. The error code is 2908. The arguments are: {0D304EBB-563D-49B0-A425-276DF339BC8D},
,

Error - 5/9/2010 7:02:22 PM | Computer Name = JANSENS | Source = MsiInstaller | ID = 10005
Description = Product: Microsoft .NET Framework 3.0 Service Pack 2 -- The installer
has encountered an unexpected error installing this package. This may indicate
a problem with this package. The error code is 2908. The arguments are: {676EBB4C-BDB0-4953-A590-2524A732A854},
,

Error - 5/9/2010 7:02:22 PM | Computer Name = JANSENS | Source = MsiInstaller | ID = 10005
Description = Product: Microsoft .NET Framework 3.0 Service Pack 2 -- The installer
has encountered an unexpected error installing this package. This may indicate
a problem with this package. The error code is 2908. The arguments are: {5368DCA9-E312-415B-9FAC-DC47A1AC461D},
,

Error - 5/9/2010 7:02:22 PM | Computer Name = JANSENS | Source = MsiInstaller | ID = 10005
Description = Product: Microsoft .NET Framework 3.0 Service Pack 2 -- The installer
has encountered an unexpected error installing this package. This may indicate
a problem with this package. The error code is 2908. The arguments are: {01FDA4F6-CF9B-4886-A616-75384D54714D},
,

Error - 5/9/2010 7:02:22 PM | Computer Name = JANSENS | Source = MsiInstaller | ID = 10005
Description = Product: Microsoft .NET Framework 3.0 Service Pack 2 -- The installer
has encountered an unexpected error installing this package. This may indicate
a problem with this package. The error code is 2908. The arguments are: {31ABBB3E-78C4-47DD-A35B-A35EC6049B73},
,

Error - 5/9/2010 7:02:22 PM | Computer Name = JANSENS | Source = MsiInstaller | ID = 11935
Description = Product: Microsoft .NET Framework 3.0 Service Pack 2 -- Error 1935.
An error occurred during the installation of assembly 'System.Runtime.Serialization,fileVersion="3.0.4506.3613",culture="neutral",version="3.0.0.0",publicKeyToken="b77a5c561934e089",processorArchitecture="MSIL"'.
Please refer to Help and Support for more information. HRESULT: 0x8002802F. assembly
interface: , function: CreateAssemblyCache, component: {CA8693B8-3F44-47A7-B1C7-D1BDB9C580E1}

Error - 5/9/2010 7:02:23 PM | Computer Name = JANSENS | Source = MsiInstaller | ID = 1023
Description = Product: Microsoft .NET Framework 3.0 Service Pack 2 - Update 'KB976570'
could not be installed. Error code 1603. Additional information is available in
the log file C:\DOCUME~1\JERRYJ~1\LOCALS~1\Temp\Microsoft .NET Framework 3.0-KB976570_20100509_230213265-Msi0.txt.

Error - 5/9/2010 7:02:23 PM | Computer Name = JANSENS | Source = HotFixInstaller | ID = 5000
Description = EventType visualstudio8setup, P1 microsoft .net framework 3.0-kb976570,
P2 1033, P3 1603, P4 msi, P5 f, P6 9.0.40302.0, P7 install, P8 x86, P9 xp, P10
1935.

Error - 5/9/2010 7:03:23 PM | Computer Name = JANSENS | Source = MsiInstaller | ID = 1013
Description = Product: Microsoft .NET Framework 3.0 Service Pack 2 -- Microsoft
.NET Framework 3.0 Service Pack 2 cannot be uninstalled because it will affect other
applications that are installed. For more information, see [You must be registered and logged in to see this link.]

[ System Events ]
Error - 3/11/2010 6:55:34 PM | Computer Name = JANSENS | Source = Print | ID = 6161
Description = The document 1957.pdf owned by Jerry Jansen failed to print on printer
Lexmark Z31 Color Jetprinter. Data type: NT EMF 1.008. Size of the spool file in
bytes: 469324. Number of bytes printed: 469324. Total number of pages in the document:
1. Number of pages printed: 1. Client machine: \\JANSENS. Win32 error code returned
by the print processor: 21 (0x15). The device is not ready.

Error - 4/4/2010 12:49:58 PM | Computer Name = JANSENS | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom1, has a bad block.

Error - 5/9/2010 7:02:04 PM | Computer Name = JANSENS | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Microsoft .NET Framework 2.0 Service Pack 2 Update for Windows
Server 2003 and Windows XP x86 (KB976569).

Error - 5/9/2010 7:02:29 PM | Computer Name = JANSENS | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Microsoft .NET Framework 3.0 Service Pack 2 Update for Windows
Server 2003 and Windows XP x86 (KB976570).


< End of report >

EchoWars
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-04-13
Gender Gender : Male
OS OS : XP
Points Points : 28023
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Possible Infection? Your assistance greatly appreciated...

Post by EchoWars on Mon May 10, 2010 1:21 am

My apologies...my son insisted on running MalwareBytes before we went further. I make it clear that if he wanted help that he needed to wait until he heard from me (and you).

In any event, here's the log:
Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4084

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/9/2010 8:16:48 PM
mbam-log-2010-05-09 (20-16-48).txt

Scan type: Quick scan
Objects scanned: 122041
Time elapsed: 9 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\52480058269966065115806058138386 (Rogue.AntiVirus2009) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\AntiVirus 2009 (Rogue.AntiVirus2009) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ieupdates.exe.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

EchoWars
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-04-13
Gender Gender : Male
OS OS : XP
Points Points : 28023
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Possible Infection? Your assistance greatly appreciated...

Post by Belahzur on Mon May 10, 2010 9:54 pm

Hello.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose CopyCrying


    :commands
    [emptytemp]
    [resethosts]
    [reboot]


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Possible Infection? Your assistance greatly appreciated...

Post by EchoWars on Sun May 16, 2010 1:57 am

Long delay, I know.

Here's the logfile from OTL:

All processes killed
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Jerry Jansen
->Temp folder emptied: 79841073 bytes
->Temporary Internet Files folder emptied: 374643835 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 91546142 bytes
->Google Chrome cache emptied: 104295679 bytes
->Flash cache emptied: 217049 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 13165158 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33237 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2402044 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 13848884 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23944966 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 94901184 bytes

Total Files Cleaned = 762.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.4.1 log created on 05152010_204937


Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_5c4.dat not found!


Registry entries deleted on Reboot...

EchoWars
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-04-13
Gender Gender : Male
OS OS : XP
Points Points : 28023
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Possible Infection? Your assistance greatly appreciated...

Post by Belahzur on Sun May 16, 2010 7:40 pm

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX. click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Possible Infection? Your assistance greatly appreciated...

Post by EchoWars on Sun May 23, 2010 3:00 am

here's the log file

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=7a0e73dd06f5eb4eae67bfae74c6a4d7
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-05-23 02:22:54
# local_time=2010-05-22 09:22:54 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=769 16775125 100 98 0 209936507 0 0
# compatibility_mode=4864 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=53505
# found=0
# cleaned=0
# scan_time=4422

Appears that the system is clean. The problems seem to be a corrupt Windows install (.pdf files cannot be opened & Adobe reader flags an error, & Net framework errors on boot).

EchoWars
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-04-13
Gender Gender : Male
OS OS : XP
Points Points : 28023
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Possible Infection? Your assistance greatly appreciated...

Post by Belahzur on Sun May 23, 2010 1:58 pm

Hello.

How is the machine running? do you still get those errors?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Possible Infection? Your assistance greatly appreciated...

Post by EchoWars on Mon May 31, 2010 7:09 am

Sorry for the delay. I travel a lot.

Yes...I get errors related to Net Framework on boot, and another related to Abobe PDF, and no PDF documents can be opened. I'm thinking that the issue is not an infection at this point, but rather a corrupted Windows install. If I can get the info, I can post the specific errors, but at this point I'm leaning towards blasting the whole install and grabbing the XP disk.

EchoWars
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-04-13
Gender Gender : Male
OS OS : XP
Points Points : 28023
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Possible Infection? Your assistance greatly appreciated...

Post by Belahzur on Mon May 31, 2010 11:33 pm

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum