Using Recovery Console



Hi,

I wonder if someone might be able to help me (apologies if this is the wrong forum)?

I am running Windows XP Home Service Pack 3. Last week, I ran a McAfee scan. I noticed out of the corner of my eye that it had detected something, but went off to do something else while the scan completed. When I came back, McAfee was no longer running. I thought this was odd, so ran an MBAM scan. This detected a dozen or so items (none of which I can remember). I asked MBAM to quarantine them all. MBAM asked me to reboot, which I did.

Since the reboot I have been unable to log on to Windows (even in safe mode). My Windows wallpaper appears, then nothing happens for about 10 minutes. I am then presented with the Windows logon screen. If I select either "Owner" or "Administrator" I get "Loading Personal Settings" followed immediately by "Saving Personal Settings" and I am chucked back to the logon screen.

I assume that either McAfee or MBAM has quarantined an essential file or corrupted the registry?

I have "Recovery Console" installed and can log on via that. I don't have a Windows XP CD, but the OEM seems to have set up my D: drive for this purpose. I have no idea what I am doing in "Recovery Console".

Could someone help me with this please?

Scotty


Hello devaws and welcome to the forums :P

I am jwang01 and I will be assisting you with your issue.

When we get to working on your computer you may want to print out or save my responses in Notepad, because there may be times where you will not be able to access them here.

Also, please don't attach your logs unless asked, as they can make them hard to read. Just post them as a reply.

Let's run a program and see what's going on here.

Please print these instructions out so that you know what you are doing.

File details OTLPEStd.exe: Bytes=97,702,766 | MB=93.1 | MD5=FC1A07D156DE710955032B1CF7891671
File details OTLPENet.exe: Bytes=126,850,486 | MB=120.9 | MD5=8A7C5BA1C92552ADDCC5E468D0AA069A

  1. Download OTLPEStd.exe to your desktop.
  2. Download OTLPENet.exe to your desktop.
  3. Ensure that you have a blank CD in the drive.
  4. Double-click OTLPEStd.exe; this will open ImgBurn to burn the file to CD.
  5. Double-click OTLPENet.exe; this will open ImgBurn to burn the file to CD.
  6. Reboot your system using the boot CD you just created.
    Note: if you do not know how to set your computer to boot from CD, follow the steps here.
  7. As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads ;)
  8. Your system should now display a Reatogo desktop.
    Note: as you are running from CD it is not exactly speedy.
  9. Double-click on the OTLPE icon.
  10. Select the Windows folder of the infected drive if it asks for a location.
  11. When asked "Do you wish to load the remote registry", select Yes.
  12. When asked "Do you wish to load remote user profile(s) for scanning", select Yes.
  13. Ensure the box "Automatically Load All Remaining Users" is checked and press OK.
  14. OTL should now start.
  15. Drag and drop the attached scan.txt into the Custom Scans and Fixes box.
  16. Press Run Scan to start the scan.
  17. When finished, the file will be saved as C:\OTL.txt.
  18. Copy this file to your USB drive if you do not have an internet connection on this system.
  19. Right-click the file and select Send To, then select the USB drive.
  20. Confirm that it has copied to the USB drive by selecting it.
  21. You can back up any files that you wish from this OS.
  22. Please post the contents of the C:\OTL.txt file in your reply.


Hi jwang01,

Thanks for helping me, much appreciated.

I can't download anything to my own PC (obviously). Luckily, I am at work at the moment and will ask a colleague to burn the CD for me and give it a blast when I get home tonight.

Thanks again.


Hi,

Boot disk worked like a dream. Here is the content of OTL.txt following the scan:

OTL logfile created on: 6/25/2010 8:43:48 PM - Run

OTLPE by OldTimer - Version 3.1.39.0 Folder = X:\Programs\OTLPE

Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,023.00 Mb Total Physical Memory | 803.00 Mb Available Physical Memory | 78.00% Memory free

907.00 Mb Paging File | 842.00 Mb Available in Paging File | 93.00% Paging File free

Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 229.31 Gb Total Space | 107.51 Gb Free Space | 46.89% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

Drive H: | 3.56 Gb Total Space | 0.34 Gb Free Space | 9.51% Space Free | Partition Type: FAT32

I: Drive not present or media not loaded

Drive J: | 1.88 Gb Total Space | 1.87 Gb Free Space | 99.15% Space Free | Partition Type: FAT

Drive X: | 280.77 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO

Current User Name: SYSTEM

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto] -- -- (RSVPRasAuto)

SRV - [2010/06/10 01:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)

SRV - [2010/03/19 05:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2009/12/08 10:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)

SRV - [2009/10/27 07:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)

SRV - [2009/09/16 06:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)

SRV - [2009/09/16 05:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)

SRV - [2009/09/16 04:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)

SRV - [2009/07/08 07:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)

SRV - [2009/07/07 15:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)

SRV - [2009/05/22 19:34:34 | 000,851,968 | ---- | M] () [On_Demand] -- C:\Program Files\TVersity\Media Server\MediaServer.exe -- (TVersityMediaServer)

SRV - [2006/12/15 09:51:00 | 000,057,344 | ---- | M] (Tech Mahindra- PUNE) [Auto] -- C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe -- (Wireless Adapter Configurator)

SRV - [2006/01/06 17:25:12 | 000,069,632 | ---- | M] (Sony Corporation) [On_Demand] -- C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe -- (SSScsiSV)

SRV - [2005/11/24 12:03:22 | 000,053,337 | ---- | M] (Sony Corporation) [On_Demand] -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)

SRV - [2005/11/24 11:57:44 | 000,053,337 | ---- | M] (Sony Corporation) [On_Demand] -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)

SRV - [2005/11/24 11:47:30 | 000,069,718 | ---- | M] (Sony Corporation) [On_Demand] -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)

SRV - [2004/07/13 16:13:06 | 000,032,867 | ---- | M] (Check Point Software Technologies) [Auto] -- C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe -- (SR_WatchDog)

SRV - [2004/07/13 16:13:00 | 000,110,690 | ---- | M] (Check Point Software Technologies) [Auto] -- C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe -- (SR_Service)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)

DRV - File not found [Kernel | On_Demand] -- -- (Sunkfiltp)

DRV - File not found [Kernel | System] -- -- (PRAGMAbvgeixfwio)

DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)

DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)

DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)

DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)

DRV - File not found [Kernel | System] -- -- (PCIDump)

DRV - File not found [Kernel | On_Demand] -- -- (MRENDIS5)

DRV - File not found [Kernel | On_Demand] -- -- (MREMPR5)

DRV - [2009/09/16 05:22:48 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)

DRV - [2009/09/16 05:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)

DRV - [2009/09/16 05:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)

DRV - [2009/09/16 05:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)

DRV - [2009/09/16 05:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)

DRV - [2009/07/16 08:32:26 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)

DRV - [2008/04/13 14:56:49 | 000,012,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\usb8023.sys -- (USB_RNDIS)

DRV - [2008/04/13 14:40:58 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\changer.sys -- (Changer)

DRV - [2008/04/13 14:40:26 | 000,034,688 | ---- | M] (Toshiba Corp.) [Kernel | System] -- C:\WINDOWS\system32\drivers\lbrtfdc.sys -- (lbrtfdc)

DRV - [2008/04/13 14:36:41 | 000,037,248 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\isapnp.sys -- (isapnp)

DRV - [2007/12/28 10:02:12 | 000,287,232 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\wg111v3.sys -- (RTL8187B)

DRV - [2004/10/07 21:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System] -- C:\WINDOWS\system32\drivers\AFS2K.SYS -- (AFS2K)

DRV - [2004/10/01 06:24:02 | 002,279,424 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)

DRV - [2004/09/12 16:11:30 | 000,049,611 | R--- | M] (Mobile Action Technology Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mardp2k.sys -- (MaRdPnp)

DRV - [2004/07/15 06:42:00 | 002,459,712 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)

DRV - [2004/07/13 16:13:14 | 000,670,128 | ---- | M] (Check Point Software Technologies) [Kernel | Auto] -- C:\WINDOWS\System32\drivers\vpn.sys -- (VPN-1)

DRV - [2004/07/13 16:13:10 | 002,041,904 | ---- | M] (Check Point Software Technologies) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\fw.sys -- (FW1)

DRV - [2004/07/13 16:13:02 | 000,017,456 | ---- | M] (Check Point Software Technologies) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\scap.sys -- (Scap)

DRV - [2004/07/13 16:12:58 | 000,014,924 | ---- | M] (Check Point Software Technologies) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\omva.sys -- (OMVA)

DRV - [2003/12/12 02:54:14 | 000,391,424 | ---- | M] (Sensaura Ltd) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\alcxsens.sys -- (ALCXSENS)

DRV - [2003/12/05 22:13:42 | 000,429,440 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)

DRV - [2003/12/05 12:25:54 | 000,011,392 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\srvkp.sys -- (SiSkp)

DRV - [2003/11/14 22:38:50 | 000,377,888 | ---- | M] (GlobespanVirata, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\PRISMA00.sys -- (PRISM_A00)

DRV - [2003/11/13 21:19:00 | 000,210,304 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)

DRV - [2003/11/13 21:18:00 | 000,679,808 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)

DRV - [2003/11/13 21:17:00 | 001,042,816 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)

DRV - [2003/11/10 06:24:24 | 000,039,532 | ---- | M] (Alcor Micro Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Sunkfilt.sys -- (SunkFilt)

DRV - [2003/09/18 20:47:00 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\pfc.sys -- (Pfc)

DRV - [2003/09/02 19:51:00 | 000,021,120 | ---- | M] (NVIDIA Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\nv_agp.SYS -- (nv_agp)

DRV - [2003/07/18 12:58:20 | 000,036,992 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\SISAGPX.SYS -- (SISAGP)

DRV - [2003/07/11 18:28:56 | 000,032,768 | ---- | M] (SiS Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sisnic.sys -- (SISNIC)

DRV - [2003/07/02 07:42:00 | 000,027,904 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\VIAAGP1.SYS -- (viaagp1)

DRV - [2002/10/04 13:04:10 | 000,046,976 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\R8139n51.sys -- (rtl8139)

DRV - [2002/07/29 17:43:50 | 000,023,808 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)

DRV - [2002/06/21 13:42:50 | 000,008,224 | ---- | M] (MicroStaff Co.,Ltd.) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\MASPINT.SYS -- (MASPINT)

DRV - [2001/11/27 10:19:46 | 000,589,776 | R--- | M] (Alcatel Bell) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\alcaudsl.sys -- (alcaudsl)

DRV - [2001/10/03 05:10:10 | 000,053,920 | ---- | M] (Alcatel Bell) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\alcan5wn.sys -- (alcan5wn) Alcatel SpeedTouch USB ADSL PPP Networking Driver (NDISWAN)

DRV - [2001/08/17 15:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Search,CustomSearch = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\HelpAssistant_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qgb10.hpwis.com/

IE - HKU\HelpAssistant_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qgb10.hpwis.com/

IE - HKU\HelpAssistant_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

IE - HKU\HelpAssistant_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Ask.com

IE - HKU\HelpAssistant_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultUrl = http://www.mywebsearch.com/jsp/cfg_redir2....her&gcht=sv

IE - HKU\HelpAssistant_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/

IE - HKU\HelpAssistant_ON_C\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - Reg Error: Key error. File not found

IE - HKU\HelpAssistant_ON_C\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

IE - HKU\HelpAssistant_ON_C\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

IE - HKU\HelpAssistant_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\HelpAssistant_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\LocalService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\NetworkService_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Owner_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qgb10.hpwis.com/

IE - HKU\Owner_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qgb10.hpwis.com/

IE - HKU\Owner_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

IE - HKU\Owner_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Ask.com

IE - HKU\Owner_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultUrl = http://www.mywebsearch.com/jsp/cfg_redir2....her&gcht=sv

IE - HKU\Owner_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/

IE - HKU\Owner_ON_C\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

IE - HKU\Owner_ON_C\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

IE - HKU\Owner_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Owner_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/06/04 19:03:45 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009/04/28 13:22:37 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2010/06/22 19:33:30 | 000,000,711 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)

O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)

O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)

O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O2 - BHO: (SidebarAutoLaunch Class) - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll (Yahoo! Inc.)

O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

O3 - HKU\Administrator_ON_C\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.

O3 - HKU\HelpAssistant_ON_C\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.

O3 - HKU\HelpAssistant_ON_C\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

O3 - HKU\Owner_ON_C\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.

O3 - HKU\Owner_ON_C\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

O4 - HKLM..\Run: [FlashInstaller] F:\flashstart.exe File not found

O4 - HKLM..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe (Hewlett-Packard)

O4 - HKLM..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe (Hewlett-Packard)

O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)

O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)

O4 - HKLM..\Run: [PS2] C:\WINDOWS\system32\ps2.EXE (Hewlett-Packard Company)

O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()

O4 - HKLM..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE (FUJI PHOTO FILM CO., LTD.)

O4 - HKLM..\Run: [speedTouch USB Diagnostics] C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe (Alcatel Bell)

O4 - HKLM..\Run: [ssAAD.exe] C:\Program Files\Sony\SonicStage\SSAAD.exe ()

O4 - HKLM..\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe (Alcor Micro, Corp.)

O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)

O4 - HKLM..\Run: [updateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)

O4 - HKLM..\Run: [VTTimer] File not found

O4 - HKU\Administrator_ON_C..\Run: [RecordNow!] File not found

O4 - HKU\HelpAssistant_ON_C..\Run: [Acme.PCHButton] C:\Program Files\Presario PC Help\Presario\XPHWWRP4\plugin\bin\PCHButton.exe (Motive Communications, Inc.)

O4 - HKU\HelpAssistant_ON_C..\Run: [bootvrfy.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\bootvrfy.exe File not found

O4 - HKU\HelpAssistant_ON_C..\Run: [eyeBeam SIP Client] File not found

O4 - HKU\HelpAssistant_ON_C..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\Owner\LOCALS~1\Temp\win32.exe File not found

O4 - HKU\HelpAssistant_ON_C..\Run: [hsf87sdhfush87fsufhuie3fddf] C:\DOCUME~1\Owner\LOCALS~1\Temp\rtsxyph5.exe File not found

O4 - HKU\HelpAssistant_ON_C..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe File not found

O4 - HKU\HelpAssistant_ON_C..\Run: [RecordNow!] File not found

O4 - HKU\HelpAssistant_ON_C..\Run: [steam] C:\Program Files\Valve\Steam\Steam.exe (Valve Corporation)

O4 - HKU\Owner_ON_C..\Run: [{BC34118D-5F15-5DD4-1CE5-7C9E1D739C08}] C:\Documents and Settings\Owner\Application Data\Qeyrz\akywa.exe (Nixyyxugnuso)

O4 - HKU\Owner_ON_C..\Run: [Acme.PCHButton] C:\Program Files\Presario PC Help\Presario\XPHWWRP4\plugin\bin\PCHButton.exe (Motive Communications, Inc.)

O4 - HKU\Owner_ON_C..\Run: [eyeBeam SIP Client] File not found

O4 - HKU\Owner_ON_C..\Run: [RecordNow!] File not found

O4 - HKU\Owner_ON_C..\Run: [steam] C:\Program Files\Valve\Steam\Steam.exe (Valve Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\HelpAssistant_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\HelpAssistant_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1

O7 - HKU\HelpAssistant_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1

O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\Owner_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O9 - Extra Button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)

O9 - Extra Button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe ()

O9 - Extra 'Tools' menuitem : PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe ()

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O16 - DPF: {11111111-1111-1111-1111-111191113457} file://c:\ied_s7.cab (Reg Error: Key error.)

O16 - DPF: {11111111-1111-1111-1111-511111193457} file://c:\x.cab (Reg Error: Key error.)

O16 - DPF: {11111111-1111-1111-1111-511111193458} file://c:\x.cab (Reg Error: Key error.)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flash...ent/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} http://66.117.37.13/dba2161.exe (Reg Error: Key error.)

O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254

O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\sdra73.exe) - C:\WINDOWS\System32\sdra73.exe File not found

O20 - Winlogon\Notify\ckpNotify: DllName - ckpNotify.dll - C:\WINDOWS\System32\ckpNotify.dll (Check Point Software Technologies)

O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)

O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\welcome.htm

O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\welcome.htm

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2004/01/01 20:26:12 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2001/07/27 21:07:38 | 000,000,000 | -HS- | M] () - H:\AUTOEXEC.BAT -- [ FAT32 ]

O32 - AutoRun File - [2002/09/10 18:02:32 | 000,000,045 | -HS- | M] () - H:\Autorun.inf -- [ FAT32 ]

O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]

O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\Info.exe -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

Drivers32: msacm.iac2 - C:\WINDOWS\System32\iac25_32.ax (Intel Corporation)

Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)

Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)

Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)

Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)

Drivers32: vidc.ffds - C:\WINDOWS\System32\ff_vfw.dll ()

Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()

Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()

Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)

Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

Drivers32: vidc.LEAD - C:\WINDOWS\System32\LCodcCMP.dll (LEAD Technologies, Inc.)

Drivers32: vidc.VP60 - C:\WINDOWS\System32\vp6vfw.dll (On2.com)

Drivers32: vidc.VP61 - C:\WINDOWS\System32\vp6vfw.dll (On2.com)

Drivers32: vidc.VP62 - C:\WINDOWS\System32\vp6vfw.dll (On2.com)

NetSvcs: 6to4 - File not found

NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/06/23 14:47:26 | 000,000,000 | ---D | M]

NetSvcs: Iprip - File not found

NetSvcs: Irmon - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)

NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/06/20 09:18:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe

[2010/06/20 09:18:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\My Documents\My eBooks

[2010/06/20 09:18:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\My Documents

[2010/05/30 06:59:07 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

[2010/05/30 06:59:05 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Owner\Desktop\HijackThis.exe

[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/25 14:09:12 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/06/25 14:09:10 | 1073,074,176 | -HS- | M] () -- C:\hiberfil.sys

[2010/06/25 14:09:10 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/06/22 19:33:36 | 000,237,568 | -H-- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT

[2010/06/22 19:33:36 | 000,237,568 | -H-- | M] () -- C:\Documents and Settings\LocalService\NTUSER.DAT

[2010/06/22 19:33:28 | 000,015,651 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF

[2010/06/22 19:33:28 | 000,008,212 | ---- | M] () -- C:\WINDOWS\mfebcdata

[2010/06/22 18:58:35 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini

[2010/06/22 18:58:34 | 005,505,024 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT

[2010/06/20 17:57:10 | 001,048,576 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT

[2010/06/20 17:57:10 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini

[2010/06/20 11:36:37 | 000,000,188 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.DAT

[2010/06/20 09:33:03 | 001,273,344 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Golf Scores (version 1).xls

[2010/06/20 09:32:18 | 000,000,364 | ---- | M] () -- C:\WINDOWS\tasks\Symantec NetDetect.job

[2010/06/20 07:53:10 | 000,004,452 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml

[2010/06/20 07:52:50 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/06/11 20:04:02 | 000,202,752 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/06/08 18:00:23 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Defogger.exe

[2010/06/07 13:41:52 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Lunchbox Menu 20100323 COLOUR.xls

[2010/06/05 09:08:29 | 000,001,916 | -H-- | M] () -- C:\Documents and Settings\Owner\My Documents\Default.rdp

[2010/05/30 09:08:24 | 000,000,460 | --S- | M] () -- C:\WINDOWS\System32\2656959704.dat

[2010/05/27 09:06:18 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Owner\Desktop\HijackThis.exe

[2010/05/27 09:06:05 | 000,824,681 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RSIT.exe

[2010/05/27 09:05:57 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\kotlipwj.exe

[2010/05/27 09:04:35 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/22 19:33:28 | 000,008,212 | ---- | C] () -- C:\WINDOWS\mfebcdata

[2010/06/21 18:26:41 | 1073,074,176 | -HS- | C] () -- C:\hiberfil.sys

[2010/06/08 18:00:20 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Defogger.exe

[2010/05/30 06:59:12 | 000,824,681 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RSIT.exe

[2010/05/30 06:59:06 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\kotlipwj.exe

[2010/05/05 17:18:46 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat

[2010/05/05 17:18:45 | 001,048,576 | -H-- | C] () -- C:\Documents and Settings\Administrator\NTUSER.DAT

[2010/05/05 17:18:45 | 000,098,304 | -H-- | C] () -- C:\Documents and Settings\Administrator\NTUSER.DAT.LOG

[2010/05/05 17:18:45 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Administrator\ntuser.ini

[2010/04/28 17:30:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\1054i.sys

[2009/01/07 20:11:22 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll

[2009/01/07 20:11:22 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest

[2007/02/28 15:16:14 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll

[2007/02/28 15:16:14 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll

[2007/02/28 15:16:14 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll

[2006/12/27 09:55:41 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll

[2005/12/13 19:18:50 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll

[2005/12/13 19:14:33 | 000,000,075 | ---- | C] () -- C:\Documents and Settings\Owner\LuResult.txt

[2005/05/04 13:48:41 | 000,106,592 | ---- | C] () -- C:\WINDOWS\System32\fwnetcfg.dll

[2005/05/04 13:48:14 | 000,004,133 | ---- | C] () -- C:\WINDOWS\entrust.ini

[2004/10/03 18:58:22 | 000,000,291 | ---- | C] () -- C:\WINDOWS\WSST_Screen_Saver.ini

[2004/10/03 14:42:55 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\dm.ini

[2004/09/11 09:25:25 | 000,000,325 | ---- | C] () -- C:\WINDOWS\lexstat.ini

[2004/08/19 03:35:17 | 000,000,331 | ---- | C] () -- C:\WINDOWS\doom3.ini

[2004/08/02 10:39:05 | 000,000,000 | ---- | C] () -- C:\WINDOWS\pcfriend.INI

[2004/08/02 06:07:01 | 000,202,752 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2004/08/01 16:17:19 | 000,000,420 | ---- | C] () -- C:\WINDOWS\PCPHOTO.INI

[2004/07/23 10:57:19 | 000,030,208 | ---- | C] () -- C:\WINDOWS\System32\WNASPI32.DLL

[2004/07/23 10:57:19 | 000,000,296 | ---- | C] () -- C:\WINDOWS\msfsetup.ini

[2004/07/23 08:37:15 | 000,000,848 | ---- | C] () -- C:\WINDOWS\Rtcwplat.INI

[2004/07/19 12:28:29 | 000,005,600 | R--- | C] () -- C:\WINDOWS\System32\stci.dll

[2004/07/19 08:46:16 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll

[2004/07/19 08:46:16 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll

[2004/07/19 08:46:16 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll

[2004/07/19 08:46:16 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll

[2004/07/19 08:46:16 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll

[2004/07/19 08:46:16 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll

[2004/01/13 05:20:31 | 000,037,248 | ---- | C] () -- C:\WINDOWS\System32\drivers\isapnp.sys

[2004/01/02 03:15:36 | 000,000,536 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini

[2004/01/02 00:39:47 | 000,262,144 | ---- | C] () -- C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT

[2004/01/02 00:39:47 | 000,008,192 | -H-- | C] () -- C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG

[2004/01/02 00:26:18 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\JAWTAccessBridge.dll

[2004/01/02 00:25:53 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\PcdrKernelModeServices.dll

[2004/01/02 00:25:53 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\ProgressTrace.dll

[2004/01/02 00:24:37 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat

[2004/01/02 00:22:47 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll

[2004/01/02 00:09:25 | 000,027,262 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS

[2004/01/02 00:09:05 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\syscontr.dll

[2004/01/02 00:08:33 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll

[2004/01/02 00:03:23 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2004/01/01 23:09:37 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

[2004/01/01 22:28:25 | 000,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll

[2004/01/01 22:28:25 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll

[2004/01/01 22:28:04 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll

[2004/01/01 20:58:57 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2004/01/01 20:29:35 | 000,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini

[2004/01/01 20:29:06 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Owner\ntuser.ini

[2004/01/01 20:29:05 | 005,505,024 | -H-- | C] () -- C:\Documents and Settings\Owner\NTUSER.DAT

[2004/01/01 20:29:05 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\Owner\NTUSER.DAT.LOG

[2004/01/01 20:28:46 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\LocalService\ntuser.ini

[2004/01/01 20:28:45 | 000,237,568 | -H-- | C] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT

[2004/01/01 20:28:45 | 000,237,568 | -H-- | C] () -- C:\Documents and Settings\LocalService\NTUSER.DAT

[2004/01/01 20:28:45 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG

[2004/01/01 20:28:45 | 000,008,192 | -H-- | C] () -- C:\Documents and Settings\LocalService\NTUSER.DAT.LOG

[2004/01/01 20:28:45 | 000,000,020 | -HS- | C] () -- C:\Documents and Settings\NetworkService\ntuser.ini

[2004/01/01 17:23:58 | 000,000,451 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini

[2004/01/01 17:23:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini

[2003/09/22 20:19:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[2003/03/06 18:53:16 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\hpnvr82.dll

[1998/10/10 19:07:38 | 000,088,576 | ---- | C] () -- C:\WINDOWS\System32\Iticheck.dll

========== LOP Check ==========

[2004/01/02 00:37:10 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\config\systemprofile\Application Data\SampleView

[2004/01/02 00:37:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SampleView

[2004/12/23 10:15:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\AquaNox

[2010/06/20 11:32:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Azyhfa

[2004/07/23 12:14:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\FUJIFILM

[2004/08/02 07:30:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\InterVideo

[2004/08/16 08:35:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Kazaa Lite

[2004/08/02 08:11:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Leadertech

[2005/07/30 10:56:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\MobileAction

[2006/11/22 01:52:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Qeyrz

[2004/01/02 00:37:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SampleView

[2009/04/01 15:35:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore

[2010/01/14 21:00:22 | 000,000,340 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job

[2010/01/31 21:01:59 | 000,000,332 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >

[2006/10/21 16:03:02 | 000,000,000 | ---- | M] () -- C:\10.1.19.109

[2004/01/01 20:26:12 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT

[2004/07/19 08:43:58 | 000,000,196 | RHS- | M] () -- C:\BOOT.BAK

[2010/05/26 18:20:44 | 000,000,281 | RHS- | M] () -- C:\boot.ini

[2005/12/13 19:19:52 | 000,006,768 | ---- | M] () -- C:\caavsetup.log

[2003/09/23 23:19:00 | 000,245,920 | RHS- | M] () -- C:\cmldr

[2004/01/01 20:26:12 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS

[2004/10/03 10:31:37 | 000,000,237 | ---- | M] () -- C:\debugInstaller.txt

[2001/09/06 01:00:58 | 001,700,352 | -H-- | M] (Microsoft Corporation) -- C:\gdiplus.dll

[2010/06/25 14:09:10 | 1073,074,176 | -HS- | M] () -- C:\hiberfil.sys

[2004/09/30 17:59:04 | 000,000,489 | ---- | M] () -- C:\ICSYSINF.log

[2005/03/23 18:07:46 | 000,000,215 | ---- | M] () -- C:\install.log

[2004/01/01 20:26:12 | 000,000,000 | RHS- | M] () -- C:\IO.SYS

[2004/01/01 20:26:12 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS

[2009/08/31 19:23:35 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM

[2010/05/17 13:49:40 | 000,250,048 | RHS- | M] () -- C:\ntldr

[2010/06/25 14:09:00 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys

[2010/06/03 18:15:45 | 000,047,262 | ---- | M] () -- C:\TDSSKiller.2.2.8.1_03.06.2010_23.15.42_log.txt

[2010/06/03 18:27:28 | 000,047,262 | ---- | M] () -- C:\TDSSKiller.2.2.8.1_03.06.2010_23.27.27_log.txt

[2010/05/05 17:41:51 | 000,047,300 | ---- | M] () -- C:\TDSSKiller.2.2.8.1_05.05.2010_22.41.47_log.txt

[2010/06/05 13:08:34 | 000,047,262 | ---- | M] () -- C:\TDSSKiller.2.2.8.1_05.06.2010_18.08.33_log.txt

[2010/06/05 13:11:19 | 000,047,300 | ---- | M] () -- C:\TDSSKiller.2.2.8.1_05.06.2010_18.11.15_log.txt

[2010/06/05 13:22:40 | 000,046,218 | ---- | M] () -- C:\TDSSKiller.2.2.8.1_05.06.2010_18.22.40_log.txt

[2010/05/25 19:43:17 | 000,047,300 | ---- | M] () -- C:\TDSSKiller.2.2.8.1_26.05.2010_00.43.14_log.txt

< MD5 for: AGP440.SYS >

[2009/08/31 19:17:34 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys

[2010/05/17 13:41:52 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

[2009/08/31 19:17:34 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys

[2010/05/17 13:41:52 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys

[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys

[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >

[2003/09/24 05:46:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys

[2009/08/31 19:17:34 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys

[2010/05/17 13:41:52 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys

[2003/09/23 22:46:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp1.cab:atapi.sys

[2009/08/31 19:17:34 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys

[2010/05/17 13:41:52 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys

[2003/09/23 16:20:00 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\$NtUninstallQ331958$\atapi.sys

[2003/09/23 16:20:00 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys

[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys

[2010/06/05 13:23:38 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

[2010/05/05 17:43:11 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >

[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll

[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

[2004/08/04 03:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >

[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll

[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll

[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll

[2004/08/04 03:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >

[2004/08/04 03:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll

[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll

[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< CREATERESTOREPOINT >

< %systemroot%\system32\*.dll /lockedfiles >

[2008/06/20 13:46:57 | 000,147,968 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dnsapi.dll

[2010/02/25 06:54:36 | 011,070,976 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\ieframe.dll

[2010/02/25 02:24:35 | 001,985,536 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\iertutil.dll

[2008/04/13 20:12:00 | 000,274,944 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\mstask.dll

[2008/04/13 20:12:02 | 000,067,072 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\ntdsapi.dll

[2008/06/17 15:02:19 | 008,461,312 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\shell32.dll

[3 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >

[2004/01/01 20:17:52 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav

[2004/01/01 20:17:52 | 000,602,112 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav

[2004/01/01 20:17:52 | 000,389,120 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >

[2010/06/05 13:23:38 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\atapi.sys

[2010/04/29 10:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys

[2010/04/29 10:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys

< %systemroot%\system32\user32.dll /md5 >

[2008/04/13 20:12:08 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=B26B135FF1B9F60C9388B4A7D16F600B -- C:\WINDOWS\system32\user32.dll

[3 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\ws2_32.dll /md5 >

[2008/04/13 20:12:10 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\system32\ws2_32.dll

[3 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< End of report >

Hello,

Were you recently infected with TDSS that made you run TDSSKiller? Did it fix anything?

Let's run a fix with OTLPE. Let me know if you can log in to Windows after this fix. We will need to do more steps after this to fully clean out your computer, as it is quite badly infected.

Start OTLPE as you did previously from CD

Copy the attached Fix.txt to a USB fix.txt

  • Insert your USB drive with fix.txt on it
  • Start OTLPE
  • Drag and drop fix.txt into the Custom scans and fixes box
  • If you cannot drag and drop for some reason, press the Run Fix button and a dialogue box will pop up asking for the location; select the file on your USB drive
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done to normal mode if possible

Let me know if you can boot into Windows now, and then we will continue cleaning your system. ;)

"Where you recently infected with TDSS that made you run TDSSKiller? Did it fix anything?"

I certainly was. TDSS was unable to kill it.

I have run your fix script in OTLPE and rebooted.

I am now able to login to Windows. ;)

Thank you so much - I really am very grateful for your help.

On Windows startup my DHCP and Themes services don't start (I have to start them manually).

This was happening before my little login problem and I assume is caused by the infections you mention.

Thanks again my friend - you have had a Scotsman dancing round his living room with joy.

Hello,

I'm happy to hear that your computer is booting again. However, I still think there are infections on board that need to be cleaned out. Let's take a look.

Next

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Custom Scan box, paste this in:
    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

Log from HAMeb_check.exe:

C:\Documents and Settings\Owner\Desktop\HAMeb_check.exe

27/06/2010 at 10:11:18.14

Account active No

Local Group Memberships *Administrators

~~ Checking profile list ~~

S-1-5-21-1234545408-2806472805-2626087336-1006

%SystemDrive%\Documents and Settings\HelpAssistant

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86ECBEE4]<<

kernel: MBR read successfully

user & kernel MBR OK

copy of MBR has been found in sector 0x01D1C06C0

malicious code @ sector 0x01D1C06C3 !

PE file found in sector at 0x01D1C06D9 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters

ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

"65533:TCP"=65533:TCP:*:Enabled:Services

"52344:TCP"=52344:TCP:*:Enabled:Services

"5403:TCP"=5403:TCP:*:Enabled:Services

"9306:TCP"=9306:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"65533:TCP"=65533:TCP:*:Enabled:Services

"52344:TCP"=52344:TCP:*:Enabled:Services

"5403:TCP"=5403:TCP:*:Enabled:Services

"9306:TCP"=9306:TCP:*:Enabled:Services

~~ EOF ~~

OTL.txt PART 1

OTL logfile created on: 27/06/2010 10:19:27 - Run 4

OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\Owner\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,023.00 Mb Total Physical Memory | 579.00 Mb Available Physical Memory | 57.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 82.00% Paging File free

Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 229.31 Gb Total Space | 107.49 Gb Free Space | 46.88% Space Free | Partition Type: NTFS

Drive D: | 3.56 Gb Total Space | 0.34 Gb Free Space | 9.51% Space Free | Partition Type: FAT32

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: PRESARIO

Current User Name: Owner

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)

PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)

PRC - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)

PRC - c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)

PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)

PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)

PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe (Tech Mahindra- PUNE)

PRC - C:\Program Files\Yahoo!\browser\ycommon.exe (Yahoo!, Inc.)

PRC - C:\Program Files\Sony\SonicStage\SSAAD.exe ()

PRC - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe (Check Point Software Technologies)

PRC - C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe (Check Point Software Technologies)

PRC - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe (Check Point Software Technologies)

PRC - C:\Program Files\Presario PC Help\Presario\XPHWWRP4\plugin\bin\PCHButton.exe (Motive Communications, Inc.)

PRC - C:\Program Files\Multimedia Card Reader\shwicon2k.exe (Alcor Micro, Corp.)

PRC - C:\WINDOWS\system32\hphmon05.exe (Hewlett-Packard)

PRC - C:\Program Files\Alcatel\SpeedTouch USB\dragdiag.exe (Alcatel Bell)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)

MOD - C:\WINDOWS\system32\nview.dll (NVIDIA Corporation)

MOD - C:\WINDOWS\system32\nvwddi.dll (NVIDIA Corporation)

========== Win32 Services (SafeList) ==========

SRV - (mcmscsvc) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)

SRV - (McAfee SiteAdvisor Service) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)

SRV - (MpfService) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)

SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)

SRV - (McShield) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)

SRV - (McSysmon) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)

SRV - (McProxy) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)

SRV - (McNASvc) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)

SRV - (TVersityMediaServer) -- C:\Program Files\TVersity\Media Server\MediaServer.exe ()

SRV - (Wireless Adapter Configurator) -- C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe (Tech Mahindra- PUNE)

SRV - (SSScsiSV) -- C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe (Sony Corporation)

SRV - (MSCSPTISRV) -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (Sony Corporation)

SRV - (PACSPTISVR) -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe (Sony Corporation)

SRV - (SPTISRV) -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (Sony Corporation)

SRV - (SR_WatchDog) -- C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe (Check Point Software Technologies)

SRV - (SR_Service) -- C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe (Check Point Software Technologies)

========== Driver Services (SafeList) ==========

DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)

DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)

DRV - (mfesmfk) -- C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee, Inc.)

DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)

DRV - (mferkdk) -- C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee, Inc.)

DRV - (MPFP) -- C:\WINDOWS\system32\drivers\Mpfp.sys (McAfee, Inc.)

DRV - (USB_RNDIS) -- C:\WINDOWS\system32\drivers\usb8023.sys (Microsoft Corporation)

DRV - (Changer) -- C:\WINDOWS\system32\drivers\changer.sys (Microsoft Corporation)

DRV - (lbrtfdc) -- C:\WINDOWS\system32\drivers\lbrtfdc.sys (Toshiba Corp.)

DRV - (RTL8187B) -- C:\WINDOWS\system32\drivers\wg111v3.sys (Realtek Semiconductor Corporation )

DRV - (AFS2K) -- C:\WINDOWS\system32\drivers\AFS2K.SYS (Oak Technology Inc.)

DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)

DRV - (MaRdPnp) -- C:\WINDOWS\system32\drivers\mardp2k.sys (Mobile Action Technology Inc.)

DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)

DRV - (VPN-1) -- C:\WINDOWS\System32\drivers\vpn.sys (Check Point Software Technologies)

DRV - (FW1) -- C:\WINDOWS\system32\drivers\fw.sys (Check Point Software Technologies)

DRV - (Scap) -- C:\WINDOWS\system32\drivers\scap.sys (Check Point Software Technologies)

DRV - (OMVA) -- C:\WINDOWS\system32\drivers\omva.sys (Check Point Software Technologies)

DRV - (ALCXSENS) -- C:\WINDOWS\system32\drivers\alcxsens.sys (Sensaura Ltd)

DRV - (SiS315) -- C:\WINDOWS\system32\drivers\sisgrp.sys (Silicon Integrated Systems Corporation)

DRV - (SiSkp) -- C:\WINDOWS\system32\drivers\srvkp.sys (Silicon Integrated Systems Corporation)

DRV - (PRISM_A00) -- C:\WINDOWS\system32\drivers\PRISMA00.sys (GlobespanVirata, Inc.)

DRV - (HSFHWBS2) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys (Conexant Systems, Inc.)

DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)

DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)

DRV - (SunkFilt) -- C:\WINDOWS\system32\drivers\Sunkfilt.sys (Alcor Micro Corp.)

DRV - (Pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)

DRV - (nv_agp) -- C:\WINDOWS\System32\DRIVERS\nv_agp.sys (NVIDIA Corporation)

DRV - (SISAGP) -- C:\WINDOWS\System32\DRIVERS\SISAGPX.sys (Silicon Integrated Systems Corporation)

DRV - (SISNIC) -- C:\WINDOWS\system32\drivers\sisnic.sys (SiS Corporation)

DRV - (viaagp1) -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.)

DRV - (rtl8139) -- C:\WINDOWS\system32\drivers\R8139n51.sys (Realtek Semiconductor Corporation )

DRV - (Ps2) -- C:\WINDOWS\system32\drivers\PS2.sys (Hewlett-Packard Company)

DRV - (MASPINT) -- C:\WINDOWS\system32\drivers\MASPINT.SYS (MicroStaff Co.,Ltd.)

DRV - (alcaudsl) -- C:\WINDOWS\system32\drivers\alcaudsl.sys (Alcatel Bell)

DRV - (alcan5wn) Alcatel SpeedTouch USB ADSL PPP Networking Driver (NDISWAN) -- C:\WINDOWS\system32\drivers\alcan5wn.sys (Alcatel Bell)

DRV - (EL90XBC) -- C:\WINDOWS\system32\drivers\el90xbc5.sys (3Com Corporation)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qgb10.hpwis.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qgb10.hpwis.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Ask.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultUrl = http://www.mywebsearch.com/jsp/cfg_redir2....her&gcht=sv

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/

IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/06/05 00:03:45 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009/04/28 18:22:37 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2010/06/27 00:48:29 | 000,000,711 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)

O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)

O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)

O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O2 - BHO: (SidebarAutoLaunch Class) - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll (Yahoo! Inc.)

O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

O4 - HKLM..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe (Hewlett-Packard)

O4 - HKLM..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe (Hewlett-Packard)

O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)

O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)

O4 - HKLM..\Run: [PS2] C:\WINDOWS\system32\ps2.EXE (Hewlett-Packard Company)

O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()

O4 - HKLM..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE (FUJI PHOTO FILM CO., LTD.)

O4 - HKLM..\Run: [speedTouch USB Diagnostics] C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe (Alcatel Bell)

O4 - HKLM..\Run: [ssAAD.exe] C:\Program Files\Sony\SonicStage\SSAAD.exe ()

O4 - HKLM..\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe (Alcor Micro, Corp.)

O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)

O4 - HKLM..\Run: [updateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)

O4 - HKLM..\Run: [VTTimer] File not found

O4 - HKCU..\Run: [Acme.PCHButton] C:\Program Files\Presario PC Help\Presario\XPHWWRP4\plugin\bin\PCHButton.exe (Motive Communications, Inc.)

O4 - HKCU..\Run: [eyeBeam SIP Client] File not found

O4 - HKCU..\Run: [RecordNow!] File not found

O4 - HKCU..\Run: [steam] C:\Program Files\Valve\Steam\Steam.exe (Valve Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)

O9 - Extra Button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)

O9 - Extra Button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe ()

O9 - Extra 'Tools' menuitem : PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe ()

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flash...ent/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} http://66.117.37.13/dba2161.exe (Reg Error: Key error.)

O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254

O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\ckpNotify: DllName - ckpNotify.dll - C:\WINDOWS\System32\ckpNotify.dll (Check Point Software Technologies)

O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)

O24 - Desktop WallPaper: C:\Documents and Settings\Owner\My Documents\crowsolo.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\My Documents\crowsolo.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2004/01/02 01:26:12 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2001/07/27 21:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]

O32 - AutoRun File - [2002/09/10 18:02:32 | 000,000,045 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]

O33 - MountPoints2\{0ec6b3b4-ffbc-11de-9b5e-0090d05433d5}\Shell\AutoRun\command - "" = F:\Launcher.exe -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*


OTL.txt Part 2

NetSvcs: 6to4 - File not found

NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/06/23 19:47:26 | 000,000,000 | ---D | M]

NetSvcs: Iprip - File not found

NetSvcs: Irmon - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)

NetSvcs: WmdmPmSp - File not found

Drivers32: midi - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)

Drivers32: midimapper - C:\WINDOWS\System32\midimap.dll (Microsoft Corporation)

Drivers32: mixer - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)

Drivers32: msacm.iac2 - C:\WINDOWS\System32\iac25_32.ax (Intel Corporation)

Drivers32: msacm.imaadpcm - C:\WINDOWS\System32\imaadp32.acm (Microsoft Corporation)

Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)

Drivers32: msacm.msadpcm - C:\WINDOWS\System32\msadp32.acm (Microsoft Corporation)

Drivers32: msacm.msaudio1 - C:\WINDOWS\System32\msaud32.acm (Microsoft Corporation)

Drivers32: msacm.msg711 - C:\WINDOWS\System32\msg711.acm (Microsoft Corporation)

Drivers32: msacm.msg723 - C:\WINDOWS\System32\msg723.acm (Microsoft Corporation)

Drivers32: msacm.msgsm610 - C:\WINDOWS\System32\msgsm32.acm (Microsoft Corporation)

Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)

Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)

Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)

Drivers32: vidc.ffds - C:\WINDOWS\System32\ff_vfw.dll ()

Drivers32: vidc.I420 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)

Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()

Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()

Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)

Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

Drivers32: vidc.iyuv - C:\WINDOWS\System32\iyuv_32.dll (Microsoft Corporation)

Drivers32: vidc.LEAD - C:\WINDOWS\System32\LCodcCMP.dll (LEAD Technologies, Inc.)

Drivers32: vidc.M261 - C:\WINDOWS\System32\msh261.drv (Microsoft Corporation)

Drivers32: vidc.M263 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)

Drivers32: vidc.mrle - C:\WINDOWS\System32\msrle32.dll (Microsoft Corporation)

Drivers32: vidc.msvc - C:\WINDOWS\System32\msvidc32.dll (Microsoft Corporation)

Drivers32: vidc.uyvy - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)

Drivers32: vidc.VP60 - C:\WINDOWS\System32\vp6vfw.dll (On2.com)

Drivers32: vidc.VP61 - C:\WINDOWS\System32\vp6vfw.dll (On2.com)

Drivers32: vidc.VP62 - C:\WINDOWS\System32\vp6vfw.dll (On2.com)

Drivers32: vidc.yuy2 - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)

Drivers32: vidc.yvu9 - C:\WINDOWS\System32\tsbyuv.dll (Microsoft Corporation)

Drivers32: vidc.yvyu - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)

Drivers32: wave - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)

Drivers32: wavemapper - C:\WINDOWS\System32\msacm32.drv (Microsoft Corporation)

CREATERESTOREPOINT

Error starting restore point: System Restore is disabled.

Error closing restore point: System Restore is disabled.

========== Files/Folders - Created Within 30 Days ==========

[2010/06/26 21:22:48 | 000,000,000 | ---D | C] -- C:\_OTL

[2010/06/20 14:18:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe

[2010/05/30 11:59:07 | 000,574,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

[2010/05/30 11:59:05 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Owner\Desktop\HijackThis.exe

[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/27 10:17:22 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

[2010/06/27 10:09:05 | 000,015,651 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF

[2010/06/27 10:07:01 | 000,004,452 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml

[2010/06/27 10:07:00 | 000,000,188 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.DAT

[2010/06/27 10:06:39 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/06/27 10:06:36 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/06/27 10:06:35 | 1073,074,176 | -HS- | M] () -- C:\hiberfil.sys

[2010/06/27 00:48:31 | 005,505,024 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT

[2010/06/27 00:47:49 | 001,276,928 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Golf Scores (version 1).xls

[2010/06/27 00:41:13 | 000,485,896 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HAMeb_check.exe

[2010/06/26 14:32:15 | 000,000,364 | ---- | M] () -- C:\WINDOWS\tasks\Symantec NetDetect.job

[2010/06/25 19:09:12 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/06/22 23:58:35 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini

[2010/06/12 01:04:02 | 000,202,752 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/06/08 23:00:23 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Defogger.exe

[2010/06/07 18:41:52 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Lunchbox Menu 20100323 COLOUR.xls

[2010/06/05 14:08:29 | 000,001,916 | -H-- | M] () -- C:\Documents and Settings\Owner\My Documents\Default.rdp

[2010/06/01 20:00:09 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/27 00:41:07 | 000,485,896 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HAMeb_check.exe

[2010/06/21 23:26:41 | 1073,074,176 | -HS- | C] () -- C:\hiberfil.sys

[2010/06/08 23:00:20 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Defogger.exe

[2010/05/30 11:59:12 | 000,824,681 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RSIT.exe

[2010/05/30 11:59:06 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\kotlipwj.exe

[2009/01/08 01:11:22 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll

[2009/01/08 01:11:22 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest

[2007/02/28 20:16:14 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll

[2007/02/28 20:16:14 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll

[2007/02/28 20:16:14 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll

[2006/12/27 14:55:41 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll

[2005/12/14 00:18:50 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll

[2005/05/04 18:48:41 | 000,106,592 | ---- | C] () -- C:\WINDOWS\System32\fwnetcfg.dll

[2005/05/04 18:48:14 | 000,004,133 | ---- | C] () -- C:\WINDOWS\entrust.ini

[2004/10/03 23:58:22 | 000,000,291 | ---- | C] () -- C:\WINDOWS\WSST_Screen_Saver.ini

[2004/09/11 14:25:25 | 000,000,325 | ---- | C] () -- C:\WINDOWS\lexstat.ini

[2004/08/19 08:35:17 | 000,000,331 | ---- | C] () -- C:\WINDOWS\doom3.ini

[2004/08/02 15:39:05 | 000,000,000 | ---- | C] () -- C:\WINDOWS\pcfriend.INI

[2004/08/01 21:17:19 | 000,000,420 | ---- | C] () -- C:\WINDOWS\PCPHOTO.INI

[2004/07/23 15:57:19 | 000,030,208 | ---- | C] () -- C:\WINDOWS\System32\WNASPI32.DLL

[2004/07/23 15:57:19 | 000,000,296 | ---- | C] () -- C:\WINDOWS\msfsetup.ini

[2004/07/23 13:37:15 | 000,000,848 | ---- | C] () -- C:\WINDOWS\Rtcwplat.INI

[2004/07/19 17:28:29 | 000,005,600 | R--- | C] () -- C:\WINDOWS\System32\stci.dll

[2004/07/19 13:46:16 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll

[2004/07/19 13:46:16 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll

[2004/07/19 13:46:16 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll

[2004/07/19 13:46:16 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll

[2004/07/19 13:46:16 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll

[2004/07/19 13:46:16 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll

[2004/01/02 08:15:36 | 000,000,536 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini

[2004/01/02 05:26:18 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\JAWTAccessBridge.dll

[2004/01/02 05:25:53 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\PcdrKernelModeServices.dll

[2004/01/02 05:25:53 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\ProgressTrace.dll

[2004/01/02 05:22:47 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll

[2004/01/02 05:09:25 | 000,027,262 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS

[2004/01/02 05:09:05 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\syscontr.dll

[2004/01/02 05:08:33 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll

[2004/01/02 05:03:23 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2004/01/02 04:09:37 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

[2004/01/02 03:28:25 | 000,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll

[2004/01/02 03:28:25 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll

[2004/01/02 03:28:04 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll

[2004/01/02 01:58:57 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2004/01/02 01:29:35 | 000,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini

[2004/01/01 22:23:58 | 000,000,451 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini

[2004/01/01 22:23:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini

[2003/09/23 01:19:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[2003/03/06 23:53:16 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\hpnvr82.dll

[1998/10/11 00:07:38 | 000,088,576 | ---- | C] () -- C:\WINDOWS\System32\Iticheck.dll


Hello,

Don't worry about the extras log right now. We can get it again later. Let's get a run with one other program here and see what it shows. :)

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Hi,

I tried disabling everything I could think of.

I have McAfee - I disabled Virus Protection; Spyware Protection; SystemGuards Protection; and Script Scanning.

I have tried running ComboFix several times.

Each time, I get a BSOD about 2 or minutes into its scan.

I'm not sure if I am failing to disable something significant?

Sorry to be a pain.


Hello,

That's ok, let's go a different way.

Were you able to get rid of TDSS even though TDSSKiller failed to remove it?

Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Next

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} http://66.117.37.13/dba2161.exe (Reg Error: Key error.)

    :Services

    :Reg

    :Files

    :Commands
    [purity]
    [emptyflash]
    [emptytemp]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and under the Extra Registry section, select Use Safelist
  • Then click on the Run Scan button. When it's done, it will create two logs, please post both of those in your next reply.

Please post the logs from GMER and both OTL logs (OTL.txt and Extras.txt).
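As an added triage example (not OTL's own code and not something the helper posted), this is the kind of check behind the fix above: a small Python pass over OTL log lines that flags the entries a reviewer looks at first, such as a DPF entry that downloads an executable from a bare IP address, and autostarts or services whose target file no longer exists. The sample lines are copied in shape from the log posted in this thread; the set of tags checked and the reason strings are my own assumptions.

```python
"""Triage helper for OTL log lines (added example, not OldTimer's code)."""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: line shapes taken from the OTL log posted in this thread.
SAMPLE_OTL_LINES = [
    "O4 - HKLM..\\Run: [mcagent_exe] C:\\Program Files\\McAfee.com\\Agent\\mcagent.exe (McAfee, Inc.)",
    "O4 - HKLM..\\Run: [VTTimer] File not found",
    "O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)",
    "O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} http://66.117.37.13/dba2161.exe (Reg Error: Key error.)",
    "O33 - MountPoints2\\{0ec6b3b4-ffbc-11de-9b5e-0090d05433d5}\\Shell\\AutoRun\\command - \"\" = F:\\Launcher.exe -- File not found",
    "SRV - (PEVSystemStart) -- File not found",
    "O1 - Hosts: 127.0.0.1 localhost",
]

# OTL prefixes each entry with a section tag (O4, O16, SRV, DRV, ...).
ENTRY_RE = re.compile(r"^(?P<tag>O\d+|PRC|MOD|SRV|DRV|IE|FF|NetSvcs|Drivers32)\b")
URL_RE = re.compile(r"(?P<url>https?://\S+)")

# Assumed: autostart-style tags where a missing target is worth a look.
ORPHAN_TAGS = {"O4", "O33", "SRV", "DRV"}


def is_bare_ip(host: str) -> bool:
    """True when the URL host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def flag_otl_entry(line: str) -> list:
    """Return the reasons (possibly none) why this OTL line deserves review."""
    reasons = []
    m = ENTRY_RE.match(line)
    if not m:
        return reasons
    tag = m.group("tag")

    # Autostart or service entries whose target file is gone.
    if tag in ORPHAN_TAGS and "File not found" in line:
        reasons.append("orphaned autostart: target file missing")

    # O16 DPF = ActiveX download entries; check where they point.
    if tag == "O16":
        u = URL_RE.search(line)
        if u:
            parsed = urlparse(u.group("url"))
            if is_bare_ip(parsed.hostname or ""):
                reasons.append("ActiveX download from a bare IP address")
            if parsed.path.lower().endswith(".exe"):
                reasons.append("ActiveX entry points at a raw executable")

    # O33 MountPoints2 entries are AutoRun commands tied to removable media.
    if tag == "O33" and "AutoRun" in line:
        reasons.append("removable-media AutoRun command")

    return reasons


def triage(lines) -> list:
    """Pair each flagged line with its reasons; unflagged lines are dropped."""
    results = []
    for line in lines:
        reasons = flag_otl_entry(line)
        if reasons:
            results.append((line, reasons))
    return results


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_OTL_LINES):
        print(line)
        for r in reasons:
            print("    ->", r)
```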


Hi again,

Sorry I have taken so long to reply (my house was being decorated and I couldn't get to my PC).

I am not sure if I managed to get rid of the TDSS rootkit or not.

I tried running the GMER scan but had to abort it after it had been running for 18 hours - have I been too impatient?

I ran the OTL fix.

I ran the OTL scan:

OTL.txt:

OTL logfile created on: 04/07/2010 14:08:21 - Run 5

OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\Owner\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,023.00 Mb Total Physical Memory | 524.00 Mb Available Physical Memory | 51.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free

Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 229.31 Gb Total Space | 107.77 Gb Free Space | 47.00% Space Free | Partition Type: NTFS

Drive D: | 3.56 Gb Total Space | 0.34 Gb Free Space | 9.51% Space Free | Partition Type: FAT32

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: PRESARIO

Current User Name: Owner

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)

PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)

PRC - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)

PRC - c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)

PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)

PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)

PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe (Tech Mahindra- PUNE)

PRC - C:\Program Files\Yahoo!\browser\ycommon.exe (Yahoo!, Inc.)

PRC - C:\Program Files\Sony\SonicStage\SSAAD.exe ()

PRC - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe (Check Point Software Technologies)

PRC - C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe (Check Point Software Technologies)

PRC - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe (Check Point Software Technologies)

PRC - C:\Program Files\Presario PC Help\Presario\XPHWWRP4\plugin\bin\PCHButton.exe (Motive Communications, Inc.)

PRC - C:\Program Files\Multimedia Card Reader\shwicon2k.exe (Alcor Micro, Corp.)

PRC - C:\WINDOWS\system32\hphmon05.exe (Hewlett-Packard)

PRC - C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)

PRC - C:\Program Files\Alcatel\SpeedTouch USB\dragdiag.exe (Alcatel Bell)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)

MOD - C:\WINDOWS\system32\nview.dll (NVIDIA Corporation)

MOD - C:\WINDOWS\system32\nvwddi.dll (NVIDIA Corporation)

========== Win32 Services (SafeList) ==========

SRV - (PEVSystemStart) -- File not found

SRV - (mcmscsvc) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)

SRV - (McAfee SiteAdvisor Service) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)

SRV - (MpfService) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)

SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)

SRV - (McShield) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)

SRV - (McSysmon) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)

SRV - (McProxy) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)

SRV - (McNASvc) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)

SRV - (TVersityMediaServer) -- C:\Program Files\TVersity\Media Server\MediaServer.exe ()

SRV - (Wireless Adapter Configurator) -- C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe (Tech Mahindra- PUNE)

SRV - (SSScsiSV) -- C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe (Sony Corporation)

SRV - (MSCSPTISRV) -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (Sony Corporation)

SRV - (PACSPTISVR) -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe (Sony Corporation)

SRV - (SPTISRV) -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (Sony Corporation)

SRV - (SR_WatchDog) -- C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe (Check Point Software Technologies)

SRV - (SR_Service) -- C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe (Check Point Software Technologies)

========== Driver Services (SafeList) ==========

DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)

DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)

DRV - (mfesmfk) -- C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee, Inc.)

DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)

DRV - (mferkdk) -- C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee, Inc.)

DRV - (MPFP) -- C:\WINDOWS\system32\drivers\Mpfp.sys (McAfee, Inc.)

DRV - (USB_RNDIS) -- C:\WINDOWS\system32\drivers\usb8023.sys (Microsoft Corporation)

DRV - (Changer) -- C:\WINDOWS\system32\drivers\changer.sys (Microsoft Corporation)

DRV - (lbrtfdc) -- C:\WINDOWS\system32\drivers\lbrtfdc.sys (Toshiba Corp.)

DRV - (RTL8187B) -- C:\WINDOWS\system32\drivers\wg111v3.sys (Realtek Semiconductor Corporation )

DRV - (AFS2K) -- C:\WINDOWS\system32\drivers\AFS2K.SYS (Oak Technology Inc.)

DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)

DRV - (MaRdPnp) -- C:\WINDOWS\system32\drivers\mardp2k.sys (Mobile Action Technology Inc.)

DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)

DRV - (VPN-1) -- C:\WINDOWS\System32\drivers\vpn.sys (Check Point Software Technologies)

DRV - (FW1) -- C:\WINDOWS\system32\drivers\fw.sys (Check Point Software Technologies)

DRV - (Scap) -- C:\WINDOWS\system32\drivers\scap.sys (Check Point Software Technologies)

DRV - (OMVA) -- C:\WINDOWS\system32\drivers\omva.sys (Check Point Software Technologies)

DRV - (ALCXSENS) -- C:\WINDOWS\system32\drivers\alcxsens.sys (Sensaura Ltd)

DRV - (SiS315) -- C:\WINDOWS\system32\drivers\sisgrp.sys (Silicon Integrated Systems Corporation)

DRV - (SiSkp) -- C:\WINDOWS\system32\drivers\srvkp.sys (Silicon Integrated Systems Corporation)

DRV - (PRISM_A00) -- C:\WINDOWS\system32\drivers\PRISMA00.sys (GlobespanVirata, Inc.)

DRV - (HSFHWBS2) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys (Conexant Systems, Inc.)

DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)

DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)

DRV - (SunkFilt) -- C:\WINDOWS\system32\drivers\Sunkfilt.sys (Alcor Micro Corp.)

DRV - (Pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)

DRV - (nv_agp) -- C:\WINDOWS\System32\DRIVERS\nv_agp.sys (NVIDIA Corporation)

DRV - (SISAGP) -- C:\WINDOWS\System32\DRIVERS\SISAGPX.sys (Silicon Integrated Systems Corporation)

DRV - (SISNIC) -- C:\WINDOWS\system32\drivers\sisnic.sys (SiS Corporation)

DRV - (viaagp1) -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.)

DRV - (rtl8139) -- C:\WINDOWS\system32\drivers\R8139n51.sys (Realtek Semiconductor Corporation )

DRV - (Ps2) -- C:\WINDOWS\system32\drivers\PS2.sys (Hewlett-Packard Company)

DRV - (MASPINT) -- C:\WINDOWS\system32\drivers\MASPINT.SYS (MicroStaff Co.,Ltd.)

DRV - (alcaudsl) -- C:\WINDOWS\system32\drivers\alcaudsl.sys (Alcatel Bell)

DRV - (alcan5wn) Alcatel SpeedTouch USB ADSL PPP Networking Driver (NDISWAN) -- C:\WINDOWS\system32\drivers\alcan5wn.sys (Alcatel Bell)

DRV - (EL90XBC) -- C:\WINDOWS\system32\drivers\el90xbc5.sys (3Com Corporation)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qgb10.hpwis.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qgb10.hpwis.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Ask.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultUrl = http://www.mywebsearch.com/jsp/cfg_redir2....her&gcht=sv

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/

IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/06/05 00:03:45 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009/04/28 18:22:37 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2010/06/27 21:40:37 | 000,000,711 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)

O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)

O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)

O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O2 - BHO: (SidebarAutoLaunch Class) - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll (Yahoo! Inc.)

O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

O4 - HKLM..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe (Hewlett-Packard)

O4 - HKLM..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe (Hewlett-Packard)

O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)

O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)

O4 - HKLM..\Run: [PS2] C:\WINDOWS\system32\ps2.EXE (Hewlett-Packard Company)

O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()

O4 - HKLM..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE (FUJI PHOTO FILM CO., LTD.)

O4 - HKLM..\Run: [speedTouch USB Diagnostics] C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe (Alcatel Bell)

O4 - HKLM..\Run: [ssAAD.exe] C:\Program Files\Sony\SonicStage\SSAAD.exe ()

O4 - HKLM..\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe (Alcor Micro, Corp.)

O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)

O4 - HKLM..\Run: [updateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)

O4 - HKLM..\Run: [VTTimer] File not found

O4 - HKCU..\Run: [Acme.PCHButton] C:\Program Files\Presario PC Help\Presario\XPHWWRP4\plugin\bin\PCHButton.exe (Motive Communications, Inc.)

O4 - HKCU..\Run: [eyeBeam SIP Client] File not found

O4 - HKCU..\Run: [RecordNow!] File not found

O4 - HKCU..\Run: [steam] C:\Program Files\Valve\Steam\Steam.exe (Valve Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)

O9 - Extra Button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)

O9 - Extra Button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe ()

O9 - Extra 'Tools' menuitem : PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe ()

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flash...ent/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254

O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\ckpNotify: DllName - ckpNotify.dll - C:\WINDOWS\System32\ckpNotify.dll (Check Point Software Technologies)

O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)

O24 - Desktop WallPaper: C:\Documents and Settings\Owner\My Documents\crowsolo.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\My Documents\crowsolo.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2004/01/02 01:26:12 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2001/07/27 21:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]

O32 - AutoRun File - [2002/09/10 18:02:32 | 000,000,045 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]

O33 - MountPoints2\{0ec6b3b4-ffbc-11de-9b5e-0090d05433d5}\Shell\AutoRun\command - "" = F:\Launcher.exe -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/27 19:17:32 | 000,000,000 | --SD | C] -- C:\ComboFix

[2010/06/27 19:03:28 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2010/06/27 19:03:27 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010/06/27 19:03:27 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010/06/27 19:03:27 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010/06/27 19:03:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/06/27 19:02:35 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/06/26 21:22:48 | 000,000,000 | ---D | C] -- C:\_OTL

[2010/06/20 14:18:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe

========== Files - Modified Within 30 Days ==========

[2010/07/04 14:06:41 | 000,015,651 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF

[2010/07/04 14:05:04 | 000,004,452 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml

[2010/07/04 14:04:57 | 000,000,188 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.DAT

[2010/07/04 14:03:53 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/07/04 14:03:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/07/04 14:03:49 | 1073,074,176 | -HS- | M] () -- C:\hiberfil.sys

[2010/07/04 14:03:00 | 005,505,024 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT

[2010/07/04 13:53:24 | 001,282,560 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Golf Scores (version 1).xls

[2010/07/03 11:58:19 | 000,001,916 | -H-- | M] () -- C:\Documents and Settings\Owner\My Documents\Default.rdp

[2010/07/03 10:32:00 | 000,000,364 | ---- | M] () -- C:\WINDOWS\tasks\Symantec NetDetect.job

[2010/07/03 10:10:23 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/06/27 20:27:04 | 000,293,376 | ---- | M] () -- C:\w3nb0cl3.exe

[2010/06/27 19:00:49 | 003,721,631 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe

[2010/06/27 10:17:22 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

[2010/06/27 00:41:13 | 000,485,896 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HAMeb_check.exe

[2010/06/22 23:58:35 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini

[2010/06/12 01:04:02 | 000,202,752 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/06/08 23:00:23 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Defogger.exe

[2010/06/07 18:41:52 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Lunchbox Menu 20100323 COLOUR.xls

========== Files Created - No Company Name ==========

[2010/06/27 20:27:01 | 000,293,376 | ---- | C] () -- C:\w3nb0cl3.exe

[2010/06/27 19:03:28 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2010/06/27 19:03:28 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010/06/27 19:03:27 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2010/06/27 19:03:27 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2010/06/27 19:03:27 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2010/06/27 19:00:49 | 003,721,631 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe

[2010/06/27 00:41:07 | 000,485,896 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HAMeb_check.exe

[2010/06/21 23:26:41 | 1073,074,176 | -HS- | C] () -- C:\hiberfil.sys

[2010/06/08 23:00:20 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Defogger.exe

[2009/01/08 01:11:22 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll

[2009/01/08 01:11:22 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest

[2007/02/28 20:16:14 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll

[2007/02/28 20:16:14 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll

[2007/02/28 20:16:14 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll

[2006/12/27 14:55:41 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll

[2005/12/14 00:18:50 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll

[2005/05/04 18:48:41 | 000,106,592 | ---- | C] () -- C:\WINDOWS\System32\fwnetcfg.dll

[2005/05/04 18:48:14 | 000,004,133 | ---- | C] () -- C:\WINDOWS\entrust.ini

[2004/10/03 23:58:22 | 000,000,291 | ---- | C] () -- C:\WINDOWS\WSST_Screen_Saver.ini

[2004/09/11 14:25:25 | 000,000,325 | ---- | C] () -- C:\WINDOWS\lexstat.ini

[2004/08/19 08:35:17 | 000,000,331 | ---- | C] () -- C:\WINDOWS\doom3.ini

[2004/08/02 15:39:05 | 000,000,000 | ---- | C] () -- C:\WINDOWS\pcfriend.INI

[2004/08/01 21:17:19 | 000,000,420 | ---- | C] () -- C:\WINDOWS\PCPHOTO.INI

[2004/07/23 15:57:19 | 000,030,208 | ---- | C] () -- C:\WINDOWS\System32\WNASPI32.DLL

[2004/07/23 15:57:19 | 000,000,296 | ---- | C] () -- C:\WINDOWS\msfsetup.ini

[2004/07/23 13:37:15 | 000,000,848 | ---- | C] () -- C:\WINDOWS\Rtcwplat.INI

[2004/07/19 17:28:29 | 000,005,600 | R--- | C] () -- C:\WINDOWS\System32\stci.dll

[2004/07/19 13:46:16 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll

[2004/07/19 13:46:16 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll

[2004/07/19 13:46:16 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll

[2004/07/19 13:46:16 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll

[2004/07/19 13:46:16 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll

[2004/07/19 13:46:16 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll

[2004/01/02 08:15:36 | 000,000,536 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini

[2004/01/02 05:26:18 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\JAWTAccessBridge.dll

[2004/01/02 05:25:53 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\PcdrKernelModeServices.dll

[2004/01/02 05:25:53 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\ProgressTrace.dll

[2004/01/02 05:22:47 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll

[2004/01/02 05:09:25 | 000,027,262 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS

[2004/01/02 05:09:05 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\syscontr.dll

[2004/01/02 05:08:33 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll

[2004/01/02 05:03:23 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2004/01/02 04:09:37 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

[2004/01/02 03:28:25 | 000,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll

[2004/01/02 03:28:25 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll

[2004/01/02 03:28:04 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll

[2004/01/02 01:58:57 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2004/01/02 01:29:35 | 000,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini

[2004/01/01 22:23:58 | 000,000,451 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini

[2004/01/01 22:23:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini

[2003/09/23 01:19:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[2003/03/06 23:53:16 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\hpnvr82.dll

[1998/10/11 00:07:38 | 000,088,576 | ---- | C] () -- C:\WINDOWS\System32\Iticheck.dll

< End of report >

Extras.txt to follow


Extras.txt (part1):

OTL Extras logfile created on: 04/07/2010 14:08:21 - Run 5

OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\Owner\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,023.00 Mb Total Physical Memory | 524.00 Mb Available Physical Memory | 51.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free

Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 229.31 Gb Total Space | 107.77 Gb Free Space | 47.00% Space Free | Partition Type: NTFS

Drive D: | 3.56 Gb Total Space | 0.34 Gb Free Space | 9.51% Space Free | Partition Type: FAT32

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: PRESARIO

Current User Name: Owner

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [FinePix] -- "C:\Program Files\FinePixViewer\FinePixViewer.exe" "%1" (FUJI PHOTO FILM CO.,LTD.)

Directory [FinePixPrint] -- "C:\Program Files\FinePixViewer\FinePixViewer.exe" /p "%1" (FUJI PHOTO FILM CO.,LTD.)

Directory [TVersity] -- "C:\Program Files\TVersity\Media Server\GUILaunch.exe" -type "folder" -url "%1" -title "" -tags "" ()

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"AntiVirusOverride" = 0

"FirewallOverride" = 0

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"65533:TCP" = 65533:TCP:*:Enabled:Services

"52344:TCP" = 52344:TCP:*:Enabled:Services

"5403:TCP" = 5403:TCP:*:Enabled:Services

"9306:TCP" = 9306:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

"65533:TCP" = 65533:TCP:*:Enabled:Services

"52344:TCP" = 52344:TCP:*:Enabled:Services

"5403:TCP" = 5403:TCP:*:Enabled:Services

"9306:TCP" = 9306:TCP:*:Enabled:Services

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)

"C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe" = C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe:*:Enabled:SecureClient Application -- (Check Point Software Technologies)

"C:\MicroGaming\Casino\SpinPalace\casinogame.exe" = C:\MicroGaming\Casino\SpinPalace\casinogame.exe:*:Enabled:Game Launcher -- (Microgaming Systems)

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam

"{0861E87B-24D7-4E7C-B11B-54F86E5C5199}" = hpg8200

"{092eeeee-9fdd-4895-a568-0818c96beb6c}" = AiO_Scan

"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager

"{0DEA94ED-915A-4834-A87E-388D012C8E02}" = Medal of Honor Allied Assault

"{10E1E87C-656C-4D08-86D6-5443D28583BE}" = TrayApp

"{13F00518-807A-4B3A-83B0-A7CD90F3A398}" = MarketResearch

"{14B4E017-ACDF-4DB0-9D94-8988F5F0145A}" = hpg4600

"{15B9DC72-73F9-4d99-9E28-848D66DA8D99}" = HP Photo & Imaging 3.5 - HP Devices

"{1753255A-0AEB-4220-8C75-607B73F0C133}" = Copy

"{1F7473D9-6C0B-4F5A-8FA4-AB8AD78CBE54}" = DocProc

"{1F7CCFA3-D926-4882-B2A5-A0217ED25597}" = PC-Doctor for Windows

"{20CF99FC-2CE7-4AA4-966E-A4B11C0662B4}" = hpg3970

"{24ED4D80-8294-11D5-96CD-0040266301AD}" = FinePixViewer Ver.4.0

"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime

"{29B39FB2-5ADF-4F94-BC82-13942871DD0D}" = CameraDrivers

"{29B50D30-EAFC-4cea-9F76-3A0E3729E9B0}" = SkinsHP1

"{29FA38B4-0AE4-4D0D-8A51-6165BB990BB0}" = WebReg

"{2A267BC6-F77F-4DD4-825F-7AEB1F68B4B1}" = HpSdpAppCoreApp

"{2E132061-C78A-48D4-A899-1D13B9D189FA}" = Memories Disc Creator 2.0

"{2F28B3C9-2C89-4206-8B33-8ADC9577C49B}" = Scan

"{2FCE4FC5-6930-40E7-A4F1-F862207424EF}" = InterVideo WinDVD Creator 2

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{3CF78481-FB7B-4B51-99A2-D5E0CD0B3AAF}" = HPSystemDiagnostics

"{415B8A4E-0EA2-4C69-975C-EEE07B837FD7}" = Unload

"{45B6180B-DCAB-4093-8EE8-6164457517F0}" = Photosmart 140,240,7200,7600,7700,7900 Series

"{48242276-DB89-42e8-9678-BD4280D7B99A}" = Copy

"{487B0B9B-DCD4-440D-89A0-A6EDE1A545A3}" = HPSSupply

"{523BD5B6-E904-493C-B902-1BC9B7D44DF4}" = Lexmark Photo Center

"{543E938C-BDC4-4933-A612-01293996845F}" = UnloadSupport

"{5490882C-6961-11D5-BAE5-00E0188E010B}" = FUJIFILM USB Driver

"{54e854d5-d5d4-452d-9c75-b39f5625b5fb}" = Readme

"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support

"{57C7C46A-D35D-492d-A328-4F8C9B5B4B52}" = PrintScreen

"{60758250-C8CF-47EB-8CB6-E0C3B84D8207}" = PSShortcutsP

"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder

"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder

"{706BB40A-4102-4c89-8107-DC68C4EBD19B}" = HP Deskjet All-In-One Software 9.0

"{745A92AF-53B4-41A7-91C3-9B026B1D5897}" = InstantShare

"{76BC2442-0002-47FA-9617-43BAD82BEF4C}" = Bonjour

"{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}" = Age of Empires III

"{824D3839-DAA1-4315-A822-7AE3E620E528}" = VideoToolkit01

"{8389382B-53BA-4A87-8854-91E3D80A5AC7}" = HP Photosmart Essential2.01

"{856C155E-4A74-4041-B026-04F96FFD1BCD}" = ZIP Reader 8.00.0018

"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder

"{8A708DD8-A5E6-11D4-A706-000629E95E20}" =

"{8C6027FD-53DC-446D-BB75-CACD7028A134}" = HP Update

"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage

"{93F54611-2701-454e-94AB-623F458D9E6B}" = DeviceDiscovery

"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = RecordNow!

"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD Player

"{996A2FAA-7514-4628-9D12-A8FC34A0016E}" = iTunes

"{9AF46AB7-DD4C-4C74-00BC-A618C5BA1D4C}" = Tiger Woods PGA TOUR 07

"{9B03C535-3AEA-4ef2-B326-0A01A2207034}" = CreativeProjects

"{9BE8E9B7-A286-44BF-0080-C947C6C1FC21}" = FIFA 06

"{9F4EEA0C-7174-4BD3-89AF-7AB2F9F6AEDD}" = hpmdtab

"{9FCF2FC0-8268-11D4-A313-0006290D766E}" = Check Point VPN-1 SecureClient NG_AI_R56


Hello,

Sorry about the delay in my response. I had to head north for some family things.

Since you're unsure if you're still infected with TDSS, I would like to take a look at a TDSSKiller log and see what that shows. Are your search results from Google or Bing redirected? How is your computer running?

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Now close All other programs and double click on TDSSKiller to start the program.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


Hi,

My search results aren't being hijacked, though sometimes a random Internet Explorer window will open, even without me pressing any buttons.

PC has been running slowly and I have to manually start the DHCP and Themes services on a reboot. However, I have just run TDSSKiller, which detected a rootkit, and on reboot the services started :-) Hopefully this wasn't a one-off.

Here is the log:

12:35:58:281 3464 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49

12:35:58:281 3464 ================================================================================

12:35:58:281 3464 SystemInfo:

12:35:58:281 3464 OS Version: 5.1.2600 ServicePack: 3.0

12:35:58:281 3464 Product type: Workstation

12:35:58:281 3464 ComputerName: PRESARIO

12:35:58:281 3464 UserName: Owner

12:35:58:281 3464 Windows directory: C:\WINDOWS

12:35:58:281 3464 System windows directory: C:\WINDOWS

12:35:58:281 3464 Processor architecture: Intel x86

12:35:58:281 3464 Number of processors: 2

12:35:58:281 3464 Page size: 0x1000

12:35:58:281 3464 Boot type: Normal boot

12:35:58:281 3464 ================================================================================

12:35:58:687 3464 Initialize success

12:35:58:687 3464

12:35:58:687 3464 Scanning Services ...

12:35:59:109 3464 Raw services enum returned 365 services

12:35:59:140 3464

12:35:59:140 3464 Scanning Drivers ...

12:36:00:109 3464 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

12:36:00:187 3464 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

12:36:00:265 3464 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

12:36:00:328 3464 AegisP (30bb1bde595ca65fd5549462080d94e5) C:\WINDOWS\system32\DRIVERS\AegisP.sys

12:36:00:500 3464 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

12:36:00:531 3464 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\WINDOWS\system32\drivers\AFS2K.sys

12:36:00:843 3464 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

12:36:01:171 3464 alcan5wn (3ba0860e228f60fc0cab6435bde777b5) C:\WINDOWS\system32\DRIVERS\alcan5wn.sys

12:36:01:343 3464 alcaudsl (b1bc2524451b8b238fca773d8642f60a) C:\WINDOWS\system32\DRIVERS\alcaudsl.sys

12:36:01:562 3464 ALCXSENS (fbbcb95f677cbaa924140b6ea2d9a97b) C:\WINDOWS\system32\drivers\ALCXSENS.SYS

12:36:01:765 3464 ALCXWDM (8d6c30e515717248e0e52b85fd7ac466) C:\WINDOWS\system32\drivers\ALCXWDM.SYS

12:36:02:000 3464 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

12:36:02:140 3464 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

12:36:02:218 3464 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\atapi.sys

12:36:02:296 3464 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

12:36:02:359 3464 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

12:36:02:421 3464 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

12:36:02:500 3464 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

12:36:02:593 3464 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

12:36:02:640 3464 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

12:36:02:703 3464 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

12:36:02:781 3464 Changer (2a5815ca6fff24b688c01f828b96819c) C:\WINDOWS\system32\drivers\Changer.sys

12:36:02:937 3464 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

12:36:03:000 3464 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

12:36:03:093 3464 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

12:36:03:156 3464 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

12:36:03:218 3464 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

12:36:03:296 3464 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

12:36:03:359 3464 EAPPkt (c47e7c5e7410c7de98f7219e3008c23d) C:\WINDOWS\system32\DRIVERS\EAPPkt.sys

12:36:03:562 3464 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys

12:36:03:921 3464 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

12:36:04:187 3464 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

12:36:04:281 3464 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

12:36:04:328 3464 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

12:36:04:390 3464 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

12:36:04:453 3464 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

12:36:04:484 3464 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

12:36:04:609 3464 FW1 (f707bfc26702de6ec483cd715a78aba3) C:\WINDOWS\system32\DRIVERS\fw.sys

12:36:04:859 3464 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

12:36:05:015 3464 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

12:36:05:078 3464 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

12:36:05:156 3464 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

12:36:05:281 3464 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

12:36:05:375 3464 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

12:36:05:531 3464 HSFHWBS2 (128ef741b2293c36810561092b566b1c) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys

12:36:05:656 3464 HSF_DP (9a0d0c461ef2b3d80cb7875b4b995e47) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys

12:36:05:828 3464 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

12:36:05:890 3464 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys

12:36:05:968 3464 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

12:36:06:062 3464 ialm (537efe2f9adcd01073f59e9d3d24164e) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys

12:36:06:187 3464 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

12:36:06:265 3464 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\System32\DRIVERS\intelide.sys

12:36:06:328 3464 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

12:36:06:375 3464 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

12:36:06:468 3464 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

12:36:06:531 3464 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

12:36:06:593 3464 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

12:36:06:640 3464 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

12:36:06:671 3464 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

12:36:06:703 3464 isapnp (f6f82c22fc80286990a50bc6a1614f1d) C:\WINDOWS\system32\DRIVERS\isapnp.sys

12:36:06:703 3464 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\isapnp.sys. Real md5: f6f82c22fc80286990a50bc6a1614f1d, Fake md5: bcec8cfabe4a2fafdc1c05433e70e534

12:36:06:703 3464 File "C:\WINDOWS\system32\DRIVERS\isapnp.sys" infected by TDSS rootkit ... 12:36:10:375 3464 Backup copy found, using it..

12:36:10:390 3464 will be cured on next reboot

12:36:10:546 3464 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

12:36:10:609 3464 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\WINDOWS\system32\drivers\klmd.sys

12:36:10:687 3464 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

12:36:10:734 3464 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

12:36:10:828 3464 lbrtfdc (406598827a1b5f77954de11dde115ced) C:\WINDOWS\system32\drivers\lbrtfdc.sys

12:36:10:890 3464 MaRdPnp (fe62b8d9d06fd73571991c3af62d10fe) C:\WINDOWS\system32\DRIVERS\MaRdP2K.sys

12:36:11:062 3464 MASPINT (98312c9eab656053be1aca3a8a5912b3) C:\WINDOWS\system32\drivers\MASPINT.sys

12:36:11:203 3464 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

12:36:11:343 3464 mfeavfk (bafdd5e28baea99d7f4772af2f5ec7ee) C:\WINDOWS\system32\drivers\mfeavfk.sys

12:36:11:515 3464 mfebopk (1d003e3056a43d881597d6763e83b943) C:\WINDOWS\system32\drivers\mfebopk.sys

12:36:11:640 3464 mfehidk (3f138a1c8a0659f329f242d1e389b2cf) C:\WINDOWS\system32\drivers\mfehidk.sys

12:36:11:796 3464 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys

12:36:11:906 3464 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys

12:36:11:968 3464 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

12:36:12:015 3464 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

12:36:12:046 3464 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

12:36:12:109 3464 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

12:36:12:171 3464 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

12:36:12:250 3464 MPFP (136157e79849b9e5316ba4008d6075a8) C:\WINDOWS\system32\Drivers\Mpfp.sys

12:36:12:593 3464 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

12:36:12:671 3464 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

12:36:12:734 3464 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

12:36:12:812 3464 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

12:36:12:890 3464 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

12:36:12:968 3464 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

12:36:13:062 3464 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

12:36:13:109 3464 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

12:36:13:171 3464 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

12:36:13:281 3464 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

12:36:13:359 3464 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

12:36:13:406 3464 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

12:36:13:468 3464 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

12:36:13:500 3464 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

12:36:13:625 3464 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

12:36:13:734 3464 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

12:36:13:812 3464 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

12:36:13:890 3464 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

12:36:14:015 3464 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

12:36:14:187 3464 nv (8e836672c1e476772cd18b7b4a671b4b) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

12:36:14:437 3464 nv_agp (01621905ae34bc24aaa2fddb93977299) C:\WINDOWS\system32\DRIVERS\nv_agp.sys

12:36:14:531 3464 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

12:36:14:593 3464 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

12:36:14:656 3464 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

12:36:14:734 3464 OMVA (73c74eb8b231974b7a961fddd878ae01) C:\WINDOWS\system32\DRIVERS\OMVA.sys

12:36:14:890 3464 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

12:36:14:921 3464 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

12:36:14:953 3464 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

12:36:15:015 3464 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

12:36:15:062 3464 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

12:36:15:125 3464 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

12:36:15:359 3464 Pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys

12:36:15:796 3464 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

12:36:16:375 3464 PRISM_A00 (ce3ecd2db4e8198f2a2152219a8984d1) C:\WINDOWS\system32\DRIVERS\PRISMA00.sys

12:36:16:531 3464 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

12:36:16:593 3464 Ps2 (9b793a1ffd480155fe9ee5261153f21b) C:\WINDOWS\system32\DRIVERS\PS2.sys

12:36:16:734 3464 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

12:36:16:796 3464 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

12:36:16:828 3464 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys

12:36:16:984 3464 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

12:36:17:046 3464 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

12:36:17:093 3464 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

12:36:17:140 3464 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

12:36:17:218 3464 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

12:36:17:250 3464 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

12:36:17:328 3464 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

12:36:17:375 3464 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

12:36:17:468 3464 rtl8139 (2ef9c0dc26b30b2318b1fc3faa1f0ae7) C:\WINDOWS\system32\DRIVERS\R8139n51.SYS

12:36:17:578 3464 RTL8187B (60aecd4284317784111716bb88342f46) C:\WINDOWS\system32\DRIVERS\wg111v3.sys

12:36:17:828 3464 sbp2port (b244960e5a1db8e9d5d17086de37c1e4) C:\WINDOWS\system32\DRIVERS\sbp2port.sys

12:36:17:906 3464 Scap (9683dc932c7c04c2cacfd2bc60342c77) C:\WINDOWS\system32\DRIVERS\Scap.sys

12:36:18:062 3464 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

12:36:18:109 3464 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

12:36:18:156 3464 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

12:36:18:234 3464 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

12:36:18:328 3464 SiS315 (7a363269d1b57526410fa23fc92cdfa1) C:\WINDOWS\system32\DRIVERS\sisgrp.sys

12:36:18:468 3464 SISAGP (61ca562def09a782d26b3e7edec5369a) C:\WINDOWS\system32\DRIVERS\SISAGPX.sys

12:36:18:593 3464 SiSkp (7ef8e5c266133638e7e06be03fcbeff3) C:\WINDOWS\system32\DRIVERS\srvkp.sys

12:36:18:718 3464 SISNIC (5529b51aacff16fbdde4b34ff0af2b76) C:\WINDOWS\system32\DRIVERS\sisnic.sys

12:36:18:890 3464 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

12:36:18:968 3464 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

12:36:19:015 3464 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys

12:36:19:140 3464 SunkFilt (f658d6420b14bedb49c19e39e7d03594) C:\WINDOWS\System32\Drivers\sunkfilt.sys

12:36:19:234 3464 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

12:36:19:265 3464 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

12:36:19:437 3464 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

12:36:19:515 3464 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

12:36:19:609 3464 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

12:36:19:687 3464 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

12:36:19:734 3464 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

12:36:19:843 3464 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

12:36:20:000 3464 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

12:36:20:093 3464 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

12:36:20:140 3464 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

12:36:20:203 3464 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

12:36:20:265 3464 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys

12:36:20:343 3464 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

12:36:20:421 3464 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

12:36:20:484 3464 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

12:36:20:546 3464 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

12:36:20:593 3464 USB_RNDIS (bee793d4a059caea55d6ac20e19b3a8f) C:\WINDOWS\system32\DRIVERS\usb8023.sys

12:36:20:625 3464 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

12:36:20:656 3464 viaagp1 (4b039bbd037b01f5db5a144c837f283a) C:\WINDOWS\system32\DRIVERS\viaagp1.sys

12:36:20:718 3464 viagfx (29d6a65fdc694cb1ef2cc6bbe5f79b3b) C:\WINDOWS\system32\DRIVERS\vtmini.sys

12:36:20:890 3464 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\System32\DRIVERS\viaide.sys

12:36:20:953 3464 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

12:36:21:078 3464 VPN-1 (9f7bcb05f92ab7237cc826d696454ae3) C:\WINDOWS\System32\drivers\vpn.sys

12:36:21:265 3464 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

12:36:21:328 3464 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

12:36:21:437 3464 winachsf (ce545a84bf3411e7516fa8da51ad9d93) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

12:36:21:609 3464 WpdUsb (1385e5aa9c9821790d33a9563b8d2dd0) C:\WINDOWS\system32\Drivers\wpdusb.sys

12:36:21:671 3464 {6080A529-897E-4629-A488-ABA0C29B635E} (e6c22d34baef5196e1b23a4492c275b7) C:\WINDOWS\system32\drivers\ialmsbw.sys

12:36:21:781 3464 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (6e53bd96b0ebad721cdd6320dbfc3f5f) C:\WINDOWS\system32\drivers\ialmkchw.sys

12:36:21:843 3464 Reboot required for cure complete..

12:36:22:281 3464 Cure on reboot scheduled successfully

12:36:22:281 3464

12:36:22:281 3464 Completed

12:36:22:281 3464

12:36:22:296 3464 Results:

12:36:22:296 3464 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

12:36:22:296 3464 File objects infected / cured / cured on reboot: 1 / 0 / 1

12:36:22:296 3464

12:36:22:296 3464 KLMD(ARK) unloaded successfully


Hello,

That's good news. Are the services still starting when the computer reboots?

Please give TDSSKiller one more run and post the log. I'd like to confirm it was cured in the reboot.

Also, give OTL another run by hitting the Run Scan button and post that log as well. :)


Yes, services are all still starting properly now, thanks :)

I have re-run TDSSKiller and this is the log (it found nothing):

11:26:23:234 3276 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49

11:26:23:234 3276 ================================================================================

11:26:23:234 3276 SystemInfo:

11:26:23:234 3276 OS Version: 5.1.2600 ServicePack: 3.0

11:26:23:234 3276 Product type: Workstation

11:26:23:250 3276 ComputerName: PRESARIO

11:26:23:250 3276 UserName: Owner

11:26:23:250 3276 Windows directory: C:\WINDOWS

11:26:23:250 3276 System windows directory: C:\WINDOWS

11:26:23:250 3276 Processor architecture: Intel x86

11:26:23:250 3276 Number of processors: 2

11:26:23:250 3276 Page size: 0x1000

11:26:23:468 3276 Boot type: Normal boot

11:26:23:468 3276 ================================================================================

11:26:23:812 3276 Initialize success

11:26:23:812 3276

11:26:23:812 3276 Scanning Services ...

11:26:24:203 3276 Raw services enum returned 365 services

11:26:24:218 3276

11:26:24:218 3276 Scanning Drivers ...

11:26:24:984 3276 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

11:26:25:046 3276 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

11:26:25:125 3276 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

11:26:25:187 3276 AegisP (30bb1bde595ca65fd5549462080d94e5) C:\WINDOWS\system32\DRIVERS\AegisP.sys

11:26:25:250 3276 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

11:26:25:296 3276 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\WINDOWS\system32\drivers\AFS2K.sys

11:26:25:437 3276 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

11:26:25:578 3276 alcan5wn (3ba0860e228f60fc0cab6435bde777b5) C:\WINDOWS\system32\DRIVERS\alcan5wn.sys

11:26:25:671 3276 alcaudsl (b1bc2524451b8b238fca773d8642f60a) C:\WINDOWS\system32\DRIVERS\alcaudsl.sys

11:26:25:765 3276 ALCXSENS (fbbcb95f677cbaa924140b6ea2d9a97b) C:\WINDOWS\system32\drivers\ALCXSENS.SYS

11:26:25:921 3276 ALCXWDM (8d6c30e515717248e0e52b85fd7ac466) C:\WINDOWS\system32\drivers\ALCXWDM.SYS

11:26:26:015 3276 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

11:26:26:156 3276 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

11:26:26:250 3276 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\atapi.sys

11:26:26:343 3276 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

11:26:26:390 3276 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

11:26:26:468 3276 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

11:26:26:515 3276 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

11:26:26:656 3276 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

11:26:26:718 3276 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

11:26:26:796 3276 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

11:26:26:875 3276 Changer (2a5815ca6fff24b688c01f828b96819c) C:\WINDOWS\system32\drivers\Changer.sys

11:26:27:015 3276 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

11:26:27:109 3276 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

11:26:27:171 3276 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

11:26:27:234 3276 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

11:26:27:281 3276 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

11:26:27:375 3276 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

11:26:27:453 3276 EAPPkt (c47e7c5e7410c7de98f7219e3008c23d) C:\WINDOWS\system32\DRIVERS\EAPPkt.sys

11:26:27:468 3276 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys

11:26:27:531 3276 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

11:26:27:578 3276 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

11:26:27:625 3276 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

11:26:27:718 3276 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

11:26:27:796 3276 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

11:26:27:828 3276 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

11:26:27:859 3276 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

11:26:27:968 3276 FW1 (f707bfc26702de6ec483cd715a78aba3) C:\WINDOWS\system32\DRIVERS\fw.sys

11:26:28:078 3276 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

11:26:28:187 3276 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

11:26:28:265 3276 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

11:26:28:343 3276 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

11:26:28:437 3276 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

11:26:28:531 3276 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

11:26:28:640 3276 HSFHWBS2 (128ef741b2293c36810561092b566b1c) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys

11:26:29:218 3276 HSF_DP (9a0d0c461ef2b3d80cb7875b4b995e47) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys

11:26:29:843 3276 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

11:26:29:906 3276 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys

11:26:30:000 3276 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

11:26:30:062 3276 ialm (537efe2f9adcd01073f59e9d3d24164e) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys

11:26:30:156 3276 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

11:26:30:234 3276 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\System32\DRIVERS\intelide.sys

11:26:30:312 3276 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

11:26:30:359 3276 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

11:26:30:437 3276 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

11:26:30:500 3276 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

11:26:30:562 3276 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

11:26:30:593 3276 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

11:26:30:640 3276 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

11:26:30:687 3276 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

11:26:30:734 3276 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

11:26:30:812 3276 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\WINDOWS\system32\drivers\klmd.sys

11:26:30:906 3276 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

11:26:30:968 3276 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

11:26:31:046 3276 lbrtfdc (406598827a1b5f77954de11dde115ced) C:\WINDOWS\system32\drivers\lbrtfdc.sys

11:26:31:109 3276 MaRdPnp (fe62b8d9d06fd73571991c3af62d10fe) C:\WINDOWS\system32\DRIVERS\MaRdP2K.sys

11:26:31:234 3276 MASPINT (98312c9eab656053be1aca3a8a5912b3) C:\WINDOWS\system32\drivers\MASPINT.sys

11:26:31:328 3276 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

11:26:31:453 3276 mfeavfk (bafdd5e28baea99d7f4772af2f5ec7ee) C:\WINDOWS\system32\drivers\mfeavfk.sys

11:26:31:578 3276 mfebopk (1d003e3056a43d881597d6763e83b943) C:\WINDOWS\system32\drivers\mfebopk.sys

11:26:31:734 3276 mfehidk (3f138a1c8a0659f329f242d1e389b2cf) C:\WINDOWS\system32\drivers\mfehidk.sys

11:26:31:890 3276 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys

11:26:31:984 3276 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys

11:26:32:109 3276 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

11:26:32:156 3276 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

11:26:32:187 3276 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

11:26:32:234 3276 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

11:26:32:312 3276 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

11:26:32:390 3276 MPFP (136157e79849b9e5316ba4008d6075a8) C:\WINDOWS\system32\Drivers\Mpfp.sys

11:26:32:640 3276 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

11:26:32:750 3276 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

11:26:32:859 3276 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

11:26:32:921 3276 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

11:26:33:000 3276 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

11:26:33:062 3276 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

11:26:33:140 3276 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

11:26:33:171 3276 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

11:26:33:234 3276 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

11:26:33:312 3276 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

11:26:33:343 3276 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

11:26:33:390 3276 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

11:26:33:437 3276 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

11:26:33:468 3276 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

11:26:33:546 3276 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

11:26:33:625 3276 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

11:26:33:687 3276 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

11:26:33:765 3276 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

11:26:33:843 3276 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

11:26:34:000 3276 nv (8e836672c1e476772cd18b7b4a671b4b) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

11:26:34:203 3276 nv_agp (01621905ae34bc24aaa2fddb93977299) C:\WINDOWS\system32\DRIVERS\nv_agp.sys

11:26:34:296 3276 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

11:26:34:375 3276 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

11:26:34:437 3276 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

11:26:34:500 3276 OMVA (73c74eb8b231974b7a961fddd878ae01) C:\WINDOWS\system32\DRIVERS\OMVA.sys

11:26:34:593 3276 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

11:26:34:640 3276 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

11:26:34:718 3276 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

11:26:34:812 3276 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

11:26:34:921 3276 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

11:26:35:015 3276 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

11:26:35:250 3276 Pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys

11:26:35:375 3276 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

11:26:35:453 3276 PRISM_A00 (ce3ecd2db4e8198f2a2152219a8984d1) C:\WINDOWS\system32\DRIVERS\PRISMA00.sys

11:26:35:515 3276 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

11:26:35:562 3276 Ps2 (9b793a1ffd480155fe9ee5261153f21b) C:\WINDOWS\system32\DRIVERS\PS2.sys

11:26:35:671 3276 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

11:26:35:718 3276 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

11:26:35:812 3276 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys

11:26:35:968 3276 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

11:26:36:046 3276 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

11:26:36:093 3276 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

11:26:36:140 3276 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

11:26:36:203 3276 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

11:26:36:250 3276 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

11:26:36:312 3276 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

11:26:36:375 3276 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

11:26:36:453 3276 rtl8139 (2ef9c0dc26b30b2318b1fc3faa1f0ae7) C:\WINDOWS\system32\DRIVERS\R8139n51.SYS

11:26:36:781 3276 RTL8187B (60aecd4284317784111716bb88342f46) C:\WINDOWS\system32\DRIVERS\wg111v3.sys

11:26:37:062 3276 sbp2port (b244960e5a1db8e9d5d17086de37c1e4) C:\WINDOWS\system32\DRIVERS\sbp2port.sys

11:26:37:125 3276 Scap (9683dc932c7c04c2cacfd2bc60342c77) C:\WINDOWS\system32\DRIVERS\Scap.sys

11:26:37:234 3276 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

11:26:37:281 3276 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

11:26:37:359 3276 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

11:26:37:421 3276 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

11:26:37:515 3276 SiS315 (7a363269d1b57526410fa23fc92cdfa1) C:\WINDOWS\system32\DRIVERS\sisgrp.sys

11:26:37:640 3276 SISAGP (61ca562def09a782d26b3e7edec5369a) C:\WINDOWS\system32\DRIVERS\SISAGPX.sys

11:26:37:750 3276 SiSkp (7ef8e5c266133638e7e06be03fcbeff3) C:\WINDOWS\system32\DRIVERS\srvkp.sys

11:26:37:843 3276 SISNIC (5529b51aacff16fbdde4b34ff0af2b76) C:\WINDOWS\system32\DRIVERS\sisnic.sys

11:26:38:015 3276 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

11:26:38:078 3276 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

11:26:38:140 3276 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys

11:26:38:250 3276 SunkFilt (f658d6420b14bedb49c19e39e7d03594) C:\WINDOWS\System32\Drivers\sunkfilt.sys

11:26:38:343 3276 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

11:26:38:390 3276 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

11:26:38:593 3276 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

11:26:38:671 3276 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

11:26:38:765 3276 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

11:26:38:843 3276 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

11:26:38:921 3276 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

11:26:39:046 3276 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

11:26:39:140 3276 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

11:26:39:218 3276 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

11:26:39:265 3276 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

11:26:39:312 3276 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

11:26:39:390 3276 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys

11:26:39:468 3276 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

11:26:39:546 3276 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

11:26:39:609 3276 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

11:26:39:687 3276 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

11:26:39:765 3276 USB_RNDIS (bee793d4a059caea55d6ac20e19b3a8f) C:\WINDOWS\system32\DRIVERS\usb8023.sys

11:26:39:843 3276 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

11:26:39:906 3276 viaagp1 (4b039bbd037b01f5db5a144c837f283a) C:\WINDOWS\system32\DRIVERS\viaagp1.sys

11:26:39:953 3276 viagfx (29d6a65fdc694cb1ef2cc6bbe5f79b3b) C:\WINDOWS\system32\DRIVERS\vtmini.sys

11:26:40:078 3276 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\System32\DRIVERS\viaide.sys

11:26:40:140 3276 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

11:26:40:250 3276 VPN-1 (9f7bcb05f92ab7237cc826d696454ae3) C:\WINDOWS\System32\drivers\vpn.sys

11:26:40:375 3276 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

11:26:40:437 3276 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

11:26:40:531 3276 winachsf (ce545a84bf3411e7516fa8da51ad9d93) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

11:26:40:703 3276 WpdUsb (1385e5aa9c9821790d33a9563b8d2dd0) C:\WINDOWS\system32\Drivers\wpdusb.sys

11:26:40:781 3276 {6080A529-897E-4629-A488-ABA0C29B635E} (e6c22d34baef5196e1b23a4492c275b7) C:\WINDOWS\system32\drivers\ialmsbw.sys

11:26:40:906 3276 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (6e53bd96b0ebad721cdd6320dbfc3f5f) C:\WINDOWS\system32\drivers\ialmkchw.sys

11:26:40:937 3276

11:26:40:937 3276 Completed

11:26:40:937 3276

11:26:40:937 3276 Results:

11:26:40:937 3276 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

11:26:40:937 3276 File objects infected / cured / cured on reboot: 0 / 0 / 0

11:26:40:937 3276

11:26:40:953 3276 KLMD(ARK) unloaded successfully

OTL log will follow in next post


OTL Log:

OTL logfile created on: 12/07/2010 11:28:34 - Run 6

OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\Owner\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,023.00 Mb Total Physical Memory | 589.00 Mb Available Physical Memory | 58.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 82.00% Paging File free

Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 229.31 Gb Total Space | 107.68 Gb Free Space | 46.96% Space Free | Partition Type: NTFS

Drive D: | 3.56 Gb Total Space | 0.34 Gb Free Space | 9.51% Space Free | Partition Type: FAT32

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: PRESARIO

Current User Name: Owner

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)

PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)

PRC - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)

PRC - c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)

PRC - C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)

PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)

PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)

PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe (Tech Mahindra- PUNE)

PRC - C:\Program Files\Yahoo!\browser\ycommon.exe (Yahoo!, Inc.)

PRC - C:\Program Files\Sony\SonicStage\SSAAD.exe ()

PRC - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe (Check Point Software Technologies)

PRC - C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe (Check Point Software Technologies)

PRC - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe (Check Point Software Technologies)

PRC - C:\Program Files\Presario PC Help\Presario\XPHWWRP4\plugin\bin\PCHButton.exe (Motive Communications, Inc.)

PRC - C:\Program Files\Multimedia Card Reader\shwicon2k.exe (Alcor Micro, Corp.)

PRC - C:\WINDOWS\system32\hphmon05.exe (Hewlett-Packard)

PRC - C:\Program Files\Alcatel\SpeedTouch USB\dragdiag.exe (Alcatel Bell)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)

MOD - C:\WINDOWS\system32\nview.dll (NVIDIA Corporation)

MOD - C:\WINDOWS\system32\nvwddi.dll (NVIDIA Corporation)

========== Win32 Services (SafeList) ==========

SRV - (PEVSystemStart) -- File not found

SRV - (mcmscsvc) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)

SRV - (McAfee SiteAdvisor Service) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)

SRV - (MpfService) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)

SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)

SRV - (McShield) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)

SRV - (McSysmon) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)

SRV - (McProxy) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)

SRV - (McNASvc) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)

SRV - (TVersityMediaServer) -- C:\Program Files\TVersity\Media Server\MediaServer.exe ()

SRV - (Wireless Adapter Configurator) -- C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe (Tech Mahindra- PUNE)

SRV - (SSScsiSV) -- C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe (Sony Corporation)

SRV - (MSCSPTISRV) -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (Sony Corporation)

SRV - (PACSPTISVR) -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe (Sony Corporation)

SRV - (SPTISRV) -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (Sony Corporation)

SRV - (SR_WatchDog) -- C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe (Check Point Software Technologies)

SRV - (SR_Service) -- C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe (Check Point Software Technologies)

========== Driver Services (SafeList) ==========

DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)

DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)

DRV - (mfesmfk) -- C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee, Inc.)

DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)

DRV - (mferkdk) -- C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee, Inc.)

DRV - (MPFP) -- C:\WINDOWS\system32\drivers\Mpfp.sys (McAfee, Inc.)

DRV - (USB_RNDIS) -- C:\WINDOWS\system32\drivers\usb8023.sys (Microsoft Corporation)

DRV - (Changer) -- C:\WINDOWS\system32\drivers\changer.sys (Microsoft Corporation)

DRV - (lbrtfdc) -- C:\WINDOWS\system32\drivers\lbrtfdc.sys (Toshiba Corp.)

DRV - (RTL8187B) -- C:\WINDOWS\system32\drivers\wg111v3.sys (Realtek Semiconductor Corporation )

DRV - (AFS2K) -- C:\WINDOWS\system32\drivers\AFS2K.SYS (Oak Technology Inc.)

DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)

DRV - (MaRdPnp) -- C:\WINDOWS\system32\drivers\mardp2k.sys (Mobile Action Technology Inc.)

DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)

DRV - (VPN-1) -- C:\WINDOWS\System32\drivers\vpn.sys (Check Point Software Technologies)

DRV - (FW1) -- C:\WINDOWS\system32\drivers\fw.sys (Check Point Software Technologies)

DRV - (Scap) -- C:\WINDOWS\system32\drivers\scap.sys (Check Point Software Technologies)

DRV - (OMVA) -- C:\WINDOWS\system32\drivers\omva.sys (Check Point Software Technologies)

DRV - (ALCXSENS) -- C:\WINDOWS\system32\drivers\alcxsens.sys (Sensaura Ltd)

DRV - (SiS315) -- C:\WINDOWS\system32\drivers\sisgrp.sys (Silicon Integrated Systems Corporation)

DRV - (SiSkp) -- C:\WINDOWS\system32\drivers\srvkp.sys (Silicon Integrated Systems Corporation)

DRV - (PRISM_A00) -- C:\WINDOWS\system32\drivers\PRISMA00.sys (GlobespanVirata, Inc.)

DRV - (HSFHWBS2) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys (Conexant Systems, Inc.)

DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)

DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)

DRV - (SunkFilt) -- C:\WINDOWS\system32\drivers\Sunkfilt.sys (Alcor Micro Corp.)

DRV - (Pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)

DRV - (nv_agp) -- C:\WINDOWS\System32\DRIVERS\nv_agp.sys (NVIDIA Corporation)

DRV - (SISAGP) -- C:\WINDOWS\System32\DRIVERS\SISAGPX.sys (Silicon Integrated Systems Corporation)

DRV - (SISNIC) -- C:\WINDOWS\system32\drivers\sisnic.sys (SiS Corporation)

DRV - (viaagp1) -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.)

DRV - (rtl8139) -- C:\WINDOWS\system32\drivers\R8139n51.sys (Realtek Semiconductor Corporation )

DRV - (Ps2) -- C:\WINDOWS\system32\drivers\PS2.sys (Hewlett-Packard Company)

DRV - (MASPINT) -- C:\WINDOWS\system32\drivers\MASPINT.SYS (MicroStaff Co.,Ltd.)

DRV - (alcaudsl) -- C:\WINDOWS\system32\drivers\alcaudsl.sys (Alcatel Bell)

DRV - (alcan5wn) Alcatel SpeedTouch USB ADSL PPP Networking Driver (NDISWAN) -- C:\WINDOWS\system32\drivers\alcan5wn.sys (Alcatel Bell)

DRV - (EL90XBC) -- C:\WINDOWS\system32\drivers\el90xbc5.sys (3Com Corporation)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qgb10.hpwis.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qgb10.hpwis.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Ask.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultUrl = http://www.mywebsearch.com/jsp/cfg_redir2....her&gcht=sv

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/

IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/06/05 00:03:45 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009/04/28 18:22:37 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2010/07/12 01:48:25 | 000,000,711 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)

O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)

O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)

O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O2 - BHO: (SidebarAutoLaunch Class) - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll (Yahoo! Inc.)

O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

O4 - HKLM..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe (Hewlett-Packard)

O4 - HKLM..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe (Hewlett-Packard)

O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)

O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)

O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)

O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)

O4 - HKLM..\Run: [PS2] C:\WINDOWS\system32\ps2.EXE (Hewlett-Packard Company)

O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()

O4 - HKLM..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE (FUJI PHOTO FILM CO., LTD.)

O4 - HKLM..\Run: [speedTouch USB Diagnostics] C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe (Alcatel Bell)

O4 - HKLM..\Run: [ssAAD.exe] C:\Program Files\Sony\SonicStage\SSAAD.exe ()

O4 - HKLM..\Run: [sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe (Alcor Micro, Corp.)

O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)

O4 - HKLM..\Run: [updateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)

O4 - HKLM..\Run: [VTTimer] File not found

O4 - HKCU..\Run: [Acme.PCHButton] C:\Program Files\Presario PC Help\Presario\XPHWWRP4\plugin\bin\PCHButton.exe (Motive Communications, Inc.)

O4 - HKCU..\Run: [eyeBeam SIP Client] File not found

O4 - HKCU..\Run: [RecordNow!] File not found

O4 - HKCU..\Run: [steam] C:\Program Files\Valve\Steam\Steam.exe (Valve Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)

O9 - Extra Button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)

O9 - Extra Button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe ()

O9 - Extra 'Tools' menuitem : PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe ()

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flash...ent/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254

O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\ckpNotify: DllName - ckpNotify.dll - C:\WINDOWS\System32\ckpNotify.dll (Check Point Software Technologies)

O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)

O24 - Desktop WallPaper: C:\Documents and Settings\Owner\My Documents\crowsolo.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\My Documents\crowsolo.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2004/01/02 01:26:12 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2001/07/27 21:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]

O32 - AutoRun File - [2002/09/10 18:02:32 | 000,000,045 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]

O33 - MountPoints2\{0ec6b3b4-ffbc-11de-9b5e-0090d05433d5}\Shell\AutoRun\command - "" = F:\Launcher.exe -- File not found

O33 - MountPoints2\{9bc74a00-d980-11d8-9348-806d6172696f}\Shell\AutoRun\command - "" = D:\Info.exe -- [2002/09/10 12:54:58 | 000,040,960 | -HS- | M] (XSS)

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O36 - AppCertDlls: AppSecDll - (C:\Documents and Settings\Owner\Local Settings\Application Data\Windows Server\zonyll.dll) - C:\Documents and Settings\Owner\Local Settings\Application Data\Windows Server\zonyll.dll File not found

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/07/10 17:20:30 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll

[2010/07/10 12:35:03 | 001,013,584 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Owner\Desktop\TDSSKiller.exe

[2010/07/09 18:59:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Windows Server

[2010/06/27 19:17:32 | 000,000,000 | --SD | C] -- C:\ComboFix

[2010/06/27 19:03:28 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2010/06/27 19:03:27 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010/06/27 19:03:27 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010/06/27 19:03:27 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010/06/27 19:03:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/06/27 19:02:35 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/06/26 21:22:48 | 000,000,000 | ---D | C] -- C:\_OTL

[2010/06/20 14:18:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe

========== Files - Modified Within 30 Days ==========

[2010/07/12 11:25:26 | 000,015,683 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF

[2010/07/12 09:18:31 | 000,004,452 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml

[2010/07/12 09:18:27 | 000,000,188 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.DAT

[2010/07/12 09:18:12 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/07/12 09:18:10 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/07/12 09:18:09 | 1073,074,176 | -HS- | M] () -- C:\hiberfil.sys

[2010/07/12 01:48:33 | 005,505,024 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT

[2010/07/12 01:31:58 | 000,208,384 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/07/11 14:32:13 | 000,000,364 | ---- | M] () -- C:\WINDOWS\tasks\Symantec NetDetect.job

[2010/07/11 14:09:55 | 000,141,240 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010/07/11 14:08:03 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2010/07/11 01:07:42 | 001,284,608 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Golf Scores (version 1).xls

[2010/07/10 12:34:22 | 000,981,780 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\tdsskiller.zip

[2010/07/06 22:47:29 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/07/05 18:47:45 | 000,000,783 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spin Palace Casino.lnk

[2010/07/05 00:10:47 | 000,001,916 | -H-- | M] () -- C:\Documents and Settings\Owner\My Documents\Default.rdp

[2010/07/04 23:37:48 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

[2010/06/30 17:25:08 | 001,013,584 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Owner\Desktop\TDSSKiller.exe

[2010/06/27 20:27:04 | 000,293,376 | ---- | M] () -- C:\w3nb0cl3.exe

[2010/06/27 10:17:22 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe

[2010/06/27 00:41:13 | 000,485,896 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HAMeb_check.exe

[2010/06/22 23:58:35 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini

========== Files Created - No Company Name ==========

[2010/07/10 12:34:18 | 000,981,780 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\tdsskiller.zip

[2010/07/05 18:47:45 | 000,000,783 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spin Palace Casino.lnk

[2010/06/27 20:27:01 | 000,293,376 | ---- | C] () -- C:\w3nb0cl3.exe

[2010/06/27 19:03:28 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2010/06/27 19:03:28 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010/06/27 19:03:27 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2010/06/27 19:03:27 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2010/06/27 19:03:27 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2010/06/27 00:41:07 | 000,485,896 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HAMeb_check.exe

[2010/06/21 23:26:41 | 1073,074,176 | -HS- | C] () -- C:\hiberfil.sys

[2009/01/08 01:11:22 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll

[2009/01/08 01:11:22 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest

[2007/02/28 20:16:14 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll

[2007/02/28 20:16:14 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll

[2007/02/28 20:16:14 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll

[2006/12/27 14:55:41 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll

[2005/12/14 00:18:50 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll

[2005/05/04 18:48:41 | 000,106,592 | ---- | C] () -- C:\WINDOWS\System32\fwnetcfg.dll

[2005/05/04 18:48:14 | 000,004,133 | ---- | C] () -- C:\WINDOWS\entrust.ini

[2004/10/03 23:58:22 | 000,000,291 | ---- | C] () -- C:\WINDOWS\WSST_Screen_Saver.ini

[2004/09/11 14:25:25 | 000,000,325 | ---- | C] () -- C:\WINDOWS\lexstat.ini

[2004/08/19 08:35:17 | 000,000,331 | ---- | C] () -- C:\WINDOWS\doom3.ini

[2004/08/02 15:39:05 | 000,000,000 | ---- | C] () -- C:\WINDOWS\pcfriend.INI

[2004/08/01 21:17:19 | 000,000,420 | ---- | C] () -- C:\WINDOWS\PCPHOTO.INI

[2004/07/23 15:57:19 | 000,030,208 | ---- | C] () -- C:\WINDOWS\System32\WNASPI32.DLL

[2004/07/23 15:57:19 | 000,000,296 | ---- | C] () -- C:\WINDOWS\msfsetup.ini

[2004/07/23 13:37:15 | 000,000,848 | ---- | C] () -- C:\WINDOWS\Rtcwplat.INI

[2004/07/19 17:28:29 | 000,005,600 | R--- | C] () -- C:\WINDOWS\System32\stci.dll

[2004/07/19 13:46:16 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll

[2004/07/19 13:46:16 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll

[2004/07/19 13:46:16 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll

[2004/07/19 13:46:16 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll

[2004/07/19 13:46:16 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll

[2004/07/19 13:46:16 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll

[2004/01/02 08:15:36 | 000,000,536 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini

[2004/01/02 05:26:18 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\JAWTAccessBridge.dll

[2004/01/02 05:25:53 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\PcdrKernelModeServices.dll

[2004/01/02 05:25:53 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\ProgressTrace.dll

[2004/01/02 05:22:47 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll

[2004/01/02 05:09:25 | 000,027,262 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS

[2004/01/02 05:09:05 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\syscontr.dll

[2004/01/02 05:08:33 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll

[2004/01/02 05:03:23 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2004/01/02 04:09:37 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

[2004/01/02 03:28:25 | 000,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll

[2004/01/02 03:28:25 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll

[2004/01/02 03:28:04 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll

[2004/01/02 01:58:57 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2004/01/02 01:29:35 | 000,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini

[2004/01/01 22:23:58 | 000,000,451 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini

[2004/01/01 22:23:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini

[2003/09/23 01:19:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[2003/03/06 23:53:16 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\hpnvr82.dll

[1998/10/11 00:07:38 | 000,088,576 | ---- | C] () -- C:\WINDOWS\System32\Iticheck.dll

< End of report >


Hello,

Things are looking better. Let's run one more fix with OTL and get a couple more scans to make sure nothing else is hiding. :)

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O36 - AppCertDlls: AppSecDll - (C:\Documents and Settings\Owner\Local Settings\Application Data\Windows Server\zonyll.dll) - C:\Documents and Settings\Owner\Local Settings\Application Data\Windows Server\zonyll.dll File not found

    :Services

    :Reg

    :Files

    :Commands
    [purity]
    [emptyflash]
    [emptytemp]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Next

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Next

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME

Upgrading Java:

  • Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 21.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u21-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u21-windows-i586.exe and select "Run as an Administrator.")

Next

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases

  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.

Please post the logs of OTL, MBAM, and Kaspersky in your next reply.

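The OTL fix in the reply above removes the O36 AppCertDlls entry, a registry value whose DLL would be mapped into every newly created process and which here points at a file that no longer exists. As an added example that is not part of this thread and not code from the OTL tool, the Python below triages OTL-style report lines for that kind of entry, for orphaned autostarts ("File not found") and for MountPoints2 autorun commands. The sample lines are constructed to mirror the O4, O33 and O36 formats shown in the report, and the severity labels and reasons are this example's own assumptions.

```python
"""Triage OTL-style autostart report lines for entries worth a second look.

Added example; not part of the forum thread and not code from the OTL tool.
The sample report lines are constructed to mirror the O4 / O33 / O36 line
formats shown in the thread; severities and reasons are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    entry: str     # OTL section prefix, e.g. "O36"
    severity: str  # "high" or "medium" (assumed scale)
    reason: str
    line: str


# Constructed sample lines in OTL's report format (paths modelled on the thread).
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [VTTimer] File not found
O4 - HKCU..\Run: [steam] C:\Program Files\Valve\Steam\Steam.exe (Valve Corporation)
O33 - MountPoints2\{0ec6b3b4-ffbc-11de-9b5e-0090d05433d5}\Shell\AutoRun\command - "" = F:\Launcher.exe -- File not found
O36 - AppCertDlls: AppSecDll - (C:\Documents and Settings\Owner\Local Settings\Application Data\Windows Server\zonyll.dll) - C:\Documents and Settings\Owner\Local Settings\Application Data\Windows Server\zonyll.dll File not found
"""

# Per-user data directories from which a persistent autostart is rarely legitimate.
USER_DATA_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\application data\\",
)

# "O<n> - <body>": the section number says what kind of entry the line describes.
ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")


def triage_line(line):
    """Return a Finding for one report line, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry, body = m.group(1), m.group(2)
    low = body.lower()
    if entry == "O36":
        # AppCertDlls: DLLs listed here are loaded into every newly created
        # process, so a single unexplained entry gets the highest priority.
        return Finding(entry, "high", "AppCertDlls entry: DLL loaded into every new process", line)
    if entry == "O33":
        # MountPoints2 autorun commands fire when a removable drive is opened.
        return Finding(entry, "medium", "MountPoints2 autorun command for removable media", line)
    if "file not found" in low:
        # The key still exists but its target is gone: a leftover of an
        # uninstalled program, or of a payload deleted without deregistering.
        return Finding(entry, "medium", "orphaned autostart entry: target file is missing", line)
    if any(d in low for d in USER_DATA_DIRS):
        return Finding(entry, "medium", "autostart launched from a user data directory", line)
    return None


def triage(log_text):
    """Run triage_line over every line; findings come back in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.entry}: {f.reason}\n          {f.line}")
```

Run it as a script to see the three findings from the constructed sample, or pass a saved OTL.txt's contents to `triage()`; entries that clear every rule (the NvCpl and Steam lines above) produce no finding, which is the point of a triage pass rather than a full listing.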
