Help Getting Started - having issues


Let me start by saying I have to run my computer in Safe Mode. It goes kind of crazy when I run it in normal mode and I have trouble being able to run most programs. I haven't used regular mode in a while and don't remember specifics, but I am hoping to troubleshoot using safe mode without networking (had some issues with safe w/networking as well). So I am using a separate computer to download the necessary programs and then I use a USB to transfer the downloaded program files to my infected computer.

So I installed MBAM and tried running quick scan and it just disappeared almost right away. Program closed. I saw some information regarding this issue but didn't quite understand. I have McAfee on my system but the instructions that I thought I was supposed to reference:

http://forums.malwarebytes.org/index.php?showtopic=10138&st=0&p=162098entry162098

Didn't make much sense to me as I don't see where I would disable "Access Protection". I'm not even sure this is what I should be looking at. Should I continue with the rest of the instructions on the "infected what do I do now" page, so DeFogger, DDS, and GMER?

Thanks in advance!


Still need assistance.

But wanted to update the situation. From looking through the forum and being anxious to start doing something, I looked around and it seemed like the directions were to continue on with the following steps in the instructions even if you can't do something.

So I did the following all once again in Safe Mode. I disabled CD-ROM Emulation Software with DeFogger. Then I ran the DDS script. See attached files. Then I ran the GMER rootkit scan and it was taking hours and hours and ran overnight; it must have frozen my computer with a "virtual memory too low" error. So I wasn't able to save that information and didn't try again since it takes literally like a half day for it to scan all the files.

Below is the contents of the DDS.txt, and I have attached the zip file for the attach.txt.

Thanks!

--------------------

.

DDS (Ver_11-03-05.01) - NTFSx86 MINIMAL

Run by Steve H at 18:00:42.15 on Mon 04/11/2011

Internet Explorer: 8.0.6001.18702

AV: McAfee VirusScan *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *Enabled*

.

============== Running Processes ===============

.

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com

uSearch Page = hxxp://www.google.com

uDefault_Page_URL = hxxp://www.dell4me.com/myway

mSearch Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

mWinlogon: Shell=explorer.exe rundll32.exe

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll

BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6253\SiteAdv.dll

BHO: : {2678e36f-5420-4945-b34f-a1ab2f9a6ff6} - c:\program files\msn gaming zone\meqos83122.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6253\SiteAdv.dll

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup

uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl

uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [EPSON Artisan 700(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatiena.exe /fu "c:\windows\temp\E_S8D.tmp" /EF "HKCU"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.6.0_04\bin\jusched.exe"

mRun: [intelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [EPSON Stylus Photo 820 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB002" /M "Stylus Photo 820"

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey

mRun: [siteAdvisor] c:\program files\siteadvisor\6172\SiteAdv.exe

mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

mRun: [DropBoxUtility] "c:\program files\dropbox\dropbox\DropBox.exe" /s

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRunOnce: [innoSetupRegFile.0000000001] "c:\windows\is-4NL2M.exe" /REG

mRunOnce: [innoSetupRegFile.0000000002] "c:\windows\is-62QBE.exe" /REG /REGSVRMODE

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\steveh~1\startm~1\programs\startup\pmbmed~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dlbcserv.lnk - c:\program files\dell photo printer 720\dlbcserv.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\dell wireless\PRISMCFG.exe

uPolicies-system: EnableProfileQuota = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YPager.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6253\SiteAdv.dll

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: 75.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

============= SERVICES / DRIVERS ===============

.

.

=============== File Associations ===============

.

.com=csfile

.

=============== Created Last 30 ================

.

2011-04-10 23:47:37 -------- d-----w- c:\docume~1\steveh~1\applic~1\Malwarebytes

2011-04-10 23:47:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-04-10 23:47:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-04-10 23:46:57 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-04-10 23:46:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-04-10 20:30:55 709456 ----a-w- c:\windows\is-62QBE.exe

.

==================== Find3M ====================

.

.

============= FINISH: 18:03:01.64 ===============

Attach.zip

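Reading the Pseudo HJT section of the DDS log above, the entries a helper looks at first are the ones that differ from Windows defaults: a Winlogon Shell value with more than explorer.exe in it, a non-empty AppInit_DLLs, a BHO without a display name, and a .com association other than comfile. The Python below is an added example for this thread, not part of the original post and not a Malwarebytes or DDS tool. It encodes those checks as rules over constructed lines written in the DDS line format; the sample lines, the XP Userinit default, and the .exe/.bat association defaults (which go beyond the .com entry the log shows) are assumptions.

```python
"""Triage rules for the 'Pseudo HJT Report' section of a DDS log.

Added example (not a Malwarebytes or DDS tool). Each rule compares a
report line against a Windows XP default or a structural expectation.
A finding is a prompt to look closer, never a verdict on its own.
"""
import re

# Defaults the rules compare against (assumed Windows XP on C:\WINDOWS).
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
DEFAULT_ASSOC = {".com": "comfile", ".exe": "exefile", ".bat": "batfile"}

GUID = r"\{([0-9a-f-]{36})\}"

# Constructed sample in the shape of the DDS 'Pseudo HJT' lines above.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.google.com
mWinlogon: Shell=explorer.exe rundll32.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6253\SiteAdv.dll
BHO: : {2678e36f-5420-4945-b34f-a1ab2f9a6ff6} - c:\program files\msn gaming zone\meqos83122.dll
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
AppInit_DLLs: 75.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.com=csfile
"""


def check_line(line):
    """Return [(severity, reason)] for one report line; [] when it looks normal."""
    findings = []
    line = line.strip()

    # Winlogon Shell/Userinit: every token beyond the default is an extra
    # program started at each interactive logon (the 'explorer.exe rundll32.exe'
    # pattern seen in the log above).
    m = re.match(r"[um]Winlogon: (Shell|Userinit)=(.+)", line, re.I)
    if m:
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        default = DEFAULT_SHELL if key == "shell" else DEFAULT_USERINIT
        extras = [t for t in re.split(r"[ ,]+", value) if t and t != default]
        if extras:
            findings.append(("high", f"Winlogon {key} also runs {extras}"))

    # AppInit_DLLs: normally empty; anything listed is loaded into every
    # process that links user32.dll.
    m = re.match(r"AppInit_DLLs:\s*(.*)", line, re.I)
    if m and m.group(1).strip():
        dll = m.group(1).strip()
        findings.append(("high", f"AppInit_DLLs injects {dll!r} into user32 processes"))

    # BHO: an entry whose display name is present but empty is unusual for
    # commercial software; look the CLSID and file up before deciding.
    m = re.match(r"BHO: (?:(.*?): )?" + GUID + r" - (.+)", line, re.I)
    if m:
        name, clsid, path = m.groups()
        if name is not None and not name.strip():
            findings.append(("medium", f"unnamed BHO {{{clsid}}} -> {path}"))

    # File associations: a replaced .com/.exe/.bat handler runs the
    # registered program every time the user launches that file type.
    m = re.match(r"(\.\w+)=(\w+)$", line)
    if m and m.group(1).lower() in DEFAULT_ASSOC:
        ext, handler = m.group(1).lower(), m.group(2)
        if handler.lower() != DEFAULT_ASSOC[ext]:
            findings.append(("high", f"{ext} handler is {handler!r}, default is {DEFAULT_ASSOC[ext]!r}"))
    return findings


def triage(report):
    """Run check_line over a whole report; map each flagged line to its findings."""
    results = {}
    for raw in report.splitlines():
        found = check_line(raw)
        if found:
            results[raw.strip()] = found
    return results


if __name__ == "__main__":
    for flagged, found in triage(SAMPLE_REPORT).items():
        for severity, reason in found:
            print(f"[{severity}] {reason}\n    {flagged}")
```

Run it as a script to print the findings for the constructed sample, or pass the text of a real DDS.txt to triage(). Hosts lines that map names to 127.0.0.1 are deliberately not flagged: a hosts-based blocklist legitimately writes thousands of them, which is what the long hosts section in the OTL log later in this thread looks like.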

Hi, and :welcome:

Please Download Rootkit Unhooker Save it to your desktop.

  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note - if you get the following warning, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

Click on Cancel, then Accept.


Yes, I thought that might happen. Please try this instead.

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[image: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


Started running and got through about 30 some odd steps I think, then it started deleting some files. Then it deleted about 10 folders and seemed to stop on that step. I waited a while, but nothing happened. Should I close the window? And if so should I re-run it and start again?


Hi Elise,

It didn't run again on startup, so I re-ran the program. Something I noticed if I hovered my mouse over the combofix icon on my system tray it says this:

"Warning! You have exceeded your profile space by 1011665 KB"

It also prompted me to download a newer version of combofix but I said no since I just downloaded it yesterday and there was nothing about that in the instructions you posted. This time it seemed to get stuck at "completed stage 50", so I closed it and rebooted again and again it didn't run on startup. What should I do next? Should I try in safe mode without networking? Thanks!


Wow, so I went to restart again and I got a message saying "Enumerating Profile Space" in a window with all these files going crazy.

It says "Profile Storage Space" with a message saying "You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage."

Then below that it shows the files in my profile by file name and size. My only option is to click on the "OK" button.


I read in some forums to create a file in notepad called undopolicy.reg with the following:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"EnableProfileQuota"=-

"ProfileQuotaMessage"=-

"MaxProfileSize"=-

"IncludeRegInProQuota"=-

"WarnUser"=-

"WarnUserTimeout"=-

Then save and run it, and it will fix this issue. Do you approve of doing this?


You can run the proposed registry script, but please be very careful when editing the registry and never do so without proper backup.

BACKUP THE REGISTRY

---------------------------

Backup Your Registry with ERUNT

  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.

Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe


You can safely do that if you don't want to use the Profile quota anymore. XP does not really have an easy way to do this. But, if you want to do it "two in one", I can give you a combofix script for it. In that case a separate backup with Erunt is not necessary (it's included).

First download combofix as instructed before, then run it, see steps below.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableProfileQuota"=-
"ProfileQuotaMessage"=-
"MaxProfileSize"=-
"IncludeRegInProQuota"=-
"WarnUser"=-
"WarnUserTimeout"=-

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Sorry, I ended up running the original registry editor after backing up with ERUNT. It solved that problem, so I was able to restart; however, I then re-ran combofix again, left for a while, and came back and it was stuck on stage 50 again. So I tried for the first time re-starting and running in safe mode without networking, and same thing, stuck on Stage 50.

So after all that, I restarted again in safe mode w/networking. I now attempted to do what you wrote above with the CFScript.txt and dragged it into ComboFix.exe (I actually deleted the combofix file I had been using and downloaded a new version just to start fresh). And yet AGAIN it's stuck on completed stage 50. So annoying!!

What do I do? I can't seem to get anywhere.


In that case, please run the following scan. Run it from Safe Mode, but try to use your own user account.

OTL

-----

Please download OTL from one of the following mirrors:

  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:

  • OTListIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized


Hi Elise, the name of the first text file was OTL.txt instead of OTListIt.txt, hope that doesn't make a difference. Also one thing to note, since I noticed the file below and some others talk about "last 30 days", I got infected like a year or two ago and haven't used my computer for a long time, not sure if that matters but just want to let you know all possible information. Here are the reports:

OTL logfile created on: 4/15/2011 8:47:43 AM - Run 1

OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Steve H\Desktop

Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 365.00 Mb Available Physical Memory | 72.00% Memory free

1.00 Gb Paging File | 1.00 Gb Available in Paging File | 95.00% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 71.10 Gb Total Space | 14.76 Gb Free Space | 20.77% Space Free | Partition Type: NTFS

Drive E: | 495.22 Mb Total Space | 202.93 Mb Free Space | 40.98% Space Free | Partition Type: FAT

Computer Name: STEVE | User Name: Steve H | Logged in as Administrator.

Boot Mode: SafeMode | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/15 09:43:58 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steve H\Desktop\OTL.exe

PRC - [2009/01/08 21:30:26 | 000,797,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe

PRC - [2007/06/13 05:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

========== Modules (SafeList) ==========

MOD - [2011/04/15 09:43:58 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steve H\Desktop\OTL.exe

MOD - [2006/08/25 10:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll

MOD - [2001/07/07 18:35:24 | 000,106,547 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\SunnComm Shared\msscript.OCX

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Viewpoint Manager Service)

SRV - File not found [Disabled | Stopped] -- -- (HidServ)

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)

SRV - [2009/04/01 14:21:30 | 000,365,072 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)

SRV - [2009/03/25 11:05:48 | 000,144,704 | ---- | M] (McAfee, Inc.) [unknown | Stopped] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)

SRV - [2009/03/24 00:03:18 | 000,606,736 | ---- | M] (McAfee, Inc.) [Disabled | Stopped] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)

SRV - [2009/03/19 11:42:02 | 000,884,360 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)

SRV - [2009/02/06 17:02:14 | 000,109,056 | ---- | M] (ArcSoft Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)

SRV - [2009/01/09 12:31:16 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- c:\program files\common files\mcafee\mna\mcnasvc.exe -- (McNASvc)

SRV - [2009/01/09 10:22:10 | 000,026,640 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)

SRV - [2009/01/09 09:06:52 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)

SRV - [2009/01/08 21:30:26 | 000,797,864 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)

SRV - [2008/08/13 18:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Stopped] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)

SRV - [2007/03/07 15:47:46 | 000,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)

SRV - [2006/12/19 19:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Stopped] -- C:\Program Files\Common Files\EPSON\eEBAPI\eEBSvc.exe -- (EpsonBidirectionalService)

SRV - [2004/10/04 14:12:50 | 000,057,344 | ---- | M] (Conexant Systems, Inc.) [Disabled | Stopped] -- C:\WINDOWS\system32\PRISMSVC.exe -- (PRISMSVC)

SRV - [2004/08/04 05:00:00 | 000,093,696 | ---- | M] (Sigma Designs Inc) [Auto | Stopped] -- C:\WINDOWS\system32\sofatnet.exe -- (sofatnet)

SRV - [2004/08/04 05:00:00 | 000,045,056 | ---- | M] (X-Ways Software Technology) [Auto | Stopped] -- C:\WINDOWS\system32\EvdoServer.dll -- (EvdoServer)

SRV - [2004/04/07 12:07:32 | 001,135,728 | ---- | M] (America Online, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -- (AOL ACS)

========== Driver Services (SafeList) ==========

DRV - [2009/06/18 12:54:10 | 000,006,144 | ---- | M] (Sophos Plc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\C.tmp -- (MEMSWEEP2)

DRV - [2009/03/25 11:06:30 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)

DRV - [2009/03/25 11:06:28 | 000,214,024 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)

DRV - [2009/03/25 11:06:28 | 000,079,880 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)

DRV - [2009/03/25 11:06:28 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)

DRV - [2009/03/25 11:05:54 | 000,034,216 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)

DRV - [2008/10/23 14:08:54 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)

DRV - [2007/02/25 12:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\dsunidrv.sys -- (dsunidrv)

DRV - [2006/10/05 16:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)

DRV - [2004/09/27 00:42:00 | 000,345,184 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PRISMA02.sys -- (DELL_A02)

DRV - [2004/09/17 14:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)

DRV - [2004/06/16 03:52:40 | 000,061,157 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\IntelC53.sys -- (IntelC53)

DRV - [2004/03/06 04:15:34 | 000,647,929 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\IntelC52.sys -- (IntelC52)

DRV - [2004/03/06 04:14:42 | 001,233,525 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\IntelC51.sys -- (IntelC51)

DRV - [2004/03/06 04:13:38 | 000,037,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mohfilt.sys -- (mohfilt)

DRV - [2003/01/10 16:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)

DRV - [2002/01/10 10:49:47 | 000,038,176 | ---- | M] () [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\SbcpHid.sys -- (SbcpHid)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-21-2800077679-1126426613-1149524522-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

IE - HKU\S-1-5-21-2800077679-1126426613-1149524522-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com

IE - HKU\S-1-5-21-2800077679-1126426613-1149524522-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com

IE - HKU\S-1-5-21-2800077679-1126426613-1149524522-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2800077679-1126426613-1149524522-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

O1 HOSTS File: ([2009/08/02 13:53:46 | 000,318,817 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 127.0.0.1 www.007guard.com

O1 - Hosts: 127.0.0.1 007guard.com

O1 - Hosts: 127.0.0.1 008i.com

O1 - Hosts: 127.0.0.1 www.008k.com

O1 - Hosts: 127.0.0.1 008k.com

O1 - Hosts: 127.0.0.1 www.00hq.com

O1 - Hosts: 127.0.0.1 00hq.com

O1 - Hosts: 127.0.0.1 010402.com

O1 - Hosts: 127.0.0.1 www.032439.com

O1 - Hosts: 127.0.0.1 032439.com

O1 - Hosts: 127.0.0.1 www.100888290cs.com

O1 - Hosts: 127.0.0.1 100888290cs.com

O1 - Hosts: 127.0.0.1 www.100sexlinks.com

O1 - Hosts: 127.0.0.1 100sexlinks.com

O1 - Hosts: 127.0.0.1 www.10sek.com

O1 - Hosts: 127.0.0.1 10sek.com

O1 - Hosts: 127.0.0.1 www.123topsearch.com

O1 - Hosts: 127.0.0.1 123topsearch.com

O1 - Hosts: 127.0.0.1 www.132.com

O1 - Hosts: 127.0.0.1 132.com

O1 - Hosts: 127.0.0.1 www.136136.net

O1 - Hosts: 127.0.0.1 136136.net

O1 - Hosts: 127.0.0.1 www.163ns.com

O1 - Hosts: 127.0.0.1 163ns.com

O1 - Hosts: 10935 more lines...

O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll ()

O2 - BHO: () - {2678E36F-5420-4945-B34F-A1AB2F9A6FF6} - File not found

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)

O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)

O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll ()

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O3 - HKU\S-1-5-21-2800077679-1126426613-1149524522-1006\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)

O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)

O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe ()

O4 - HKLM..\Run: [DropBoxUtility] C:\Program Files\DropBox\DropBox\DropBox.exe (DropShots)

O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )

O4 - HKLM..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE (SEIKO EPSON CORPORATION)

O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)

O4 - HKLM..\Run: [siteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe ()

O4 - HKLM..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe (Sun Microsystems, Inc.)

O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)

O4 - HKU\S-1-5-21-2800077679-1126426613-1149524522-1006..\Run: [AIM] File not found

O4 - HKU\S-1-5-21-2800077679-1126426613-1149524522-1006..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)

O4 - HKU\S-1-5-21-2800077679-1126426613-1149524522-1006..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)

O4 - HKU\S-1-5-21-2800077679-1126426613-1149524522-1006..\Run: [EPSON Artisan 700(Network)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIENA.EXE (SEIKO EPSON CORPORATION)

O4 - HKU\S-1-5-21-2800077679-1126426613-1149524522-1006..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe ()

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe (Dell Inc.)

O4 - Startup: C:\Documents and Settings\Steve H\Start Menu\Programs\Startup\PMB Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe (Sony Corporation)

F3 - HKU\.DEFAULT WinNT: Run - (C:\WINDOWS\system32\msflpr.exe) - C:\WINDOWS\system32\msflpr.exe (-)

F3 - HKU\S-1-5-18 WinNT: Run - (C:\WINDOWS\system32\msflpr.exe) - C:\WINDOWS\system32\msflpr.exe (-)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-2800077679-1126426613-1149524522-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-21-2800077679-1126426613-1149524522-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found

O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O9 - Extra Button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YPager.exe ()

O9 - Extra 'Tools' menuitem : Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YPager.exe ()

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5 Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab (Java Plug-in 1.6.0_04)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_03)

O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab (Java Plug-in 1.6.0_04)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab (Java Plug-in 1.6.0_04)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 207.172.3.8 207.172.3.9

O18 - Protocol\Handler\siteadvisor {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll ()

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (rundll32.exe) - File not found

O24 - Desktop WallPaper: C:\Documents and Settings\Steve H\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Steve H\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2004/08/10 13:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2011/04/10 16:02:10 | 000,000,093 | RHS- | M] () - E:\autorun.inf -- [ FAT ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/15 08:43:39 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Steve H\Desktop\OTL.exe

[2011/04/14 18:51:50 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2011/04/14 18:51:50 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2011/04/14 18:51:50 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2011/04/14 18:51:50 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2011/04/14 18:51:45 | 000,000,000 | --SD | C] -- C:\ComboFix

[2011/04/14 14:05:02 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT

[2011/04/14 14:05:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT

[2011/04/14 14:04:40 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Steve H\Desktop\erunt-setup.exe

[2011/04/14 13:17:45 | 000,000,000 | ---D | C] -- C:\DvdComposer

[2011/04/14 13:15:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Steve H\My Documents\My Music

[2011/04/13 15:41:20 | 000,000,000 | ---D | C] -- C:\cmdcons

[2011/04/13 14:04:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2011/04/13 14:03:17 | 000,000,000 | ---D | C] -- C:\Qoobox

[2011/04/10 18:47:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Steve H\Application Data\Malwarebytes

[2011/04/10 18:47:06 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2011/04/10 18:47:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware

[2011/04/10 18:47:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2011/04/10 18:46:57 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2011/04/10 18:46:57 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2011/04/10 16:03:49 | 007,734,208 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Steve H\Desktop\mbam-setup.exe

[11 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/15 09:43:58 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steve H\Desktop\OTL.exe

[2011/04/15 08:45:20 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2011/04/15 08:44:04 | 000,025,957 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF

[2011/04/14 20:00:00 | 004,321,202 | R--- | M] () -- C:\Documents and Settings\Steve H\Desktop\ComboFix.exe

[2011/04/14 15:11:14 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Steve H\Desktop\erunt-setup.exe

[2011/04/14 14:11:50 | 000,000,249 | ---- | M] () -- C:\Documents and Settings\Steve H\Desktop\undopolicy.reg

[2011/04/14 13:16:08 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[2011/04/14 13:15:44 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn

[2011/04/14 13:15:44 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for

[2011/04/14 13:11:36 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

[2011/04/13 15:41:26 | 000,000,327 | RHS- | M] () -- C:\boot.ini

[2011/04/13 15:32:11 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2011/04/13 14:41:58 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\Steve H\Desktop\RKUnhookerLE.EXE

[2011/04/12 13:30:18 | 000,002,821 | ---- | M] () -- C:\Documents and Settings\Steve H\Desktop\Attach.zip

[2011/04/11 17:57:11 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Steve H\defogger_reenable

[2011/04/10 20:20:24 | 000,301,568 | ---- | M] () -- C:\Documents and Settings\Steve H\Desktop\b8ct3i3r.exe

[2011/04/10 20:19:14 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Steve H\Desktop\dds.scr

[2011/04/10 20:18:08 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Steve H\Desktop\Defogger.exe

[2011/04/05 19:15:22 | 007,734,208 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Steve H\Desktop\mbam-setup.exe

[2011/03/27 16:36:02 | 000,095,232 | ---- | M] () -- C:\Documents and Settings\Steve H\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2011/03/27 15:10:20 | 000,176,128 | ---- | M] () -- C:\Documents and Settings\Steve H\My Documents\db2.mdb

[11 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/14 18:51:50 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2011/04/14 18:51:50 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2011/04/14 18:51:50 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2011/04/14 18:51:50 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2011/04/14 18:51:50 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2011/04/14 18:51:10 | 004,321,202 | R--- | C] () -- C:\Documents and Settings\Steve H\Desktop\ComboFix.exe

[2011/04/14 14:11:50 | 000,000,249 | ---- | C] () -- C:\Documents and Settings\Steve H\Desktop\undopolicy.reg

[2011/04/14 13:15:44 | 000,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn

[2011/04/14 13:15:44 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for

[2011/04/13 15:41:26 | 000,000,211 | ---- | C] () -- C:\Boot.bak

[2011/04/13 15:41:22 | 000,260,272 | RHS- | C] () -- C:\cmldr

[2011/04/13 13:39:34 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\Steve H\Desktop\RKUnhookerLE.EXE

[2011/04/12 13:30:18 | 000,002,821 | ---- | C] () -- C:\Documents and Settings\Steve H\Desktop\Attach.zip

[2011/04/11 17:57:11 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Steve H\defogger_reenable

[2011/04/11 17:53:47 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Steve H\Desktop\dds.scr

[2011/04/11 17:53:47 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Steve H\Desktop\Defogger.exe

[2011/04/11 17:53:46 | 000,301,568 | ---- | C] () -- C:\Documents and Settings\Steve H\Desktop\b8ct3i3r.exe

[2011/03/17 19:05:41 | 000,176,128 | ---- | C] () -- C:\Documents and Settings\Steve H\My Documents\db2.mdb

[2010/03/07 17:02:19 | 000,000,444 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat

[2010/03/07 15:21:39 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat

[2008/11/17 18:29:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\EEventManager.INI

[2008/10/13 18:37:02 | 000,001,120 | ---- | C] () -- C:\WINDOWS\System32\E_ADDNET.DAT

[2008/10/13 17:21:05 | 000,073,220 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat

[2008/10/13 17:21:05 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat

[2008/10/13 17:21:05 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat

[2008/10/13 17:21:05 | 000,001,137 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat

[2008/10/13 17:21:05 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat

[2008/10/13 17:21:05 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat

[2008/10/13 17:21:05 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat

[2008/10/13 17:21:05 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini

[2008/10/13 17:21:04 | 000,031,053 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern131.dat

[2008/10/13 17:21:04 | 000,029,114 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat

[2008/10/13 17:21:04 | 000,027,417 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern121.dat

[2008/10/13 17:21:04 | 000,021,021 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat

[2008/10/13 17:21:04 | 000,015,670 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat

[2008/10/13 17:21:04 | 000,013,280 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat

[2008/10/13 17:21:04 | 000,010,673 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat

[2008/10/13 17:21:04 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat

[2008/10/13 17:16:17 | 000,000,077 | ---- | C] () -- C:\WINDOWS\EPART700.ini

[2008/07/09 21:20:52 | 000,000,130 | ---- | C] () -- C:\Documents and Settings\Steve H\Local Settings\Application Data\fusioncache.dat

[2008/07/06 18:13:30 | 000,691,545 | ---- | C] () -- C:\WINDOWS\unins000.exe

[2008/07/06 18:13:30 | 000,002,542 | ---- | C] () -- C:\WINDOWS\unins000.dat

[2007/11/20 00:57:22 | 002,482,688 | ---- | C] () -- C:\WINDOWS\System32\ffmpeg.exe

[2007/11/18 02:45:54 | 012,525,568 | ---- | C] () -- C:\WINDOWS\System32\mencoder.exe

[2006/08/05 21:31:44 | 000,000,367 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini

[2006/06/23 07:37:23 | 000,001,753 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

[2006/05/21 22:02:01 | 000,000,145 | ---- | C] () -- C:\WINDOWS\System32\EBPPORT3.DAT

[2006/02/25 20:35:47 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\tvqenc.dll

[2006/02/25 20:35:45 | 000,233,472 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll

[2005/10/28 18:36:51 | 000,000,036 | ---- | C] () -- C:\WINDOWS\webica.ini

[2005/09/22 20:04:18 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini

[2005/09/17 18:11:39 | 000,000,347 | ---- | C] () -- C:\WINDOWS\dellstat.ini

[2005/09/17 18:11:10 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbcvs.dll

[2005/09/17 18:11:08 | 000,000,373 | ---- | C] () -- C:\WINDOWS\System32\dlbccoin.ini

[2005/09/14 19:09:03 | 000,095,232 | ---- | C] () -- C:\Documents and Settings\Steve H\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2005/09/05 12:31:17 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2005/09/04 12:22:05 | 000,000,056 | RHS- | C] () -- C:\WINDOWS\System32\02A8DA4698.sys

[2005/08/25 21:41:23 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2005/08/25 21:33:25 | 000,000,528 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2005/08/25 21:29:29 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat

[2005/08/25 21:00:40 | 000,049,152 | ---- | C] () -- C:\WINDOWS\setpwrcg.exe

[2005/08/25 21:00:32 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

[2005/08/25 21:00:06 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\CoPrism.dll

[2005/08/25 21:00:04 | 000,000,375 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

[2005/08/23 17:05:46 | 000,225,280 | ---- | C] () -- C:\WINDOWS\System32\qtmlClient.dll

[2005/08/09 17:13:59 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\DivXsm.exe

[2005/08/09 17:12:28 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll

[2005/01/28 08:08:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[2004/08/10 13:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini

[2004/08/10 13:07:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat

[2004/08/10 13:02:15 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

[2004/08/10 13:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

[2004/08/10 12:57:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2004/08/10 12:57:15 | 000,307,600 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2004/08/10 12:51:21 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat

[2004/08/10 12:51:20 | 000,384,596 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat

[2004/08/10 12:51:20 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat

[2004/08/10 12:51:20 | 000,054,280 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat

[2004/08/10 12:51:20 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat

[2004/08/10 12:51:18 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat

[2004/08/10 12:51:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin

[2004/08/10 12:51:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

[2004/08/10 12:51:12 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat

[2004/08/10 12:51:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin

[2004/08/10 12:51:05 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat

[2004/08/10 12:50:56 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin

[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

[2002/01/10 10:49:47 | 000,038,176 | ---- | C] () -- C:\WINDOWS\System32\drivers\SbcpHid.sys

========== LOP Check ==========

[2009/02/12 23:46:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON

[2005/08/25 21:40:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Prism

[2009/08/09 13:23:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RegCure

[2008/02/18 13:04:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft

[2007/10/29 17:14:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint

[2005/09/01 22:43:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve H\Application Data\.bittorrent

[2005/08/30 21:04:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve H\Application Data\Aim

[2008/10/16 03:24:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve H\Application Data\Epson

[2007/10/05 15:26:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve H\Application Data\ICAClient

[2005/08/30 22:07:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve H\Application Data\Leadertech

[2006/01/29 16:40:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve H\Application Data\Nikon

[2007/03/24 19:46:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve H\Application Data\Viewpoint

[2009/07/15 02:35:25 | 000,000,354 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job

[2009/08/01 01:00:54 | 000,000,356 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job

[2009/08/10 09:20:49 | 000,000,442 | ---- | M] () -- C:\WINDOWS\Tasks\RegCure Program Check.job

[2009/08/10 09:20:49 | 000,000,382 | ---- | M] () -- C:\WINDOWS\Tasks\RegCure Startup.job

[2009/08/09 19:36:36 | 000,000,376 | ---- | M] () -- C:\WINDOWS\Tasks\RegCure.job

[2009/08/10 09:20:49 | 000,000,244 | -H-- | M] () -- C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job

[2009/08/10 09:20:48 | 000,000,288 | -H-- | M] () -- C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job

========== Purity Check ==========

< End of report >

EXTRAS.TXT

OTL Extras logfile created on: 4/15/2011 8:47:43 AM - Run 1

OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Steve H\Desktop

Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 365.00 Mb Available Physical Memory | 72.00% Memory free

1.00 Gb Paging File | 1.00 Gb Available in Paging File | 95.00% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 71.10 Gb Total Space | 14.76 Gb Free Space | 20.77% Space Free | Partition Type: NTFS

Drive E: | 495.22 Mb Total Space | 202.93 Mb Free Space | 40.98% Space Free | Partition Type: FAT

Computer Name: STEVE | User Name: Steve H | Logged in as Administrator.

Boot Mode: SafeMode | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 1

"FirewallDisableNotify" = 1

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- (America Online, Inc.)

"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- (America Online, Inc)

"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- (America Online, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- (America Online, Inc)

"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- (America Online, Inc.)

"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger -- (America Online, Inc.)

"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)

"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0 -- (America Online, Inc.)

"C:\Program Files\Yahoo!\Messenger\YPager.exe" = C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger -- ()

"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- (Yahoo! Inc.)

"C:\Program Files\BitTorrent\btdownloadgui.exe" = C:\Program Files\BitTorrent\btdownloadgui.exe:*:Enabled:btdownloadgui -- ()

"C:\Program Files\SopCast\SopCast.exe" = C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application -- (www.sopcast.com)

"C:\Program Files\SopCast\adv\SopAdver.exe" = C:\Program Files\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver -- (www.sopcast.com)

"D:\Common\EasyInstall\EasyInstall.exe" = D:\Common\EasyInstall\EasyInstall.exe:*:Enabled:EasyInstall

"C:\Program Files\DropBox\DropBox\DropBox.exe" = C:\Program Files\DropBox\DropBox\DropBox.exe:*:Enabled:DropBox -- (DropShots)

"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player

"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data

"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE

"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA

"{14291118-0C19-45EA-A4FA-5C1C0F5FDE09}" = Primo

"{14374619-0900-4056-BA06-C87C900AF9E6}" = QuickBooks Simple Start Special Edition

"{1733360D-6EE0-42F9-9B03-1072D5CD8179}" = ArcSoft Print Creations

"{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}" = Intel® PROSet for Wired Connections

"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate

"{2070F79D-46BC-4EEA-8F02-9B4DCABAE7CB}" = iPod for Windows 2006-03-23

"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD LE

"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager

"{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java 6 Update 4

"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{352310C3-E46B-42D3-8F32-54721FDD72D9}" = NetZeroInstallers

"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page

"{3E31400D-274E-4647-916C-2CACC3741799}" = EpsonNet Print

"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = Modem On Hold

"{4192EAC0-6B36-4723-B216-D0E86E7757AC}" = Jasc Paint Shop Photo Album 5

"{44734179-8A79-4DEE-BB08-73037F065543}" = Apple Mobile Device Support

"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}" = Bonjour

"{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}" = Banctec Service Agreement

"{56589DFE-0C29-4DFE-8E42-887B771ECD23}" = ArcSoft Print Creations - Photo Book

"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool

"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon

"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0

"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.5

"{6E179C77-7335-458D-9537-4F4EAC0181ED}" = Photo Click

"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer

"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03

"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore

"{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}" = Jasc Paint Shop Pro Studio, Dell Editon

"{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}" = Modem Event Monitor

"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX

"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport

"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper

"{809E9D11-335A-4186-8767-CB8C6F3D7810}" = DropBox

"{80FD852F-5AAC-4129-B931-06AAFFA43138}" = iTunes

"{81A34902-9D0B-4920-A25C-4CDC5D14B328}" = Jasc Paint Shop Pro 8 Dell Edition

"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver

"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player

"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage

"{91E30409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003

"{95F875CC-1B85-43E6-B3E0-13EA04F3D995}" = ArcSoft Print Creations - Photo Prints

"{A3BC5D37-30F9-4CF7-BD5C-0DFF063E4B6D}" = USB 2.0 Wireless LAN Card Utility

"{A5F68DC8-0278-4AD8-B413-861509B5F25B}" = ArcSoft Panorama Maker 3

"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio

"{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}" = Dell Media Experience

"{AC76BA86-0000-0000-0000-6028747ADE01}" = Adobe Acrobat - Reader 6.0.2 Update

"{AC76BA86-7AD7-1033-7B44-A00000000001}" = Adobe Reader 6.0.1

"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint

"{AF06CAE4-C134-44B1-B699-14FBDB63BD37}" = Dell Picture Studio v3.0

"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12

"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy

"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy

"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update

"{BFD96B89-B769-4CD6-B11E-E79FFD46F067}" = QuickTime

"{CA9ED5E4-1548-485B-A293-417840060158}" = ArcSoft Print Creations - Photo Calendar

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}" = Jasc Paint Shop Photo Album

"{D16A31F9-276D-4968-A753-FFEAC56995D0}" = Epson Print CD

"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center

"{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility

"{DABF43D9-1104-4764-927B-5BED1274A3B0}" = Runtime

"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)

"{F04F9557-81A9-4293-BC49-2C216FA325A7}" = ArcSoft Print Creations - Greeting Card

"{FF3999BE-1A7B-4738-88AA-97BF14094A4A}" = PictureProject

"Ace DivX Player" = Ace DivX Player

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"America Online us" = America Online (Choose which version to remove)

"AOL Connectivity Services" = AOL Connectivity Services

"AOL Instant Messenger" = AOL Instant Messenger

"AOLCoach" = AOL Coach Version 1.0(Build:20040229.1 en)

"B9BE9100-37D6-4A79-9504-7F90C0F0ADBE" = Sportsbook USA

"BitTorrent" = BitTorrent 4.0.4

"CD to MP3 Ripper" = CD to MP3 Ripper

"Citrix ICA Web Client" = MetaFrame Presentation Server Web Client for Win32

"Dell Photo Printer 720" = Dell Photo Printer 720

"Dell Photo Printer 720 Logger" = Dell Photo Printer 720 Logger

"EPSON Artisan 700 Series" = EPSON Artisan 700 Series Printer Uninstall

"EPSON Printer and Utilities" = EPSON Printer Software

"EPSON Scanner" = EPSON Scan

"ERUNT_is1" = ERUNT 1.1j

"Google Video Uploader" = Google Video Uploader

"ie8" = Windows Internet Explorer 8

"InstallShield_{2070F79D-46BC-4EEA-8F02-9B4DCABAE7CB}" = iPod for Windows 2006-03-23

"Intel® 537EP V9x DF PCI Modem" = Intel® 537EP V9x DF PCI Modem

"LimeWire" = LimeWire 4.16.6

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"MetaFrame Presentation Server Web Client for Win32" = MetaFrame Presentation Server Web Client for Win32

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"MSC" = McAfee SecurityCenter

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"PictureProject In Touch Downloader" = PictureProject In Touch Downloader 1.0

"PROSet" = Intel® PRO Network Adapters and Drivers

"RealPlayer 6.0" = RealPlayer

"RegCure" = RegCure 1.6.0.0

"Sony MHS Camera Driver" = Sony MHS Camera Driver

"SopCast" = SopCast 2.0.4

"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.5.0

"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.5.2.20

"StreetPlugin" = Learn2 Player (Uninstall Only)

"WebCyberCoach_wtrb" = WebCyberCoach 3.2 Dell

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"WinMPG VideoConvert 5.9.1" = WinMPG VideoConvert 5.9.1

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

"XoftSpySE" = XoftSpySE

"Yahoo! Companion" = Yahoo! Toolbar

"Yahoo! Messenger" = Yahoo! Messenger

"Yahoo! Toolbar" = Yahoo! Toolbar

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 4/13/2011 4:32:58 PM | Computer Name = STEVE | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The specified server cannot perform the requested operation.

Error - 4/13/2011 4:32:58 PM | Computer Name = STEVE | Source = crypt32 | ID = 131083

Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

with error: A required certificate is not within its validity period when verifying

against the current system clock or the timestamp in the signed file.

Error - 4/13/2011 4:32:58 PM | Computer Name = STEVE | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The specified server cannot perform the requested operation.

Error - 4/13/2011 4:32:58 PM | Computer Name = STEVE | Source = crypt32 | ID = 131083

Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

with error: A required certificate is not within its validity period when verifying

against the current system clock or the timestamp in the signed file.

Error - 4/13/2011 4:32:58 PM | Computer Name = STEVE | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The specified server cannot perform the requested operation.

Error - 4/13/2011 4:32:58 PM | Computer Name = STEVE | Source = crypt32 | ID = 131083

Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

with error: A required certificate is not within its validity period when verifying

against the current system clock or the timestamp in the signed file.

Error - 4/13/2011 4:32:58 PM | Computer Name = STEVE | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: The specified server cannot perform the requested operation.

Error - 4/13/2011 4:33:04 PM | Computer Name = STEVE | Source = crypt32 | ID = 131083

Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

with error: A required certificate is not within its validity period when verifying

against the current system clock or the timestamp in the signed file.

Error - 4/13/2011 4:33:04 PM | Computer Name = STEVE | Source = crypt32 | ID = 131083

Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

with error: A required certificate is not within its validity period when verifying

against the current system clock or the timestamp in the signed file.

Error - 4/13/2011 4:33:04 PM | Computer Name = STEVE | Source = crypt32 | ID = 131083

Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

with error: A required certificate is not within its validity period when verifying

against the current system clock or the timestamp in the signed file.

[ System Events ]

Error - 4/15/2011 9:46:21 AM | Computer Name = STEVE | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service StiSvc with

arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/15/2011 9:46:45 AM | Computer Name = STEVE | Source = Service Control Manager | ID = 7001

Description = The DHCP Client service depends on the NetBios over Tcpip service

which failed to start because of the following error: %%31

Error - 4/15/2011 9:46:45 AM | Computer Name = STEVE | Source = Service Control Manager | ID = 7001

Description = The DNS Client service depends on the TCP/IP Protocol Driver service

which failed to start because of the following error: %%31

Error - 4/15/2011 9:46:45 AM | Computer Name = STEVE | Source = Service Control Manager | ID = 7001

Description = The TCP/IP NetBIOS Helper service depends on the AFD service which

failed to start because of the following error: %%31

Error - 4/15/2011 9:46:45 AM | Computer Name = STEVE | Source = Service Control Manager | ID = 7001

Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver

service which failed to start because of the following error: %%31

Error - 4/15/2011 9:46:45 AM | Computer Name = STEVE | Source = Service Control Manager | ID = 7001

Description = The Bonjour Service service depends on the TCP/IP Protocol Driver

service which failed to start because of the following error: %%31

Error - 4/15/2011 9:46:45 AM | Computer Name = STEVE | Source = Service Control Manager | ID = 7001

Description = The IPSEC Services service depends on the IPSEC driver service which

failed to start because of the following error: %%31

Error - 4/15/2011 9:46:45 AM | Computer Name = STEVE | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

AFD Fips intelppm IPSec MPFP MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

Error - 4/15/2011 9:48:20 AM | Computer Name = STEVE | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service McNASvc with

arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

Error - 4/15/2011 9:48:24 AM | Computer Name = STEVE | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service McNASvc with

arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}

< End of report >
