# I'm hijacked



## john m ercolino (Jan 14, 2007)

Caught a bug that I think came through on a Java console. The hated XP Total Security scam. My internet access is totally cut off, and I can't get rid of it. I am now using another computer to edit this post. I keep getting flashing warnings and it has disabled every malware and virus eradication method I have tried. Please help. I have already downloaded the tools indicated from sticky #1. What now?
Here is a copy of the HijackThis log.
Thanks, John

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:36:18 PM, on 3/2/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17095)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Documents and Settings\john ercolino.DBMKS671\Local Settings\Application Data\ejd.exe
C:\Program Files\Acronis\BackupServer\backupserver.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\cisvc.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\john ercolino.DBMKS671\Local Settings\Temporary Internet Files\Content.IE5\UYJ2SNKE\HijackThis[1].exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1271905715648
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Program Files\Common Files\Acronis\Agent\agent.exe
O23 - Service: Acronis Backup Server Service (AcronisBackupServerService) - Acronis - C:\Program Files\Acronis\BackupServer\backupserver.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Personal Firewall (McMPFSvc) - Unknown owner - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (file missing)

--
End of file - 7834 bytes

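Reading a HijackThis log by hand is the slow part of threads like this one. The script below is an added example for this thread (it is not a HijackThis or Trend Micro tool, and the heuristics and the `triage` function are this example's own). It applies a few reviewer heuristics to the log format posted above: a running process or O4 autostart whose path sits inside a per-user profile directory (Local Settings, Application Data, Temporary Internet Files), an O2/O3/O23 entry whose file is gone, and an R1 ProxyServer setting. The sample input is a subset of lines copied from the log above; everything a hit produces is a prompt for the reviewer to look, not a verdict.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Per-user profile locations on Windows XP. Legitimately installed software
# usually lives under Program Files or WINDOWS; a long-running process or an
# autostart entry under a user's Local Settings / Application Data tree is
# where a log reviewer looks first. "All Users\Application Data" is excluded
# because vendor services (the EPSON one in the log above) legitimately use it.
USER_PROFILE_DIR = re.compile(
    r"c:\\documents and settings\\(?!all users\\)[^\\]+\\(?:local settings|application data)\\",
    re.IGNORECASE,
)

# HijackThis entry lines look like "O4 - HKLM\..\Run: [name] path" or "R1 - key = value".
ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")

# Markers HijackThis prints when the referenced file is not on disk.
MISSING = ("(no file)", "(file missing)")


@dataclass
class Finding:
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return the log lines a reviewer should look at, with the heuristic that fired."""
    findings: list[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the "Running processes:" block
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            if USER_PROFILE_DIR.search(line):
                findings.append(Finding("process running from a user profile directory", line))
            continue
        m = ENTRY.match(line)
        if not m:
            continue  # header/footer lines such as "Logfile of ..." or "End of file"
        kind, body = m.groups()
        if kind in ("O2", "O3", "O23") and any(t in body for t in MISSING):
            findings.append(Finding(f"{kind} entry whose file is missing (orphaned hook or service)", line))
        elif kind == "O4" and USER_PROFILE_DIR.search(body):
            findings.append(Finding("O4 autostart pointing into a user profile directory", line))
        elif kind == "R1" and "ProxyServer" in body:
            findings.append(Finding("R1 proxy setting present; confirm it is intentional", line))
    return findings


# Subset of lines copied from the HijackThis log posted above (raw string, so
# the single backslashes survive).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:36:18 PM, on 3/2/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Documents and Settings\john ercolino.DBMKS671\Local Settings\Application Data\ejd.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Documents and Settings\john ercolino.DBMKS671\Local Settings\Temporary Internet Files\Content.IE5\UYJ2SNKE\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O23 - Service: McAfee Personal Firewall (McMPFSvc) - Unknown owner - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (file missing)
End of file - 7834 bytes
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}]\n    {f.line}")
```

On the sample above the script reports six lines: ejd.exe under Local Settings\Application Data, the ProxyServer value, the orphaned McAfee BHO, toolbar and service, and HijackThis[1].exe itself, which was run straight out of the IE cache. The last hit is the point of the caveat in the lead-in: a path heuristic tells you where to look, and the reviewer still decides.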

----------



## john m ercolino (Jan 14, 2007)

I am reposting after a bit more than two days without any response. I am sorry, but I think I am following the protocol as you have listed in the sticky.
The situation has now changed from the original posting. I have made some progress in eliminating the virus (trojan), but do not believe it is totally eradicated. My system is working again but is not totally stable, and is prone to just blacking out and then rebooting itself. There is no pattern to this activity, except for when I run a virus or malware scan. It happens at some point in each scan.
To get to the current state of functionality, I booted up XP in safe mode and ran Malwarebytes Anti-Malware, and that removed 3 infected items. After that, none of my applications would run; I lost the "system32\rundll.exe" file and corrected that issue.
The system functions now but is doing a lot of error reporting and a lot of self resets. By that I mean it is like someone pulled the plug and cut the power long enough for the system to have to reboot, which it does.
So I have rerun the requested scans and reports to reflect current information and am posting them herewith. I hope that someone can assist me soon; I am trying not to be too impatient. Thanks in advance, and I hope to hear from someone soon.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:08:10 PM, on 3/4/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Acronis\BackupServer\backupserver.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\cisvc.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1271905715648
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Program Files\Common Files\Acronis\Agent\agent.exe
O23 - Service: Acronis Backup Server Service (AcronisBackupServerService) - Acronis - C:\Program Files\Acronis\BackupServer\backupserver.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Personal Firewall (McMPFSvc) - Unknown owner - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (file missing)

--
End of file - 7192 bytes

DDS (Ver_10-12-12.02) - NTFSx86 
Run by john ercolino at 15:08:33.95 on Fri 03/04/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2461 [GMT -5:00]

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
svchost.exe
C:\Program Files\Acronis\BackupServer\backupserver.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\cisvc.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\john ercolino.DBMKS671\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://news.yahoo.com/
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ipswitch\ws_ftp pro\wsbho2k0.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimageworkstation\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimageworkstation\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
uPolicies-explorer: RestrictRun = 0 (0x0)
mPolicies-explorer: RestrictRun = 0 (0x0)
IE: {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - {1FBA04EE-3024-11D2-8F1F-0000F87ABD16}	c:\program files\irfanview\ebay\ebay.htm - c:\program files\irfanview\ebay\ebay.htm\inprocserver32 does not exist!
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1271905715648
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SecurityProviders: msap?spc?dll, schannel.d?l, digest.dll, msnsspc.dll
LSA: Authentication Packages = msv1_0 relog_ap
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-2 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-12-5 301528]
R2 AcronisAgent;Acronis Remote Agent;c:\program files\common files\acronis\agent\agent.exe [2006-7-20 319488]
R2 AcronisBackupServerService;Acronis Backup Server Service;c:\program files\acronis\backupserver\backupserver.exe [2006-7-21 9025808]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-12-5 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-12-5 42184]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe" /mccoresvc --> c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [?]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 cpuz132;cpuz132;\??\c:\docume~1\johner~1.dbm\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\johner~1.dbm\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-23 19720]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2010-2-12 14856]
S3 OlCamudp;OLYMPUS Digital Camera;c:\windows\system32\drivers\olcamudp.sys [2005-4-8 10379]
S3 PortlUSB;PortlUSB;c:\windows\system32\drivers\siriususb.sys --> c:\windows\system32\drivers\SiriusUSB.sys [?]

=============== Created Last 30 ================

==================== Find3M ====================

============= FINISH: 15:09:15.95 ===============

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-03-04 15:39:09
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Intel___ rev.1.0.
Running: bf0wfwdl.exe; Driver: C:\DOCUME~1\JOHNER~1.DBM\LOCALS~1\Temp\kwroapow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA7A08026]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA7A07E91]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA7A518DE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----


----------



## john m ercolino (Jan 14, 2007)

Sorry, here is the attach.txt.


----------



## Cookiegal (Aug 27, 2003)

Please visit *Combofix Guide & Instructions* for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read *HERE* for an article written by dvk01 on why we disable autoruns.

*Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished, as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.*

*Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing, but do allow your anti-virus software to update to be sure you have the latest definitions at all times. It is important that you wait for instructions.*


----------



## john m ercolino (Jan 14, 2007)

Cookiegal,
Here are the logs you requested. There were errors reported during the ComboFix process. It also went through a chkdsk process on the reboot.
The system is still shutting itself down, and then rebooting, for no apparent reason. Also, the options screen after the BIOS startup screen has changed and now has four selections: the XP Professional normal, the XP setup mode, the Windows Recovery Console, and some Windows debugging option that says "do not use". When the system reboots, the default selection is Windows XP setup, and if I am not there to move the cursor immediately to the XP Professional normal, there is no Windows startup, and it changes to a DOS-style screen with just a blinking cursor at the top left of the frame.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:20:25 PM, on 3/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Acronis\BackupServer\backupserver.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\PEACHW\peachw.exe
C:\PEACHW\W32MKDE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1271905715648
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Program Files\Common Files\Acronis\Agent\agent.exe
O23 - Service: Acronis Backup Server Service (AcronisBackupServerService) - Acronis - C:\Program Files\Acronis\BackupServer\backupserver.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Personal Firewall (McMPFSvc) - Unknown owner - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (file missing)

--
End ComboFix 11-03-07.02 - john ercolino 03/07/2011 17:12:18.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2598 [GMT -5:00]
Running from: c:\documents and settings\john ercolino.DBMKS671\Desktop\puppy123.exe
Command switches used :: c:\documents and settings\john ercolino.DBMKS671\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2011-02-07 to 2011-03-07 )))))))))))))))))))))))))))))))
.
.
No new files created in this timespan
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-03 22:04 . 2011-03-03 22:04	98392	----a-w-	c:\windows\system32\drivers\SBREDrv.sys
2011-03-03 18:37 . 2004-08-12 12:27	33280	----a-w-	c:\windows\system32\rundll32.exe
2011-03-02 19:13 . 2011-03-02 19:13	388096	----a-r-	c:\documents and settings\john ercolino.DBMKS671\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-23 15:04 . 2010-12-05 23:26	40648	----a-w-	c:\windows\avastSS.scr
2011-02-23 15:04 . 2010-12-05 23:26	190016	----a-w-	c:\windows\system32\aswBoot.exe
2011-02-23 14:56 . 2011-03-02 18:24	371544	----a-w-	c:\windows\system32\drivers\aswSnx.sys
2011-02-23 14:56 . 2010-12-05 23:26	301528	----a-w-	c:\windows\system32\drivers\aswSP.sys
2011-02-23 14:55 . 2010-12-05 23:26	49240	----a-w-	c:\windows\system32\drivers\aswTdi.sys
2011-02-23 14:55 . 2010-12-05 23:26	102232	----a-w-	c:\windows\system32\drivers\aswmon2.sys
2011-02-23 14:55 . 2010-12-05 23:26	96344	----a-w-	c:\windows\system32\drivers\aswmon.sys
2011-02-23 14:55 . 2010-12-05 23:26	25432	----a-w-	c:\windows\system32\drivers\aswRdr.sys
2011-02-23 14:54 . 2010-12-05 23:26	30680	----a-w-	c:\windows\system32\drivers\aavmker4.sys
2011-02-23 14:54 . 2010-12-05 23:26	19544	----a-w-	c:\windows\system32\drivers\aswFsBlk.sys
2011-02-23 14:35 . 2011-03-07 20:22	5943120	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{4CA30F4A-0CA8-4239-A7B2-2EEC75A6DA6D}\mpengine.dll
2011-02-02 22:11 . 2010-02-20 16:51	222080	-c----w-	c:\windows\system32\MpSigStub.exe
2011-01-21 14:44 . 2004-08-12 12:28	439296	----a-w-	c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-12 12:17	290048	----a-w-	c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-12 12:33	1854976	----a-w-	c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-12 12:20	301568	----a-w-	c:\windows\system32\kerberos.dll
2010-12-20 23:09 . 2011-03-04 00:38	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2011-03-04 00:38	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2004-08-12 12:21	730112	----a-w-	c:\windows\system32\lsasrv.dll
2010-12-09 15:15 . 2004-08-12 12:25	718336	----a-w-	c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2004-08-12 12:18	33280	----a-w-	c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2004-08-12 12:25	2148864	----a-w-	c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-03 22:59	2027008	----a-w-	c:\windows\system32\ntkrnlpa.exe
.
.
------- Sigcheck -------
.
[7] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\schedsvc.dll
[7] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\schedsvc.dll
[-] 2008-04-14 . 1F305FFA6A5934A5D6A8A32928D6388A . 192512 . . [5.1.2600.5512] . . c:\windows\SYSTEM32\schedsvc.dll
.
((((((((((((((((((((((((((((( Snapshot@2011-03-07_21.23.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-07 22:01 . 2011-03-07 22:01	16384 c:\windows\Temp\Perflib_Perfdata_94c.dat
+ 2004-08-12 12:23 . 2008-04-14 09:42	343040 c:\windows\SYSTEM32\msvcrt.dll
- 2004-08-12 12:23 . 2008-04-14 00:12	343040 c:\windows\SYSTEM32\msvcrt.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 15:04	122512	----a-w-	c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 19968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe" [2006-07-21 1106528]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageWorkstation\TimounterMonitor.exe" [2006-07-21 1848155]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-07-21 126976]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"avast"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-02-23 3451496]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msap?spc?dll, digest.dll, msnsspc.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-22 05:05	40368	----a-w-	c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-08-25 17:52	339968	-c--a-w-	c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-10-12 22:54	57344	-c--a-w-	c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16	421888	----a-w-	c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 07:01	110592	-c--a-w-	c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Acronis\\TrueImageWorkstation\\TrueImage.exe"=
"c:\\Program Files\\Common Files\\Acronis\\Agent\\agent.exe"=
.
R1 aswSnx;aswSnx;c:\windows\SYSTEM32\DRIVERS\aswSnx.sys [3/2/2011 1:24 PM 371544]
R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [12/5/2010 6:26 PM 301528]
R2 AcronisBackupServerService;Acronis Backup Server Service;c:\program files\Acronis\BackupServer\backupserver.exe [7/21/2006 1:25 AM 9025808]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [12/5/2010 6:26 PM 19544]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 AcronisAgent;Acronis Remote Agent;c:\program files\Common Files\Acronis\Agent\agent.exe [7/20/2006 11:50 PM 319488]
S2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc --> c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 9:58 AM 11336]
S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\SYSTEM32\DRIVERS\LGBusEnum.sys [11/23/2009 5:37 PM 19720]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\SYSTEM32\DRIVERS\LGVirHid.sys [2/12/2010 9:34 AM 14856]
S3 OlCamudp;OLYMPUS Digital Camera;c:\windows\SYSTEM32\DRIVERS\olcamudp.sys [4/8/2005 5:29 PM 10379]
S3 PortlUSB;PortlUSB;c:\windows\system32\DRIVERS\SiriusUSB.sys --> c:\windows\system32\DRIVERS\SiriusUSB.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32	128512	----a-w-	c:\windows\SYSTEM32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-03-07 c:\windows\Tasks\Auslogics Boost Speed Disk Defrag Console Defragmentation.job
- c:\program files\Auslogics\Auslogics Disk Defrag\cdefrag.exe [2010-04-24 13:32]
.
2011-03-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
Trusted Zone: internet
Trusted Zone: mcafee.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-07 17:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1452)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-03-07 17:24:46
ComboFix-quarantined-files.txt 2011-03-07 22:24
ComboFix2.txt 2011-03-07 21:52
ComboFix3.txt 2011-03-07 21:26
.
Pre-Run: 50,947,649,536 bytes free
Post-Run: 51,012,337,664 bytes free
.
Current=7 Default=7 Failed=6 LastKnownGood=8 Sets=1,2,3,4,5,6,7,8
- - End Of File - - B410C23ECFEE897A7EE2547413C700D5
of file - 6424 bytes


----------



## Cookiegal (Aug 27, 2003)

You've run ComboFix three times so I'll need to see the first log please which you will find here:

C:\qoobox\ComboFix3.txt


----------



## john m ercolino (Jan 14, 2007)

I made some notes during the process about some of the errors. The files affected were "pev.exe" corrupt, "handle.cfxxe", "pev.cfxxe", "grep.cfxxe" and "msccrt.dll". I don't know if this is helpful to you. There was also an error message that stated "The procedure entry point getsystemdefaultlcid could not be located in the dll. of kernel.dll"


----------



## john m ercolino (Jan 14, 2007)

I ran it three times because, as I said, it kept producing errors, and when I had to click on or select an action it would either black out or freeze. Here is the log you requested:

ComboFix 11-03-07.02 - john ercolino 03/07/2011 16:05:36.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2587 [GMT -5:00]
Running from: c:\documents and settings\john ercolino.DBMKS671\Desktop\puppy123.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\john ercolino.DBMKS671\g2mdlhlpx.exe
c:\documents and settings\john ercolino.DBMKS671\GoToAssistDownloadHelper.exe
c:\windows\regedit.com
c:\windows\system32\LogFiles
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2011-02-07 to 2011-03-07 )))))))))))))))))))))))))))))))
.
.
2011-03-07 20:04 . 2011-03-07 20:04	--------	d-----w-	c:\documents and settings\john ercolino.DBMKS671\Local Settings\Application Data\Sunbelt Software
2011-03-07 19:27 . 2011-03-07 19:27	--------	d-----w-	c:\documents and settings\Administrator\PrivacIE
2011-03-07 19:18 . 2011-03-07 19:18	--------	d-----w-	c:\documents and settings\Administrator\IETldCache
2011-03-07 05:04 . 2011-03-07 20:05	--------	d-----w-	c:\program files\ESET
2011-03-04 18:10 . 2011-03-04 18:10	--------	d-sh--w-	c:\documents and settings\john ercolino.DBMKS671\IECompatCache
2011-03-04 18:07 . 2011-03-04 18:07	--------	d-sh--w-	c:\documents and settings\john ercolino.DBMKS671\PrivacIE
2011-03-04 18:06 . 2011-03-04 18:06	--------	d-sh--w-	c:\windows\system32\config\systemprofile\IETldCache
2011-03-04 18:06 . 2011-03-04 18:06	--------	d-sh--w-	c:\documents and settings\john ercolino.DBMKS671\IETldCache
2011-03-04 18:03 . 2011-03-07 20:04	--------	dc-h--w-	c:\windows\ie8
2011-03-04 18:03 . 2010-10-18 11:10	7680	-c----w-	c:\windows\system32\dllcache\iecompat.dll
2011-03-04 00:38 . 2010-12-20 23:09	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-04 00:38 . 2010-12-20 23:08	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-03-03 22:04 . 2011-03-03 22:04	98392	----a-w-	c:\windows\system32\drivers\SBREDrv.sys
2011-03-03 22:02 . 2011-03-07 20:04	--------	d-----w-	c:\documents and settings\All Users\Application Data\Lavasoft
2011-03-03 19:44 . 2007-03-09 16:25	2321288	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-03 19:10 . 2011-03-07 20:04	--------	d-----w-	c:\program files\Windows Defender
2011-03-03 17:14 . 2011-03-03 17:14	--------	d-----w-	c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-03-03 17:07 . 2011-03-03 17:07	--------	d-----w-	c:\documents and settings\Administrator\Application Data\Ipswitch
2011-03-02 20:07 . 2010-01-11 00:40	118784	----a-w-	c:\windows\system32\MSSTDFMT.DLL
2011-03-02 19:13 . 2011-03-02 19:13	388096	----a-r-	c:\documents and settings\john ercolino.DBMKS671\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-03-02 18:24 . 2011-02-23 14:56	371544	----a-w-	c:\windows\system32\drivers\aswSnx.sys
2011-03-02 17:38 . 2011-03-07 20:04	--------	d-----w-	c:\program files\FileASSASSIN
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-03 18:37 . 2004-08-12 12:27	33280	----a-w-	c:\windows\system32\rundll32.exe
2011-02-23 15:04 . 2010-12-05 23:26	40648	----a-w-	c:\windows\avastSS.scr
2011-02-23 15:04 . 2010-12-05 23:26	190016	----a-w-	c:\windows\system32\aswBoot.exe
2011-02-23 14:56 . 2010-12-05 23:26	301528	----a-w-	c:\windows\system32\drivers\aswSP.sys
2011-02-23 14:55 . 2010-12-05 23:26	49240	----a-w-	c:\windows\system32\drivers\aswTdi.sys
2011-02-23 14:55 . 2010-12-05 23:26	102232	----a-w-	c:\windows\system32\drivers\aswmon2.sys
2011-02-23 14:55 . 2010-12-05 23:26	96344	----a-w-	c:\windows\system32\drivers\aswmon.sys
2011-02-23 14:55 . 2010-12-05 23:26	25432	----a-w-	c:\windows\system32\drivers\aswRdr.sys
2011-02-23 14:54 . 2010-12-05 23:26	30680	----a-w-	c:\windows\system32\drivers\aavmker4.sys
2011-02-23 14:54 . 2010-12-05 23:26	19544	----a-w-	c:\windows\system32\drivers\aswFsBlk.sys
2011-02-02 22:11 . 2010-02-20 16:51	222080	-c----w-	c:\windows\system32\MpSigStub.exe
2011-01-21 14:44 . 2004-08-12 12:28	439296	----a-w-	c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-12 12:17	290048	----a-w-	c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-12 12:33	1854976	----a-w-	c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-12 12:20	301568	----a-w-	c:\windows\system32\kerberos.dll
2010-12-20 17:26 . 2004-08-12 12:21	730112	----a-w-	c:\windows\system32\lsasrv.dll
2010-12-09 15:15 . 2004-08-12 12:25	718336	----a-w-	c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2004-08-12 12:18	33280	----a-w-	c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2004-08-12 12:25	2148864	----a-w-	c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-03 22:59	2027008	----a-w-	c:\windows\system32\ntkrnlpa.exe
.
.
------- Sigcheck -------
.
[7] 2008-04-14 . D7075E95AA599EE77B7A89D39296BD3D . 343040 . . [7.0.2600.5512] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcrt.dll
[7] 2008-04-14 . 355EDBB4D412B01F1740C17E3F50FA00 . 343040 . . [7.0.2600.5512] . . c:\windows\ServicePackFiles\i386\msvcrt.dll
[-] 2008-04-14 . ED0DBA1C50619473497355A2EE0518BA . 343040 . . [7.0.2600.5512] . . c:\windows\SYSTEM32\msvcrt.dll
[7] 2004-08-04 . 4200BE3808F6406DBE45A7B88DAE5035 . 322560 . . [7.0.2600.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll
[7] 2004-08-04 . 98EC447E00229AFD88D5161A25D065DA . 343040 . . [7.0.2600.2180] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll
.
(((((((((((((((((((((((((((((((((((((  Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 15:04	122512	----a-w-	c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 19968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe" [2006-07-21 1106528]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageWorkstation\TimounterMonitor.exe" [2006-07-21 1848155]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-07-21 126976]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"avast"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-02-23 3451496]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msap?spc?dll, digest.dll, msnsspc.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-22 05:05	40368	----a-w-	c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-08-25 17:52	339968	-c--a-w-	c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-10-12 22:54	57344	-c--a-w-	c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16	421888	----a-w-	c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 07:01	110592	-c--a-w-	c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Acronis\\TrueImageWorkstation\\TrueImage.exe"=
"c:\\Program Files\\Common Files\\Acronis\\Agent\\agent.exe"=
.
R1 aswSnx;aswSnx;c:\windows\SYSTEM32\DRIVERS\aswSnx.sys [3/2/2011 1:24 PM 371544]
R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [12/5/2010 6:26 PM 301528]
R2 AcronisAgent;Acronis Remote Agent;c:\program files\Common Files\Acronis\Agent\agent.exe [7/20/2006 11:50 PM 319488]
R2 AcronisBackupServerService;Acronis Backup Server Service;c:\program files\Acronis\BackupServer\backupserver.exe [7/21/2006 1:25 AM 9025808]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [12/5/2010 6:26 PM 19544]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc --> c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 9:58 AM 11336]
S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\SYSTEM32\DRIVERS\LGBusEnum.sys [11/23/2009 5:37 PM 19720]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\SYSTEM32\DRIVERS\LGVirHid.sys [2/12/2010 9:34 AM 14856]
S3 OlCamudp;OLYMPUS Digital Camera;c:\windows\SYSTEM32\DRIVERS\olcamudp.sys [4/8/2005 5:29 PM 10379]
S3 PortlUSB;PortlUSB;c:\windows\system32\DRIVERS\SiriusUSB.sys --> c:\windows\system32\DRIVERS\SiriusUSB.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32	128512	----a-w-	c:\windows\SYSTEM32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-03-07 c:\windows\Tasks\Auslogics Boost Speed Disk Defrag Console Defragmentation.job
- c:\program files\Auslogics\Auslogics Disk Defrag\cdefrag.exe [2010-04-24 13:32]
.
2011-03-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://news.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
Trusted Zone: internet
Trusted Zone: mcafee.com
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_03\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-07 16:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
.
C:\## aswSnx private storage
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3852)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Logitech\MouseWare\system\em_exec.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-03-07 16:26:21 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-07 21:26
.
Pre-Run: 49,891,258,368 bytes free
Post-Run: 51,114,885,120 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[Boot Loader]
Timeout=2
Default=c:\$win_nt$.~bt\BOOTSECT.DAT
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
c:\$win_nt$.~bt\BOOTSECT.DAT="Microsoft Windows XP Professional Setup"
.
Current=7 Default=7 Failed=6 LastKnownGood=8 Sets=1,2,3,4,5,6,7,8
- - End Of File - - 3BFF0335685C8B4822CE3DBDC0598D01


----------



## Cookiegal (Aug 27, 2003)

I see you have Acronis True Image. Do you have a backup image you can restore to?


----------



## john m ercolino (Jan 14, 2007)

I tried to restore with Acronis, but the program said the image was corrupted. I thought I had a safe zone on my hard drives, which are mirrored, that had a backup image, but I can't seem to get that to work. The program is telling me it can't see it even though I know it was written to the disk months ago when I installed it.


----------



## john m ercolino (Jan 14, 2007)

I just checked into the Acronis Secure Zone, which is set aside for my backup image and backup archives. It's empty. You may offer me the idiot of the week award, as is justly deserved.


----------



## Cookiegal (Aug 27, 2003)

We're going to have to edit the boot.ini file.

Yours currently reads as follows:

[Boot Loader]
Timeout=2
Default=c:\$win_nt$.~bt\BOOTSECT.DAT
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
c:\$win_nt$.~bt\BOOTSECT.DAT="Microsoft Windows XP Professional Setup"

Go to Start - Run - type in msconfig and then click on the BOOT.INI tab. You will see that the above text (boot loader) appears in the top portion. Replace that with the following (copy and paste it):

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Then click Apply and OK and it should boot directly to Windows normally.


----------
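A check for the boot.ini problem above, added here as an example; it is not code from the thread or from any tool mentioned in it. It parses the file, reports a default= line that chain-loads a BOOTSECT.DAT file instead of an ARC path to a Windows installation, flags the leftover $win_nt$.~bt Setup entry, and writes out the repaired file. The two boot.ini texts are the ones posted above; the function names are this example's own.

```python
import re

# boot.ini as posted in the thread above, before the fix.
BROKEN_BOOT_INI = r"""[Boot Loader]
Timeout=2
Default=c:\$win_nt$.~bt\BOOTSECT.DAT
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
c:\$win_nt$.~bt\BOOTSECT.DAT="Microsoft Windows XP Professional Setup"
"""

# The version asked for in the thread, used here as the expected result.
FIXED_BOOT_INI = r"""[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
"""

# An NTLDR ARC path: multi()/scsi()/signature() ... \<system root directory>.
ARC_PATH = re.compile(r"^(multi|scsi|signature)\(.+\)\\[^=]+$", re.IGNORECASE)
# path="description" [switches]
OS_LINE = re.compile(r'^(?P<path>[^=]+)="(?P<desc>[^"]*)"\s*(?P<switches>.*)$')
# Windows Setup's temporary boot folder; an entry pointing here is Setup residue.
SETUP_DIR = "$win_nt$.~bt"


def parse_boot_ini(text):
    loader, systems, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot loader":
            key, _, value = line.partition("=")
            loader[key.strip().lower()] = value.strip()
        elif section == "operating systems":
            m = OS_LINE.match(line)
            if m:
                systems.append(m.groupdict())
            else:  # keep unparseable entries so they are not silently dropped
                systems.append({"path": line, "desc": "", "switches": ""})
    return loader, systems


def audit_boot_ini(text):
    """Return the problems a responder should look at; an empty list means the file is sane."""
    loader, systems = parse_boot_ini(text)
    findings = []
    default = loader.get("default", "")
    listed = {s["path"].lower() for s in systems}
    if not default:
        findings.append("no default= entry in [boot loader]")
    elif default.lower() not in listed:
        findings.append(f"default= {default!r} is not listed under [operating systems]")
    elif not ARC_PATH.match(default):
        findings.append(f"default= {default!r} chain-loads a boot sector file instead of a Windows install")
    for s in systems:
        if SETUP_DIR in s["path"].lower():
            findings.append(f"leftover Windows Setup entry {s['path']!r}")
    return findings


def repair_boot_ini(text):
    """Drop Setup residue and make the first real Windows install the default."""
    loader, systems = parse_boot_ini(text)
    keep = [s for s in systems if SETUP_DIR not in s["path"].lower()]
    windows = [s for s in keep if ARC_PATH.match(s["path"])]
    if not windows:
        raise ValueError("no ARC-path Windows entry to make default")
    out = ["[boot loader]",
           f"timeout={loader.get('timeout', '30')}",
           f"default={windows[0]['path']}",
           "[operating systems]"]
    for s in keep:
        line = f'{s["path"]}="{s["desc"]}"'
        out.append(line + (" " + s["switches"] if s["switches"] else ""))
    return "\n".join(out) + "\n"
```

On the machine itself boot.ini carries the read-only, hidden and system attributes, which is why Notepad refuses to save over it; clear them with `attrib -r -s -h c:\boot.ini` before writing the repaired text back, and set them again afterwards.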



## john m ercolino (Jan 14, 2007)

I did what you asked, but the boot.ini will not allow me to delete or change anything but the order of the commands.


----------



## john m ercolino (Jan 14, 2007)

Okay, it will not allow me to change or edit anything other than moving a line up or down, but it did allow me to select a line as the default value, which I changed to Windows XP Pro, and now it boots up Windows correctly.


----------



## Cookiegal (Aug 27, 2003)

Alright, but to fix it completely, please do this. You will need to unhide files or you won't see the actual boot.ini file.

Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders". Click "Apply" then "OK".

Now go to My Computer and click on your C drive. In there you will see the boot.ini file. Right-click on it and select "open with" and then choose "Notepad". It will open up with the exact same text as what you just changed it to via msconfig. Copy and paste the text I gave you to it here and then click File and Save.

Once you've finished with that, please do this:

Please download *MBRCheck.exe* to your desktop.

Be sure to disable your security programs prior to running the tool. 
Double click on MBRCheck.exe to run it. Please allow any prompts popped by Windows in order to run the tool.
_(Vista and Windows 7 users will have to confirm the UAC prompt)_
A command window will pop open and run. If any unknown MBR Code is found, you will have further options prompted, at this time please press *N* then press *Enter*.
Press *Enter* again to exit the program.
If nothing unusual is found, you will be shown the machine MBR status. Just press *Enter* to exit.
A text file named *MBRCheck_mm.dd.yy_hh.mm.ss* should appear on your desktop. Please post the contents of that file.


----------



## john m ercolino (Jan 14, 2007)

Okay, all went according to instruction with the boot.ini change, except when I got to the save part it said it could not save, file is "read only". So I changed the properties to non-read-only, made the changes to the text as per your instruction, saved it, and then made it read only again. Acceptable? 
Here is the result of the mbr log:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line: 
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 188):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA5AC000 aliide.sys
0xBA5AE000 cmdide.sys
0xBA5B0000 toside.sys
0xBA5B2000 viaide.sys
0xBA5B4000 intelide.sys
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5B6000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xBA4BC000 cpqarray.sys
0xB9F0B000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xB9E35000 iaStor.sys
0xB9E1D000 atapi.sys
0xBA4C0000 aha154x.sys
0xBA338000 sparrow.sys
0xBA4C4000 symc810.sys
0xBA0D8000 aic78xx.sys
0xBA4C8000 dac960nt.sys
0xBA0E8000 ql10wnt.sys
0xBA4CC000 amsint.sys
0xBA340000 asc.sys
0xBA4D0000 asc3550.sys
0xBA348000 mraid35x.sys
0xBA350000 i2omp.sys
0xBA4D4000 ini910u.sys
0xBA0F8000 ql1240.sys
0xBA108000 aic78u2.sys
0xBA358000 symc8xx.sys
0xBA360000 sym_hi.sys
0xBA368000 sym_u3.sys
0xBA370000 ABP480N5.SYS
0xBA378000 asc3350p.sys
0xBA5B8000 cd20xrnt.sys
0xBA118000 ultra.sys
0xB9E04000 adpu160m.sys
0xBA380000 dpti2o.sys
0xBA128000 ql1080.sys
0xBA138000 ql1280.sys
0xBA148000 ql12160.sys
0xBA388000 perc2.sys
0xBA5BA000 perc2hib.sys
0xBA390000 hpn.sys
0xBA4D8000 cbidf2k.sys
0xB9DD8000 dac2w2k.sys
0xBA158000 disk.sys
0xBA168000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9DB8000 fltmgr.sys
0xB9DA6000 sr.sys
0xB9D91000 drvmcdb.sys
0xBA398000 PxHelp20.sys
0xB9D7A000 KSecDD.sys
0xB9CED000 Ntfs.sys
0xB9CC0000 NDIS.sys
0xB9C61000 timntr.sys
0xBA178000 viaagp.sys
0xB9C48000 snapman.sys
0xBA188000 sisagp.sys
0xB9C2E000 Mup.sys
0xBA198000 agp440.sys
0xBA1A8000 alim1541.sys
0xBA1B8000 amdagp.sys
0xBA1C8000 agpCPQ.sys
0xB97EA000 \SystemRoot\system32\DRIVERS\tunmp.sys
0xB9455000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB8D20000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB8D0C000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB8CDE000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xBA440000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB8CBA000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA448000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB8C7A000 \SystemRoot\system32\drivers\smwdm.sys
0xB8C56000 \SystemRoot\system32\drivers\portcls.sys
0xB9445000 \SystemRoot\system32\drivers\drmk.sys
0xB8C33000 \SystemRoot\system32\drivers\ks.sys
0xB8B80000 \SystemRoot\system32\drivers\senfilt.sys
0xB9435000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA450000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB8B6C000 \SystemRoot\system32\DRIVERS\parport.sys
0xB9425000 \SystemRoot\system32\DRIVERS\serial.sys
0xB97E6000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB9415000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA5E4000 \SystemRoot\system32\drivers\sscdbhk5.sys
0xB9405000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB93F5000 \SystemRoot\system32\DRIVERS\redbook.sys
0xBA458000 \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
0xBA750000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB93E5000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB97DA000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB8B55000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB93D5000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB93C5000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA460000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB8B44000 \SystemRoot\system32\DRIVERS\psched.sys
0xB9AFD000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA468000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB9092000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB8B14000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB9AED000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB908A000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA5E6000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB8AB6000 \SystemRoot\system32\DRIVERS\update.sys
0xB9B81000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB9082000 \SystemRoot\system32\DRIVERS\omci.sys
0xB9A6D000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA228000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA614000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB8A92000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xBA636000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xACA73000 \SystemRoot\System32\Drivers\Null.SYS
0xBA638000 \SystemRoot\System32\Drivers\Beep.SYS
0xB7FE2000 \SystemRoot\system32\drivers\ssrtln.sys
0xB7FDA000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB7FD2000 \SystemRoot\System32\drivers\vga.sys
0xBA63A000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA63C000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB7FCA000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB7FC2000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB7DE9000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAB2D5000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAAE6E000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB7058000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xAAABA000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB7048000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xAAA82000 \SystemRoot\system32\DRIVERS\tcpip6.sys
0xBA1E8000 \SystemRoot\system32\drivers\ip6fw.sys
0xAAA5A000 \SystemRoot\system32\DRIVERS\netbt.sys
0xBA3D0000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xB7DCD000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xAAA38000 \SystemRoot\System32\drivers\afd.sys
0xACB17000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAAA0D000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xAA99D000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xACB07000 \SystemRoot\System32\Drivers\Fips.SYS
0xACAE7000 \SystemRoot\System32\Drivers\LHidUsb.Sys
0xACAD7000 \SystemRoot\System32\Drivers\HIDCLASS.SYS
0xAA8B5000 \SystemRoot\System32\Drivers\aswSP.SYS
0xAA82F000 \SystemRoot\System32\Drivers\aswSnx.SYS
0xACA47000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xAC4F0000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xAC4E8000 \SystemRoot\system32\DRIVERS\LHidFlt2.Sys
0xAC9DB000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xAB190000 \SystemRoot\system32\DRIVERS\LMouFlt2.Sys
0xA35E3000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA264F000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xA7694000 \SystemRoot\System32\drivers\Dxapi.sys
0xA33BE000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xA99BF000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF04A000 \SystemRoot\System32\ati2cqag.dll
0xBF084000 \SystemRoot\System32\atikvmag.dll
0xBF0F0000 \SystemRoot\System32\ati3duag.dll
0xBF313000 \SystemRoot\System32\ativvaxx.dll
0xBF388000 \SystemRoot\System32\ATMFD.DLL
0xA7031000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xA6CDC000 \SystemRoot\system32\drivers\drvnddm.sys
0xA337E000 \SystemRoot\system32\DRIVERS\tifsfilt.sys
0xBA70D000 \SystemRoot\system32\dla\tfsndres.sys
0xA1639000 \SystemRoot\system32\dla\tfsnifs.sys
0xA6F98000 \SystemRoot\system32\dla\tfsnopio.sys
0xAC506000 \SystemRoot\system32\dla\tfsnpool.sys
0xA2D60000 \SystemRoot\system32\dla\tfsnboio.sys
0xA6CCC000 \SystemRoot\system32\dla\tfsncofs.sys
0xBA70E000 \SystemRoot\system32\dla\tfsndrct.sys
0xA1620000 \SystemRoot\system32\dla\tfsnudf.sys
0xA1607000 \SystemRoot\system32\dla\tfsnudfa.sys
0xB9B11000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA15F0000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xA1423000 \SystemRoot\system32\drivers\wdmaud.sys
0xA2808000 \SystemRoot\system32\drivers\sysaudio.sys
0xA1170000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA1000000 \SystemRoot\system32\DRIVERS\srv.sys
0xA0D17000 \SystemRoot\System32\Drivers\HTTP.sys
0xA0929000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\SYSTEM32\ntdll.dll

Processes (total 41):
0 System Idle Process
4 System
744 C:\WINDOWS\SYSTEM32\smss.exe
792 csrss.exe
816 C:\WINDOWS\SYSTEM32\winlogon.exe
860 C:\WINDOWS\SYSTEM32\services.exe
872 C:\WINDOWS\SYSTEM32\lsass.exe
1064 C:\WINDOWS\SYSTEM32\ati2evxx.exe
1080 C:\WINDOWS\SYSTEM32\svchost.exe
1152 svchost.exe
1220 C:\Program Files\Windows Defender\MsMpEng.exe
1280 C:\WINDOWS\SYSTEM32\svchost.exe
1388 svchost.exe
1464 svchost.exe
1596 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1760 C:\WINDOWS\explorer.exe
548 C:\WINDOWS\SYSTEM32\LEXBCES.EXE
580 C:\WINDOWS\SYSTEM32\spoolsv.exe
588 C:\WINDOWS\SYSTEM32\LEXPPS.EXE
780 C:\Program Files\Analog Devices\Core\smax4pnp.exe
896 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
876 C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
1192 C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
1324 C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
1352 C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
1332 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
1432 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
2072 C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
2180 svchost.exe
2232 agent.exe
2288 C:\Program Files\Acronis\BackupServer\backupserver.exe
2312 C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
2356 C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
2400 C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe
2416 C:\Program Files\Java\jre6\bin\jqs.exe
2508 C:\WINDOWS\SYSTEM32\svchost.exe
3572 alg.exe
3764 C:\Program Files\Internet Explorer\iexplore.exe
3812 C:\Program Files\Internet Explorer\iexplore.exe
3652 C:\Program Files\Internet Explorer\iexplore.exe
2872 C:\Documents and Settings\john ercolino.DBMKS671\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f11000 (NTFS)

PhysicalDrive0 Model Number: 

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Legit MBR code detected
SHA1: 829FE44D735D24CF2D8106853DEE9DFE5FEED23F


Done!


----------



## john m ercolino (Jan 14, 2007)

I posted a reply earlier but it didn't show up so I will try again.
The boot.ini instruction was followed, but I could not save the changes because the file was "read only". I changed the properties, edited the file with your commands and saved them, then reset the properties to read only again.
The mbrcheck was then run, no problems here is the log:
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line: 
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 188):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA5AC000 aliide.sys
0xBA5AE000 cmdide.sys
0xBA5B0000 toside.sys
0xBA5B2000 viaide.sys
0xBA5B4000 intelide.sys
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5B6000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xBA4BC000 cpqarray.sys
0xB9F0B000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xB9E35000 iaStor.sys
0xB9E1D000 atapi.sys
0xBA4C0000 aha154x.sys
0xBA338000 sparrow.sys
0xBA4C4000 symc810.sys
0xBA0D8000 aic78xx.sys
0xBA4C8000 dac960nt.sys
0xBA0E8000 ql10wnt.sys
0xBA4CC000 amsint.sys
0xBA340000 asc.sys
0xBA4D0000 asc3550.sys
0xBA348000 mraid35x.sys
0xBA350000 i2omp.sys
0xBA4D4000 ini910u.sys
0xBA0F8000 ql1240.sys
0xBA108000 aic78u2.sys
0xBA358000 symc8xx.sys
0xBA360000 sym_hi.sys
0xBA368000 sym_u3.sys
0xBA370000 ABP480N5.SYS
0xBA378000 asc3350p.sys
0xBA5B8000 cd20xrnt.sys
0xBA118000 ultra.sys
0xB9E04000 adpu160m.sys
0xBA380000 dpti2o.sys
0xBA128000 ql1080.sys
0xBA138000 ql1280.sys
0xBA148000 ql12160.sys
0xBA388000 perc2.sys
0xBA5BA000 perc2hib.sys
0xBA390000 hpn.sys
0xBA4D8000 cbidf2k.sys
0xB9DD8000 dac2w2k.sys
0xBA158000 disk.sys
0xBA168000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9DB8000 fltmgr.sys
0xB9DA6000 sr.sys
0xB9D91000 drvmcdb.sys
0xBA398000 PxHelp20.sys
0xB9D7A000 KSecDD.sys
0xB9CED000 Ntfs.sys
0xB9CC0000 NDIS.sys
0xB9C61000 timntr.sys
0xBA178000 viaagp.sys
0xB9C48000 snapman.sys
0xBA188000 sisagp.sys
0xB9C2E000 Mup.sys
0xBA198000 agp440.sys
0xBA1A8000 alim1541.sys
0xBA1B8000 amdagp.sys
0xBA1C8000 agpCPQ.sys
0xB9B15000 \SystemRoot\system32\DRIVERS\tunmp.sys
0xBA298000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB8646000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB8632000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB8604000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xBA410000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB85E0000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA418000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB85A0000 \SystemRoot\system32\drivers\smwdm.sys
0xB857C000 \SystemRoot\system32\drivers\portcls.sys
0xBA2A8000 \SystemRoot\system32\drivers\drmk.sys
0xB8559000 \SystemRoot\system32\drivers\ks.sys
0xB84A6000 \SystemRoot\system32\drivers\senfilt.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA420000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB8492000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\serial.sys
0xB9B11000 \SystemRoot\system32\DRIVERS\serenum.sys
0xBA2D8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA5EA000 \SystemRoot\system32\drivers\sscdbhk5.sys
0xBA2E8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA2F8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xBA428000 \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
0xBA78A000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA308000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB9732000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB847B000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA318000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB8D7B000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA430000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB846A000 \SystemRoot\system32\DRIVERS\psched.sys
0xB8D6B000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA438000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB89B8000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB843A000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB8D5B000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB89B0000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA5EC000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB83DC000 \SystemRoot\system32\DRIVERS\update.sys
0xB9716000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB89A8000 \SystemRoot\system32\DRIVERS\omci.sys
0xB8CEB000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB9AAD000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA61A000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB9B71000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xBA644000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xAA9D6000 \SystemRoot\System32\Drivers\Null.SYS
0xBA646000 \SystemRoot\System32\Drivers\Beep.SYS
0xB78E8000 \SystemRoot\system32\drivers\ssrtln.sys
0xB78E0000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB78D8000 \SystemRoot\System32\drivers\vga.sys
0xBA648000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA64A000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB78D0000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB78C8000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB77DA000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA9D65000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA9D0C000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB9ACD000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xA9CE6000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB9ABD000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA9CAE000 \SystemRoot\system32\DRIVERS\tcpip6.sys
0xA9C5E000 \SystemRoot\system32\DRIVERS\netbt.sys
0xAABA0000 \SystemRoot\system32\drivers\ip6fw.sys
0xB78C0000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xB77BE000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xA9C3C000 \SystemRoot\System32\drivers\afd.sys
0xAAB90000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA9B71000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA9B01000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xAAB80000 \SystemRoot\System32\Drivers\Fips.SYS
0xA9AB9000 \SystemRoot\System32\Drivers\aswSP.SYS
0xA9A5B000 \SystemRoot\System32\Drivers\aswSnx.SYS
0xAAA9E000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xBA208000 \SystemRoot\System32\Drivers\LHidUsb.Sys
0xAA4EC000 \SystemRoot\System32\Drivers\HIDCLASS.SYS
0xAA544000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xAA53C000 \SystemRoot\system32\DRIVERS\LHidFlt2.Sys
0xAAB00000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xA9C1C000 \SystemRoot\system32\DRIVERS\LMouFlt2.Sys
0xA2E9C000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA2132000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xA2DA8000 \SystemRoot\System32\drivers\Dxapi.sys
0xA2D7E000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA762000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF04A000 \SystemRoot\System32\ati2cqag.dll
0xBF084000 \SystemRoot\System32\atikvmag.dll
0xBF0F0000 \SystemRoot\System32\ati3duag.dll
0xBF313000 \SystemRoot\System32\ativvaxx.dll
0xBF388000 \SystemRoot\System32\ATMFD.DLL
0xB9B3D000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xBA1F8000 \SystemRoot\system32\drivers\drvnddm.sys
0xA26D6000 \SystemRoot\system32\DRIVERS\tifsfilt.sys
0xBA72F000 \SystemRoot\system32\dla\tfsndres.sys
0xA111C000 \SystemRoot\system32\dla\tfsnifs.sys
0xB9B21000 \SystemRoot\system32\dla\tfsnopio.sys
0xA87F4000 \SystemRoot\system32\dla\tfsnpool.sys
0xA26CE000 \SystemRoot\system32\dla\tfsnboio.sys
0xBA218000 \SystemRoot\system32\dla\tfsncofs.sys
0xBA734000 \SystemRoot\system32\dla\tfsndrct.sys
0xA1103000 \SystemRoot\system32\dla\tfsnudf.sys
0xA10EA000 \SystemRoot\system32\dla\tfsnudfa.sys
0xA43AC000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA10D3000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xA0F06000 \SystemRoot\system32\drivers\wdmaud.sys
0xA9477000 \SystemRoot\system32\drivers\sysaudio.sys
0xA0C53000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA0AE3000 \SystemRoot\system32\DRIVERS\srv.sys
0xA070A000 \SystemRoot\System32\Drivers\HTTP.sys
0xA03C2000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\SYSTEM32\ntdll.dll

Processes (total 41):
0 System Idle Process
4 System
744 C:\WINDOWS\SYSTEM32\smss.exe
792 csrss.exe
816 C:\WINDOWS\SYSTEM32\winlogon.exe
860 C:\WINDOWS\SYSTEM32\services.exe
880 C:\WINDOWS\SYSTEM32\lsass.exe
1076 C:\WINDOWS\SYSTEM32\ati2evxx.exe
1092 C:\WINDOWS\SYSTEM32\svchost.exe
1160 svchost.exe
1228 C:\Program Files\Windows Defender\MsMpEng.exe
1276 C:\WINDOWS\SYSTEM32\svchost.exe
1356 svchost.exe
1472 svchost.exe
1596 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1772 C:\WINDOWS\explorer.exe
548 C:\WINDOWS\SYSTEM32\LEXBCES.EXE
588 C:\WINDOWS\SYSTEM32\spoolsv.exe
596 C:\WINDOWS\SYSTEM32\LEXPPS.EXE
772 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
780 C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
1148 C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
1204 C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
1212 C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
1312 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
1384 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
1704 C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
2168 svchost.exe
2204 agent.exe
2260 C:\Program Files\Acronis\BackupServer\backupserver.exe
2284 C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
2316 C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
2372 C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe
2388 C:\Program Files\Java\jre6\bin\jqs.exe
2480 C:\WINDOWS\SYSTEM32\svchost.exe
3564 alg.exe
2936 C:\Program Files\Outlook Express\msimn.exe
376 C:\Program Files\Internet Explorer\iexplore.exe
1780 C:\Program Files\Internet Explorer\iexplore.exe
3296 C:\WINDOWS\SYSTEM32\wscntfy.exe
4088 C:\Documents and Settings\john ercolino.DBMKS671\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f11000 (NTFS)

PhysicalDrive0 Model Number: 

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Legit MBR code detected
SHA1: 829FE44D735D24CF2D8106853DEE9DFE5FEED23F
Done!

Additionally, on the most recent reboot the system ran a checkdisk and processed a large number of files: deletions, orphans, etc. Very active as far as that procedure goes. Don't know if you were looking for that or not.


----------
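The two MBRCheck reports above can be compared mechanically; the following is an added example, not part of the thread or of MBRCheck itself. It parses the process table and the drive table, keeps the SHA1 that MBRCheck prints for each drive, flags any verdict other than "Legit MBR code detected" and any drive whose hash differs between two runs, and lists processes that run from a user profile or were reported without a path (the profile heuristic deliberately catches MBRCheck.exe itself, since it was run from the desktop). The report text is a shortened copy of the one above; the second report is a constructed variant with a made-up status and hash, and the function names are this example's own.

```python
import re

# MBRCheck output excerpted from the thread above: the driver list and most of
# the process list are cut, otherwise the lines are as posted.
REPORT = r"""MBRCheck, version 1.2.3
(c) 2010, AD

Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Processes (total 6):
0 System Idle Process
4 System
744 C:\WINDOWS\SYSTEM32\smss.exe
1152 svchost.exe
2232 agent.exe
2872 C:\Documents and Settings\john ercolino.DBMKS671\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f11000 (NTFS)

PhysicalDrive0 Model Number:

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Legit MBR code detected
SHA1: 829FE44D735D24CF2D8106853DEE9DFE5FEED23F

Done!
"""

# Constructed variant (not from the thread) standing in for a later run whose
# MBR no longer matches: the status text and the hash are made up.
TAMPERED_REPORT = (REPORT
                   .replace("Legit MBR code detected", "Unknown MBR code")
                   .replace("829FE44D735D24CF2D8106853DEE9DFE5FEED23F", "0" * 40))

DRIVE_LINE = re.compile(r"^(?P<size>\d+ \w+)\s+(?P<dev>\\\\\.\\PhysicalDrive\d+)\s+(?P<status>.+?)$")
PROC_LINE = re.compile(r"^(?P<pid>\d+)\s+(?P<image>.+)$")
KNOWN_GOOD = "Legit MBR code detected"


def parse_mbrcheck(text):
    """Pull the process table and the per-drive MBR verdict plus SHA1 out of a report."""
    drives, procs, section = [], [], None
    for line in (ln.rstrip() for ln in text.splitlines()):
        if line.startswith("Processes ("):
            section = "procs"
        elif line.startswith("Size Device Name MBR Status"):
            section = "drives"
        elif section == "procs":
            m = PROC_LINE.match(line)
            if m:
                procs.append((int(m.group("pid")), m.group("image")))
            elif not line:
                section = None  # a blank line ends the process table
        elif section == "drives":
            m = DRIVE_LINE.match(line)
            if m:
                drives.append({**m.groupdict(), "sha1": None})
            elif line.startswith("SHA1:") and drives:
                drives[-1]["sha1"] = line.split(":", 1)[1].strip().upper()
    return {"drives": drives, "processes": procs}


def mbr_findings(report):
    """Anything other than the tool's known-good verdict needs a look at the sector itself."""
    return [f"{d['dev']}: {d['status']}" for d in report["drives"] if d["status"] != KNOWN_GOOD]


def mbr_changed(before, after):
    """Devices whose MBR hash differs between two runs; a hash that moves without a known cause is the alarm."""
    prev = {d["dev"]: d["sha1"] for d in before["drives"]}
    return [d["dev"] for d in after["drives"] if prev.get(d["dev"]) != d["sha1"]]


def profile_processes(report):
    """Images running from a user profile: writable without admin rights, so a common drop location."""
    return [img for _, img in report["processes"] if "\\documents and settings\\" in img.lower()]


def unlocated_processes(report):
    """Entries reported without a path; the report alone cannot tell where that image lives."""
    return [img for _, img in report["processes"]
            if "\\" not in img and img not in ("System", "System Idle Process")]
```

Hash comparison only tells you the sector changed, not why: a legitimate boot-manager install also rewrites it, so treat a changed hash as a prompt to dump and inspect the sector rather than as a verdict.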



## Cookiegal (Aug 27, 2003)

Yes that's fine what you did with the boot.ini file.

Since chkdsk ran, I'd like to take a look at the log it creates.

To view results log:

Go to *Start* - *Run*, type in *eventvwr.msc*, and hit Enter. When Event Viewer opens, click on "Application", then scroll down to "Winlogon" and double-click on it to open it up. This is the log created after running chkdsk. Click on the icon that looks like two pieces of paper to copy it and then paste it here please.


----------



## john m ercolino (Jan 14, 2007)

Event Type:	Information
Event Source:	Winlogon
Event Category:	None
Event ID:	1001
Date: 3/8/2011
Time: 5:03:28 AM
User: N/A
Computer:	DBMKS671
Description:
Checking file system on C:
The type of the file system is NTFS.

The volume is dirty.
Attribute record of type 0x80 and instance tag 0x0 is cross linked
starting at 0xffffdfff for possibly 0x4 clusters.
Attribute record of type 0x80 and instance tag 0x0 is cross linked
starting at 0xffffdfff for possibly 0x4 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x0
in file 0x1504 is already in use.
Deleted corrupt attribute list entry
with type code 128 in file 5380.
Unable to locate attribute with instance tag 0x0 and segment
reference 0xeca000000000b1c. The expected attribute type is 0x80.
Deleting corrupt attribute record (128, "")
from file record segment 2844.
Attribute record of type 0x80 and instance tag 0x0 is cross linked
starting at 0xffffdfff for possibly 0xa clusters.
Attribute record of type 0x80 and instance tag 0x0 is cross linked
starting at 0xffffdfff for possibly 0xa clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x0
in file 0x8ce2 is already in use.
The attribute of type 0x80 and instance tag 0x0 in file 0x8ce2
has allocated length of 0x3e50000 instead of 0x2ed0000.
Deleted corrupt attribute list entry
with type code 128 in file 36066.
Unable to locate attribute with instance tag 0x0 and segment
reference 0x343000000004741. The expected attribute type is 0x80.
Deleting corrupt attribute record (128, "")
from file record segment 18241.
Unable to locate attribute with instance tag 0x0 and segment
reference 0x104000000004924. The expected attribute type is 0x80.
Deleting corrupt attribute record (128, "")
from file record segment 18724.
Unable to locate attribute with instance tag 0x0 and segment
reference 0x9300000000607b. The expected attribute type is 0x80.
Deleting corrupt attribute record (128, "")
from file record segment 24699.
Unable to locate attribute with instance tag 0x0 and segment
reference 0x13d0000000068a1. The expected attribute type is 0x80.
Deleting corrupt attribute record (128, "")
from file record segment 26785.
Unable to locate attribute with instance tag 0x0 and segment
reference 0x2b000000000ea8a. The expected attribute type is 0x80.
Deleting corrupt attribute record (128, "")
from file record segment 60042.
Unable to locate attribute with instance tag 0x0 and segment
reference 0x1ec00000000f751. The expected attribute type is 0x80.
Deleting corrupt attribute record (128, "")
from file record segment 63313.
Unable to locate attribute with instance tag 0x0 and segment
reference 0x8460000000107ea. The expected attribute type is 0x80.
Deleting corrupt attribute record (128, "")
from file record segment 67562.
Unable to locate attribute with instance tag 0x0 and segment
reference 0x3cb000000012073. The expected attribute type is 0x80.
Deleting corrupt attribute record (128, "")
from file record segment 73843.
Unable to locate attribute with instance tag 0x0 and segment
reference 0xb8000000015ed5. The expected attribute type is 0x80.
Deleting corrupt attribute record (128, "")
from file record segment 89813.
Deleting orphan file record segment 2844.
Deleting orphan file record segment 18241.
Deleting orphan file record segment 18724.
Deleting orphan file record segment 24699.
Deleting orphan file record segment 26785.
The object id in index entry in file 0x30a0 is incorrect.
The entry points to file 0x372d.
2f 67 fb e0 39 80 de 11 bc ad 00 11 11 e3 90 18 /g..9...........
2d 37 00 00 00 00 08 00 00 00 00 00 00 00 00 00 -7..............
----------------------------------------------------------------------
2f 67 fb e0 39 80 de 11 bc ad 00 11 11 a3 90 18 /g..9...........
b6 38 00 00 bc e5 06 00 eb 98 05 01 a4 e2 06 00 .8..............
Deleting an index entry from index $O of file 12448.
The object id in file 0x372d does not appear in the object
id index in file 0x30a0.
Inserting an index entry into index $O of file 12448.
Cleaning up minor inconsistencies on the drive.
Cleaning up 21 unused index entries from index $SII of file 0x9.
Cleaning up 21 unused index entries from index $SDH of file 0x9.
Cleaning up 21 unused security descriptors.
Inserting data attribute into file 5380.
Inserting data attribute into file 36066.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows has made corrections to the file system.

95225284 KB total disk space.
44525156 KB in 76578 files.
29904 KB in 8090 indexes.
0 KB in bad sectors.
410556 KB in use by the system.
65536 KB occupied by the log file.
50259668 KB available on disk.

4096 bytes in each allocation unit.
23806321 total allocation units on disk.
12564917 allocation units available on disk.

Internal Info:
a0 fd 03 00 c7 4a 01 00 48 ad 01 00 00 00 00 00 .....J..H.......
31 21 00 00 02 00 00 00 36 02 00 00 00 00 00 00 1!......6.......
02 72 b0 08 00 00 00 00 98 35 26 20 00 00 00 00 .r.......5& ....
5e fa 27 16 00 00 00 00 00 00 00 00 00 00 00 00 ^.'.............
00 00 00 00 00 00 00 00 ac 47 f9 44 00 00 00 00 .........G.D....
60 89 5e b2 00 00 00 00 78 38 07 00 22 2b 01 00 `.^.....x8.."+..
00 00 00 00 00 90 99 9d 0a 00 00 00 9a 1f 00 00 ................

Windows has finished checking your disk.
Please wait while your computer restarts.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------



## Cookiegal (Aug 27, 2003)

Please run chkdsk again. I'd like to see if this still appears:

"The volume is dirty"

As well as the rest of the inconsistencies showing in that log.

To run chkdsk:

Click Start and My Computer. Right-click the hard drive you want to check, and click Properties. Select the Tools tab and click Check Now. Check both boxes. Click Start. You'll get a message that the computer must be rebooted to run a complete check. Click Yes and reboot. Chkdsk will take a while, so run it when you don't need to use the computer for something else.

Then post the new log after running chkdsk like you did before please.


----------



## john m ercolino (Jan 14, 2007)

The checkdisk said the volume is clean and didn't go through its process. There was no log file created. I tried it twice to be sure.


----------



## john m ercolino (Jan 14, 2007)

Got checkdisk to run through the command prompt and reboot, here is the logfile:

Event Type:	Information
Event Source:	Winlogon
Event Category:	None
Event ID:	1001
Date: 3/8/2011
Time: 11:31:20 PM
User: N/A
Computer:	DBMKS671
Description:
Checking file system on C:
The type of the file system is NTFS.

Cleaning up minor inconsistencies on the drive.
Cleaning up 5 unused index entries from index $SII of file 0x9.
Cleaning up 5 unused index entries from index $SDH of file 0x9.
Cleaning up 5 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows has made corrections to the file system.

95225284 KB total disk space.
44616100 KB in 76562 files.
30440 KB in 8100 indexes.
0 KB in bad sectors.
414652 KB in use by the system.
65536 KB occupied by the log file.
50164092 KB available on disk.

4096 bytes in each allocation unit.
23806321 total allocation units on disk.
12541023 allocation units available on disk.

Internal Info:
a0 fd 03 00 c1 4a 01 00 fb ac 01 00 00 00 00 00 .....J..........
33 21 00 00 02 00 00 00 28 02 00 00 00 00 00 00 3!......(.......
bc ae 8c 08 00 00 00 00 08 6e 5f 20 00 00 00 00 .........n_ ....
a8 fe ca 15 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 58 5d ce 44 00 00 00 00 ........X].D....
c0 73 5f b2 00 00 00 00 90 38 07 00 12 2b 01 00 .s_......8...+..
00 00 00 00 00 90 26 a3 0a 00 00 00 a4 1f 00 00 ......&.........

Windows has finished checking your disk.
Please wait while your computer restarts.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------



## john m ercolino (Jan 14, 2007)

This morning after one of the erratic blackouts and reboots, chkdsk ran itself again.
Here is the log:

Event Type:	Information
Event Source:	Winlogon
Event Category:	None
Event ID:	1001
Date: 3/9/2011
Time: 6:42:17 AM
User: N/A
Computer:	DBMKS671
Description:
Checking file system on C:
The type of the file system is NTFS.

The volume is dirty.
Cleaning up minor inconsistencies on the drive.
Cleaning up 4 unused index entries from index $SII of file 0x9.
Cleaning up 4 unused index entries from index $SDH of file 0x9.
Cleaning up 4 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.

95225284 KB total disk space.
44643944 KB in 76829 files.
31272 KB in 8125 indexes.
0 KB in bad sectors.
415168 KB in use by the system.
65536 KB occupied by the log file.
50134900 KB available on disk.

4096 bytes in each allocation unit.
23806321 total allocation units on disk.
12533725 allocation units available on disk.

Internal Info:
a0 fd 03 00 e5 4b 01 00 e0 ae 01 00 00 00 00 00 .....K..........
33 21 00 00 02 00 00 00 28 02 00 00 00 00 00 00 3!......(.......
7e 9a 98 08 00 00 00 00 90 59 c5 1e 00 00 00 00 ~........Y......
8c b0 bc 15 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 d2 21 2d 43 00 00 00 00 .........!-C....
80 d7 5e b2 00 00 00 00 78 38 07 00 1d 2c 01 00 ..^.....x8...,..
00 00 00 00 00 a0 d9 a4 0a 00 00 00 bd 1f 00 00 ................

Windows has finished checking your disk.
Please wait while your computer restarts.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------



## john m ercolino (Jan 14, 2007)

There is another symptom I have noticed you may be interested in. When I select Start and then go to close or restart Windows, there is a shield icon that says there are updates ready to be installed, above the right corner of the close Windows center icon. It's not normally there and it looks like the shield that was the logo in the malware product. I have not closed Windows yet, only restarted.


----------



## Cookiegal (Aug 27, 2003)

Please go to *Start* - *Run* - type in *eventvwr.msc* to open the event viewer. Look under both "Application" and "System" for recent (the last 48 hours or so) errors (shown in red) and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.


----------



## john m ercolino (Jan 14, 2007)

I will give you results for 48 hours, but the 24 hours prior to the attached report have very many more; I thought it was getting redundant. Many of the errors are closely spaced timewise, 7 in a ten minute span, so I thought I'd get your advice first.
The report:
These are from the application section, last 24 hours:

Event Type:	Error
Event Source:	Application Error
Event Category:	(100)
Event ID:	1000
Date: 3/9/2011
Time: 7:06:25 AM
User: N/A
Computer:	DBMKS671
Description:
Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 64 72 77 ure drw
0018: 74 73 6e 33 32 2e 65 78 tsn32.ex
0020: 65 20 35 2e 31 2e 32 36 e 5.1.26
0028: 30 30 2e 30 20 69 6e 20 00.0 in 
0030: 64 62 67 68 65 6c 70 2e dbghelp.
0038: 64 6c 6c 20 35 2e 31 2e dll 5.1.
0040: 32 36 30 30 2e 35 35 31 2600.551
0048: 32 20 61 74 20 6f 66 66 2 at off
0050: 73 65 74 20 30 30 30 31 set 0001
0058: 32 39 35 64 295d

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 3/9/2011
Time: 7:06:19 AM
User: N/A
Computer:	DBMKS671
Description:
Faulting application explorer.exe, version 6.0.2900.5512, faulting module comctl32.dll, version 6.0.2900.6028, fault address 0x0004411f.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 35 35 31 32 20 00.5512 
0030: 69 6e 20 63 6f 6d 63 74 in comct
0038: 6c 33 32 2e 64 6c 6c 20 l32.dll 
0040: 36 2e 30 2e 32 39 30 30 6.0.2900
0048: 2e 36 30 32 38 20 61 74 .6028 at
0050: 20 6f 66 66 73 65 74 20 offset 
0058: 30 30 30 34 34 31 31 66 0004411f
0060: 0d 0a ..

Event Type:	Error
Event Source:	Application Hang
Event Category:	None
Event ID:	1001
Date: 3/8/2011
Time: 12:08:24 PM
User: N/A
Computer:	DBMKS671
Description:
Fault bucket 1180947459.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket: 
0008: 31 31 38 30 39 34 37 34 11809474
0010: 35 39 0d 0a 59..

Event Type:	Error
Event Source:	Application Hang
Event Category:	(101)
Event ID:	1002
Date: 3/8/2011
Time: 12:08:09 PM
User: N/A
Computer:	DBMKS671
Description:
Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 69 65 78 70 6c 6f iexplo
0018: 72 65 2e 65 78 65 20 38 re.exe 8
0020: 2e 30 2e 36 30 30 31 2e .0.6001.
0028: 31 38 37 30 32 20 69 6e 18702 in
0030: 20 68 75 6e 67 61 70 70 hungapp
0038: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0040: 20 61 74 20 6f 66 66 73 at offs
0048: 65 74 20 30 30 30 30 30 et 00000
0050: 30 30 30 000

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 3/8/2011
Time: 10:10:29 AM
User: N/A
Computer:	DBMKS671
Description:
Faulting application peachw.exe, version 2005.0.3.38, faulting module mshtml.dll, version 8.0.6001.18702, fault address 0x000bfcba.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 70 65 61 ure pea
0018: 63 68 77 2e 65 78 65 20 chw.exe 
0020: 32 30 30 35 2e 30 2e 33 2005.0.3
0028: 2e 33 38 20 69 6e 20 6d .38 in m
0030: 73 68 74 6d 6c 2e 64 6c shtml.dl
0038: 6c 20 38 2e 30 2e 36 30 l 8.0.60
0040: 30 31 2e 31 38 37 30 32 01.18702
0048: 20 61 74 20 6f 66 66 73 at offs
0050: 65 74 20 30 30 30 62 66 et 000bf
0058: 63 62 61 0d 0a cba..

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1001
Date: 3/8/2011
Time: 5:03:57 AM
User: N/A
Computer:	DBMKS671
Description:
Fault bucket -1950215739.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket: 
0008: 2d 31 39 35 30 32 31 35 -1950215
0010: 37 33 39 0d 0a 739..

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 3/8/2011
Time: 5:03:37 AM
User: N/A
Computer:	DBMKS671
Description:
Faulting application smax4pnp.exe, version 5.2.0.5, faulting module dsound.dll, version 5.3.2600.5512, fault address 0x00008e9a.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 73 6d 61 ure sma
0018: 78 34 70 6e 70 2e 65 78 x4pnp.ex
0020: 65 20 35 2e 32 2e 30 2e e 5.2.0.
0028: 35 20 69 6e 20 64 73 6f 5 in dso
0030: 75 6e 64 2e 64 6c 6c 20 und.dll 
0038: 35 2e 33 2e 32 36 30 30 5.3.2600
0040: 2e 35 35 31 32 20 61 74 .5512 at
0048: 20 6f 66 66 73 65 74 20 offset 
0050: 30 30 30 30 38 65 39 61 00008e9a
0058: 0d 0a ..

Event Type:	Error
Event Source:	Application Hang
Event Category:	None
Event ID:	1001
Date: 3/8/2011
Time: 4:01:39 AM
User: N/A
Computer:	DBMKS671
Description:
Fault bucket 352399579.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket: 
0008: 33 35 32 33 39 39 35 37 35239957
0010: 39 0d 0a 9..

Event Type:	Error
Event Source:	Application Hang
Event Category:	(101)
Event ID:	1002
Date: 3/8/2011
Time: 4:01:34 AM
User: N/A
Computer:	DBMKS671
Description:
Hanging application peachw.exe, version 2005.0.3.38, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 70 65 61 63 68 77 peachw
0018: 2e 65 78 65 20 32 30 30 .exe 200
0020: 35 2e 30 2e 33 2e 33 38 5.0.3.38
0028: 20 69 6e 20 68 75 6e 67 in hung
0030: 61 70 70 20 30 2e 30 2e app 0.0.
0038: 30 2e 30 20 61 74 20 6f 0.0 at o
0040: 66 66 73 65 74 20 30 30 ffset 00
0048: 30 30 30 30 30 30 000000

Event Type:	Error
Event Source:	ESENT
Event Category:	Database Corruption 
Event ID:	447
Date: 3/8/2011
Time: 2:27:17 AM
User: N/A
Computer:	DBMKS671
Description:
wuauclt (3780) A bad page link (error -327) has been detected in a B-Tree (ObjectId: 43, PgnoRoot: 129) of database C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb (7159 => 5112, 5111).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1001
Date: 3/7/2011
Time: 6:02:23 PM
User: N/A
Computer:	DBMKS671
Description:
Fault bucket -1950780159.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket: 
0008: 2d 31 39 35 30 37 38 30 -1950780
0010: 31 35 39 0d 0a 159..

Event Type:	Warning
Event Source:	Userenv
Event Category:	None
Event ID:	1517
Date: 3/7/2011
Time: 6:00:07 PM
User: NT AUTHORITY\SYSTEM
Computer:	DBMKS671
Description:
Windows saved user DBMKS671\john ercolino registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1001
Date: 3/7/2011
Time: 5:23:46 PM
User: N/A
Computer:	DBMKS671
Description:
Fault bucket 1422085824.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket: 
0008: 31 34 32 32 30 38 35 38 14220858
0010: 32 34 0d 0a 24..

These are from the system section:

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7003
Date: 3/9/2011
Time: 3:24:34 PM
User: N/A
Computer:	DBMKS671
Description:
The McAfee Personal Firewall service depends on the following nonexistent service: MfeFire

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7003
Date: 3/9/2011
Time: 3:24:34 PM
User: N/A
Computer:	DBMKS671
Description:
The McAfee Personal Firewall service depends on the following nonexistent service: MfeFire

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7022
Date: 3/9/2011
Time: 3:23:25 PM
User: N/A
Computer:	DBMKS671
Description:
The avast! Antivirus service hung on starting.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Print
Event Category:	None
Event ID:	19
Date: 3/9/2011
Time: 3:23:25 PM
User: NT AUTHORITY\SYSTEM
Computer:	DBMKS671
Description:
Sharing printer failed + 1722, Printer EPSON Stylus C120 Series share name EPSON Stylus C120 Series.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7003
Date: 3/7/2011
Time: 3:29:03 PM
User: N/A
Computer:	DBMKS671
Description:
The McAfee Personal Firewall service depends on the following nonexistent service: MfeFire

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7022
Date: 3/7/2011
Time: 3:29:03 PM
User: N/A
Computer:	DBMKS671
Description:
The avast! Antivirus service hung on starting.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I am sure you can tell but I do not use McAfee anymore only Avast. I used a tool to uninstall McAfee long ago when I made the switch, but it obviously doesn't undo everything.
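The collection step Cookiegal described (copy each red entry out of Event Viewer into Notepad) produces text in exactly the layout posted above. The script below is an added example, not anything from this thread or from the tools mentioned in it: it parses that layout, keeps only errors inside a 48-hour window, counts them per source and event ID, and summarises the patterns that matter for this kind of triage: application faults (ID 1000), hangs (ID 1002), a service that depends on a service which no longer exists (Service Control Manager 7003, the leftover of an incomplete uninstall), and ESENT database corruption (447). It also flags an application that faulted repeatedly within a few minutes, which is what a crash loop between a shell and its postmortem debugger looks like in the log. The records in `SAMPLE_LOG`, the host name `EXAMPLE-PC` and the report time are constructed for the example.

```python
"""Triage an Event Viewer text export (the layout the XP copy button produces).
Added example; the sample records below are constructed, not taken from the thread."""
import re
from collections import Counter
from datetime import datetime, timedelta

HEADER_RE = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*?)\s*$")
FAULT_RE = re.compile(r"Faulting application (?P<app>\S+), version \S+, faulting module (?P<module>\S+), "
                      r"version \S+, fault address (?P<addr>0x[0-9A-Fa-f]+)")
HANG_RE = re.compile(r"Hanging application (?P<app>\S+), version \S+")
ORPHAN_RE = re.compile(r"depends on the following nonexistent service:\s*(?P<service>\S+)")
ESENT_RE = re.compile(r"database (?P<path>[A-Za-z]:\\\S+?\.edb)")
# finding kind, regex that recognises it, and how to summarise the match
PATTERNS = [
    ("crash", FAULT_RE, lambda m: f"{m['app']} in {m['module']} at {m['addr']}"),
    ("hang", HANG_RE, lambda m: m["app"]),
    ("orphaned-dependency", ORPHAN_RE, lambda m: m["service"]),
    ("db-corruption", ESENT_RE, lambda m: m["path"]),
]


def _entry(etype, source, eid, date, time, desc):
    """Build one record in the same layout the thread shows (constructed sample data)."""
    return (f"Event Type:\t{etype}\nEvent Source:\t{source}\nEvent Category:\tNone\nEvent ID:\t{eid}\n"
            f"Date:\t\t{date}\nTime:\t\t{time}\nUser:\t\tN/A\nComputer:\tEXAMPLE-PC\nDescription:\n{desc}\n\n"
            "For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.\n\n")


EXPLORER_FAULT = ("Faulting application explorer.exe, version 6.0.2900.5512, faulting module comctl32.dll, "
                  "version 6.0.2900.6028, fault address 0x0004411f.")
SAMPLE_LOG = "".join([  # constructed; three explorer.exe faults in five minutes, plus other kinds
    _entry("Error", "Application Error", 1000, "3/9/2011", "7:01:10 AM", EXPLORER_FAULT),
    _entry("Error", "Application Error", 1000, "3/9/2011", "7:03:40 AM", EXPLORER_FAULT),
    _entry("Error", "Application Error", 1000, "3/9/2011", "7:06:19 AM", EXPLORER_FAULT),
    _entry("Error", "Application Error", 1000, "3/9/2011", "7:06:25 AM",
           "Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, "
           "version 5.1.2600.5512, fault address 0x0001295d."),
    _entry("Error", "Application Hang", 1002, "3/8/2011", "12:08:09 PM",
           "Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, "
           "version 0.0.0.0, hang address 0x00000000."),
    _entry("Error", "ESENT", 447, "3/8/2011", "2:27:17 AM",
           "wuauclt (3780) A bad page link (error -327) has been detected in a B-Tree (ObjectId: 43, "
           "PgnoRoot: 129) of database C:\\WINDOWS\\SoftwareDistribution\\DataStore\\DataStore.edb (7159 => 5112, 5111)."),
    _entry("Error", "Service Control Manager", 7003, "3/9/2011", "3:24:34 PM",
           "The McAfee Personal Firewall service depends on the following nonexistent service: MfeFire"),
    _entry("Error", "Service Control Manager", 7022, "3/5/2011", "3:29:03 PM",  # outside the window
           "The avast! Antivirus service hung on starting."),
])
REPORT_TIME = datetime(2011, 3, 9, 16, 0, 0)  # constructed "now" for the 48-hour window


def parse_events(text):
    """Split the export into records; each 'Event Type:' line starts a new one."""
    events, current, in_desc = [], None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m and m.group(1) == "Event Type":
            current = {"description": []}
            events.append(current)
        if current is None:
            continue
        if m:
            current[m.group(1)] = m.group(2)
            in_desc = False
        elif line == "Description:":
            in_desc = True
        elif line.startswith("For more information") or line == "Data:":
            in_desc = False
        elif in_desc and line:
            current["description"].append(line)
    for ev in events:
        ev["description"] = " ".join(ev["description"])
        ev["Event ID"] = int(ev["Event ID"])
        ev["timestamp"] = datetime.strptime(f"{ev['Date']} {ev['Time']}", "%m/%d/%Y %I:%M:%S %p")
    return events


def triage(events, now=REPORT_TIME, window=timedelta(hours=48)):
    """Count recent errors per (source, id) and summarise those matching a known pattern."""
    recent = [e for e in events
              if e["Event Type"] == "Error" and timedelta(0) <= now - e["timestamp"] <= window]
    counts = Counter((e["Event Source"], e["Event ID"]) for e in recent)
    findings = []
    for e in recent:
        for kind, regex, summarise in PATTERNS:
            m = regex.search(e["description"])
            if m:
                findings.append((kind, summarise(m), e["timestamp"]))
                break
    return {"recent": len(recent), "counts": counts, "findings": findings}


def crash_loops(events, min_count=3, span=timedelta(minutes=10)):
    """Applications that faulted at least min_count times inside any window of length span."""
    by_app = {}
    for e in events:
        m = FAULT_RE.search(e["description"])
        if m:
            by_app.setdefault(m["app"].lower(), []).append(e["timestamp"])
    looping = []
    for app, times in by_app.items():
        times.sort()
        if any(times[i + min_count - 1] - times[i] <= span for i in range(len(times) - min_count + 1)):
            looping.append(app)
    return sorted(looping)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    report = triage(evs)
    for (src, eid), n in report["counts"].most_common():
        print(f"{n:3d}  {src} / {eid}")
    for kind, detail, ts in report["findings"]:
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:<20} {detail}")
    print("crash loops:", crash_loops(evs))
```

Run it as-is to see the constructed report; to use it on a real export, read the Notepad file into `parse_events` and pass `datetime.now()` as `now`. The 7003 finding is the useful one for cleanup work: the named service no longer exists, so the entry that depends on it is a remnant to remove, not a sign of active malware.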


----------



## john m ercolino (Jan 14, 2007)

Hello,
I am really in a pickle pot now! Last night around 3 am, the system did an automatic update and restarted itself. On rebooting Windows it gets stuck in an endless loop, flashing the warnings "windows explorer has encountered a problem and needs to close", then asks to send an error report, and also the warning: "Dr Watson postmortem debugger has encountered a problem and needs to close", then indicates selection for error reporting, and it stays in that loop infinitely. Everything is disabled at that point, the errors don't report, and the system is busy and does not respond to any mouse clicks. The only thing that can be done is task manager, and I notice multiple instances of a Dr Watson application running at once. 
I tried getting in through safe mode hoping to restore to an earlier time, but the same condition exists in safe mode as well. I am totally lost where to go next. Hope you can give me some help...John


----------



## Cookiegal (Aug 27, 2003)

I'm not completely clear on the status of the computer. Are you able to boot to Windows but don't have the normal desktop Start menu and can only use Task Manager to run programs?

Or are you not able to boot to Windows at all?

If the first one, open the Task Manager and then click on File and select "New Task (Run...)" and then type the following and click OK.

*explorer.exe*

This should give you the desktop start menu back.

If you're not able to boot to Windows at all you can try booting to Last Known Good Configuration.

Do you know which updates they were? I know I got two on Tuesday and they were KB2481109 and KB2479943 so I assume you got the same ones.


----------



## john m ercolino (Jan 14, 2007)

Sorry if I have confused you. Windows boots up and my desktop can be seen, although any icons that would connect to or through Internet Explorer have the generic blue and white folder label, and there are the two warning banners that I stated in the last post about Internet Explorer needing to close and Dr Watson postmortem debugger needing to close. It asks if I want to report the error but nothing happens if I make a selection. Also if I go to the task bar to click the start key the cursor changes to the hourglass and is non-functional. The only thing seeming to be normal is task manager. The antivirus and internet connection icons that are usually on the task bar to indicate they are running are not there as well. The same set of circumstances exists if I try to boot in safe mode.


----------



## john m ercolino (Jan 14, 2007)

The updates were KB971961, KB981332, KB2482017, KB2413381, KB234503, KB2344875, KB2481109, KB976662, KB2479943, KB2289187, and KB2289158

I am able to get into the event viewer from task manager to get this info. I also want to correct that there are six warning banners sitting on top of each other open on the desktop that say windows explorer needs to close.

I did also try booting to the last known good configuration last evening and that did not work, results were the same as what is going on now.


----------



## Cookiegal (Aug 27, 2003)

Download *OTS.exe* to your Desktop. 

Close any open browsers.
If your Real protection or Antivirus interferes with OTS, allow it to run.
Double-click on *OTS.exe* to start the program.
In *Additional Scans* section put a check in Disabled MS Config Items and EventViewer logs
Now click the *Run Scan* button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file.
Use the *Reply* button, scroll down to the attachments section and attach the notepad file here.


----------



## john m ercolino (Jan 14, 2007)

I think that I have still not made you understand the status of the computer. The desktop can be seen, but nothing there works, not even the start button. I cannot download anything or do anything that can't be accessed through task manager.


----------



## Cookiegal (Aug 27, 2003)

Open Task Manager then click on File and "New Task (Run...)" and enter the following to open the Add or Remove programs list.

*appwiz.cpl*

Then uninstall all of the updates that were just installed if you can.

Then, let me know if that solved the problem.

If not, we will do a system restore but it's best to uninstall the updates first as a system restore may corrupt them.


----------



## john m ercolino (Jan 14, 2007)

I am able to get to the add and remove programs list, and could scroll down and find the updates. Each time I tried to remove one of the updates, it would go to the next screen, which is the software update removal wizard, show an arrow next to "inspecting current configuration" and hang there. I could cancel it, but nothing other.


----------



## john m ercolino (Jan 14, 2007)

I'm going to throw this out to you, could be totally wrong and if so I will continue to let you do all the thinking here forward, but I run Internet Explorer 7 on this machine and last night it downloaded 5 updates for Internet Explorer 8. Could they have corrupted the program and be the cause of this hanging problem on the startup?


----------



## Cookiegal (Aug 27, 2003)

It's possible but I also noticed that some of those updates were old ones that should have already been installed.

Let's try the system restore then.

In the new task...run dialog box in Task Manager copy and paste the following to open up the system restore utility.

*C:\WINDOWS\system32\Restore\rstrui.exe*

Follow the prompts to do a system restore to just before this happened.


----------



## john m ercolino (Jan 14, 2007)

When I tried to initiate system restore from the task manager, I get the error message "system restore application has encountered an error and needs to close." The task manager shows the application not responding. Now what?


----------



## Cookiegal (Aug 27, 2003)

Are you able to open the registry editor via Task Manager? The command to enter is:

*regedit.exe*


----------



## john m ercolino (Jan 14, 2007)

Yes it is open


----------



## john m ercolino (Jan 14, 2007)

I hope I haven't lost you for the day, I will be in a very bad way if we can't get some functionality to Windows and my business accounting program today. Work has ground to a halt and checks and other things that need to be processed for tomorrow cannot presently be done. Sorry if I seem impatient, but I am under duress. I am very appreciative of your time and attention, and grateful that you have taken up my dilemma. Please don't misinterpret my concerns. Sincerely..John

The registry editor is open and waiting your instructions.


----------



## Cookiegal (Aug 27, 2003)

Content removed.


----------



## Cookiegal (Aug 27, 2003)

I just saw your other post. I was not aware this was a company computer. We do not normally work on company computers. Do you not have an IT department who can help you?


----------



## john m ercolino (Jan 14, 2007)

I did as instructed but there is no change in the reboot results. My desktop shows, the Windows music plays and then the error messages: Dr Watson debugger and Windows Explorer need to close, etc.


----------



## Cookiegal (Aug 27, 2003)

Did you see my last post?


----------



## john m ercolino (Jan 14, 2007)

Sorry about the confusion this is not a company computer there is no IT dept. I am an individual, self employed and do some business from home on my personal pc. That is what I was referring to.


----------



## Cookiegal (Aug 27, 2003)

Can you run your accounting program through the Task Manager?


----------



## john m ercolino (Jan 14, 2007)

No, I tried that and it gives me the same error as everything else, Peachtree encountered a problem and has to close, then it freezes.


----------



## Cookiegal (Aug 27, 2003)

Download Process Explorer from the following link and save it to your desktop.

http://live.sysinternals.com/procexp.exe

Right-click on the Procexp.exe file and select "Rename" and rename it to iexplore.exe. Then double-click the file to launch it.

Let me know what processes are running under explorer.exe please.


----------



## john m ercolino (Jan 14, 2007)

I can run my accounting off another machine that it is installed on, but I need to copy and transfer a copy of the most recent backup file from peachtree that is on the hard drive, and I can't figure out how to do that. I tried copying to the cd drive through a command prompt but it didn't work, any suggestions?


----------



## john m ercolino (Jan 14, 2007)

I have been communicating with you from another computer today, since this problem after the update reboot, I cannot get on the internet or do anything without going through the task manager.


----------



## Cookiegal (Aug 27, 2003)

john m ercolino said:


> I can run my accounting off another machine that it is installed on, but I need to copy and transfer a copy of the most recent backup file from peachtree that is on the hard drive, and I can't figure out how to do that. I tried copying to the cd drive through a command prompt but it didn't work, any suggestions?


I'm sorry but I'm not familiar with that software or how it works.


----------



## Cookiegal (Aug 27, 2003)

Can you download Process Explorer on the computer you're using and transfer it to the other one?


----------



## Cookiegal (Aug 27, 2003)

john m ercolino said:


> I'm going to throw this out to you, could be totally wrong and if so I will continue to let you do all the thinking here forward, but I run Internet Explorer 7 on this machine and last night it downloaded 5 updates for Internet Explorer 8. Could they have corrupted the program and be the cause of this hanging problem on the startup?


Just to comment on this, your logs submitted at the beginning of this thread indicate that IE8 was installed on March 4th, 2011. This is the restore point that was created before it was installed.

RP311: 3/4/2011 1:03:45 PM - Installed Windows Internet Explorer 8.


----------



## john m ercolino (Jan 14, 2007)

Okay, the IE8 was installed on March 4, but when this whole fiasco developed, part of the fix that occurred before us working together was a restore to a date previous to that. That is why it is still running IE7. When the virus first occurred, everything was locked up and non-usable. A scan from KSS and a scan from Malwarebytes removed whatever had the system frozen and unusable, and I hoped an upgrade to IE8 would eradicate whatever was left and resolve the instability. It did not, so I restored back to an earlier date, maybe somewhere around Feb 28.

To the next part, yes I can download to the computer I am working from now, but how would I transfer it to the infected machine. Knowing that would also solve my problem with the accounting for now, I do not know how to transfer the backup file from one machine to the other.


----------



## Cookiegal (Aug 27, 2003)

Do you have a flash drive that you could use to make the transfer?


----------



## john m ercolino (Jan 14, 2007)

I do not have a flash drive, but I do have an iPod if that will do. I could also just go out and get a flash drive if that's all I need to do


----------



## Cookiegal (Aug 27, 2003)

It should also work with a CD but you said you tried that?


----------



## Cookiegal (Aug 27, 2003)

Where is the peachtree backup located? (the entire path to it).


----------



## john m ercolino (Jan 14, 2007)

Okay I have a flash drive, copied the program you told me to download onto it, but how do I get it onto the disabled machine?


----------



## Cookiegal (Aug 27, 2003)

I take it you can't access "My Computer" where the drive letters are shown?


----------



## john m ercolino (Jan 14, 2007)

Yes, that is correct, I cannot get to My Computer and see the drive letters. The program is on the flash drive renamed but I don't know how to make it run.


----------



## Cookiegal (Aug 27, 2003)

I've moved this back over to the XP forum where hopefully others can jump in and assist.

If you know the drive letter it would be assigned you can type that as the command in Task Manager to open it up.

For instance if it's D then type:

*D:\*

See if that will open it. Then try to copy the program or drag it to the desktop.


----------



## john m ercolino (Jan 14, 2007)

Okay, I got that to work and the process explorer is open on my desktop.
Under the explorer.exe entry (the whole section is highlighted blue) is:
drwtsn32.exe
drwtsn32.exe
taskmgr.exe
regedit.exe
iexplore.exe.exe
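Process Explorer answers Cookiegal's question by drawing the parent/child tree from each process's parent PID; the list above is that subtree under explorer.exe. The script below is an added example (not output from the thread or from Process Explorer) that rebuilds the same tree from a snapshot of (pid, parent pid, image name, path) tuples and applies three checks a responder runs over such a listing: more than one drwtsn32.exe instance (the postmortem debugger being started repeatedly means something is crashing repeatedly), an image name with a double extension (here the renamed Process Explorer itself, which is harmless, but worth confirming every time), and an image started from a user-writable profile directory. The snapshot, its PIDs and paths, and the `example.exe` entry are constructed; the profile-directory list is an assumption chosen for the example.

```python
"""Rebuild a process tree from a snapshot and review what runs under explorer.exe.
Added example with a constructed snapshot; not the thread's own listing."""
from collections import Counter, defaultdict

# Constructed snapshot: (pid, parent pid, image name, image path). The names under
# explorer.exe follow the list posted above; example.exe is made up so the path check
# has something to report.
SNAPSHOT = [
    (4, 0, "System", ""),
    (600, 4, "smss.exe", r"C:\WINDOWS\System32\smss.exe"),
    (680, 600, "winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe"),
    (1500, 680, "explorer.exe", r"C:\WINDOWS\explorer.exe"),
    (2000, 1500, "drwtsn32.exe", r"C:\WINDOWS\system32\drwtsn32.exe"),
    (2010, 1500, "drwtsn32.exe", r"C:\WINDOWS\system32\drwtsn32.exe"),
    (2100, 1500, "taskmgr.exe", r"C:\WINDOWS\system32\taskmgr.exe"),
    (2200, 2100, "regedit.exe", r"C:\WINDOWS\regedit.exe"),
    (2300, 2100, "iexplore.exe.exe", r"E:\iexplore.exe.exe"),
    (2400, 1500, "example.exe",
     r"C:\Documents and Settings\user\Local Settings\Application Data\example.exe"),
]

# Assumed list of user-writable locations a shell child should not normally run from.
USER_PROFILE_DIRS = ("\\local settings\\", "\\application data\\", "\\temp\\")


def build_tree(snapshot):
    """Index the snapshot by pid and by parent pid."""
    by_pid, children = {}, defaultdict(list)
    for pid, ppid, name, path in snapshot:
        by_pid[pid] = (name, path)
        children[ppid].append(pid)
    return by_pid, children


def descendants(snapshot, root_name):
    """Every process below a process called root_name, as (depth, pid, name, path),
    in the depth-first order a tree view displays them."""
    by_pid, children = build_tree(snapshot)
    out = []

    def walk(pid, depth):
        for child in sorted(children.get(pid, [])):
            name, path = by_pid[child]
            out.append((depth, child, name, path))
            walk(child, depth + 1)

    for pid, (name, _) in by_pid.items():
        if name.lower() == root_name.lower():
            walk(pid, 1)
    return out


def review(snapshot, root_name="explorer.exe"):
    """Return the subtree under root_name and the notes the three checks produce."""
    subtree = descendants(snapshot, root_name)
    names = Counter(name.lower() for _, _, name, _ in subtree)
    notes = []
    if names["drwtsn32.exe"] > 1:
        notes.append(f"{names['drwtsn32.exe']} drwtsn32.exe instances: something is crashing repeatedly")
    for _, pid, name, path in subtree:
        if name.lower().count(".exe") > 1:
            notes.append(f"pid {pid}: double extension {name}; confirm what the file really is")
        if any(d in path.lower() for d in USER_PROFILE_DIRS):
            notes.append(f"pid {pid}: {name} runs from a profile directory: {path}")
    return subtree, notes


if __name__ == "__main__":
    subtree, notes = review(SNAPSHOT)
    for depth, pid, name, path in subtree:
        print(f"{'  ' * depth}{name} ({pid})  {path}")
    for note in notes:
        print("NOTE:", note)
```

With a real machine, the snapshot tuples come from whatever process lister is available; the tree walk and the checks do not change. The double-extension note is deliberately a prompt to verify rather than a verdict, since the case on this page is a tool the user renamed on purpose.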


----------



## Cookiegal (Aug 27, 2003)

You're able to run it?

What processes are listed under explorer.exe?


----------



## Cookiegal (Aug 27, 2003)

If you can tell me the path to the peachtree backup you should be able to do the reverse of this to get the backup to the other computer.


----------



## john m ercolino (Jan 14, 2007)

see previous post


----------



## john m ercolino (Jan 14, 2007)

I am pretty sure it is C:\peachw\amenew\american angus meats-3-11-8?
I would need to access it somehow to be letter perfect


----------



## Cookiegal (Aug 27, 2003)

OK nothing helpful there.

I have to go out but will be back shortly.

In the meantime, please provide the path to the peachtree backup

You should be able to open the folder with Task Manager and send it to the flash drive.


----------



## john m ercolino (Jan 14, 2007)

Okay, thank you. Be safe, and talk to you soon.


----------



## Cookiegal (Aug 27, 2003)

Try this command to open the first folder:

C:\peachw

If that works then you should be able to open the subfolders. When you get to the backups, right-click the file and select "send to" and select the drive letter that corresponds to the flash drive and it should get copied over.

If that's not the correct folder, it could be *c:\program files\peachtree*


----------



## john m ercolino (Jan 14, 2007)

Hello,
I was able to copy the backup files with the command prompt from the hard drive to the flash drive. Thanks, I am very relieved to be able to work that application again. 

Now, I hope you have some trick up your sleeve to get the windows up and running again.

By the way, your last instruction about opening the C:\peachw directory did not work. I'm letting you know this so you can better understand the state the computer is in. I can use commands in the run section of the task manager, but many of them just create an error, or state "cannot find specified device".

I hope you have some ideas how to rectify this. 

PPS. I will be on the road tomorrow until at least 3-4 pm, so I hope we catch each other after that.


----------



## Cookiegal (Aug 27, 2003)

OK, I'm glad you were able to use the program you needed. 

I think the best recommendation I could make, given the amount of corruption and what you use the computer for, would be to make sure you have everything you need backed up and do a full wipe and reformat. That will make sure all traces of the infection are gone and the system is working as it should. You should also change all passwords using a clean computer as a precaution.


----------



## john m ercolino (Jan 14, 2007)

Will that mean I have to reload all the programs again? Or just Windows? In its current state I don't know if it will back up anything. Can you suggest a procedure?


----------



## john m ercolino (Jan 14, 2007)

Here is a revelation: I logged off my user name and back on as a guest and the system is usable. I can't do a restore because I don't have administrator authority, but the system is working. I did a Malwarebytes scan, shows no infection


----------



## Cookiegal (Aug 27, 2003)

Yes, it would involve reloading Windows, drivers for all of the hardware and all other programs. You would lose all documents, photos, etc. unless they are backed up to an external drive. It's better to have an external drive for backups as flash drives are not meant for long-term storage. They are really only meant for transfers from one computer to another.

You could also try just a repair install which shouldn't affect any programs already installed BUT they do warn to back things up just in case as something could go wrong. This may not eradicate any malware that may still be present though so if you go that route we should still check the system for malware.

If you want to try that first, here are the instructions:

http://michaelstevenstech.com/XPrepairinstall.htm

This is really out of my realm so I would suggest that you start a new thread for assistance with the repair install or total reformat whichever you choose.


----------



## Cookiegal (Aug 27, 2003)

I hadn't seen your last post before posting my last message.

That could mean that your user account is corrupt.

Are you able to log in as the Administrator? You would have to boot to safe mode to see the Administrator account. If you can then you could create a new account with administrator privileges.


----------



## john m ercolino (Jan 14, 2007)

Here I am, I am actually using the infected machine. I just logged on and saw your post about making a new account in safe mode. What I did might have been in the same vein. I logged on in safe mode, which was behaving exactly like my regular Windows, error messages about explorer and the Dr Watson postmortem debugger. With the aid of the task manager there I got into the add and remove programs, found all the updates from 3-10-11 and removed them. I then rebooted and rebooted again to the last known good settings and here I am. 
I also just upgraded to IE-8 so if any other updates arrive there will not be a conflict. I know there is still a problem here so I am hoping you can feel comfortable addressing this again. I am ready I hope to post you new logs if you are so inclined...John


----------



## Cookiegal (Aug 27, 2003)

So what is the status now? Is everything working as it should from your account?


----------



## john m ercolino (Jan 14, 2007)

It is working, and there aren't any issues at the moment. I updated Windows and IE8 so that I could monitor, and all but one of 9 updates installed okay. Don't know what to do about the other one. I cleaned up as much stuff as I could and I am ready to start the virus hunt.
I did an online scan from ESET. The scan kept aborting and the system would go black and then reboot just as before, but maybe I have figured this out. Much of the blackouts and reboots have been during scans and/or efforts to either detect or eradicate my malware. You may think I am nuts or just giggle, but I think the malware knows when a scan or tool is heading its way and turns the power off so that it can't be eradicated. I base this on the fact that I changed the configuration on the ESET scanner after two tries, to scan only and not disinfect, and it generated a threat listed as "win32\adwarexp\antispyware.ab". This is the original malware I had suffered from, and although I may have been able to disable part of it to get my Windows working again, I did not get it all out and am still infected by it. 
I am in the process of running the ESET scanner again in safe mode to see if that wipes it or at least quarantines it without pulling the plug on the power. I'm sure you're chuckling at my deductive reasoning and maybe you have a much more rational answer to this, but I can only deduce by the facts. Whatever this is, it knows when it's going to be wiped and shuts the system down enough to reboot and not be touched.
Stop laughing now and tell me what your thoughts are...John


----------



## john m ercolino (Jan 14, 2007)

Okay, last post for today. I ran the ESET scanner in safe mode and it ran the full scan. It indicated it found and deleted one threat, which was the Win32\adwarexp\antispyware.ab. It did not black the system out from there. I watched the scan and saw that the threat was found while it was scanning the System Volume Information\restore section, so when it was done I shut down System Restore to delete all former restore points, and then restarted it to create a new restore point. The previous points did not help anyway; all I ever got were errors that the restore could not be implemented and the files have not been changed. So that is where I am now, and I hope you can review whether the system looks good or not. The only concern I have at this moment is a little shield logo on the "off button" of the shut down drop-down menu that looks suspiciously like the logo from the malware/antispyware, with a caption below it that says "you have files waiting to be downloaded". I am not pressing that unless you say it's normal and this machine is clean..John


----------



## Cookiegal (Aug 27, 2003)

Alright, do not allow that download. This one disguises itself as an MS update.

Please remove the version of ComboFix that you currently have by dragging it to the recycle bin and grab the latest one. Be sure to disable your security programs before running the scan.

Please visit *Combofix Guide & Instructions * for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.


----------



## john m ercolino (Jan 14, 2007)

Okay, so I downloaded the new ComboFix from the BleepingComputer site. Renamed it puppy.exe. Turned off the antivirus, closed all windows and ran the program. I get a warning that Windows\microsoft.net\framework\sbs.system.configuration.install.dll is corrupt and unreadable, please run checkdisk. But ComboFix is starting and running anyhow, so I don't touch anything, as per the instructions. After stage 18-20 I get a window that PEV.cfxxe encountered a problem and has to close, send error report y/n. I tried not touching it, but ComboFix stopped running until I clicked to send the error report and closed the reporting window. This occurred two times during the run. ComboFix ran to stage 50, and then shows "System file is infected!! Attempting to restore c:\windows\system32\imm32.dll", Successfully restored.
Yes, the smiley is on the ComboFix screen after the restored line. There the program sits, just a blinking cursor in a blue field, no error report, no drive/computer activity, nothing more for the last thirty minutes. Additionally there was a warning yellow triangle on the task bar that opened a bubble that said "CF5896.cfxxe - corrupt file".
So what to do now?
PS. ComboFix never changed my clock settings or even mentioned anything about it during the run, as is indicated in the instructions.


----------



## Cookiegal (Aug 27, 2003)

It could be Avast is still interfering.

What is the current status? Is it still hung?


----------



## john m ercolino (Jan 14, 2007)

It stayed hung for about an hour, then there was a warning banner that some service I didn't get the name of needed to terminate; it went black and rebooted. On the reboot it ran checkdisk, said the volume was dirty, and made some corrections. It booted Windows, and has been up and stable since then, but I have not used it either. The Avast was definitely disabled prior to the run.


----------



## john m ercolino (Jan 14, 2007)

Here are the entries from the Event Viewer / Application log from that time.

Event Type:	Information
Event Source:	Winlogon
Event Category:	None
Event ID:	1001
Date: 3/12/2011
Time: 11:24:28 AM
User: N/A
Computer:	DBMKS671
Description:
Checking file system on C:
The type of the file system is NTFS.

The volume is dirty.
The first attribute offset 0x38 in file 0x5c29 is incorrect.
Deleting corrupt file record segment 23593.
Deleting orphan file record segment 23594.
Index entry sbs_mscorsec.dll of index $I30 in file 0x27e8 points to unused file 0x5c29.
Deleting index entry sbs_mscorsec.dll in index $I30 of file 10216.
Index entry SBS_MS~2.DLL of index $I30 in file 0x27e8 points to unused file 0x5c29.
Deleting index entry SBS_MS~2.DLL in index $I30 of file 10216.
Index entry sbs_system.configuration.install.dll of index $I30 in file 0x27e8 points to unused file 0x5c2a.
Deleting index entry sbs_system.configuration.install.dll in index $I30 of file 10216.
Index entry SBS_SY~1.DLL of index $I30 in file 0x27e8 points to unused file 0x5c2a.
Deleting index entry SBS_SY~1.DLL in index $I30 of file 10216.
Cleaning up minor inconsistencies on the drive.
Cleaning up 873 unused index entries from index $SII of file 0x9.
Cleaning up 873 unused index entries from index $SDH of file 0x9.
Cleaning up 873 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows has made corrections to the file system.

95225284 KB total disk space.
36049172 KB in 66710 files.
28680 KB in 7967 indexes.
0 KB in bad sectors.
416756 KB in use by the system.
65536 KB occupied by the log file.
58730676 KB available on disk.

4096 bytes in each allocation unit.
23806321 total allocation units on disk.
14682669 allocation units available on disk.

Windows has finished checking your disk.
Please wait while your computer restarts.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 3/12/2011
Time: 10:27:46 AM
User: N/A
Computer:	DBMKS671
Description:
Faulting application pev.cfxxe, version 0.0.0.0, faulting module pev.cfxxe, version 0.0.0.0, fault address 0x00041355.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 3/12/2011
Time: 10:25:34 AM
User: N/A
Computer:	DBMKS671
Description:
Faulting application pev.cfxxe, version 0.0.0.0, faulting module pev.cfxxe, version 0.0.0.0, fault address 0x000ce040.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Information
Event Source:	Winlogon
Event Category:	None
Event ID:	1002
Date: 3/12/2011
Time: 10:21:40 AM
User: N/A
Computer:	DBMKS671
Description:
The shell stopped unexpectedly and Explorer.exe was restarted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Error
Event Source:	Application Hang
Event Category:	(101)
Event ID:	1002
Date: 3/12/2011
Time: 10:17:54 AM
User: N/A
Computer:	DBMKS671
Description:
Hanging application ComboFix[1].exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Information
Event Source:	SecurityCenter
Event Category:	None
Event ID:	1800
Date: 3/12/2011
Time: 12:52:57 AM
User: N/A
Computer:	DBMKS671
Description:
The Windows Security Center Service has started.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
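Added example, not part of this thread or of any tool named in it: a parser for the Event Viewer text export format pasted above that puts the records back in chronological order (Event Viewer copies them out newest-first) and flags the Application Error / Application Hang records for named programs such as ComboFix and pev.cfxxe, so the crashes that cluster around the scan stand out without reading the blocks one by one. The sample log inside the block is a constructed excerpt modelled on the posted records.

```python
"""Parse a Windows XP Event Viewer text export ("Event Type: / Event Source: ..." records)
into a chronological list and flag crashes or hangs of named programs.
Added example for this thread, not a tool used in it; SAMPLE_LOG is a constructed excerpt
modelled on the posted records (Event Viewer copies them out newest-first)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

SAMPLE_LOG = """\
Event Type:\tError
Event Source:\tApplication Error
Event ID:\t1000
Date: 3/12/2011
Time: 10:27:46 AM
Description:
Faulting application pev.cfxxe, version 0.0.0.0, faulting module pev.cfxxe, version 0.0.0.0, fault address 0x00041355.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat

Event Type:\tInformation
Event Source:\tWinlogon
Event ID:\t1002
Date: 3/12/2011
Time: 10:21:40 AM
Description:
The shell stopped unexpectedly and Explorer.exe was restarted.

Event Type:\tError
Event Source:\tApplication Hang
Event ID:\t1002
Date: 3/12/2011
Time: 10:17:54 AM
Description:
Hanging application ComboFix[1].exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
"""

HEADER_RE = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")
APP_RE = re.compile(r"^(?:Faulting|Hanging) application (.+?), version", re.IGNORECASE)


@dataclass
class Event:
    when: datetime
    event_type: str
    source: str
    event_id: int
    description: str
    faulting_app: Optional[str]  # set only for Application Error / Application Hang records


def parse_events(text: str) -> List[Event]:
    """Split the export into records and return them oldest-first."""
    events: List[Event] = []
    # Every record starts with "Event Type:"; the lookahead keeps that line in its record.
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        fields: Dict[str, str] = {}
        desc: List[str] = []
        in_desc = False
        for line in block.splitlines():
            if in_desc:
                # The description runs until the blank line, the help-link footer or the hex dump.
                if not line.strip() or line.startswith(("For more information", "Data:")):
                    in_desc = False
                else:
                    desc.append(line.strip())
            elif line.startswith("Description:"):
                in_desc = True
            else:
                m = HEADER_RE.match(line)
                if m:
                    fields[m.group(1)] = m.group(2).strip()
        if "Date" not in fields or "Time" not in fields:
            continue  # leading empty chunk or a truncated record
        when = datetime.strptime(f"{fields['Date']} {fields['Time']}", "%m/%d/%Y %I:%M:%S %p")
        description = " ".join(desc)
        app = APP_RE.match(description)
        events.append(Event(when, fields.get("Event Type", ""), fields.get("Event Source", ""),
                            int(fields.get("Event ID", "0")), description,
                            app.group(1) if app else None))
    events.sort(key=lambda e: e.when)
    return events


def tool_failures(events: List[Event], tool_names: List[str]) -> List[Event]:
    """Crash/hang records whose faulting program starts with one of tool_names (case-insensitive),
    so 'combofix' matches 'ComboFix[1].exe' and 'pev' matches 'pev.cfxxe'."""
    wanted = [t.lower() for t in tool_names]
    return [e for e in events
            if e.faulting_app and any(e.faulting_app.lower().startswith(t) for t in wanted)]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in evs:
        print(f"{e.when:%Y-%m-%d %H:%M:%S}  {e.source} ({e.event_id}): {e.description}")
    for e in tool_failures(evs, ["combofix", "pev"]):
        print(f"removal tool failed: {e.faulting_app} at {e.when:%H:%M:%S}")
```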


----------



## Cookiegal (Aug 27, 2003)

Did ComboFix create a log?

Please go to the following link and run TDSSKiller:

http://support.kaspersky.com/viruses/solutions?qid=208280684

Allow it to cure anything if prompted.

Please post the log back here.


----------



## john m ercolino (Jan 14, 2007)

No, there was never any log made by ComboFix.


----------



## john m ercolino (Jan 14, 2007)

So as soon as I went to the Kaspersky page and clicked to download, the system blacks out and reboots. For no reason; it has been stable for two hours now.... It knows..


----------



## Cookiegal (Aug 27, 2003)

Download and run the following tool to help allow other programs to run. _(Courtesy of BleepingComputer.com)_
There are 4 different versions. If one of them won't run, then download and try to run another one. Do not reboot after running this program.

Vista and Win7 users need to right click and choose *Run as Admin* 
*You only need to get one of them to run, not all of them.*

rkill.exe
rkill.com
rkill.scr
rkill.pif

Then see if you can run TDSSKiller.


----------



## john m ercolino (Jan 14, 2007)

I ran TDSSKiller from the flash drive prior to getting your last post. It says there were no infections. Here is the log file:

2011/03/12 14:24:43.0406 3176	TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/12 14:24:43.0531 3176	================================================================================
2011/03/12 14:24:43.0531 3176	SystemInfo:
2011/03/12 14:24:43.0531 3176	
2011/03/12 14:24:43.0531 3176	OS Version: 5.1.2600 ServicePack: 3.0
2011/03/12 14:24:43.0531 3176	Product type: Workstation
2011/03/12 14:24:43.0531 3176	ComputerName: DBMKS671
2011/03/12 14:24:43.0531 3176	UserName: john ercolino
2011/03/12 14:24:43.0531 3176	Windows directory: C:\WINDOWS
2011/03/12 14:24:43.0531 3176	System windows directory: C:\WINDOWS
2011/03/12 14:24:43.0531 3176	Processor architecture: Intel x86
2011/03/12 14:24:43.0531 3176	Number of processors: 2
2011/03/12 14:24:43.0531 3176	Page size: 0x1000
2011/03/12 14:24:43.0531 3176	Boot type: Normal boot
2011/03/12 14:24:43.0531 3176	================================================================================
2011/03/12 14:24:43.0781 3176	Initialize success
2011/03/12 14:24:57.0187 3616	================================================================================
2011/03/12 14:24:57.0187 3616	Scan started
2011/03/12 14:24:57.0187 3616	Mode: Manual; 
2011/03/12 14:24:57.0187 3616	================================================================================
2011/03/12 14:24:57.0375 3616	Aavmker4 (83631291adf2887cffc786d034d3fa15) C:\WINDOWS\system32\drivers\Aavmker4.sys
2011/03/12 14:24:57.0437 3616	abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/03/12 14:24:57.0453 3616	ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/03/12 14:24:57.0484 3616	ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/03/12 14:24:57.0515 3616	adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/03/12 14:24:57.0531 3616	aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/03/12 14:24:57.0593 3616	AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/03/12 14:24:57.0656 3616	agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/03/12 14:24:57.0671 3616	agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/03/12 14:24:57.0687 3616	Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/03/12 14:24:57.0718 3616	aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/03/12 14:24:57.0734 3616	aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/03/12 14:24:57.0765 3616	AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/03/12 14:24:57.0781 3616	alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/03/12 14:24:57.0796 3616	amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/03/12 14:24:57.0812 3616	amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/03/12 14:24:57.0843 3616	asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/03/12 14:24:57.0859 3616	asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/03/12 14:24:57.0875 3616	asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/03/12 14:24:57.0921 3616	aswFsBlk (1c2e6bb4fe8621b1b863855b02bc33eb) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2011/03/12 14:24:57.0937 3616	aswMon2 (452d0ecd14fa02f9b061f42c8a30dd49) C:\WINDOWS\system32\drivers\aswMon2.sys
2011/03/12 14:24:57.0953 3616	aswRdr (b6a9373619d851be80fb5f1b5eed0d4e) C:\WINDOWS\system32\drivers\aswRdr.sys
2011/03/12 14:24:57.0984 3616	aswSnx (9be41c1ae8bc481eb662d85c98d979c2) C:\WINDOWS\system32\drivers\aswSnx.sys
2011/03/12 14:24:58.0015 3616	aswSP (4b1a54ba2bc5873a774df6b70ab8b0b3) C:\WINDOWS\system32\drivers\aswSP.sys
2011/03/12 14:24:58.0031 3616	aswTdi (c7f1cea32766184911293f4e1ee653f5) C:\WINDOWS\system32\drivers\aswTdi.sys
2011/03/12 14:24:58.0062 3616	AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/03/12 14:24:58.0078 3616	atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/03/12 14:24:58.0156 3616	ati2mtag (f0d0b0cdec0be32d775f404cac2604bf) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/03/12 14:24:58.0187 3616	Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/03/12 14:24:58.0203 3616	audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/03/12 14:24:58.0234 3616	b57w2k (4826fcf97c47b361a2e2f68cd487a19e) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/03/12 14:24:58.0265 3616	Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/03/12 14:24:58.0406 3616	cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/03/12 14:24:58.0421 3616	cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/03/12 14:24:58.0453 3616	cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/03/12 14:24:58.0468 3616	Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/03/12 14:24:58.0484 3616	Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/03/12 14:24:58.0515 3616	Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/03/12 14:24:58.0546 3616	CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/03/12 14:24:58.0609 3616	Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/03/12 14:24:58.0640 3616	cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys
2011/03/12 14:24:58.0765 3616	dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/03/12 14:24:58.0796 3616	dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/03/12 14:24:58.0828 3616	Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/03/12 14:24:58.0875 3616	dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/03/12 14:24:58.0921 3616	dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/03/12 14:24:58.0937 3616	dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/03/12 14:24:58.0968 3616	DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/03/12 14:24:59.0000 3616	dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/03/12 14:24:59.0015 3616	drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/03/12 14:24:59.0046 3616	drvmcdb (e814854e6b246ccf498874839ab64d77) C:\WINDOWS\system32\drivers\drvmcdb.sys
2011/03/12 14:24:59.0062 3616	drvnddm (ee83a4ebae70bc93cf14879d062f548b) C:\WINDOWS\system32\drivers\drvnddm.sys
2011/03/12 14:24:59.0093 3616	E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/03/12 14:24:59.0125 3616	Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/03/12 14:24:59.0156 3616	Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/03/12 14:24:59.0171 3616	Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/03/12 14:24:59.0187 3616	Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/03/12 14:24:59.0218 3616	FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/03/12 14:24:59.0250 3616	Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/03/12 14:24:59.0265 3616	Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/03/12 14:24:59.0296 3616	GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/03/12 14:24:59.0312 3616	Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/03/12 14:24:59.0343 3616	grmnusb (d956358054e99e6ffac69cd87e893a89) C:\WINDOWS\system32\drivers\grmnusb.sys
2011/03/12 14:24:59.0359 3616	HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/03/12 14:24:59.0390 3616	hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/03/12 14:24:59.0421 3616	HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/03/12 14:24:59.0453 3616	i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/03/12 14:24:59.0468 3616	i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/03/12 14:24:59.0484 3616	i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/03/12 14:24:59.0546 3616	iaStor (309c4d86d989fb1fcf64bd30dc81c51b) C:\WINDOWS\system32\drivers\iaStor.sys
2011/03/12 14:24:59.0593 3616	Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/03/12 14:24:59.0640 3616	ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/03/12 14:24:59.0656 3616	IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/03/12 14:24:59.0687 3616	intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/03/12 14:24:59.0703 3616	Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/03/12 14:24:59.0734 3616	IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/03/12 14:24:59.0750 3616	IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/03/12 14:24:59.0765 3616	IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/03/12 14:24:59.0796 3616	IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/03/12 14:24:59.0812 3616	IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/03/12 14:24:59.0828 3616	isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/03/12 14:24:59.0859 3616	Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/03/12 14:24:59.0890 3616	kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/03/12 14:24:59.0921 3616	kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/03/12 14:24:59.0937 3616	KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/03/12 14:25:00.0000 3616	LGBusEnum (170e7093a77ad586f3a012a3db651d94) C:\WINDOWS\system32\drivers\LGBusEnum.sys
2011/03/12 14:25:00.0015 3616	LGVirHid (d2dd04d1c8df65eecd1f2c7fb947d43e) C:\WINDOWS\system32\drivers\LGVirHid.sys
2011/03/12 14:25:00.0046 3616	LHidFlt2 (b97d05e656818572b6b04ba682d3aa8f) C:\WINDOWS\system32\DRIVERS\LHidFlt2.Sys
2011/03/12 14:25:00.0062 3616	LHidUsb (826aacb98a2ca5c51e982c748a60d645) C:\WINDOWS\system32\Drivers\LHidUsb.Sys
2011/03/12 14:25:00.0093 3616	LMouFlt2 (b666f835c18974f392a387c6e863072f) C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys
2011/03/12 14:25:00.0125 3616	mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/03/12 14:25:00.0156 3616	Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/03/12 14:25:00.0187 3616	Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/03/12 14:25:00.0203 3616	mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/03/12 14:25:00.0234 3616	MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/03/12 14:25:00.0250 3616	mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/03/12 14:25:00.0265 3616	MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/03/12 14:25:00.0312 3616	MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/03/12 14:25:00.0343 3616	Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/03/12 14:25:00.0359 3616	MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/03/12 14:25:00.0390 3616	MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/03/12 14:25:00.0406 3616	MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/03/12 14:25:00.0421 3616	mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/03/12 14:25:00.0437 3616	Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/03/12 14:25:00.0468 3616	NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/03/12 14:25:00.0484 3616	NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/03/12 14:25:00.0515 3616	Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/03/12 14:25:00.0531 3616	NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/03/12 14:25:00.0546 3616	NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/03/12 14:25:00.0593 3616	NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/03/12 14:25:00.0625 3616	NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/03/12 14:25:00.0671 3616	Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/03/12 14:25:00.0703 3616	Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/03/12 14:25:00.0734 3616	Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/03/12 14:25:00.0812 3616	nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/03/12 14:25:00.0875 3616	NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/03/12 14:25:00.0890 3616	NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/03/12 14:25:00.0921 3616	OlCamudp (23f6b9e6d3a6f27571885d27f292fd91) C:\WINDOWS\system32\Drivers\olcamudp.sys
2011/03/12 14:25:00.0953 3616	omci (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys
2011/03/12 14:25:00.0968 3616	Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/03/12 14:25:00.0984 3616	PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/03/12 14:25:01.0015 3616	ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/03/12 14:25:01.0031 3616	PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/03/12 14:25:01.0062 3616	PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/03/12 14:25:01.0078 3616	Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/03/12 14:25:01.0171 3616	perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/03/12 14:25:01.0203 3616	perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/03/12 14:25:01.0265 3616	PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/03/12 14:25:01.0296 3616	PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/03/12 14:25:01.0312 3616	Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/03/12 14:25:01.0328 3616	PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/03/12 14:25:01.0359 3616	ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/03/12 14:25:01.0375 3616	Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/03/12 14:25:01.0390 3616	ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/03/12 14:25:01.0406 3616	ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/03/12 14:25:01.0437 3616	ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/03/12 14:25:01.0453 3616	RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/03/12 14:25:01.0484 3616	Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/03/12 14:25:01.0500 3616	RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/03/12 14:25:01.0515 3616	Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/03/12 14:25:01.0562 3616	Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/03/12 14:25:01.0578 3616	RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/03/12 14:25:01.0609 3616	rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/03/12 14:25:01.0640 3616	RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/03/12 14:25:01.0671 3616	redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/03/12 14:25:01.0765 3616	Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/03/12 14:25:01.0812 3616	senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
2011/03/12 14:25:01.0843 3616	serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/03/12 14:25:01.0875 3616	Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/03/12 14:25:01.0906 3616	Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/03/12 14:25:01.0968 3616	sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/03/12 14:25:02.0000 3616	smwdm (86c4d93b7b7818d066c52fdb03c6c921) C:\WINDOWS\system32\drivers\smwdm.sys
2011/03/12 14:25:02.0031 3616	snapman (5052dbafc8f4e4507e6ad0d467dd3529) C:\WINDOWS\system32\DRIVERS\snapman.sys
2011/03/12 14:25:02.0046 3616	Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/03/12 14:25:02.0078 3616	splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/03/12 14:25:02.0109 3616	sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/03/12 14:25:02.0140 3616	Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/03/12 14:25:02.0171 3616	sscdbhk5 (d7968049be0adbb6a57cee3960320911) C:\WINDOWS\system32\drivers\sscdbhk5.sys
2011/03/12 14:25:02.0187 3616	ssrtln (c3ffd65abfb6441e7606cf74f1155273) C:\WINDOWS\system32\drivers\ssrtln.sys
2011/03/12 14:25:02.0218 3616	swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/03/12 14:25:02.0234 3616	swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/03/12 14:25:02.0265 3616	symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/03/12 14:25:02.0281 3616	symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/03/12 14:25:02.0312 3616	sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/03/12 14:25:02.0343 3616	sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/03/12 14:25:02.0359 3616	sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/03/12 14:25:02.0390 3616	Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/03/12 14:25:02.0437 3616	Tcpip6 (4e53bbcc4be37d7a4bd6ef1098c89ff7) C:\WINDOWS\system32\DRIVERS\tcpip6.sys
2011/03/12 14:25:02.0468 3616	TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/03/12 14:25:02.0484 3616	TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/03/12 14:25:02.0500 3616	TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/03/12 14:25:02.0531 3616	tfsnboio (30698355067d07da5f9eb81132c9fdd6) C:\WINDOWS\system32\dla\tfsnboio.sys
2011/03/12 14:25:02.0546 3616	tfsncofs (fb9d825bb4a2abdf24600f7505050e2b) C:\WINDOWS\system32\dla\tfsncofs.sys
2011/03/12 14:25:02.0562 3616	tfsndrct (cafd8cca11aa1e8b6d2ea1ba8f70ec33) C:\WINDOWS\system32\dla\tfsndrct.sys
2011/03/12 14:25:02.0593 3616	tfsndres (8db1e78fbf7c426d8ec3d8f1a33d6485) C:\WINDOWS\system32\dla\tfsndres.sys
2011/03/12 14:25:02.0609 3616	tfsnifs (b92f67a71cc8176f331b8aa8d9f555ad) C:\WINDOWS\system32\dla\tfsnifs.sys
2011/03/12 14:25:02.0625 3616	tfsnopio (85985faa9a71e2358fcc2edefc2a3c5c) C:\WINDOWS\system32\dla\tfsnopio.sys
2011/03/12 14:25:02.0640 3616	tfsnpool (bba22094f0f7c210567efdaf11f64495) C:\WINDOWS\system32\dla\tfsnpool.sys
2011/03/12 14:25:02.0656 3616	tfsnudf (81340bef80b9811e98ce64611e67e3ff) C:\WINDOWS\system32\dla\tfsnudf.sys
2011/03/12 14:25:02.0687 3616	tfsnudfa (c035fd116224ccc8325f384776b6a8bb) C:\WINDOWS\system32\dla\tfsnudfa.sys
2011/03/12 14:25:02.0703 3616	tifsfilter (fd03a8ff9d4573246bd8e6d5371969e4) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
2011/03/12 14:25:02.0734 3616	timounter (8061ee6fe61a27d6024da5e2d06a0418) C:\WINDOWS\system32\DRIVERS\timntr.sys
2011/03/12 14:25:02.0765 3616	TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/03/12 14:25:02.0796 3616	tunmp (8f861eda21c05857eb8197300a92501c) C:\WINDOWS\system32\DRIVERS\tunmp.sys
2011/03/12 14:25:02.0828 3616	Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/03/12 14:25:02.0843 3616	ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/03/12 14:25:02.0875 3616	Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/03/12 14:25:02.0906 3616	usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/03/12 14:25:02.0937 3616	usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/03/12 14:25:02.0953 3616	usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/03/12 14:25:02.0984 3616	usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/03/12 14:25:03.0000 3616	usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/03/12 14:25:03.0031 3616	USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/03/12 14:25:03.0046 3616	usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/03/12 14:25:03.0062 3616	VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/03/12 14:25:03.0093 3616	viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/03/12 14:25:03.0109 3616	ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/03/12 14:25:03.0140 3616	VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/03/12 14:25:03.0171 3616	Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/03/12 14:25:03.0218 3616	wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/03/12 14:25:03.0281 3616	WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/03/12 14:25:03.0328 3616	WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/03/12 14:25:03.0343 3616	WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/03/12 14:25:03.0531 3616	================================================================================
2011/03/12 14:25:03.0531 3616	Scan finished
2011/03/12 14:25:03.0531 3616	================================================================================

Do you still want me to download the item per your last instruction?


----------



## Cookiegal (Aug 27, 2003)

Yes, download and run RKill and then see if you can do this:

Download *OTS.exe * to your Desktop. 

Close any open browsers.
If your Real protection or Antivirus interferes with OTS, allow it to run.
Double-click on *OTS.exe* to start the program.
In *Additional Scans *section put a check in Disabled MS Config Items and EventViewer logs
Now click the *Run Scan *button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file.
Use the *Reply* button, scroll down to the attachments section and attach the notepad file here.


----------



## Cookiegal (Aug 27, 2003)

Also, please do this:

Please download *MBRCheck.exe* to your desktop.

Be sure to disable your security programs prior to running the tool. 
Double click on MBRCheck.exe to run it. Please allow any prompts popped by Windows in order to run the tool.
_(Vista and Windows 7 users will have to confirm the UAC prompt)_
A command window will pop open and run. If any unknown MBR code is found, you will be prompted with further options; at this time please press *N* then press *Enter*.
Press *Enter* again to exit the program.
If nothing unusual is found, you will be shown the machine MBR status. Just press *Enter* to exit.
A text file named *MBRCheck_mm.dd.yy_hh.mm.ss* should appear on your desktop. Please post the contents of that file.


----------



## john m ercolino (Jan 14, 2007)

I need to go out for a while; I'll be back in about an hour.
Here are the logs:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line: 
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 189):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA5AC000 aliide.sys
0xBA5AE000 cmdide.sys
0xBA5B0000 toside.sys
0xBA5B2000 viaide.sys
0xBA5B4000 intelide.sys
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5B6000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xBA4BC000 cpqarray.sys
0xB9F0B000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xB9E35000 iaStor.sys
0xB9E1D000 atapi.sys
0xBA4C0000 aha154x.sys
0xBA338000 sparrow.sys
0xBA4C4000 symc810.sys
0xBA0D8000 aic78xx.sys
0xBA4C8000 dac960nt.sys
0xBA0E8000 ql10wnt.sys
0xBA4CC000 amsint.sys
0xBA340000 asc.sys
0xBA4D0000 asc3550.sys
0xBA348000 mraid35x.sys
0xBA350000 i2omp.sys
0xBA4D4000 ini910u.sys
0xBA0F8000 ql1240.sys
0xBA108000 aic78u2.sys
0xBA358000 symc8xx.sys
0xBA360000 sym_hi.sys
0xBA368000 sym_u3.sys
0xBA370000 ABP480N5.SYS
0xBA378000 asc3350p.sys
0xBA5B8000 cd20xrnt.sys
0xBA118000 ultra.sys
0xB9E04000 adpu160m.sys
0xBA380000 dpti2o.sys
0xBA128000 ql1080.sys
0xBA138000 ql1280.sys
0xBA148000 ql12160.sys
0xBA388000 perc2.sys
0xBA5BA000 perc2hib.sys
0xBA390000 hpn.sys
0xBA4D8000 cbidf2k.sys
0xB9DD8000 dac2w2k.sys
0xBA158000 disk.sys
0xBA168000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9DB8000 fltmgr.sys
0xB9DA6000 sr.sys
0xB9D91000 drvmcdb.sys
0xBA398000 PxHelp20.sys
0xB9D7A000 KSecDD.sys
0xB9CED000 Ntfs.sys
0xB9CC0000 NDIS.sys
0xB9C61000 timntr.sys
0xBA178000 viaagp.sys
0xB9C48000 snapman.sys
0xBA188000 sisagp.sys
0xB9C2E000 Mup.sys
0xBA198000 agp440.sys
0xBA1A8000 alim1541.sys
0xBA1B8000 amdagp.sys
0xBA1C8000 agpCPQ.sys
0xB9B0D000 \SystemRoot\system32\DRIVERS\tunmp.sys
0xBA298000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB8FA5000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB8F91000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB8F63000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xBA400000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB8F3F000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA408000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB8EFF000 \SystemRoot\system32\drivers\smwdm.sys
0xB8EDB000 \SystemRoot\system32\drivers\portcls.sys
0xBA2A8000 \SystemRoot\system32\drivers\drmk.sys
0xB8EB8000 \SystemRoot\system32\drivers\ks.sys
0xB8E05000 \SystemRoot\system32\drivers\senfilt.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA410000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB8DF1000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\serial.sys
0xB97DB000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB950A000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA5E0000 \SystemRoot\system32\drivers\sscdbhk5.sys
0xB94FA000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB94EA000 \SystemRoot\system32\DRIVERS\redbook.sys
0xBA418000 \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
0xBA747000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB94DA000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB97CF000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB8DDA000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB94CA000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB94BA000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA420000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB8DC9000 \SystemRoot\system32\DRIVERS\psched.sys
0xB94AA000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA428000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA430000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB8D99000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB949A000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA438000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA5E2000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB8D3B000 \SystemRoot\system32\DRIVERS\update.sys
0xB9B85000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB93E4000 \SystemRoot\system32\DRIVERS\omci.sys
0xBA2D8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB9ABD000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA612000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB9B29000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xBA634000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xACED9000 \SystemRoot\System32\Drivers\Null.SYS
0xBA636000 \SystemRoot\System32\Drivers\Beep.SYS
0xAD1F0000 \SystemRoot\system32\drivers\ssrtln.sys
0xAD1E8000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xAD1E0000 \SystemRoot\System32\drivers\vga.sys
0xBA638000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA63A000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xAD1D8000 \SystemRoot\System32\Drivers\Msfs.SYS
0xAD1D0000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB9B1D000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAB897000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAB83E000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xAD57F000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xACB3E000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xAB818000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xAB7E0000 \SystemRoot\system32\DRIVERS\tcpip6.sys
0xAB7B8000 \SystemRoot\system32\DRIVERS\netbt.sys
0xACB2E000 \SystemRoot\system32\drivers\ip6fw.sys
0xAD1C8000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xB82A1000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xAB6A6000 \SystemRoot\System32\drivers\afd.sys
0xACB1E000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAB67B000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xAB60B000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xACB0E000 \SystemRoot\System32\Drivers\Fips.SYS
0xAB5C3000 \SystemRoot\System32\Drivers\aswSP.SYS
0xAB53D000 \SystemRoot\System32\Drivers\aswSnx.SYS
0xAD1B8000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xB80D8000 \SystemRoot\System32\Drivers\LHidUsb.Sys
0xAC45C000 \SystemRoot\System32\Drivers\HIDCLASS.SYS
0xAC8D6000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xB821A000 \SystemRoot\system32\DRIVERS\LHidFlt2.Sys
0xADECF000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xAC3FC000 \SystemRoot\system32\DRIVERS\LMouFlt2.Sys
0xA56CA000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA55F4000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xA6161000 \SystemRoot\System32\drivers\Dxapi.sys
0xB93C4000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA6A3000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF04A000 \SystemRoot\System32\ati2cqag.dll
0xBF084000 \SystemRoot\System32\atikvmag.dll
0xBF0F0000 \SystemRoot\System32\ati3duag.dll
0xBF313000 \SystemRoot\System32\ativvaxx.dll
0xBF388000 \SystemRoot\System32\ATMFD.DLL
0xB908C000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xA6408000 \SystemRoot\system32\drivers\drvnddm.sys
0xBA468000 \SystemRoot\system32\DRIVERS\tifsfilt.sys
0xAB0CD000 \SystemRoot\system32\dla\tfsndres.sys
0xA45DE000 \SystemRoot\system32\dla\tfsnifs.sys
0xB9B4D000 \SystemRoot\system32\dla\tfsnopio.sys
0xBA656000 \SystemRoot\system32\dla\tfsnpool.sys
0xBA470000 \SystemRoot\system32\dla\tfsnboio.sys
0xA6023000 \SystemRoot\system32\dla\tfsncofs.sys
0xAB0CC000 \SystemRoot\system32\dla\tfsndrct.sys
0xA45C5000 \SystemRoot\system32\dla\tfsnudf.sys
0xA45AC000 \SystemRoot\system32\dla\tfsnudfa.sys
0xA6E27000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA456D000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xBA238000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA4260000 \SystemRoot\system32\drivers\wdmaud.sys
0xAD5BF000 \SystemRoot\system32\drivers\sysaudio.sys
0xA404D000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA3EDD000 \SystemRoot\system32\DRIVERS\srv.sys
0xA3BCC000 \SystemRoot\System32\Drivers\HTTP.sys
0xA3791000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\SYSTEM32\ntdll.dll

Processes (total 43):
0 System Idle Process
4 System
784 C:\WINDOWS\SYSTEM32\smss.exe
832 csrss.exe
856 C:\WINDOWS\SYSTEM32\winlogon.exe
900 C:\WINDOWS\SYSTEM32\services.exe
912 C:\WINDOWS\SYSTEM32\lsass.exe
1112 C:\WINDOWS\SYSTEM32\ati2evxx.exe
1128 C:\WINDOWS\SYSTEM32\svchost.exe
1200 svchost.exe
1268 C:\Program Files\Windows Defender\MsMpEng.exe
1336 C:\WINDOWS\SYSTEM32\svchost.exe
1432 svchost.exe
1512 svchost.exe
1632 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1812 C:\WINDOWS\explorer.exe
1972 C:\Program Files\Analog Devices\Core\smax4pnp.exe
1980 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
1988 C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
324 C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
348 C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
364 C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
376 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
400 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
640 C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
1652 C:\WINDOWS\SYSTEM32\LEXBCES.EXE
1536 C:\WINDOWS\SYSTEM32\spoolsv.exe
1700 C:\WINDOWS\SYSTEM32\LEXPPS.EXE
2236 svchost.exe
2272 agent.exe
2328 C:\Program Files\Acronis\BackupServer\backupserver.exe
2352 C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
2428 C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe
2452 C:\Program Files\Java\jre6\bin\jqs.exe
2496 C:\WINDOWS\SYSTEM32\svchost.exe
3576 alg.exe
2372 C:\WINDOWS\SYSTEM32\wuauclt.exe
3852 C:\WINDOWS\notepad.exe
3728 C:\Program Files\Internet Explorer\iexplore.exe
3024 C:\Program Files\Internet Explorer\iexplore.exe
1280 C:\WINDOWS\SYSTEM32\wscntfy.exe
2172 C:\Program Files\Windows Defender\MSASCui.exe
2252 C:\Documents and Settings\john ercolino.DBMKS671\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f11000 (NTFS)

PhysicalDrive0 Model Number: ‰·

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Legit MBR code detected
SHA1: 829FE44D735D24CF2D8106853DEE9DFE5FEED23F
Done!


```
OTS logfile created on: 3/12/2011 2:46:36 PM - Run 1
OTS by OldTimer - Version 3.1.42.0     Folder = C:\Documents and Settings\john ercolino.DBMKS671\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 85.00% Memory free
6.00 Gb Paging File | 6.00 Gb Available in Paging File | 95.00% Paging File free
Paging file location(s): C:\pagefile.sys 3092 3092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 90.81 Gb Total Space | 55.92 Gb Free Space | 61.57% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 3.73 Gb Total Space | 3.02 Gb Free Space | 81.05% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: DBMKS671
Current User Name: john ercolino
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
 
[Processes - Safe List]
ots.exe -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\OTS.exe -> [2011/03/12 14:44:26 | 000,645,632 | ---- | M] (OldTimer Tools)
avastui.exe -> C:\Program Files\Alwil Software\Avast5\AvastUI.exe -> [2011/02/23 10:04:20 | 003,451,496 | ---- | M] (AVAST Software)
avastsvc.exe -> C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -> [2011/02/23 10:04:19 | 000,042,184 | ---- | M] (AVAST Software)
explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation)
msmpeng.exe -> C:\Program Files\Windows Defender\MsMpEng.exe -> [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation)
trueimagemonitor.exe -> C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe -> [2006/07/21 08:03:00 | 001,106,528 | ---- | M] (Acronis)
backupserver.exe -> C:\Program Files\Acronis\BackupServer\backupserver.exe -> [2006/07/21 01:25:20 | 009,025,808 | ---- | M] (Acronis)
agent.exe -> C:\Program Files\Common Files\Acronis\Agent\agent.exe -> [2006/07/20 23:50:16 | 000,319,488 | ---- | M] (Acronis)
timountermonitor.exe -> C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe -> [2006/07/20 23:15:32 | 001,848,155 | ---- | M] (Acronis)
schedhlp.exe -> C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe -> [2006/07/20 23:13:48 | 000,126,976 | ---- | M] (Acronis)
schedul2.exe -> C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -> [2006/07/20 23:13:42 | 000,204,800 | ---- | M] (Acronis)
iaanotif.exe -> C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe -> [2005/10/12 11:30:42 | 000,139,264 | ---- | M] (Intel Corporation)
iaantmon.exe -> C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe -> [2004/03/23 13:15:40 | 000,073,852 | ---- | M] (Intel Corporation)
em_exec.exe -> C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE -> [2003/11/14 09:50:00 | 000,037,888 | ---- | M] (Logitech Inc.)
 
[Modules - Safe List]
ots.exe -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\OTS.exe -> [2011/03/12 14:44:26 | 000,645,632 | ---- | M] (OldTimer Tools)
comctl32.dll -> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll -> [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation)
lgmsghk.dll -> C:\Program Files\Common Files\Logitech\Scrolling\LGMSGHK.DLL -> [2003/11/14 09:50:00 | 000,024,064 | ---- | M] (Logitech Inc.)
lgwndhk.dll -> C:\Program Files\Logitech\MouseWare\system\LgWndHk.dll -> [2003/11/14 09:50:00 | 000,006,144 | ---- | M] (Logitech Inc.)
 
[Win32 Services - Safe List]
(McMPFSvc) McAfee Personal Firewall [Auto | Stopped] ->  -> File not found
(avast! Antivirus) avast! Antivirus [Auto | Running] -> C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -> [2011/02/23 10:04:19 | 000,042,184 | ---- | M] (AVAST Software)
(EPSON_PM_RPCV4_01) EPSON V3 Service4(01) [Auto | Stopped] -> C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE -> [2007/01/11 04:02:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION)
(WinDefend) Windows Defender [Auto | Running] -> C:\Program Files\Windows Defender\MsMpEng.exe -> [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation)
(AcronisBackupServerService) Acronis Backup Server Service [Auto | Running] -> C:\Program Files\Acronis\BackupServer\backupserver.exe -> [2006/07/21 01:25:20 | 009,025,808 | ---- | M] (Acronis)
(AcronisAgent) Acronis Remote Agent [Auto | Running] -> C:\Program Files\Common Files\Acronis\Agent\agent.exe -> [2006/07/20 23:50:16 | 000,319,488 | ---- | M] (Acronis)
(AcrSch2Svc) Acronis Scheduler2 Service [Auto | Running] -> C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -> [2006/07/20 23:13:42 | 000,204,800 | ---- | M] (Acronis)
(IAANTMon) IAA Event Monitor [Auto | Running] -> C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe -> [2004/03/23 13:15:40 | 000,073,852 | ---- | M] (Intel Corporation)
 
[Driver Services - Safe List]
(aswSnx) aswSnx [File_System | System | Running] -> C:\WINDOWS\System32\drivers\aswSnx.sys -> [2011/02/23 09:56:55 | 000,371,544 | ---- | M] (AVAST Software)
(aswSP) aswSP [Kernel | System | Running] -> C:\WINDOWS\System32\drivers\aswSP.sys -> [2011/02/23 09:56:45 | 000,301,528 | ---- | M] (AVAST Software)
(aswTdi) avast! Network Shield Support [Kernel | System | Running] -> C:\WINDOWS\System32\drivers\aswTdi.sys -> [2011/02/23 09:55:49 | 000,049,240 | ---- | M] (AVAST Software)
(aswMon2) avast! Standard Shield Support [File_System | Auto | Running] -> C:\WINDOWS\System32\drivers\aswmon2.sys -> [2011/02/23 09:55:47 | 000,102,232 | ---- | M] (AVAST Software)
(aswRdr) aswRdr [Kernel | System | Running] -> C:\WINDOWS\System32\drivers\aswRdr.sys -> [2011/02/23 09:55:10 | 000,025,432 | ---- | M] (AVAST Software)
(Aavmker4) avast! Asynchronous Virus Monitor [Kernel | System | Running] -> C:\WINDOWS\System32\drivers\aavmker4.sys -> [2011/02/23 09:54:57 | 000,030,680 | ---- | M] (AVAST Software)
(aswFsBlk) aswFsBlk [File_System | Auto | Running] -> C:\WINDOWS\System32\drivers\aswFsBlk.sys -> [2011/02/23 09:54:55 | 000,019,544 | ---- | M] (AVAST Software)
(timounter) Acronis True Image Backup Archive Explorer [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\timntr.sys -> [2010/07/06 23:26:12 | 000,388,000 | ---- | M] (Acronis)
(tifsfilter) Acronis True Image FS Filter [File_System | Auto | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\tifsfilt.sys -> [2010/07/06 23:26:12 | 000,032,288 | ---- | M] (Acronis)
(snapman) Acronis Snapshots Manager [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\snapman.sys -> [2010/07/06 23:26:09 | 000,099,776 | ---- | M] (Acronis)
(Tcpip6) Microsoft IPv6 Protocol Driver [Kernel | System | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\tcpip6.sys -> [2010/02/11 07:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation)
(cpudrv) cpudrv [Kernel | On_Demand | Stopped] -> C:\Program Files\SystemRequirementsLab\cpudrv.sys -> [2009/12/18 09:58:52 | 000,011,336 | ---- | M] ()
(LGVirHid) Logitech Gamepanel Virtual HID Device Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\SYSTEM32\DRIVERS\LGVirHid.sys -> [2009/11/23 17:37:18 | 000,014,856 | ---- | M] (Logitech Inc.)
(LGBusEnum) Logitech GamePanel Virtual Bus Enumerator Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\SYSTEM32\DRIVERS\LGBusEnum.sys -> [2009/11/23 17:37:08 | 000,019,720 | ---- | M] (Logitech Inc.)
(senfilt) senfilt [Kernel | On_Demand | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\senfilt.sys -> [2004/09/17 11:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.)
(ati2mtag) ati2mtag [Kernel | On_Demand | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys -> [2004/08/25 10:28:46 | 000,787,456 | ---- | M] (ATI Technologies Inc.)
(b57w2k) Broadcom NetXtreme 57xx Gigabit Controller [Kernel | On_Demand | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\b57xp32.sys -> [2004/05/29 18:41:54 | 000,186,112 | ---- | M] (Broadcom Corporation)
(LMouFlt2) Logitech Mouse Class Filter Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\LMouFlt2.Sys -> [2003/11/07 04:50:00 | 000,070,798 | ---- | M] (Logitech, Inc.)
(LHidUsb) Logitech USB Receiver device driver [Kernel | On_Demand | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\LHidUsb.sys -> [2003/11/07 04:50:00 | 000,037,884 | ---- | M] (Logitech, Inc.)
(LHidFlt2) Logitech HID/USB Mouse Filter Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\LHidFlt2.Sys -> [2003/11/07 04:50:00 | 000,025,502 | ---- | M] (Logitech, Inc.)
(omci) OMCI WDM Device Driver [Kernel | System | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -> [2002/11/08 14:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation)
(OlCamudp) OLYMPUS Digital Camera [Kernel | On_Demand | Stopped] -> C:\WINDOWS\SYSTEM32\DRIVERS\olcamudp.sys -> [2000/02/08 03:55:12 | 000,010,379 | R--- | M] (OLYMPUS Optical Co.,Ltd.)
 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\"SearchDefaultBranded" -> 1 -> 
HKEY_CURRENT_USER\: Main\\"SearchMigratedDefaultName" -> Google -> 
HKEY_CURRENT_USER\: Main\\"SearchMigratedDefaultURL" -> http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 -> 
HKEY_CURRENT_USER\: Main\\"Start Page" -> http://news.yahoo.com/ -> 
HKEY_CURRENT_USER\: SearchURL\\"" -> http://www.google.com/keyword/%s -> 
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 -> 
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions ->  -> 
< FireFox Extensions [User Folders] > -> 
< HOSTS File > ([2011/03/07 16:47:23 | 000,000,027 | ---- | M] - 1 lines) -> C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts -> 
Reset Hosts
127.0.0.1       localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> [2011/01/21 15:43:07 | 000,061,888 | ---- | M] (Adobe Systems Incorporated)
{601ED020-FB6C-11D3-87D8-0050DA59922B} [HKLM] -> C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll [WsftpBrowserHelper Class] -> [2004/08/18 14:35:14 | 000,118,830 | ---- | M] (Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421)
{8E5E2654-AD2D-48bf-AC2D-D17F00898D06} [HKLM] -> C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll [avast! WebRep] -> [2011/02/23 10:04:16 | 000,814,160 | ---- | M] ()
{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} [HKLM] -> C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [EpsonToolBandKicker Class] -> [2005/02/22 13:50:34 | 000,368,640 | ---- | M] (SEIKO EPSON CORPORATION)
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
"{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}" [HKLM] -> C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll [avast! WebRep] -> [2011/02/23 10:04:16 | 000,814,160 | ---- | M] ()
"{EE5D279F-081B-4404-994D-C6B60AAEBA6D}" [HKLM] -> C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [EPSON Web-To-Page] -> [2005/02/22 13:50:34 | 000,368,640 | ---- | M] (SEIKO EPSON CORPORATION)
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{EE5D279F-081B-4404-994D-C6B60AAEBA6D}" [HKLM] -> C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [EPSON Web-To-Page] -> [2005/02/22 13:50:34 | 000,368,640 | ---- | M] (SEIKO EPSON CORPORATION)
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"Acronis Scheduler2 Service" -> C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe ["C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"] -> [2006/07/20 23:13:48 | 000,126,976 | ---- | M] (Acronis)
"AcronisTimounterMonitor" -> C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe [C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe] -> [2006/07/20 23:15:32 | 001,848,155 | ---- | M] (Acronis)
"avast" -> C:\Program Files\Alwil Software\Avast5\avastUI.exe ["C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui] -> [2011/02/23 10:04:20 | 003,451,496 | ---- | M] (AVAST Software)
"IAAnotif" -> C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe [C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe] -> [2005/10/12 11:30:42 | 000,139,264 | ---- | M] (Intel Corporation)
"KernelFaultCheck" ->  [%systemroot%\system32\dumprep 0 -k] -> File not found
"Logitech Utility" -> C:\WINDOWS\LOGI_MWX.EXE [Logi_MwX.Exe] -> [2003/11/07 04:50:00 | 000,019,968 | ---- | M] (Logitech Inc.)
"TrueImageMonitor.exe" -> C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe [C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe] -> [2006/07/21 08:03:00 | 001,106,528 | ---- | M] (Acronis)
"UpdateManager" -> C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe ["C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r] -> [2004/01/07 02:01:00 | 000,110,592 | ---- | M] (Sonic Solutions)
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
< john ercolino.DBMKS671 Startup Folder > -> C:\Documents and Settings\john ercolino.DBMKS671\Start Menu\Programs\Startup -> 
< Software Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoCDBurning" ->  [0] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDrives" ->  [0] -> File not found
\\"HonorAutoRunSetting" ->  [1] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDrives" ->  [0] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] ->  [Reg Error: Value error.] -> File not found
CmdMapping\\"{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}" [HKLM] ->  [Reg Error: Key error.] -> File not found
CmdMapping\\"{e2e2dd38-d088-4134-82b7-f2ba38496583}" [HKLM] ->  [Reg Error: Key error.] -> File not found
CmdMapping\\"{EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A}" [HKLM] -> C:\Program Files\IrfanView\Ebay\Ebay.htm [eBay - Homepage] -> [2005/04/12 04:07:46 | 000,000,378 | ---- | M] ()
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] ->  [Reg Error: Key error.] -> File not found
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 2 domain(s) found. -> 
internet .[about] -> Trusted sites -> 
mcafee.com .[https] -> Trusted sites -> 
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{17492023-C23A-453E-A040-C7C580BBF700} [HKLM] -> http://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab [Windows Genuine Advantage Validation Tool] -> 
{31435657-9980-0010-8000-00AA00389B71} [HKLM] -> http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab [Reg Error: Key error.] -> 
{6414512B-B978-451D-A0D8-FCFDF33E833C} [HKLM] -> http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1271905715648 [WUWebControl Class] -> 
{7530BFB8-7293-4D34-9923-61A11451AFC5} [HKLM] -> http://download.eset.com/special/eos/OnlineScanner.cab [Reg Error: Key error.] -> 
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [HKLM] -> http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab [Reg Error: Key error.] -> 
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab [Reg Error: Key error.] -> 
{CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} [HKLM] -> http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab [SysInfo Class] -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab [Shockwave Flash Object] -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ -> 
DhcpNameServer -> 192.168.1.1 -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{3CCB81F0-A67F-4087-A902-72B4F8A34FE6}\\DhcpNameServer -> 192.168.1.1   (Broadcom NetXtreme 57xx Gigabit Controller) -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
Explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks -> 
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" [HKLM] -> C:\Program Files\Windows Defender\MpShHook.dll [Microsoft AntiMalware ShellExecuteHook] -> [2006/11/03 19:20:00 | 000,083,224 | ---- | M] (Microsoft Corporation)
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -> 
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> 
"C:\Program Files\Acronis\TrueImageWorkstation\TrueImage.exe" -> C:\Program Files\Acronis\TrueImageWorkstation\TrueImage.exe [C:\Program Files\Acronis\TrueImageWorkstation\TrueImage.exe:*:Enabled:TrueImage] -> [2006/07/21 08:08:06 | 011,936,517 | ---- | M] (Acronis)
"C:\Program Files\Common Files\Acronis\Agent\agent.exe" -> C:\Program Files\Common Files\Acronis\Agent\agent.exe [C:\Program Files\Common Files\Acronis\Agent\agent.exe:*:Enabled:Acronis Remote Agent] -> [2006/07/20 23:50:16 | 000,319,488 | ---- | M] (Acronis)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot -> 
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 -> 
"DisplayName" -> CD-ROM Driver -> 
"ImagePath" ->  [system32\DRIVERS\cdrom.sys] -> File not found
< Drives with AutoRun files > ->  -> 
C:\AUTOEXEC.BAT [] -> C:\AUTOEXEC.BAT [ NTFS ] -> [2004/08/11 18:15:00 | 000,000,000 | ---- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> 
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command -> 
comfile [open] -> "%1" %* -> 
exefile [open] -> "%1" %* -> 
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ -> 
.com [@ = comfile] -> "%1" %* -> 
.exe [@ = exefile] -> "%1" %* -> 
 
[Registry - Additional Scans - Safe List]
< Disabled MSConfig State [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state -> 
"bootini" -> 2 -> 
"services" -> 0 -> 
"startup" -> 0 -> 
"system.ini" -> 0 -> 
"win.ini" -> 0 -> 
< EventViewer Logs - Last 10 Errors > -> Event Information -> Description
Application [ Error ] 3/11/2011 10:07:04 PM Computer Name = DBMKS671 | Source = Application Error | ID = 1000 -> Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.
Application [ Error ] 3/11/2011 10:10:34 PM Computer Name = DBMKS671 | Source = Application Error | ID = 1000 -> Description = Faulting application pev.cfxxe, version 0.0.0.0, faulting module pev.cfxxe, version 0.0.0.0, fault address 0x000ce040.
Application [ Error ] 3/11/2011 10:48:09 PM Computer Name = DBMKS671 | Source = crypt32 | ID = 131080 -> Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.  
Application [ Error ] 3/11/2011 11:16:09 PM Computer Name = DBMKS671 | Source = crypt32 | ID = 131080 -> Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.  
Application [ Error ] 3/11/2011 11:16:28 PM Computer Name = DBMKS671 | Source = Application Error | ID = 1000 -> Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version 0.0.0.0, fault address 0x715ba067.
Application [ Error ] 3/12/2011 1:21:34 AM Computer Name = DBMKS671 | Source = Application Error | ID = 1000 -> Description = Faulting application onlinecmdlinescanner.exe, version 0.0.0.0, faulting module esets_apiw_a.dll, version 3.0.15.0, fault address 0x00004440.
Application [ Error ] 3/12/2011 1:23:19 AM Computer Name = DBMKS671 | Source = Application Error | ID = 1001 -> Description = Fault bucket -2075597031.
Application [ Error ] 3/12/2011 11:17:54 AM Computer Name = DBMKS671 | Source = Application Hang | ID = 1002 -> Description = Hanging application ComboFix[1].exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Application [ Error ] 3/12/2011 11:25:34 AM Computer Name = DBMKS671 | Source = Application Error | ID = 1000 -> Description = Faulting application pev.cfxxe, version 0.0.0.0, faulting module pev.cfxxe, version 0.0.0.0, fault address 0x000ce040.
Application [ Error ] 3/12/2011 11:27:46 AM Computer Name = DBMKS671 | Source = Application Error | ID = 1000 -> Description = Faulting application pev.cfxxe, version 0.0.0.0, faulting module pev.cfxxe, version 0.0.0.0, fault address 0x00041355.
System [ Error ] 3/12/2011 1:01:46 AM Computer Name = DBMKS671 | Source = Service Control Manager | ID = 7026 -> Description = The following boot-start or system-start driver(s) failed to load:   Aavmker4  aswSnx  aswSP  aswTdi  Fips  intelppm
System [ Error ] 3/12/2011 1:23:43 AM Computer Name = DBMKS671 | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service EventSystem with arguments ""  in order to run the server:  {1BE1F766-5536-11D1-B726-00C04FB926AF}
System [ Error ] 3/12/2011 1:24:43 AM Computer Name = DBMKS671 | Source = Service Control Manager | ID = 7003 -> Description = The McAfee Personal Firewall service depends on the following nonexistent service: MfeFire
System [ Error ] 3/12/2011 1:44:46 AM Computer Name = DBMKS671 | Source = Service Control Manager | ID = 7003 -> Description = The McAfee Personal Firewall service depends on the following nonexistent service: MfeFire
System [ Error ] 3/12/2011 1:52:57 AM Computer Name = DBMKS671 | Source = Service Control Manager | ID = 7003 -> Description = The McAfee Personal Firewall service depends on the following nonexistent service: MfeFire
System [ Error ] 3/12/2011 2:16:40 AM Computer Name = DBMKS671 | Source = MRxSmb | ID = 8003 -> Description = The master browser has received a server announcement from the computer AMYZAHRALABA-PC  that believes that it is the master browser for the domain on transport NetBT_Tcpip_{3CCB81F0-A67.  The master browser is stopping or an election is being forced.
System [ Error ] 3/12/2011 3:18:58 AM Computer Name = DBMKS671 | Source = Ntfs | ID = 262199 -> Description = The file system structure on the disk is corrupt and unusable.  Please run the chkdsk utility on the volume C:.
System [ Error ] 3/12/2011 4:00:38 AM Computer Name = DBMKS671 | Source = Windows Update Agent | ID = 20 -> Description = Installation Failure: Windows failed to install the following update with error 0x8007f064: Cumulative Security Update for Internet Explorer 8 for Windows XP (KB2482017).
System [ Error ] 3/12/2011 4:00:38 AM Computer Name = DBMKS671 | Source = Windows Update Agent | ID = 20 -> Description = Installation Failure: Windows failed to install the following update with error 0x80070643: Windows Malicious Software Removal Tool - March 2011 (KB890830).
System [ Error ] 3/12/2011 9:26:16 AM Computer Name = DBMKS671 | Source = MRxSmb | ID = 8003 -> Description = The master browser has received a server announcement from the computer AMYZAHRALABA-PC  that believes that it is the master browser for the domain on transport NetBT_Tcpip_{3CCB81F0-A67.  The master browser is stopping or an election is being forced.
 
[Files/Folders - Created Within 30 Days]
 OTS.exe -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\OTS.exe -> [2011/03/12 14:44:25 | 000,645,632 | ---- | C] (OldTimer Tools)
 tdsskiller -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\tdsskiller -> [2011/03/12 14:16:43 | 000,000,000 | ---D | C]
 puppy -> C:\puppy -> [2011/03/12 10:20:08 | 000,000,000 | --SD | C]
 F-Secure -> C:\Documents and Settings\All Users\Application Data\F-Secure -> [2011/03/11 22:15:18 | 000,000,000 | ---D | C]
 lhmstscx.dll -> C:\WINDOWS\System32\dllcache\lhmstscx.dll -> [2011/03/11 21:43:19 | 002,067,456 | ---- | C] (Microsoft Corporation)
 ie8 -> C:\WINDOWS\ie8 -> [2011/03/11 20:46:48 | 000,000,000 | -H-D | C]
 TDSSKiller.exe -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\TDSSKiller.exe -> [2011/03/10 12:27:50 | 001,377,112 | ---- | C] (Kaspersky Lab ZAO)
 RECYCLER -> C:\RECYCLER -> [2011/03/07 18:20:42 | 000,000,000 | -HSD | C]
 WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe -> [2011/03/07 17:02:20 | 004,608,744 | ---- | C] (Microsoft Corporation)
 cmdcons -> C:\cmdcons -> [2011/03/07 16:04:11 | 000,000,000 | RHSD | C]
 SWXCACLS.exe -> C:\WINDOWS\SWXCACLS.exe -> [2011/03/07 16:02:28 | 000,212,480 | ---- | C] (SteelWerX)
 SWREG.exe -> C:\WINDOWS\SWREG.exe -> [2011/03/07 16:02:28 | 000,161,792 | ---- | C] (SteelWerX)
 SWSC.exe -> C:\WINDOWS\SWSC.exe -> [2011/03/07 16:02:28 | 000,136,704 | ---- | C] (SteelWerX)
 NIRCMD.exe -> C:\WINDOWS\NIRCMD.exe -> [2011/03/07 16:02:28 | 000,031,232 | ---- | C] (NirSoft)
 ERDNT -> C:\WINDOWS\ERDNT -> [2011/03/07 16:02:20 | 000,000,000 | ---D | C]
 avast! Free Antivirus -> C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus -> [2011/03/07 15:05:28 | 000,000,000 | ---D | C]
 Apple -> C:\Documents and Settings\LocalService\Local Settings\Application Data\Apple -> [2011/03/07 15:05:18 | 000,000,000 | ---D | C]
 Malwarebytes' Anti-Malware -> C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware -> [2011/03/07 15:04:56 | 000,000,000 | ---D | C]
 Qoobox -> C:\Qoobox -> [2011/03/07 15:04:55 | 000,000,000 | ---D | C]
 Sunbelt Software -> C:\Documents and Settings\john ercolino.DBMKS671\Local Settings\Application Data\Sunbelt Software -> [2011/03/07 15:04:54 | 000,000,000 | ---D | C]
 HiJackThis -> C:\Documents and Settings\john ercolino.DBMKS671\Start Menu\Programs\HiJackThis -> [2011/03/07 15:04:45 | 000,000,000 | ---D | C]
 FileASSASSIN -> C:\Documents and Settings\All Users\Start Menu\Programs\FileASSASSIN -> [2011/03/07 15:04:42 | 000,000,000 | ---D | C]
 IECompatCache -> C:\Documents and Settings\john ercolino.DBMKS671\IECompatCache -> [2011/03/04 13:10:26 | 000,000,000 | -HSD | C]
 PrivacIE -> C:\Documents and Settings\john ercolino.DBMKS671\PrivacIE -> [2011/03/04 13:07:36 | 000,000,000 | -HSD | C]
 IETldCache -> C:\Documents and Settings\john ercolino.DBMKS671\IETldCache -> [2011/03/04 13:06:54 | 000,000,000 | -HSD | C]
 ie8updates -> C:\WINDOWS\ie8updates -> [2011/03/04 13:04:42 | 000,000,000 | ---D | C]
 mbamswissarmy.sys -> C:\WINDOWS\System32\drivers\mbamswissarmy.sys -> [2011/03/03 19:38:42 | 000,038,224 | ---- | C] (Malwarebytes Corporation)
 mbam.sys -> C:\WINDOWS\System32\drivers\mbam.sys -> [2011/03/03 19:38:39 | 000,020,952 | ---- | C] (Malwarebytes Corporation)
 SBREDrv.sys -> C:\WINDOWS\System32\drivers\SBREDrv.sys -> [2011/03/03 17:04:44 | 000,098,392 | ---- | C] (Sunbelt Software)
 Lavasoft -> C:\Documents and Settings\All Users\Application Data\Lavasoft -> [2011/03/03 17:02:53 | 000,000,000 | ---D | C]
 Windows Defender -> C:\Program Files\Windows Defender -> [2011/03/03 14:10:57 | 000,000,000 | ---D | C]
 MSSTDFMT.DLL -> C:\WINDOWS\System32\MSSTDFMT.DLL -> [2011/03/02 15:07:28 | 000,118,784 | ---- | C] (Microsoft Corporation)
 aswSnx.sys -> C:\WINDOWS\System32\drivers\aswSnx.sys -> [2011/03/02 13:24:22 | 000,371,544 | ---- | C] (AVAST Software)
 FileASSASSIN -> C:\Program Files\FileASSASSIN -> [2011/03/02 12:38:18 | 000,000,000 | ---D | C]
 ENGINE PHOTOS -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\ENGINE PHOTOS -> [2011/02/21 13:43:56 | 000,000,000 | ---D | C]
 ATIDEMGR.dll -> C:\WINDOWS\System32\ATIDEMGR.dll -> [1980/01/01 01:00:00 | 000,151,552 | ---- | C] ( )
 10 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 
 
[Files/Folders - Modified Within 30 Days]
 OTS.exe -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\OTS.exe -> [2011/03/12 14:44:26 | 000,645,632 | ---- | M] (OldTimer Tools)
 MP Scheduled Scan.job -> C:\WINDOWS\tasks\MP Scheduled Scan.job -> [2011/03/12 14:26:17 | 000,000,330 | -H-- | M] ()
 wpa.dbl -> C:\WINDOWS\System32\wpa.dbl -> [2011/03/12 14:23:29 | 000,002,206 | ---- | M] ()
 BOOTSTAT.DAT -> C:\WINDOWS\BOOTSTAT.DAT -> [2011/03/12 14:23:06 | 000,002,048 | --S- | M] ()
 hiberfil.sys -> C:\hiberfil.sys -> [2011/03/12 14:22:46 | 3219,288,064 | -HS- | M] ()
 puppy.exe -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\puppy.exe -> [2011/03/12 10:19:07 | 004,286,091 | R--- | M] ()
 Auslogics Boost Speed Disk Defrag Console Defragmentation.job -> C:\WINDOWS\tasks\Auslogics Boost Speed Disk Defrag Console Defragmentation.job -> [2011/03/12 04:29:00 | 000,000,616 | ---- | M] ()
 WordPerfect.lnk -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\WordPerfect.lnk -> [2011/03/12 00:41:20 | 000,002,429 | ---- | M] ()
 imsins.BAK -> C:\WINDOWS\imsins.BAK -> [2011/03/11 21:44:45 | 000,001,374 | ---- | M] ()
 Launch Internet Explorer Browser.lnk -> C:\Documents and Settings\john ercolino.DBMKS671\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> [2011/03/11 20:49:32 | 000,000,815 | ---- | M] ()
 PAW120.ini -> C:\WINDOWS\PAW120.ini -> [2011/03/11 20:37:07 | 000,003,210 | ---- | M] ()
 avast! Free Antivirus.lnk -> C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk -> [2011/03/10 18:00:11 | 000,001,700 | ---- | M] ()
 config.nt -> C:\WINDOWS\System32\config.nt -> [2011/03/10 18:00:10 | 000,000,051 | ---- | M] ()
 TDSSKiller.exe -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\TDSSKiller.exe -> [2011/03/10 12:27:50 | 001,377,112 | ---- | M] (Kaspersky Lab ZAO)
 iis6.BAK -> C:\WINDOWS\iis6.BAK -> [2011/03/10 03:02:16 | 002,004,303 | ---- | M] ()
 th_French300.jpg -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\th_French300.jpg -> [2011/03/09 14:56:53 | 000,072,987 | ---- | M] ()
 boot.ini -> C:\boot.ini -> [2011/03/08 03:38:18 | 000,000,327 | ---- | M] ()
 boot.123 -> C:\boot.123 -> [2011/03/08 03:36:55 | 000,000,401 | RHS- | M] ()
 HiJackThis.lnk -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\HiJackThis.lnk -> [2011/03/07 18:20:08 | 000,002,481 | ---- | M] ()
 WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe -> [2011/03/07 17:02:23 | 004,608,744 | ---- | M] (Microsoft Corporation)
 hosts -> C:\WINDOWS\System32\drivers\ETC\hosts -> [2011/03/07 16:47:23 | 000,000,027 | ---- | M] ()
 AppleSoftwareUpdate.job -> C:\WINDOWS\tasks\AppleSoftwareUpdate.job -> [2011/03/05 22:53:01 | 000,000,284 | ---- | M] ()
 Bank of America  Online Banking  SiteKey  Verify SiteKey.url -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\Bank of America  Online Banking  SiteKey  Verify SiteKey.url -> [2011/03/05 08:17:24 | 000,000,284 | ---- | M] ()
 Girl_or_Car.pps -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\Girl_or_Car.pps -> [2011/03/04 11:26:07 | 002,809,856 | ---- | M] ()
 Malwarebytes' Anti-Malware.lnk -> C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk -> [2011/03/03 19:38:43 | 000,000,784 | ---- | M] ()
 SBREDrv.sys -> C:\WINDOWS\System32\drivers\SBREDrv.sys -> [2011/03/03 17:04:44 | 000,098,392 | ---- | M] (Sunbelt Software)
 rundll32.exe -> C:\WINDOWS\System32\dllcache\rundll32.exe -> [2011/03/03 13:37:02 | 000,033,280 | ---- | M] (Microsoft Corporation)
 1051646004 -> C:\Documents and Settings\john ercolino.DBMKS671\Local Settings\Application Data\1051646004 -> [2011/03/03 12:08:52 | 000,017,916 | -HS- | M] ()
 1051646004 -> C:\Documents and Settings\All Users\Application Data\1051646004 -> [2011/03/03 12:08:52 | 000,017,916 | -HS- | M] ()
 wininit.ini -> C:\WINDOWS\wininit.ini -> [2011/03/02 15:10:48 | 000,000,177 | ---- | M] ()
 Default.rdp -> C:\Documents and Settings\john ercolino.DBMKS671\My Documents\Default.rdp -> [2011/03/02 13:47:21 | 000,000,000 | -H-- | M] ()
 FileASSASSIN.lnk -> C:\Documents and Settings\All Users\Desktop\FileASSASSIN.lnk -> [2011/03/02 12:38:18 | 000,000,730 | ---- | M] ()
 Buff_-_4_PDF.pdf -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\Buff_-_4_PDF.pdf -> [2011/02/25 16:00:30 | 005,755,538 | ---- | M] ()
 avastSS.scr -> C:\WINDOWS\avastSS.scr -> [2011/02/23 10:04:21 | 000,040,648 | ---- | M] (AVAST Software)
 aswBoot.exe -> C:\WINDOWS\System32\aswBoot.exe -> [2011/02/23 10:04:17 | 000,190,016 | ---- | M] (AVAST Software)
 aswSnx.sys -> C:\WINDOWS\System32\drivers\aswSnx.sys -> [2011/02/23 09:56:55 | 000,371,544 | ---- | M] (AVAST Software)
 aswSP.sys -> C:\WINDOWS\System32\drivers\aswSP.sys -> [2011/02/23 09:56:45 | 000,301,528 | ---- | M] (AVAST Software)
 aswTdi.sys -> C:\WINDOWS\System32\drivers\aswTdi.sys -> [2011/02/23 09:55:49 | 000,049,240 | ---- | M] (AVAST Software)
 aswmon2.sys -> C:\WINDOWS\System32\drivers\aswmon2.sys -> [2011/02/23 09:55:47 | 000,102,232 | ---- | M] (AVAST Software)
 aswmon.sys -> C:\WINDOWS\System32\drivers\aswmon.sys -> [2011/02/23 09:55:44 | 000,096,344 | ---- | M] (AVAST Software)
 aswRdr.sys -> C:\WINDOWS\System32\drivers\aswRdr.sys -> [2011/02/23 09:55:10 | 000,025,432 | ---- | M] (AVAST Software)
 aavmker4.sys -> C:\WINDOWS\System32\drivers\aavmker4.sys -> [2011/02/23 09:54:57 | 000,030,680 | ---- | M] (AVAST Software)
 aswFsBlk.sys -> C:\WINDOWS\System32\drivers\aswFsBlk.sys -> [2011/02/23 09:54:55 | 000,019,544 | ---- | M] (AVAST Software)
 10 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 
 
[Files - No Company Name]
 puppy.exe -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\puppy.exe -> [2011/03/12 10:19:07 | 004,286,091 | R--- | C] ()
 hiberfil.sys -> C:\hiberfil.sys -> [2011/03/12 00:24:26 | 3219,288,064 | -HS- | C] ()
 th_French300.jpg -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\th_French300.jpg -> [2011/03/09 14:56:53 | 000,072,987 | ---- | C] ()
 boot.ini -> C:\boot.ini -> [2011/03/08 03:37:15 | 000,000,327 | ---- | C] ()
 PEV.exe -> C:\WINDOWS\PEV.exe -> [2011/03/07 16:02:28 | 000,256,512 | ---- | C] ()
 sed.exe -> C:\WINDOWS\sed.exe -> [2011/03/07 16:02:28 | 000,098,816 | ---- | C] ()
 MBR.exe -> C:\WINDOWS\MBR.exe -> [2011/03/07 16:02:28 | 000,089,088 | ---- | C] ()
 grep.exe -> C:\WINDOWS\grep.exe -> [2011/03/07 16:02:28 | 000,080,412 | ---- | C] ()
 zip.exe -> C:\WINDOWS\zip.exe -> [2011/03/07 16:02:28 | 000,068,096 | ---- | C] ()
 Girl_or_Car.pps -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\Girl_or_Car.pps -> [2011/03/04 11:26:07 | 002,809,856 | ---- | C] ()
 Malwarebytes' Anti-Malware.lnk -> C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk -> [2011/03/03 19:38:43 | 000,000,784 | ---- | C] ()
 MP Scheduled Scan.job -> C:\WINDOWS\tasks\MP Scheduled Scan.job -> [2011/03/03 14:14:02 | 000,000,330 | -H-- | C] ()
 Windows Defender.lnk -> C:\Documents and Settings\All Users\Start Menu\Programs\Windows Defender.lnk -> [2011/03/03 14:10:59 | 000,000,955 | ---- | C] ()
 config.nt -> C:\WINDOWS\System32\config.nt -> [2011/03/03 10:05:39 | 000,000,051 | ---- | C] ()
 wpa.dbl -> C:\WINDOWS\System32\wpa.dbl -> [2011/03/02 14:17:59 | 000,002,206 | ---- | C] ()
 HiJackThis.lnk -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\HiJackThis.lnk -> [2011/03/02 14:13:20 | 000,002,481 | ---- | C] ()
 Default.rdp -> C:\Documents and Settings\john ercolino.DBMKS671\My Documents\Default.rdp -> [2011/03/02 13:47:21 | 000,000,000 | -H-- | C] ()
 FileASSASSIN.lnk -> C:\Documents and Settings\All Users\Desktop\FileASSASSIN.lnk -> [2011/03/02 12:38:18 | 000,000,730 | ---- | C] ()
 1051646004 -> C:\Documents and Settings\john ercolino.DBMKS671\Local Settings\Application Data\1051646004 -> [2011/03/02 11:19:11 | 000,017,916 | -HS- | C] ()
 1051646004 -> C:\Documents and Settings\All Users\Application Data\1051646004 -> [2011/03/02 11:19:11 | 000,017,916 | -HS- | C] ()
 Buff_-_4_PDF.pdf -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\Buff_-_4_PDF.pdf -> [2011/02/25 16:00:30 | 005,755,538 | ---- | C] ()
 3D Text Factory.INI -> C:\WINDOWS\3D Text Factory.INI -> [2010/06/24 14:05:36 | 000,000,045 | ---- | C] ()
 wwwbatch.ini -> C:\WINDOWS\wwwbatch.ini -> [2010/04/21 18:47:37 | 000,000,163 | ---- | C] ()
 fusioncache.dat -> C:\Documents and Settings\john ercolino.DBMKS671\Local Settings\Application Data\fusioncache.dat -> [2010/01/07 11:25:33 | 000,000,145 | ---- | C] ()
 OGACheckControl.dll -> C:\WINDOWS\System32\OGACheckControl.dll -> [2009/08/03 15:07:42 | 000,403,816 | ---- | C] ()
 OGAEXEC.exe -> C:\WINDOWS\System32\OGAEXEC.exe -> [2009/08/03 15:07:42 | 000,230,768 | ---- | C] ()
 Textart.INI -> C:\WINDOWS\Textart.INI -> [2008/12/19 05:30:50 | 000,000,000 | ---- | C] ()
 CSTBox.INI -> C:\WINDOWS\CSTBox.INI -> [2008/12/09 19:41:02 | 000,045,843 | ---- | C] ()
 PS_setup.ini -> C:\WINDOWS\PS_setup.ini -> [2008/12/09 19:16:11 | 000,000,021 | ---- | C] ()
 EPPICPrinterDB.dat -> C:\WINDOWS\System32\EPPICPrinterDB.dat -> [2008/02/05 14:44:36 | 000,073,220 | ---- | C] ()
 EPPICPattern131.dat -> C:\WINDOWS\System32\EPPICPattern131.dat -> [2008/02/05 14:44:36 | 000,031,053 | ---- | C] ()
 EPPICPattern1.dat -> C:\WINDOWS\System32\EPPICPattern1.dat -> [2008/02/05 14:44:36 | 000,029,114 | ---- | C] ()
 EPPICPattern121.dat -> C:\WINDOWS\System32\EPPICPattern121.dat -> [2008/02/05 14:44:36 | 000,027,417 | ---- | C] ()
 EPPICPattern3.dat -> C:\WINDOWS\System32\EPPICPattern3.dat -> [2008/02/05 14:44:36 | 000,021,021 | ---- | C] ()
 EPPICPattern5.dat -> C:\WINDOWS\System32\EPPICPattern5.dat -> [2008/02/05 14:44:36 | 000,015,670 | ---- | C] ()
 EPPICPattern2.dat -> C:\WINDOWS\System32\EPPICPattern2.dat -> [2008/02/05 14:44:36 | 000,013,280 | ---- | C] ()
 EPPICPattern4.dat -> C:\WINDOWS\System32\EPPICPattern4.dat -> [2008/02/05 14:44:36 | 000,010,673 | ---- | C] ()
 EPPICPattern6.dat -> C:\WINDOWS\System32\EPPICPattern6.dat -> [2008/02/05 14:44:36 | 000,004,943 | ---- | C] ()
 EPPICPresetData_PT.dat -> C:\WINDOWS\System32\EPPICPresetData_PT.dat -> [2008/02/05 14:44:36 | 000,001,140 | ---- | C] ()
 EPPICPresetData_BP.dat -> C:\WINDOWS\System32\EPPICPresetData_BP.dat -> [2008/02/05 14:44:36 | 000,001,140 | ---- | C] ()
 EPPICPresetData_ES.dat -> C:\WINDOWS\System32\EPPICPresetData_ES.dat -> [2008/02/05 14:44:36 | 000,001,137 | ---- | C] ()
 EPPICPresetData_FR.dat -> C:\WINDOWS\System32\EPPICPresetData_FR.dat -> [2008/02/05 14:44:36 | 000,001,130 | ---- | C] ()
 EPPICPresetData_CF.dat -> C:\WINDOWS\System32\EPPICPresetData_CF.dat -> [2008/02/05 14:44:36 | 000,001,130 | ---- | C] ()
 EPPICPresetData_EN.dat -> C:\WINDOWS\System32\EPPICPresetData_EN.dat -> [2008/02/05 14:44:36 | 000,001,104 | ---- | C] ()
 PICSDK.ini -> C:\WINDOWS\System32\PICSDK.ini -> [2008/02/05 14:44:36 | 000,000,097 | ---- | C] ()
 EPSC120.ini -> C:\WINDOWS\EPSC120.ini -> [2008/02/05 14:44:13 | 000,000,077 | ---- | C] ()
 ativpsrm.bin -> C:\WINDOWS\ativpsrm.bin -> [2007/11/14 08:32:29 | 000,000,000 | ---- | C] ()
 ati2sgag.exe -> C:\WINDOWS\System32\ati2sgag.exe -> [2007/11/14 08:27:44 | 000,593,920 | ---- | C] ()
 ativvaxx.dat -> C:\WINDOWS\System32\ativvaxx.dat -> [2007/09/28 21:36:05 | 003,107,788 | ---- | C] ()
 ativva5x.dat -> C:\WINDOWS\System32\ativva5x.dat -> [2007/09/28 21:36:05 | 003,107,788 | ---- | C] ()
 ativva6x.dat -> C:\WINDOWS\System32\ativva6x.dat -> [2007/09/28 21:36:05 | 000,972,072 | ---- | C] ()
 atiicdxx.dat -> C:\WINDOWS\System32\atiicdxx.dat -> [2007/08/14 16:11:53 | 000,156,671 | ---- | C] ()
 QTSBandwidthCache -> C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache -> [2006/12/20 14:07:33 | 000,000,584 | ---- | C] ()
 DfrgUIEx.INI -> C:\WINDOWS\DfrgUIEx.INI -> [2006/03/10 10:47:32 | 000,000,026 | ---- | C] ()
 LCDMedia.INI -> C:\WINDOWS\LCDMedia.INI -> [2006/02/02 08:11:05 | 000,000,000 | ---- | C] ()
 KGyGaAvL.sys -> C:\WINDOWS\System32\KGyGaAvL.sys -> [2005/07/21 06:00:24 | 000,000,848 | -HS- | C] ()
 UNWISE.EXE -> C:\WINDOWS\UNWISE.EXE -> [2005/07/04 19:13:36 | 000,149,504 | ---- | C] ()
 checkip.dat -> C:\WINDOWS\checkip.dat -> [2005/06/06 20:13:08 | 000,002,500 | ---- | C] ()
 ipconfig.dat -> C:\WINDOWS\ipconfig.dat -> [2005/06/06 20:09:37 | 000,003,382 | ---- | C] ()
 LEXSTAT.INI -> C:\WINDOWS\LEXSTAT.INI -> [2005/05/16 12:27:24 | 000,000,486 | ---- | C] ()
 instlsp.exe -> C:\WINDOWS\System32\instlsp.exe -> [2005/05/06 05:42:10 | 000,032,768 | ---- | C] ()
 DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> C:\Documents and Settings\john ercolino.DBMKS671\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> [2005/04/23 16:03:09 | 000,006,144 | ---- | C] ()
 cdPlayer.ini -> C:\WINDOWS\cdPlayer.ini -> [2005/04/15 06:39:34 | 000,002,206 | ---- | C] ()
 PFP120JPR.{PB -> C:\Documents and Settings\john ercolino.DBMKS671\Application Data\PFP120JPR.{PB -> [2005/04/12 10:28:00 | 000,061,678 | ---- | C] ()
 PFP120JCM.{PB -> C:\Documents and Settings\john ercolino.DBMKS671\Application Data\PFP120JCM.{PB -> [2005/04/12 10:28:00 | 000,012,358 | ---- | C] ()
 BTI.INI -> C:\WINDOWS\BTI.INI -> [2005/04/10 11:52:38 | 000,000,784 | ---- | C] ()
 smscfg.ini -> C:\WINDOWS\smscfg.ini -> [2005/04/01 17:15:09 | 000,000,061 | ---- | C] ()
 wininit.ini -> C:\WINDOWS\wininit.ini -> [2005/04/01 17:13:23 | 000,000,177 | ---- | C] ()
 BOOTSTAT.DAT -> C:\WINDOWS\BOOTSTAT.DAT -> [2005/04/01 16:57:46 | 000,002,048 | --S- | C] ()
 PERFH009.DAT -> C:\WINDOWS\System32\PERFH009.DAT -> [2005/04/01 16:56:18 | 000,457,866 | ---- | C] ()
 PERFC009.DAT -> C:\WINDOWS\System32\PERFC009.DAT -> [2005/04/01 16:56:18 | 000,077,344 | ---- | C] ()
 OEMINFO.INI -> C:\WINDOWS\System32\OEMINFO.INI -> [2005/04/01 16:43:26 | 000,000,367 | ---- | C] ()
 px.ini -> C:\WINDOWS\System32\px.ini -> [2005/01/28 09:08:34 | 000,000,000 | ---- | C] ()
 oembios.bin -> C:\WINDOWS\System32\oembios.bin -> [2004/08/12 07:36:06 | 013,107,200 | ---- | C] ()
 oembios.dat -> C:\WINDOWS\System32\oembios.dat -> [2004/08/12 07:36:06 | 000,004,627 | ---- | C] ()
 secupd.dat -> C:\WINDOWS\System32\secupd.dat -> [2004/08/12 07:28:00 | 000,004,569 | ---- | C] ()
 perfi009.dat -> C:\WINDOWS\System32\perfi009.dat -> [2004/08/12 07:26:08 | 000,272,128 | ---- | C] ()
 perfd009.dat -> C:\WINDOWS\System32\perfd009.dat -> [2004/08/12 07:26:06 | 000,028,626 | ---- | C] ()
 mlang.dat -> C:\WINDOWS\System32\mlang.dat -> [2004/08/12 07:22:08 | 000,673,088 | ---- | C] ()
 mib.bin -> C:\WINDOWS\System32\mib.bin -> [2004/08/12 07:22:02 | 000,046,258 | ---- | C] ()
 dssec.dat -> C:\WINDOWS\System32\dssec.dat -> [2004/08/12 07:18:56 | 000,218,003 | ---- | C] ()
 dcache.bin -> C:\WINDOWS\System32\dcache.bin -> [2004/08/12 07:18:32 | 000,001,804 | ---- | C] ()
 ORUN32.INI -> C:\WINDOWS\ORUN32.INI -> [2004/08/11 18:25:56 | 000,000,791 | ---- | C] ()
 FNTCACHE.DAT -> C:\WINDOWS\System32\FNTCACHE.DAT -> [2004/08/11 18:20:10 | 000,255,864 | ---- | C] ()
 ODBCINST.INI -> C:\WINDOWS\ODBCINST.INI -> [2004/08/11 18:14:38 | 000,004,161 | ---- | C] ()
 emptyregdb.dat -> C:\WINDOWS\System32\emptyregdb.dat -> [2004/08/11 18:12:16 | 000,023,428 | ---- | C] ()
 NOISE.DAT -> C:\WINDOWS\System32\NOISE.DAT -> [2004/08/04 06:00:00 | 000,000,741 | ---- | C] ()
 SETPWRCG.EXE -> C:\WINDOWS\SETPWRCG.EXE -> [2004/07/19 17:01:02 | 000,045,056 | ---- | C] ()
 PAW120.ini -> C:\WINDOWS\PAW120.ini -> [2003/02/18 08:28:30 | 000,003,210 | ---- | C] ()
 W32MKRC.DLL -> C:\WINDOWS\System32\W32MKRC.DLL -> [2000/02/08 01:05:36 | 000,110,080 | R--- | C] ()
 W32MKDE.EXE -> C:\WINDOWS\System32\W32MKDE.EXE -> [2000/02/08 01:05:34 | 000,320,512 | R--- | C] ()
 NWLOCALE.DLL -> C:\WINDOWS\System32\NWLOCALE.DLL -> [2000/02/08 01:05:34 | 000,038,576 | ---- | C] ()
 ati2evxx.exe -> C:\WINDOWS\System32\ati2evxx.exe -> [1980/01/01 01:00:00 | 000,389,120 | ---- | C] ()
 ati2evxx.dll -> C:\WINDOWS\System32\ati2evxx.dll -> [1980/01/01 01:00:00 | 000,086,016 | ---- | C] ()
 
[Alternate Data Streams]
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 150 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:07BF512B
< End of report >
```


----------



## john m ercolino (Jan 14, 2007)

I need to go out for a while; I'll be back in about an hour.
Here are the logs:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line: 
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 189):

Processes (total 43):
0 System Idle Process
4 System
784 C:\WINDOWS\SYSTEM32\smss.exe
832 csrss.exe
856 C:\WINDOWS\SYSTEM32\winlogon.exe
900 C:\WINDOWS\SYSTEM32\services.exe
912 C:\WINDOWS\SYSTEM32\lsass.exe
1112 C:\WINDOWS\SYSTEM32\ati2evxx.exe
1128 C:\WINDOWS\SYSTEM32\svchost.exe
1200 svchost.exe
1268 C:\Program Files\Windows Defender\MsMpEng.exe
1336 C:\WINDOWS\SYSTEM32\svchost.exe
1432 svchost.exe
1512 svchost.exe
1632 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1812 C:\WINDOWS\explorer.exe
1972 C:\Program Files\Analog Devices\Core\smax4pnp.exe
1980 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
1988 C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
324 C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
348 C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
364 C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
376 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
400 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
640 C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
1652 C:\WINDOWS\SYSTEM32\LEXBCES.EXE
1536 C:\WINDOWS\SYSTEM32\spoolsv.exe
1700 C:\WINDOWS\SYSTEM32\LEXPPS.EXE
2236 svchost.exe
2272 agent.exe
2328 C:\Program Files\Acronis\BackupServer\backupserver.exe
2352 C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
2428 C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe
2452 C:\Program Files\Java\jre6\bin\jqs.exe
2496 C:\WINDOWS\SYSTEM32\svchost.exe
3576 alg.exe
2372 C:\WINDOWS\SYSTEM32\wuauclt.exe
3852 C:\WINDOWS\notepad.exe
3728 C:\Program Files\Internet Explorer\iexplore.exe
3024 C:\Program Files\Internet Explorer\iexplore.exe
1280 C:\WINDOWS\SYSTEM32\wscntfy.exe
2172 C:\Program Files\Windows Defender\MSASCui.exe
2252 C:\Documents and Settings\john ercolino.DBMKS671\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f11000 (NTFS)

PhysicalDrive0 Model Number: ·

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Legit MBR code detected
SHA1: 829FE44D735D24CF2D8106853DEE9DFE5FEED23F
Done!


```
OTS logfile created on: 3/12/2011 2:46:36 PM - Run 1
OTS by OldTimer - Version 3.1.42.0     Folder = C:\Documents and Settings\john ercolino.DBMKS671\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 85.00% Memory free
6.00 Gb Paging File | 6.00 Gb Available in Paging File | 95.00% Paging File free
Paging file location(s): C:\pagefile.sys 3092 3092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 90.81 Gb Total Space | 55.92 Gb Free Space | 61.57% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 3.73 Gb Total Space | 3.02 Gb Free Space | 81.05% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: DBMKS671
Current User Name: john ercolino
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
 
[Processes - Safe List]
ots.exe -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\OTS.exe -> [2011/03/12 14:44:26 | 000,645,632 | ---- | M] (OldTimer Tools)
avastui.exe -> C:\Program Files\Alwil Software\Avast5\AvastUI.exe -> [2011/02/23 10:04:20 | 003,451,496 | ---- | M] (AVAST Software)
avastsvc.exe -> C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -> [2011/02/23 10:04:19 | 000,042,184 | ---- | M] (AVAST Software)
explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation)
msmpeng.exe -> C:\Program Files\Windows Defender\MsMpEng.exe -> [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation)
trueimagemonitor.exe -> C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe -> [2006/07/21 08:03:00 | 001,106,528 | ---- | M] (Acronis)
backupserver.exe -> C:\Program Files\Acronis\BackupServer\backupserver.exe -> [2006/07/21 01:25:20 | 009,025,808 | ---- | M] (Acronis)
agent.exe -> C:\Program Files\Common Files\Acronis\Agent\agent.exe -> [2006/07/20 23:50:16 | 000,319,488 | ---- | M] (Acronis)
timountermonitor.exe -> C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe -> [2006/07/20 23:15:32 | 001,848,155 | ---- | M] (Acronis)
schedhlp.exe -> C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe -> [2006/07/20 23:13:48 | 000,126,976 | ---- | M] (Acronis)
schedul2.exe -> C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -> [2006/07/20 23:13:42 | 000,204,800 | ---- | M] (Acronis)
iaanotif.exe -> C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe -> [2005/10/12 11:30:42 | 000,139,264 | ---- | M] (Intel Corporation)
iaantmon.exe -> C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe -> [2004/03/23 13:15:40 | 000,073,852 | ---- | M] (Intel Corporation)
em_exec.exe -> C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE -> [2003/11/14 09:50:00 | 000,037,888 | ---- | M] (Logitech Inc.)
 
[Modules - Safe List]
ots.exe -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\OTS.exe -> [2011/03/12 14:44:26 | 000,645,632 | ---- | M] (OldTimer Tools)
comctl32.dll -> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll -> [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation)
lgmsghk.dll -> C:\Program Files\Common Files\Logitech\Scrolling\LGMSGHK.DLL -> [2003/11/14 09:50:00 | 000,024,064 | ---- | M] (Logitech Inc.)
lgwndhk.dll -> C:\Program Files\Logitech\MouseWare\system\LgWndHk.dll -> [2003/11/14 09:50:00 | 000,006,144 | ---- | M] (Logitech Inc.)
 
[Win32 Services - Safe List]
(McMPFSvc) McAfee Personal Firewall [Auto | Stopped] ->  -> File not found
(avast! Antivirus) avast! Antivirus [Auto | Running] -> C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -> [2011/02/23 10:04:19 | 000,042,184 | ---- | M] (AVAST Software)
(EPSON_PM_RPCV4_01) EPSON V3 Service4(01) [Auto | Stopped] -> C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE -> [2007/01/11 04:02:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION)
(WinDefend) Windows Defender [Auto | Running] -> C:\Program Files\Windows Defender\MsMpEng.exe -> [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation)
(AcronisBackupServerService) Acronis Backup Server Service [Auto | Running] -> C:\Program Files\Acronis\BackupServer\backupserver.exe -> [2006/07/21 01:25:20 | 009,025,808 | ---- | M] (Acronis)
(AcronisAgent) Acronis Remote Agent [Auto | Running] -> C:\Program Files\Common Files\Acronis\Agent\agent.exe -> [2006/07/20 23:50:16 | 000,319,488 | ---- | M] (Acronis)
(AcrSch2Svc) Acronis Scheduler2 Service [Auto | Running] -> C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -> [2006/07/20 23:13:42 | 000,204,800 | ---- | M] (Acronis)
(IAANTMon) IAA Event Monitor [Auto | Running] -> C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe -> [2004/03/23 13:15:40 | 000,073,852 | ---- | M] (Intel Corporation)
 
[Driver Services - Safe List]
(aswSnx) aswSnx [File_System | System | Running] -> C:\WINDOWS\System32\drivers\aswSnx.sys -> [2011/02/23 09:56:55 | 000,371,544 | ---- | M] (AVAST Software)
(aswSP) aswSP [Kernel | System | Running] -> C:\WINDOWS\System32\drivers\aswSP.sys -> [2011/02/23 09:56:45 | 000,301,528 | ---- | M] (AVAST Software)
(aswTdi) avast! Network Shield Support [Kernel | System | Running] -> C:\WINDOWS\System32\drivers\aswTdi.sys -> [2011/02/23 09:55:49 | 000,049,240 | ---- | M] (AVAST Software)
(aswMon2) avast! Standard Shield Support [File_System | Auto | Running] -> C:\WINDOWS\System32\drivers\aswmon2.sys -> [2011/02/23 09:55:47 | 000,102,232 | ---- | M] (AVAST Software)
(aswRdr) aswRdr [Kernel | System | Running] -> C:\WINDOWS\System32\drivers\aswRdr.sys -> [2011/02/23 09:55:10 | 000,025,432 | ---- | M] (AVAST Software)
(Aavmker4) avast! Asynchronous Virus Monitor [Kernel | System | Running] -> C:\WINDOWS\System32\drivers\aavmker4.sys -> [2011/02/23 09:54:57 | 000,030,680 | ---- | M] (AVAST Software)
(aswFsBlk) aswFsBlk [File_System | Auto | Running] -> C:\WINDOWS\System32\drivers\aswFsBlk.sys -> [2011/02/23 09:54:55 | 000,019,544 | ---- | M] (AVAST Software)
(timounter) Acronis True Image Backup Archive Explorer [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\timntr.sys -> [2010/07/06 23:26:12 | 000,388,000 | ---- | M] (Acronis)
(tifsfilter) Acronis True Image FS Filter [File_System | Auto | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\tifsfilt.sys -> [2010/07/06 23:26:12 | 000,032,288 | ---- | M] (Acronis)
(snapman) Acronis Snapshots Manager [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\snapman.sys -> [2010/07/06 23:26:09 | 000,099,776 | ---- | M] (Acronis)
(Tcpip6) Microsoft IPv6 Protocol Driver [Kernel | System | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\tcpip6.sys -> [2010/02/11 07:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation)
(cpudrv) cpudrv [Kernel | On_Demand | Stopped] -> C:\Program Files\SystemRequirementsLab\cpudrv.sys -> [2009/12/18 09:58:52 | 000,011,336 | ---- | M] ()
(LGVirHid) Logitech Gamepanel Virtual HID Device Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\SYSTEM32\DRIVERS\LGVirHid.sys -> [2009/11/23 17:37:18 | 000,014,856 | ---- | M] (Logitech Inc.)
(LGBusEnum) Logitech GamePanel Virtual Bus Enumerator Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\SYSTEM32\DRIVERS\LGBusEnum.sys -> [2009/11/23 17:37:08 | 000,019,720 | ---- | M] (Logitech Inc.)
(senfilt) senfilt [Kernel | On_Demand | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\senfilt.sys -> [2004/09/17 11:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.)
(ati2mtag) ati2mtag [Kernel | On_Demand | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys -> [2004/08/25 10:28:46 | 000,787,456 | ---- | M] (ATI Technologies Inc.)
(b57w2k) Broadcom NetXtreme 57xx Gigabit Controller [Kernel | On_Demand | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\b57xp32.sys -> [2004/05/29 18:41:54 | 000,186,112 | ---- | M] (Broadcom Corporation)
(LMouFlt2) Logitech Mouse Class Filter Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\LMouFlt2.Sys -> [2003/11/07 04:50:00 | 000,070,798 | ---- | M] (Logitech, Inc.)
(LHidUsb) Logitech USB Receiver device driver [Kernel | On_Demand | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\LHidUsb.sys -> [2003/11/07 04:50:00 | 000,037,884 | ---- | M] (Logitech, Inc.)
(LHidFlt2) Logitech HID/USB Mouse Filter Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\LHidFlt2.Sys -> [2003/11/07 04:50:00 | 000,025,502 | ---- | M] (Logitech, Inc.)
(omci) OMCI WDM Device Driver [Kernel | System | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -> [2002/11/08 14:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation)
(OlCamudp) OLYMPUS Digital Camera [Kernel | On_Demand | Stopped] -> C:\WINDOWS\SYSTEM32\DRIVERS\olcamudp.sys -> [2000/02/08 03:55:12 | 000,010,379 | R--- | M] (OLYMPUS Optical Co.,Ltd.)
 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\"SearchDefaultBranded" -> 1 -> 
HKEY_CURRENT_USER\: Main\\"SearchMigratedDefaultName" -> Google -> 
HKEY_CURRENT_USER\: Main\\"SearchMigratedDefaultURL" -> http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 -> 
HKEY_CURRENT_USER\: Main\\"Start Page" -> http://news.yahoo.com/ -> 
HKEY_CURRENT_USER\: SearchURL\\"" -> http://www.google.com/keyword/%s -> 
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 -> 
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions ->  -> 
< FireFox Extensions [User Folders] > -> 
< HOSTS File > ([2011/03/07 16:47:23 | 000,000,027 | ---- | M] - 1 lines) -> C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts -> 
Reset Hosts
127.0.0.1       localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> [2011/01/21 15:43:07 | 000,061,888 | ---- | M] (Adobe Systems Incorporated)
{601ED020-FB6C-11D3-87D8-0050DA59922B} [HKLM] -> C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll [WsftpBrowserHelper Class] -> [2004/08/18 14:35:14 | 000,118,830 | ---- | M] (Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421)
{8E5E2654-AD2D-48bf-AC2D-D17F00898D06} [HKLM] -> C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll [avast! WebRep] -> [2011/02/23 10:04:16 | 000,814,160 | ---- | M] ()
{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} [HKLM] -> C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [EpsonToolBandKicker Class] -> [2005/02/22 13:50:34 | 000,368,640 | ---- | M] (SEIKO EPSON CORPORATION)
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
"{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}" [HKLM] -> C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll [avast! WebRep] -> [2011/02/23 10:04:16 | 000,814,160 | ---- | M] ()
"{EE5D279F-081B-4404-994D-C6B60AAEBA6D}" [HKLM] -> C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [EPSON Web-To-Page] -> [2005/02/22 13:50:34 | 000,368,640 | ---- | M] (SEIKO EPSON CORPORATION)
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{EE5D279F-081B-4404-994D-C6B60AAEBA6D}" [HKLM] -> C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [EPSON Web-To-Page] -> [2005/02/22 13:50:34 | 000,368,640 | ---- | M] (SEIKO EPSON CORPORATION)
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"Acronis Scheduler2 Service" -> C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe ["C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"] -> [2006/07/20 23:13:48 | 000,126,976 | ---- | M] (Acronis)
"AcronisTimounterMonitor" -> C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe [C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe] -> [2006/07/20 23:15:32 | 001,848,155 | ---- | M] (Acronis)
"avast" -> C:\Program Files\Alwil Software\Avast5\avastUI.exe ["C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui] -> [2011/02/23 10:04:20 | 003,451,496 | ---- | M] (AVAST Software)
"IAAnotif" -> C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe [C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe] -> [2005/10/12 11:30:42 | 000,139,264 | ---- | M] (Intel Corporation)
"KernelFaultCheck" ->  [%systemroot%\system32\dumprep 0 -k] -> File not found
"Logitech Utility" -> C:\WINDOWS\LOGI_MWX.EXE [Logi_MwX.Exe] -> [2003/11/07 04:50:00 | 000,019,968 | ---- | M] (Logitech Inc.)
"TrueImageMonitor.exe" -> C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe [C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe] -> [2006/07/21 08:03:00 | 001,106,528 | ---- | M] (Acronis)
"UpdateManager" -> C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe ["C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r] -> [2004/01/07 02:01:00 | 000,110,592 | ---- | M] (Sonic Solutions)
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
< john ercolino.DBMKS671 Startup Folder > -> C:\Documents and Settings\john ercolino.DBMKS671\Start Menu\Programs\Startup -> 
< Software Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoCDBurning" ->  [0] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDrives" ->  [0] -> File not found
\\"HonorAutoRunSetting" ->  [1] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDrives" ->  [0] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] ->  [Reg Error: Value error.] -> File not found
CmdMapping\\"{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}" [HKLM] ->  [Reg Error: Key error.] -> File not found
CmdMapping\\"{e2e2dd38-d088-4134-82b7-f2ba38496583}" [HKLM] ->  [Reg Error: Key error.] -> File not found
CmdMapping\\"{EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A}" [HKLM] -> C:\Program Files\IrfanView\Ebay\Ebay.htm [eBay - Homepage] -> [2005/04/12 04:07:46 | 000,000,378 | ---- | M] ()
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] ->  [Reg Error: Key error.] -> File not found
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 2 domain(s) found. -> 
internet .[about] -> Trusted sites -> 
mcafee.com .[https] -> Trusted sites -> 
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{17492023-C23A-453E-A040-C7C580BBF700} [HKLM] -> http://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab [Windows Genuine Advantage Validation Tool] -> 
{31435657-9980-0010-8000-00AA00389B71} [HKLM] -> http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab [Reg Error: Key error.] -> 
{6414512B-B978-451D-A0D8-FCFDF33E833C} [HKLM] -> http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1271905715648 [WUWebControl Class] -> 
{7530BFB8-7293-4D34-9923-61A11451AFC5} [HKLM] -> http://download.eset.com/special/eos/OnlineScanner.cab [Reg Error: Key error.] -> 
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [HKLM] -> http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab [Reg Error: Key error.] -> 
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab [Reg Error: Key error.] -> 
{CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} [HKLM] -> http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab [SysInfo Class] -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab [Shockwave Flash Object] -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ -> 
DhcpNameServer -> 192.168.1.1 -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{3CCB81F0-A67F-4087-A902-72B4F8A34FE6}\\DhcpNameServer -> 192.168.1.1   (Broadcom NetXtreme 57xx Gigabit Controller) -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
Explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks -> 
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" [HKLM] -> C:\Program Files\Windows Defender\MpShHook.dll [Microsoft AntiMalware ShellExecuteHook] -> [2006/11/03 19:20:00 | 000,083,224 | ---- | M] (Microsoft Corporation)
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -> 
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> 
"C:\Program Files\Acronis\TrueImageWorkstation\TrueImage.exe" -> C:\Program Files\Acronis\TrueImageWorkstation\TrueImage.exe [C:\Program Files\Acronis\TrueImageWorkstation\TrueImage.exe:*:Enabled:TrueImage] -> [2006/07/21 08:08:06 | 011,936,517 | ---- | M] (Acronis)
"C:\Program Files\Common Files\Acronis\Agent\agent.exe" -> C:\Program Files\Common Files\Acronis\Agent\agent.exe [C:\Program Files\Common Files\Acronis\Agent\agent.exe:*:Enabled:Acronis Remote Agent] -> [2006/07/20 23:50:16 | 000,319,488 | ---- | M] (Acronis)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot -> 
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 -> 
"DisplayName" -> CD-ROM Driver -> 
"ImagePath" ->  [system32\DRIVERS\cdrom.sys] -> File not found
< Drives with AutoRun files > ->  -> 
C:\AUTOEXEC.BAT [] -> C:\AUTOEXEC.BAT [ NTFS ] -> [2004/08/11 18:15:00 | 000,000,000 | ---- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> 
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command -> 
comfile [open] -> "%1" %* -> 
exefile [open] -> "%1" %* -> 
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ -> 
.com [@ = comfile] -> "%1" %* -> 
.exe [@ = exefile] -> "%1" %* -> 
 
[Registry - Additional Scans - Safe List]
< Disabled MSConfig State [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state -> 
"bootini" -> 2 -> 
"services" -> 0 -> 
"startup" -> 0 -> 
"system.ini" -> 0 -> 
"win.ini" -> 0 -> 
< EventViewer Logs - Last 10 Errors > -> Event Information -> Description
Application [ Error ] 3/11/2011 10:07:04 PM Computer Name = DBMKS671 | Source = Application Error | ID = 1000 -> Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.
Application [ Error ] 3/11/2011 10:10:34 PM Computer Name = DBMKS671 | Source = Application Error | ID = 1000 -> Description = Faulting application pev.cfxxe, version 0.0.0.0, faulting module pev.cfxxe, version 0.0.0.0, fault address 0x000ce040.
Application [ Error ] 3/11/2011 10:48:09 PM Computer Name = DBMKS671 | Source = crypt32 | ID = 131080 -> Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.  
Application [ Error ] 3/11/2011 11:16:09 PM Computer Name = DBMKS671 | Source = crypt32 | ID = 131080 -> Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.  
Application [ Error ] 3/11/2011 11:16:28 PM Computer Name = DBMKS671 | Source = Application Error | ID = 1000 -> Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version 0.0.0.0, fault address 0x715ba067.
Application [ Error ] 3/12/2011 1:21:34 AM Computer Name = DBMKS671 | Source = Application Error | ID = 1000 -> Description = Faulting application onlinecmdlinescanner.exe, version 0.0.0.0, faulting module esets_apiw_a.dll, version 3.0.15.0, fault address 0x00004440.
Application [ Error ] 3/12/2011 1:23:19 AM Computer Name = DBMKS671 | Source = Application Error | ID = 1001 -> Description = Fault bucket -2075597031.
Application [ Error ] 3/12/2011 11:17:54 AM Computer Name = DBMKS671 | Source = Application Hang | ID = 1002 -> Description = Hanging application ComboFix[1].exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Application [ Error ] 3/12/2011 11:25:34 AM Computer Name = DBMKS671 | Source = Application Error | ID = 1000 -> Description = Faulting application pev.cfxxe, version 0.0.0.0, faulting module pev.cfxxe, version 0.0.0.0, fault address 0x000ce040.
Application [ Error ] 3/12/2011 11:27:46 AM Computer Name = DBMKS671 | Source = Application Error | ID = 1000 -> Description = Faulting application pev.cfxxe, version 0.0.0.0, faulting module pev.cfxxe, version 0.0.0.0, fault address 0x00041355.
System [ Error ] 3/12/2011 1:01:46 AM Computer Name = DBMKS671 | Source = Service Control Manager | ID = 7026 -> Description = The following boot-start or system-start driver(s) failed to load:   Aavmker4  aswSnx  aswSP  aswTdi  Fips  intelppm
System [ Error ] 3/12/2011 1:23:43 AM Computer Name = DBMKS671 | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service EventSystem with arguments ""  in order to run the server:  {1BE1F766-5536-11D1-B726-00C04FB926AF}
System [ Error ] 3/12/2011 1:24:43 AM Computer Name = DBMKS671 | Source = Service Control Manager | ID = 7003 -> Description = The McAfee Personal Firewall service depends on the following nonexistent service: MfeFire
System [ Error ] 3/12/2011 1:44:46 AM Computer Name = DBMKS671 | Source = Service Control Manager | ID = 7003 -> Description = The McAfee Personal Firewall service depends on the following nonexistent service: MfeFire
System [ Error ] 3/12/2011 1:52:57 AM Computer Name = DBMKS671 | Source = Service Control Manager | ID = 7003 -> Description = The McAfee Personal Firewall service depends on the following nonexistent service: MfeFire
System [ Error ] 3/12/2011 2:16:40 AM Computer Name = DBMKS671 | Source = MRxSmb | ID = 8003 -> Description = The master browser has received a server announcement from the computer AMYZAHRALABA-PC  that believes that it is the master browser for the domain on transport NetBT_Tcpip_{3CCB81F0-A67.  The master browser is stopping or an election is being forced.
System [ Error ] 3/12/2011 3:18:58 AM Computer Name = DBMKS671 | Source = Ntfs | ID = 262199 -> Description = The file system structure on the disk is corrupt and unusable.  Please run the chkdsk utility on the volume C:.
System [ Error ] 3/12/2011 4:00:38 AM Computer Name = DBMKS671 | Source = Windows Update Agent | ID = 20 -> Description = Installation Failure: Windows failed to install the following update with error 0x8007f064: Cumulative Security Update for Internet Explorer 8 for Windows XP (KB2482017).
System [ Error ] 3/12/2011 4:00:38 AM Computer Name = DBMKS671 | Source = Windows Update Agent | ID = 20 -> Description = Installation Failure: Windows failed to install the following update with error 0x80070643: Windows Malicious Software Removal Tool - March 2011 (KB890830).
System [ Error ] 3/12/2011 9:26:16 AM Computer Name = DBMKS671 | Source = MRxSmb | ID = 8003 -> Description = The master browser has received a server announcement from the computer AMYZAHRALABA-PC  that believes that it is the master browser for the domain on transport NetBT_Tcpip_{3CCB81F0-A67.  The master browser is stopping or an election is being forced.
 
[Files/Folders - Created Within 30 Days]
 OTS.exe -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\OTS.exe -> [2011/03/12 14:44:25 | 000,645,632 | ---- | C] (OldTimer Tools)
 tdsskiller -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\tdsskiller -> [2011/03/12 14:16:43 | 000,000,000 | ---D | C]
 puppy -> C:\puppy -> [2011/03/12 10:20:08 | 000,000,000 | --SD | C]
 F-Secure -> C:\Documents and Settings\All Users\Application Data\F-Secure -> [2011/03/11 22:15:18 | 000,000,000 | ---D | C]
 lhmstscx.dll -> C:\WINDOWS\System32\dllcache\lhmstscx.dll -> [2011/03/11 21:43:19 | 002,067,456 | ---- | C] (Microsoft Corporation)
 ie8 -> C:\WINDOWS\ie8 -> [2011/03/11 20:46:48 | 000,000,000 | -H-D | C]
 TDSSKiller.exe -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\TDSSKiller.exe -> [2011/03/10 12:27:50 | 001,377,112 | ---- | C] (Kaspersky Lab ZAO)
 RECYCLER -> C:\RECYCLER -> [2011/03/07 18:20:42 | 000,000,000 | -HSD | C]
 WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe -> [2011/03/07 17:02:20 | 004,608,744 | ---- | C] (Microsoft Corporation)
 cmdcons -> C:\cmdcons -> [2011/03/07 16:04:11 | 000,000,000 | RHSD | C]
 SWXCACLS.exe -> C:\WINDOWS\SWXCACLS.exe -> [2011/03/07 16:02:28 | 000,212,480 | ---- | C] (SteelWerX)
 SWREG.exe -> C:\WINDOWS\SWREG.exe -> [2011/03/07 16:02:28 | 000,161,792 | ---- | C] (SteelWerX)
 SWSC.exe -> C:\WINDOWS\SWSC.exe -> [2011/03/07 16:02:28 | 000,136,704 | ---- | C] (SteelWerX)
 NIRCMD.exe -> C:\WINDOWS\NIRCMD.exe -> [2011/03/07 16:02:28 | 000,031,232 | ---- | C] (NirSoft)
 ERDNT -> C:\WINDOWS\ERDNT -> [2011/03/07 16:02:20 | 000,000,000 | ---D | C]
 avast! Free Antivirus -> C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus -> [2011/03/07 15:05:28 | 000,000,000 | ---D | C]
 Apple -> C:\Documents and Settings\LocalService\Local Settings\Application Data\Apple -> [2011/03/07 15:05:18 | 000,000,000 | ---D | C]
 Malwarebytes' Anti-Malware -> C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware -> [2011/03/07 15:04:56 | 000,000,000 | ---D | C]
 Qoobox -> C:\Qoobox -> [2011/03/07 15:04:55 | 000,000,000 | ---D | C]
 Sunbelt Software -> C:\Documents and Settings\john ercolino.DBMKS671\Local Settings\Application Data\Sunbelt Software -> [2011/03/07 15:04:54 | 000,000,000 | ---D | C]
 HiJackThis -> C:\Documents and Settings\john ercolino.DBMKS671\Start Menu\Programs\HiJackThis -> [2011/03/07 15:04:45 | 000,000,000 | ---D | C]
 FileASSASSIN -> C:\Documents and Settings\All Users\Start Menu\Programs\FileASSASSIN -> [2011/03/07 15:04:42 | 000,000,000 | ---D | C]
 IECompatCache -> C:\Documents and Settings\john ercolino.DBMKS671\IECompatCache -> [2011/03/04 13:10:26 | 000,000,000 | -HSD | C]
 PrivacIE -> C:\Documents and Settings\john ercolino.DBMKS671\PrivacIE -> [2011/03/04 13:07:36 | 000,000,000 | -HSD | C]
 IETldCache -> C:\Documents and Settings\john ercolino.DBMKS671\IETldCache -> [2011/03/04 13:06:54 | 000,000,000 | -HSD | C]
 ie8updates -> C:\WINDOWS\ie8updates -> [2011/03/04 13:04:42 | 000,000,000 | ---D | C]
 mbamswissarmy.sys -> C:\WINDOWS\System32\drivers\mbamswissarmy.sys -> [2011/03/03 19:38:42 | 000,038,224 | ---- | C] (Malwarebytes Corporation)
 mbam.sys -> C:\WINDOWS\System32\drivers\mbam.sys -> [2011/03/03 19:38:39 | 000,020,952 | ---- | C] (Malwarebytes Corporation)
 SBREDrv.sys -> C:\WINDOWS\System32\drivers\SBREDrv.sys -> [2011/03/03 17:04:44 | 000,098,392 | ---- | C] (Sunbelt Software)
 Lavasoft -> C:\Documents and Settings\All Users\Application Data\Lavasoft -> [2011/03/03 17:02:53 | 000,000,000 | ---D | C]
 Windows Defender -> C:\Program Files\Windows Defender -> [2011/03/03 14:10:57 | 000,000,000 | ---D | C]
 MSSTDFMT.DLL -> C:\WINDOWS\System32\MSSTDFMT.DLL -> [2011/03/02 15:07:28 | 000,118,784 | ---- | C] (Microsoft Corporation)
 aswSnx.sys -> C:\WINDOWS\System32\drivers\aswSnx.sys -> [2011/03/02 13:24:22 | 000,371,544 | ---- | C] (AVAST Software)
 FileASSASSIN -> C:\Program Files\FileASSASSIN -> [2011/03/02 12:38:18 | 000,000,000 | ---D | C]
 ENGINE PHOTOS -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\ENGINE PHOTOS -> [2011/02/21 13:43:56 | 000,000,000 | ---D | C]
 ATIDEMGR.dll -> C:\WINDOWS\System32\ATIDEMGR.dll -> [1980/01/01 01:00:00 | 000,151,552 | ---- | C] ( )
 10 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 
 
[Files/Folders - Modified Within 30 Days]
 OTS.exe -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\OTS.exe -> [2011/03/12 14:44:26 | 000,645,632 | ---- | M] (OldTimer Tools)
 MP Scheduled Scan.job -> C:\WINDOWS\tasks\MP Scheduled Scan.job -> [2011/03/12 14:26:17 | 000,000,330 | -H-- | M] ()
 wpa.dbl -> C:\WINDOWS\System32\wpa.dbl -> [2011/03/12 14:23:29 | 000,002,206 | ---- | M] ()
 BOOTSTAT.DAT -> C:\WINDOWS\BOOTSTAT.DAT -> [2011/03/12 14:23:06 | 000,002,048 | --S- | M] ()
 hiberfil.sys -> C:\hiberfil.sys -> [2011/03/12 14:22:46 | 3219,288,064 | -HS- | M] ()
 puppy.exe -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\puppy.exe -> [2011/03/12 10:19:07 | 004,286,091 | R--- | M] ()
 Auslogics Boost Speed Disk Defrag Console Defragmentation.job -> C:\WINDOWS\tasks\Auslogics Boost Speed Disk Defrag Console Defragmentation.job -> [2011/03/12 04:29:00 | 000,000,616 | ---- | M] ()
 WordPerfect.lnk -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\WordPerfect.lnk -> [2011/03/12 00:41:20 | 000,002,429 | ---- | M] ()
 imsins.BAK -> C:\WINDOWS\imsins.BAK -> [2011/03/11 21:44:45 | 000,001,374 | ---- | M] ()
 Launch Internet Explorer Browser.lnk -> C:\Documents and Settings\john ercolino.DBMKS671\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> [2011/03/11 20:49:32 | 000,000,815 | ---- | M] ()
 PAW120.ini -> C:\WINDOWS\PAW120.ini -> [2011/03/11 20:37:07 | 000,003,210 | ---- | M] ()
 avast! Free Antivirus.lnk -> C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk -> [2011/03/10 18:00:11 | 000,001,700 | ---- | M] ()
 config.nt -> C:\WINDOWS\System32\config.nt -> [2011/03/10 18:00:10 | 000,000,051 | ---- | M] ()
 TDSSKiller.exe -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\TDSSKiller.exe -> [2011/03/10 12:27:50 | 001,377,112 | ---- | M] (Kaspersky Lab ZAO)
 iis6.BAK -> C:\WINDOWS\iis6.BAK -> [2011/03/10 03:02:16 | 002,004,303 | ---- | M] ()
 th_French300.jpg -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\th_French300.jpg -> [2011/03/09 14:56:53 | 000,072,987 | ---- | M] ()
 boot.ini -> C:\boot.ini -> [2011/03/08 03:38:18 | 000,000,327 | ---- | M] ()
 boot.123 -> C:\boot.123 -> [2011/03/08 03:36:55 | 000,000,401 | RHS- | M] ()
 HiJackThis.lnk -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\HiJackThis.lnk -> [2011/03/07 18:20:08 | 000,002,481 | ---- | M] ()
 WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe -> [2011/03/07 17:02:23 | 004,608,744 | ---- | M] (Microsoft Corporation)
 hosts -> C:\WINDOWS\System32\drivers\ETC\hosts -> [2011/03/07 16:47:23 | 000,000,027 | ---- | M] ()
 AppleSoftwareUpdate.job -> C:\WINDOWS\tasks\AppleSoftwareUpdate.job -> [2011/03/05 22:53:01 | 000,000,284 | ---- | M] ()
 Bank of America  Online Banking  SiteKey  Verify SiteKey.url -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\Bank of America  Online Banking  SiteKey  Verify SiteKey.url -> [2011/03/05 08:17:24 | 000,000,284 | ---- | M] ()
 Girl_or_Car.pps -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\Girl_or_Car.pps -> [2011/03/04 11:26:07 | 002,809,856 | ---- | M] ()
 Malwarebytes' Anti-Malware.lnk -> C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk -> [2011/03/03 19:38:43 | 000,000,784 | ---- | M] ()
 SBREDrv.sys -> C:\WINDOWS\System32\drivers\SBREDrv.sys -> [2011/03/03 17:04:44 | 000,098,392 | ---- | M] (Sunbelt Software)
 rundll32.exe -> C:\WINDOWS\System32\dllcache\rundll32.exe -> [2011/03/03 13:37:02 | 000,033,280 | ---- | M] (Microsoft Corporation)
 1051646004 -> C:\Documents and Settings\john ercolino.DBMKS671\Local Settings\Application Data\1051646004 -> [2011/03/03 12:08:52 | 000,017,916 | -HS- | M] ()
 1051646004 -> C:\Documents and Settings\All Users\Application Data\1051646004 -> [2011/03/03 12:08:52 | 000,017,916 | -HS- | M] ()
 wininit.ini -> C:\WINDOWS\wininit.ini -> [2011/03/02 15:10:48 | 000,000,177 | ---- | M] ()
 Default.rdp -> C:\Documents and Settings\john ercolino.DBMKS671\My Documents\Default.rdp -> [2011/03/02 13:47:21 | 000,000,000 | -H-- | M] ()
 FileASSASSIN.lnk -> C:\Documents and Settings\All Users\Desktop\FileASSASSIN.lnk -> [2011/03/02 12:38:18 | 000,000,730 | ---- | M] ()
 Buff_-_4_PDF.pdf -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\Buff_-_4_PDF.pdf -> [2011/02/25 16:00:30 | 005,755,538 | ---- | M] ()
 avastSS.scr -> C:\WINDOWS\avastSS.scr -> [2011/02/23 10:04:21 | 000,040,648 | ---- | M] (AVAST Software)
 aswBoot.exe -> C:\WINDOWS\System32\aswBoot.exe -> [2011/02/23 10:04:17 | 000,190,016 | ---- | M] (AVAST Software)
 aswSnx.sys -> C:\WINDOWS\System32\drivers\aswSnx.sys -> [2011/02/23 09:56:55 | 000,371,544 | ---- | M] (AVAST Software)
 aswSP.sys -> C:\WINDOWS\System32\drivers\aswSP.sys -> [2011/02/23 09:56:45 | 000,301,528 | ---- | M] (AVAST Software)
 aswTdi.sys -> C:\WINDOWS\System32\drivers\aswTdi.sys -> [2011/02/23 09:55:49 | 000,049,240 | ---- | M] (AVAST Software)
 aswmon2.sys -> C:\WINDOWS\System32\drivers\aswmon2.sys -> [2011/02/23 09:55:47 | 000,102,232 | ---- | M] (AVAST Software)
 aswmon.sys -> C:\WINDOWS\System32\drivers\aswmon.sys -> [2011/02/23 09:55:44 | 000,096,344 | ---- | M] (AVAST Software)
 aswRdr.sys -> C:\WINDOWS\System32\drivers\aswRdr.sys -> [2011/02/23 09:55:10 | 000,025,432 | ---- | M] (AVAST Software)
 aavmker4.sys -> C:\WINDOWS\System32\drivers\aavmker4.sys -> [2011/02/23 09:54:57 | 000,030,680 | ---- | M] (AVAST Software)
 aswFsBlk.sys -> C:\WINDOWS\System32\drivers\aswFsBlk.sys -> [2011/02/23 09:54:55 | 000,019,544 | ---- | M] (AVAST Software)
 10 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 
 
[Files - No Company Name]
 puppy.exe -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\puppy.exe -> [2011/03/12 10:19:07 | 004,286,091 | R--- | C] ()
 hiberfil.sys -> C:\hiberfil.sys -> [2011/03/12 00:24:26 | 3219,288,064 | -HS- | C] ()
 th_French300.jpg -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\th_French300.jpg -> [2011/03/09 14:56:53 | 000,072,987 | ---- | C] ()
 boot.ini -> C:\boot.ini -> [2011/03/08 03:37:15 | 000,000,327 | ---- | C] ()
 PEV.exe -> C:\WINDOWS\PEV.exe -> [2011/03/07 16:02:28 | 000,256,512 | ---- | C] ()
 sed.exe -> C:\WINDOWS\sed.exe -> [2011/03/07 16:02:28 | 000,098,816 | ---- | C] ()
 MBR.exe -> C:\WINDOWS\MBR.exe -> [2011/03/07 16:02:28 | 000,089,088 | ---- | C] ()
 grep.exe -> C:\WINDOWS\grep.exe -> [2011/03/07 16:02:28 | 000,080,412 | ---- | C] ()
 zip.exe -> C:\WINDOWS\zip.exe -> [2011/03/07 16:02:28 | 000,068,096 | ---- | C] ()
 Girl_or_Car.pps -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\Girl_or_Car.pps -> [2011/03/04 11:26:07 | 002,809,856 | ---- | C] ()
 Malwarebytes' Anti-Malware.lnk -> C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk -> [2011/03/03 19:38:43 | 000,000,784 | ---- | C] ()
 MP Scheduled Scan.job -> C:\WINDOWS\tasks\MP Scheduled Scan.job -> [2011/03/03 14:14:02 | 000,000,330 | -H-- | C] ()
 Windows Defender.lnk -> C:\Documents and Settings\All Users\Start Menu\Programs\Windows Defender.lnk -> [2011/03/03 14:10:59 | 000,000,955 | ---- | C] ()
 config.nt -> C:\WINDOWS\System32\config.nt -> [2011/03/03 10:05:39 | 000,000,051 | ---- | C] ()
 wpa.dbl -> C:\WINDOWS\System32\wpa.dbl -> [2011/03/02 14:17:59 | 000,002,206 | ---- | C] ()
 HiJackThis.lnk -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\HiJackThis.lnk -> [2011/03/02 14:13:20 | 000,002,481 | ---- | C] ()
 Default.rdp -> C:\Documents and Settings\john ercolino.DBMKS671\My Documents\Default.rdp -> [2011/03/02 13:47:21 | 000,000,000 | -H-- | C] ()
 FileASSASSIN.lnk -> C:\Documents and Settings\All Users\Desktop\FileASSASSIN.lnk -> [2011/03/02 12:38:18 | 000,000,730 | ---- | C] ()
 1051646004 -> C:\Documents and Settings\john ercolino.DBMKS671\Local Settings\Application Data\1051646004 -> [2011/03/02 11:19:11 | 000,017,916 | -HS- | C] ()
 1051646004 -> C:\Documents and Settings\All Users\Application Data\1051646004 -> [2011/03/02 11:19:11 | 000,017,916 | -HS- | C] ()
 Buff_-_4_PDF.pdf -> C:\Documents and Settings\john ercolino.DBMKS671\Desktop\Buff_-_4_PDF.pdf -> [2011/02/25 16:00:30 | 005,755,538 | ---- | C] ()
 3D Text Factory.INI -> C:\WINDOWS\3D Text Factory.INI -> [2010/06/24 14:05:36 | 000,000,045 | ---- | C] ()
 wwwbatch.ini -> C:\WINDOWS\wwwbatch.ini -> [2010/04/21 18:47:37 | 000,000,163 | ---- | C] ()
 fusioncache.dat -> C:\Documents and Settings\john ercolino.DBMKS671\Local Settings\Application Data\fusioncache.dat -> [2010/01/07 11:25:33 | 000,000,145 | ---- | C] ()
 OGACheckControl.dll -> C:\WINDOWS\System32\OGACheckControl.dll -> [2009/08/03 15:07:42 | 000,403,816 | ---- | C] ()
 OGAEXEC.exe -> C:\WINDOWS\System32\OGAEXEC.exe -> [2009/08/03 15:07:42 | 000,230,768 | ---- | C] ()
 Textart.INI -> C:\WINDOWS\Textart.INI -> [2008/12/19 05:30:50 | 000,000,000 | ---- | C] ()
 CSTBox.INI -> C:\WINDOWS\CSTBox.INI -> [2008/12/09 19:41:02 | 000,045,843 | ---- | C] ()
 PS_setup.ini -> C:\WINDOWS\PS_setup.ini -> [2008/12/09 19:16:11 | 000,000,021 | ---- | C] ()
 EPPICPrinterDB.dat -> C:\WINDOWS\System32\EPPICPrinterDB.dat -> [2008/02/05 14:44:36 | 000,073,220 | ---- | C] ()
 EPPICPattern131.dat -> C:\WINDOWS\System32\EPPICPattern131.dat -> [2008/02/05 14:44:36 | 000,031,053 | ---- | C] ()
 EPPICPattern1.dat -> C:\WINDOWS\System32\EPPICPattern1.dat -> [2008/02/05 14:44:36 | 000,029,114 | ---- | C] ()
 EPPICPattern121.dat -> C:\WINDOWS\System32\EPPICPattern121.dat -> [2008/02/05 14:44:36 | 000,027,417 | ---- | C] ()
 EPPICPattern3.dat -> C:\WINDOWS\System32\EPPICPattern3.dat -> [2008/02/05 14:44:36 | 000,021,021 | ---- | C] ()
 EPPICPattern5.dat -> C:\WINDOWS\System32\EPPICPattern5.dat -> [2008/02/05 14:44:36 | 000,015,670 | ---- | C] ()
 EPPICPattern2.dat -> C:\WINDOWS\System32\EPPICPattern2.dat -> [2008/02/05 14:44:36 | 000,013,280 | ---- | C] ()
 EPPICPattern4.dat -> C:\WINDOWS\System32\EPPICPattern4.dat -> [2008/02/05 14:44:36 | 000,010,673 | ---- | C] ()
 EPPICPattern6.dat -> C:\WINDOWS\System32\EPPICPattern6.dat -> [2008/02/05 14:44:36 | 000,004,943 | ---- | C] ()
 EPPICPresetData_PT.dat -> C:\WINDOWS\System32\EPPICPresetData_PT.dat -> [2008/02/05 14:44:36 | 000,001,140 | ---- | C] ()
 EPPICPresetData_BP.dat -> C:\WINDOWS\System32\EPPICPresetData_BP.dat -> [2008/02/05 14:44:36 | 000,001,140 | ---- | C] ()
 EPPICPresetData_ES.dat -> C:\WINDOWS\System32\EPPICPresetData_ES.dat -> [2008/02/05 14:44:36 | 000,001,137 | ---- | C] ()
 EPPICPresetData_FR.dat -> C:\WINDOWS\System32\EPPICPresetData_FR.dat -> [2008/02/05 14:44:36 | 000,001,130 | ---- | C] ()
 EPPICPresetData_CF.dat -> C:\WINDOWS\System32\EPPICPresetData_CF.dat -> [2008/02/05 14:44:36 | 000,001,130 | ---- | C] ()
 EPPICPresetData_EN.dat -> C:\WINDOWS\System32\EPPICPresetData_EN.dat -> [2008/02/05 14:44:36 | 000,001,104 | ---- | C] ()
 PICSDK.ini -> C:\WINDOWS\System32\PICSDK.ini -> [2008/02/05 14:44:36 | 000,000,097 | ---- | C] ()
 EPSC120.ini -> C:\WINDOWS\EPSC120.ini -> [2008/02/05 14:44:13 | 000,000,077 | ---- | C] ()
 ativpsrm.bin -> C:\WINDOWS\ativpsrm.bin -> [2007/11/14 08:32:29 | 000,000,000 | ---- | C] ()
 ati2sgag.exe -> C:\WINDOWS\System32\ati2sgag.exe -> [2007/11/14 08:27:44 | 000,593,920 | ---- | C] ()
 ativvaxx.dat -> C:\WINDOWS\System32\ativvaxx.dat -> [2007/09/28 21:36:05 | 003,107,788 | ---- | C] ()
 ativva5x.dat -> C:\WINDOWS\System32\ativva5x.dat -> [2007/09/28 21:36:05 | 003,107,788 | ---- | C] ()
 ativva6x.dat -> C:\WINDOWS\System32\ativva6x.dat -> [2007/09/28 21:36:05 | 000,972,072 | ---- | C] ()
 atiicdxx.dat -> C:\WINDOWS\System32\atiicdxx.dat -> [2007/08/14 16:11:53 | 000,156,671 | ---- | C] ()
 QTSBandwidthCache -> C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache -> [2006/12/20 14:07:33 | 000,000,584 | ---- | C] ()
 DfrgUIEx.INI -> C:\WINDOWS\DfrgUIEx.INI -> [2006/03/10 10:47:32 | 000,000,026 | ---- | C] ()
 LCDMedia.INI -> C:\WINDOWS\LCDMedia.INI -> [2006/02/02 08:11:05 | 000,000,000 | ---- | C] ()
 KGyGaAvL.sys -> C:\WINDOWS\System32\KGyGaAvL.sys -> [2005/07/21 06:00:24 | 000,000,848 | -HS- | C] ()
 UNWISE.EXE -> C:\WINDOWS\UNWISE.EXE -> [2005/07/04 19:13:36 | 000,149,504 | ---- | C] ()
 checkip.dat -> C:\WINDOWS\checkip.dat -> [2005/06/06 20:13:08 | 000,002,500 | ---- | C] ()
 ipconfig.dat -> C:\WINDOWS\ipconfig.dat -> [2005/06/06 20:09:37 | 000,003,382 | ---- | C] ()
 LEXSTAT.INI -> C:\WINDOWS\LEXSTAT.INI -> [2005/05/16 12:27:24 | 000,000,486 | ---- | C] ()
 instlsp.exe -> C:\WINDOWS\System32\instlsp.exe -> [2005/05/06 05:42:10 | 000,032,768 | ---- | C] ()
 DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> C:\Documents and Settings\john ercolino.DBMKS671\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> [2005/04/23 16:03:09 | 000,006,144 | ---- | C] ()
 cdPlayer.ini -> C:\WINDOWS\cdPlayer.ini -> [2005/04/15 06:39:34 | 000,002,206 | ---- | C] ()
 PFP120JPR.{PB -> C:\Documents and Settings\john ercolino.DBMKS671\Application Data\PFP120JPR.{PB -> [2005/04/12 10:28:00 | 000,061,678 | ---- | C] ()
 PFP120JCM.{PB -> C:\Documents and Settings\john ercolino.DBMKS671\Application Data\PFP120JCM.{PB -> [2005/04/12 10:28:00 | 000,012,358 | ---- | C] ()
 BTI.INI -> C:\WINDOWS\BTI.INI -> [2005/04/10 11:52:38 | 000,000,784 | ---- | C] ()
 smscfg.ini -> C:\WINDOWS\smscfg.ini -> [2005/04/01 17:15:09 | 000,000,061 | ---- | C] ()
 wininit.ini -> C:\WINDOWS\wininit.ini -> [2005/04/01 17:13:23 | 000,000,177 | ---- | C] ()
 BOOTSTAT.DAT -> C:\WINDOWS\BOOTSTAT.DAT -> [2005/04/01 16:57:46 | 000,002,048 | --S- | C] ()
 PERFH009.DAT -> C:\WINDOWS\System32\PERFH009.DAT -> [2005/04/01 16:56:18 | 000,457,866 | ---- | C] ()
 PERFC009.DAT -> C:\WINDOWS\System32\PERFC009.DAT -> [2005/04/01 16:56:18 | 000,077,344 | ---- | C] ()
 OEMINFO.INI -> C:\WINDOWS\System32\OEMINFO.INI -> [2005/04/01 16:43:26 | 000,000,367 | ---- | C] ()
 px.ini -> C:\WINDOWS\System32\px.ini -> [2005/01/28 09:08:34 | 000,000,000 | ---- | C] ()
 oembios.bin -> C:\WINDOWS\System32\oembios.bin -> [2004/08/12 07:36:06 | 013,107,200 | ---- | C] ()
 oembios.dat -> C:\WINDOWS\System32\oembios.dat -> [2004/08/12 07:36:06 | 000,004,627 | ---- | C] ()
 secupd.dat -> C:\WINDOWS\System32\secupd.dat -> [2004/08/12 07:28:00 | 000,004,569 | ---- | C] ()
 perfi009.dat -> C:\WINDOWS\System32\perfi009.dat -> [2004/08/12 07:26:08 | 000,272,128 | ---- | C] ()
 perfd009.dat -> C:\WINDOWS\System32\perfd009.dat -> [2004/08/12 07:26:06 | 000,028,626 | ---- | C] ()
 mlang.dat -> C:\WINDOWS\System32\mlang.dat -> [2004/08/12 07:22:08 | 000,673,088 | ---- | C] ()
 mib.bin -> C:\WINDOWS\System32\mib.bin -> [2004/08/12 07:22:02 | 000,046,258 | ---- | C] ()
 dssec.dat -> C:\WINDOWS\System32\dssec.dat -> [2004/08/12 07:18:56 | 000,218,003 | ---- | C] ()
 dcache.bin -> C:\WINDOWS\System32\dcache.bin -> [2004/08/12 07:18:32 | 000,001,804 | ---- | C] ()
 ORUN32.INI -> C:\WINDOWS\ORUN32.INI -> [2004/08/11 18:25:56 | 000,000,791 | ---- | C] ()
 FNTCACHE.DAT -> C:\WINDOWS\System32\FNTCACHE.DAT -> [2004/08/11 18:20:10 | 000,255,864 | ---- | C] ()
 ODBCINST.INI -> C:\WINDOWS\ODBCINST.INI -> [2004/08/11 18:14:38 | 000,004,161 | ---- | C] ()
 emptyregdb.dat -> C:\WINDOWS\System32\emptyregdb.dat -> [2004/08/11 18:12:16 | 000,023,428 | ---- | C] ()
 NOISE.DAT -> C:\WINDOWS\System32\NOISE.DAT -> [2004/08/04 06:00:00 | 000,000,741 | ---- | C] ()
 SETPWRCG.EXE -> C:\WINDOWS\SETPWRCG.EXE -> [2004/07/19 17:01:02 | 000,045,056 | ---- | C] ()
 PAW120.ini -> C:\WINDOWS\PAW120.ini -> [2003/02/18 08:28:30 | 000,003,210 | ---- | C] ()
 W32MKRC.DLL -> C:\WINDOWS\System32\W32MKRC.DLL -> [2000/02/08 01:05:36 | 000,110,080 | R--- | C] ()
 W32MKDE.EXE -> C:\WINDOWS\System32\W32MKDE.EXE -> [2000/02/08 01:05:34 | 000,320,512 | R--- | C] ()
 NWLOCALE.DLL -> C:\WINDOWS\System32\NWLOCALE.DLL -> [2000/02/08 01:05:34 | 000,038,576 | ---- | C] ()
 ati2evxx.exe -> C:\WINDOWS\System32\ati2evxx.exe -> [1980/01/01 01:00:00 | 000,389,120 | ---- | C] ()
 ati2evxx.dll -> C:\WINDOWS\System32\ati2evxx.dll -> [1980/01/01 01:00:00 | 000,086,016 | ---- | C] ()
 
[Alternate Data Streams]
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 150 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:07BF512B
< End of report >
```


----------



## john m ercolino (Jan 14, 2007)

Was that log supposed to come out looking like that?


----------



## john m ercolino (Jan 14, 2007)

this should be better


----------



## Cookiegal (Aug 27, 2003)

Since you used code tags I was able to work with it.

I've found two folders that I'm 99.9% sure that the malware created on March 2nd, which I believe is when you were infected. They are:

C:\Documents and Settings\All Users\Application Data\1051646004
C:\Documents and Settings\john ercolino.DBMKS671\Local Settings\Application Data\1051646004

But be sure they aren't something you might have created, which I doubt very much, before running the fix.

Also, it seems you were running the McAfee firewall before but that's no longer the case, correct? Because I see what looks like leftovers so I'm also removing those with the fix.

Start *OTS*. Copy/Paste the information in the code box below into the pane where it says *"Paste fix here"* and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log please.


```
[Kill All Processes]
[Unregister Dlls]
[Win32 Services - Safe List]
YN -> (McMPFSvc) McAfee Personal Firewall [Auto | Stopped] -> 
[Registry - Safe List]
< HOSTS File > ([2011/03/07 16:47:23 | 000,000,027 | ---- | M] - 1 lines) -> C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
YN -> Reset Hosts -> 
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "KernelFaultCheck" -> [%systemroot%\system32\dumprep 0 -k]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {31435657-9980-0010-8000-00AA00389B71} [HKLM] -> http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab [Reg Error: Key error.]
YN -> {7530BFB8-7293-4D34-9923-61A11451AFC5} [HKLM] -> http://download.eset.com/special/eos/OnlineScanner.cab [Reg Error: Key error.]
YN -> {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [HKLM] -> http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab [Reg Error: Key error.]
YN -> {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY ->  10 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files/Folders - Modified Within 30 Days]
NY ->  1051646004 -> C:\Documents and Settings\john ercolino.DBMKS671\Local Settings\Application Data\1051646004
NY ->  1051646004 -> C:\Documents and Settings\All Users\Application Data\1051646004
NY ->  10 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
[Files - No Company Name]
NY ->  1051646004 -> C:\Documents and Settings\john ercolino.DBMKS671\Local Settings\Application Data\1051646004
NY ->  1051646004 -> C:\Documents and Settings\All Users\Application Data\1051646004
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```
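The triage Cookiegal describes above can be scripted: the two `1051646004` folders stand out because they are all-digit, hidden/system-attributed entries under Application Data stamped on the suspected infection day, and the posted log's `exefile [open] -> "%1" %*` line shows the shell-spawning entry that rogue AV families usually rewrite so their own binary runs in front of every program. The block below is an added example written for this page; it is not part of the thread and not OldTimer's OTS code. It parses the file/folder line shape OTS prints and runs three checks over constructed sample lines (the `pw.exe` name, the `user` profile and the hijacked exefile entry are invented for the demo; the entries in the real log were clean).

```python
"""Triage an OTS-style scan log for the indicators used in the fix above.

Added example: not part of the forum thread and not OldTimer's OTS code.
It parses the file/folder line shape OTS prints, i.e.
  name -> <full path> -> [YYYY/MM/DD HH:MM:SS | size | attrs | C] (Company)
and the 'Registry Shell Spawning' lines, then applies three checks.
SAMPLE_LOG below is constructed; 'pw.exe' and the 'user' profile are invented.
"""
import re
from datetime import date

# Suspected infection date from the thread (the folders appeared on March 2nd).
INFECTION_DAY = date(2011, 3, 2)

# Clean XP default for comfile/exefile; rogue AV families replace it so that
# their own binary is launched in front of every .exe the user starts.
CLEAN_SHELL_CMD = '"%1" %*'

OTS_LINE = re.compile(
    r"^\s*(?P<name>.+?) -> (?P<path>[A-Za-z]:\\.+?) -> "
    r"\[(?P<date>\d{4}/\d{2}/\d{2}) \d{2}:\d{2}:\d{2} \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| [CM]\]"
    r"(?: \((?P<company>[^)]*)\))?\s*$"
)
SHELL_LINE = re.compile(r"^(?P<cls>comfile|exefile) \[open\] -> (?P<cmd>.+?) ->\s*$")

# Constructed sample in the OTS layout; the exefile hijack is made up for the demo.
SAMPLE_LOG = r"""
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command ->
comfile [open] -> "%1" %* ->
exefile [open] -> "C:\Documents and Settings\user\Local Settings\Application Data\pw.exe" /START "%1" %* ->
[Files/Folders - Modified Within 30 Days]
 1051646004 -> C:\Documents and Settings\All Users\Application Data\1051646004 -> [2011/03/03 12:08:52 | 000,017,916 | -HS- | M] ()
 1051646004 -> C:\Documents and Settings\user\Local Settings\Application Data\1051646004 -> [2011/03/03 12:08:52 | 000,017,916 | -HS- | M] ()
 pw.exe -> C:\Documents and Settings\user\Local Settings\Application Data\pw.exe -> [2011/03/02 11:19:05 | 000,311,296 | ---- | C] ()
 aswSnx.sys -> C:\WINDOWS\System32\drivers\aswSnx.sys -> [2011/02/23 09:56:55 | 000,371,544 | ---- | M] (AVAST Software)
 hosts -> C:\WINDOWS\System32\drivers\ETC\hosts -> [2011/03/07 16:47:23 | 000,000,027 | ---- | M] ()
""".strip("\n").splitlines()


def parse_file_entries(lines):
    """Return one dict per OTS file/folder line; every other line is ignored."""
    entries = []
    for line in lines:
        m = OTS_LINE.match(line)
        if not m:
            continue
        y, mo, d = (int(x) for x in m.group("date").split("/"))
        entries.append({
            "name": m.group("name"),
            "path": m.group("path"),
            "date": date(y, mo, d),
            "size": int(m.group("size").replace(",", "")),
            "attrs": m.group("attrs"),
            "company": (m.group("company") or "").strip(),
        })
    return entries


def check_shell_spawning(lines):
    """Map comfile/exefile to its command when it is not the clean default."""
    hijacked = {}
    for line in lines:
        m = SHELL_LINE.match(line.strip())
        if m and m.group("cmd").strip() != CLEAN_SHELL_CMD:
            hijacked[m.group("cls")] = m.group("cmd").strip()
    return hijacked


def flag_rogue_data_files(entries, infection_day=INFECTION_DAY, window_days=2):
    """Hidden or system entries with an all-digit name under an Application Data
    folder, stamped within window_days of the infection: the pattern the
    1051646004 folders in the thread follow."""
    return [
        e["path"] for e in entries
        if e["name"].isdigit()
        and ("H" in e["attrs"] or "S" in e["attrs"])
        and "application data" in e["path"].lower()
        and abs((e["date"] - infection_day).days) <= window_days
    ]


def flag_profile_executables(entries):
    """Executables with an empty version-info company dropped in a user's
    Local Settings\\Application Data, a drop location rogue AV favours."""
    marker = "\\local settings\\application data\\"
    return [
        e["path"] for e in entries
        if e["path"].lower().endswith(".exe")
        and not e["company"]
        and marker in e["path"].lower()
    ]


def triage(lines, infection_day=INFECTION_DAY):
    """Run all three checks and return the hits per check."""
    entries = parse_file_entries(lines)
    return {
        "shell_hijack": check_shell_spawning(lines),
        "rogue_data_files": flag_rogue_data_files(entries, infection_day),
        "profile_executables": flag_profile_executables(entries),
    }


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_LOG).items():
        print(check, "->", hits or "clean")
```

Feed it the real log with `triage(open("OTS.Txt").read().splitlines())`; the company-name check is only a version-info string, not a signature, so treat its hits as candidates to look up rather than proof of infection.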


----------



## john m ercolino (Jan 14, 2007)

First off, you are correct. I remember file 1051646004 was part of the virus and I had struggled to delete it with Malwarebytes and FileASSASSIN in safe mode to make the computer operable. To be sure I checked my notes and that is definitely related to the infection.
Next, you are correct, I do not use McAfee any longer and appreciate you ridding the leftovers.

I ran the fix and the HijackThis scan; the logs will follow. After the repair a reboot was needed, which I did. When the system came back there was an error window: "service executable has encountered a problem and needs to close". I reported the error and it went away.
Here are the logs:

All Processes Killed
[Win32 Services - Safe List]
Service McMPFSvc stopped successfully!
[Registry - Safe List]
HOSTS file reset successfully!
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Starting removal of ActiveX control {31435657-9980-0010-8000-00AA00389B71}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{31435657-9980-0010-8000-00AA00389B71}\Contains\Files\ not found.
C:\WINDOWS\Downloaded Program Files\wvc1dmo.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Starting removal of ActiveX control {7530BFB8-7293-4D34-9923-61A11451AFC5}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7530BFB8-7293-4D34-9923-61A11451AFC5}\Contains\Files\ not found.
C:\WINDOWS\Downloaded Program Files\OnlineScanner.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\Contains\Files\ not found.
C:\WINDOWS\Downloaded Program Files\erma.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\Contains\Files\ not found.
not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.
[Files/Folders - Created Within 30 Days]
C:\WINDOWS\000001_.tmp deleted successfully.
C:\WINDOWS\000002_.tmp deleted successfully.
C:\WINDOWS\003117_.tmp deleted successfully.
C:\WINDOWS\msdownld.tmp folder deleted successfully.
C:\WINDOWS\SET111.tmp deleted successfully.
C:\WINDOWS\SET114.tmp deleted successfully.
C:\WINDOWS\SET120.tmp deleted successfully.
C:\WINDOWS\SETD7.tmp deleted successfully.
C:\WINDOWS\SETDA.tmp deleted successfully.
C:\WINDOWS\SETE6.tmp deleted successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
[Files/Folders - Modified Within 30 Days]
C:\Documents and Settings\john ercolino.DBMKS671\Local Settings\Application Data\1051646004 moved successfully.
C:\Documents and Settings\All Users\Application Data\1051646004 moved successfully.
[Files - No Company Name]
File C:\Documents and Settings\john ercolino.DBMKS671\Local Settings\Application Data\1051646004 not found!
File C:\Documents and Settings\All Users\Application Data\1051646004 not found!
[Empty Temp Folders]

User: Administrator
->Temp folder emptied: 776296 bytes
->Temporary Internet Files folder emptied: 2011973 bytes
->Flash cache emptied: 689 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Guest
->Temp folder emptied: 575866 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: john ercolino
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 300 bytes

User: john ercolino.DBMKS671
->Temp folder emptied: 7851872 bytes
->Temporary Internet Files folder emptied: 28674931 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 25063 bytes

User: JOHNER~1~DBM

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 348 bytes

User: NetworkService
->Temp folder emptied: 36682 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 122496 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
RecycleBin emptied: 1263721 bytes

Total Files Cleaned = 40.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.42.0 fix logfile created on 03122011_171504

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:19:55 PM, on 3/12/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Acronis\BackupServer\backupserver.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
O1 - Hosts: ÿþ127.0.0.1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1271905715648
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Program Files\Common Files\Acronis\Agent\agent.exe
O23 - Service: Acronis Backup Server Service (AcronisBackupServerService) - Acronis - C:\Program Files\Acronis\BackupServer\backupserver.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Personal Firewall (McMPFSvc) - Unknown owner - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (file missing)

--
End of file - 6827 bytes


----------



## Cookiegal (Aug 27, 2003)

To delete a lingering McAfee service, please do the following:

Go to *Start* - *Run*, type in *cmd*, then click OK. The MSDOS window will be displayed. At the prompt type the following:

*SC Delete McMPFSvc*

Then press Enter

Type *Exit* and press Enter.

Then please do this:

Open HijackThis and click on the *Open Misc Tools section* button. Click on the *Open Uninstall Manager* button. Click the *Save List* button. Save the list then copy and paste it here.

Lastly, please do the following:

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1*
*Download Mirror #2*
Double-click *SystemLook.exe* to run it.
Copy the content of the following code box into the main text field:

```
mbr.exe
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*
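Before running `SC Delete` against a service it helps to confirm, from the HijackThis log itself, which O23 entries actually point at a binary that no longer exists (HijackThis marks those "(file missing)"). The following parser is an added example for this thread, not part of HijackThis and not something posted by Cookiegal; `SAMPLE_LOG` is a constructed fragment in the same O23 format as the log above, and the "Unknown owner" bucket only means the file carried no company name in its version info, which is common for benign drivers.

```python
"""Pick out orphaned service entries from HijackThis O23 lines.

Added example; not part of HijackThis or of this thread. SAMPLE_LOG is a
constructed fragment in the same format as the log posted above.
"""
import re
from typing import Dict, List, Optional

# HijackThis O23 layout:
#   O23 - Service: <display name> [(<service name>)] - <owner> - <path> [(file missing)]
# The bracketed service name appears only when it differs from the display name.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Constructed sample lines mirroring the O23 section of the log above.
SAMPLE_LOG = [
    r"O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe",
    r"O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe",
    r"O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - "
    r"C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE",
    r"O23 - Service: McAfee Personal Firewall (McMPFSvc) - Unknown owner - "
    r"C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (file missing)",
    r'O4 - HKLM\..\Run: [avast] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui',
]


def parse_o23(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one O23 line, or None if the line is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return {
        "display": m.group("display"),
        # The short name is what 'sc delete' / 'sc query' take; fall back to the display name.
        "name": m.group("name") or m.group("display"),
        "owner": m.group("owner"),
        "path": m.group("path"),
        "file_missing": m.group("missing") is not None,
    }


def triage_services(log_lines: List[str]) -> Dict[str, List[str]]:
    """Bucket services into 'orphaned' (binary gone, candidates for 'sc delete')
    and 'review' (no company name in the file; usually benign, but look at it)."""
    out: Dict[str, List[str]] = {"orphaned": [], "review": []}
    for svc in filter(None, map(parse_o23, log_lines)):
        if svc["file_missing"]:
            out["orphaned"].append(svc["name"])
        elif svc["owner"] == "Unknown owner":
            out["review"].append(svc["name"])
    return out


if __name__ == "__main__":
    for bucket, names in triage_services(SAMPLE_LOG).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Only the `orphaned` names are the ones the `SC Delete` step applies to; for anything in `review`, check the path against the vendor's install before touching it.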


----------



## john m ercolino (Jan 14, 2007)

Acronis Backup Server
Acronis*True*Image*Agent
Acronis*True*Image*Workstation
Adobe Flash Player 10 ActiveX
Adobe Reader 8.2.6
Adobe Shockwave Player 11.5
Apple Software Update
ArcSoft PhotoStudio 5.5
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Auslogics Disk Defrag
avast! Free Antivirus
Banctec Service Agreement
Broadcom Advanced Control Suite 2
Canon CanoScan Toolbox 4.5
Compatibility Pack for the 2007 Office system
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Support 5.0.0 (630)
EPSON Printer Software
EPSON Web-To-Page
FileASSASSIN
Garmin Communicator Plugin
Garmin MapInstall
Garmin MapSource
Garmin USB Drivers
Garmin WebUpdater
Google Earth
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2443685)
Intel Matrix Storage Manager
Internet Explorer Default Page
Ipswitch WS_FTP Pro
IrfanView (remove only)
Java(TM) 6 Update 18
Java(TM) 6 Update 7
Logitech MouseWare 9.79 
Malwarebytes' Anti-Malware
MapSource
MapSource - Americas BlueChart v6
MapSource - North American City Select v5
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel Viewer 2003
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
My Sirius Studio
OGA Notifier 2.0.0048.0
Peachtree Accounting 2005
PowerDVD 5.3
QuickTime
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Serif WebPlus X2
Shared Add-in Extensibility Update for Microsoft .NET Framework 2.0 (KB908002)
Shared Add-in Support Update for Microsoft .NET Framework 2.0 (KB908002)
Sonic DLA
Sonic MyDVD
Sonic RecordNow!
Sonic Update Manager
System Requirements Lab for Intel
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2467659)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Defender
Windows Defender Signatures
Windows Driver Package - Garmin (grmnusb) GARMIN Devices  (03/08/2007 2.2.1.0)
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows Media Player 11
Windows Presentation Foundation
WordPerfect Office 12

SystemLook 04.09.10 by jpshortstuff
Log created at 17:46 on 12/03/2011 by john ercolino
Administrator - Elevation successful

No Context: mbr.exe

-= EOF =-


----------



## Cookiegal (Aug 27, 2003)

Click on the following link and download *mbr.exe*:

http://www2.gmer.net/mbr/mbr.exe

It's important that you save it in the root directory so the path would be C:\mbr.exe.

Double click the *C:\mbr.exe* file to run it and copy and paste the contents of the resulting log please. It will be located at C:\mbr.log.


----------



## john m ercolino (Jan 14, 2007)

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Intel___ rev.1.0. -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK 
error: Read The request could not be performed because of an I/O device error.


----------



## john m ercolino (Jan 14, 2007)

The computer is frozen???? It is on and the desktop is showing, but nothing works. I went to the start button to log off and before I could do anything it all just froze. My mouse moves but cannot click anything. It has been about a half hour since the mbr scan and report.


----------



## Cookiegal (Aug 27, 2003)

It doesn't change anything, it only produces a log.

Did you have the flash drive inserted in the USB port when you ran that?

Can you call up the Task Manager?


----------



## john m ercolino (Jan 14, 2007)

It's showing an application error: "wuauclt.exe memory could not be written". Task manager won't come up, the only choice is to shut it off.
The flash drive was removed earlier.


----------



## john m ercolino (Jan 14, 2007)

Had to power down, but it is up and running now.


----------



## Cookiegal (Aug 27, 2003)

Go to Start - Run and type in the following then hit Enter.

devmgmt.msc

This brings up the Device Manager.

Are there any yellow warnings to the left of any of the devices listed there?

Also, please post any new errors that have occurred:

Please go to *Start* - *Run* - type in *eventvwr.msc* to open the event viewer. Look under both "Application" and "System" for recent (the last 48 hours or so) errors (shown in red) and if found, do this for each one.

Double-click the error to open it up and then click on the icon that looks like two pieces of paper. This will copy the full error. Then "paste" the error into Notepad. Do this for each one until you have them all listed in Notepad and then copy and paste the list in a reply here please.
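The copy step above produces a fixed text layout per event (Event Type, Source, Category, ID, Date, Time, User, Computer, a multi-line Description, and an optional hex Data block), and the logs in this thread are in exactly that form. When a machine has dozens of entries, parsing the dump is quicker and less error-prone than reading it by eye. The parser below is an added example for this thread, not a Microsoft tool and not anything posted here; `SAMPLE_EXPORT` is constructed to mirror that layout, and the 48-hour window is taken relative to a caller-supplied reference time so the result is reproducible offline.

```python
"""Parse the Event Viewer text produced by the copy-to-Notepad step above.

Added example for this thread, not a Microsoft tool. SAMPLE_EXPORT is a
constructed export in the same layout as the events posted in the thread.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# "0010: 30 30 37 66 30 36 34 20 007f064 " -> offset, up to eight hex bytes, ASCII column.
# Only the hex pairs are consumed; the ASCII column is recomputed from the bytes.
HEX_LINE = re.compile(r"^[0-9A-Fa-f]{4}: ((?:[0-9A-Fa-f]{2} ){1,8})")
FOOTER = "For more information, see Help and Support Center"
HRESULT = re.compile(r"Win32HResult=(0x[0-9A-Fa-f]+)")

SAMPLE_EXPORT = """\
Event Type:\tError
Event Source:\tWindows Update Agent
Event Category:\tInstallation
Event ID:\t20
Date: 3/13/2011
Time: 4:00:26 AM
User: N/A
Computer:\tDBMKS671
Description:
Installation Failure: Windows failed to install the following update with error 0x8007f064: Cumulative Security Update for Internet Explorer 8 for Windows XP (KB2482017).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 57 69 6e 33 32 48 52 65 Win32HRe
0008: 73 75 6c 74 3d 30 78 38 sult=0x8
0010: 30 30 37 66 30 36 34 20 007f064 
Event Type:\tError
Event Source:\tNtfs
Event Category:\tDisk
Event ID:\t55
Date: 3/12/2011
Time: 3:18:58 AM
User: N/A
Computer:\tDBMKS671
Description:
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 02 00 4e 00 ......N.
Event Type:\tWarning
Event Source:\tUSER32
Event Category:\tNone
Event ID:\t1073
Date: 3/9/2011
Time: 10:29:29 PM
User: NT AUTHORITY\\SYSTEM
Computer:\tDBMKS671
Description:
The attempt to reboot DBMKS671 failed
"""


def parse_export(text: str) -> List[Dict[str, object]]:
    """Split an export into records: header fields, joined Description,
    raw Data bytes, and a parsed 'When' timestamp."""
    records: List[Dict[str, object]] = []
    rec: Optional[Dict[str, object]] = None
    in_desc = False
    for line in text.splitlines():
        if line.startswith("Event Type:"):        # every record starts here
            rec = {"Description": [], "Data": bytearray()}
            records.append(rec)
            in_desc = False
        if rec is None:
            continue                                # preamble before the first record
        if line.startswith("Description:"):
            in_desc = True
        elif line.startswith(FOOTER) or line.startswith("Data:"):
            in_desc = False                         # description body has ended
        elif in_desc:
            rec["Description"].append(line)
        elif HEX_LINE.match(line):
            rec["Data"] += bytes.fromhex(HEX_LINE.match(line).group(1).replace(" ", ""))
        elif ":" in line:
            key, _, value = line.partition(":")     # "Event ID:\t20" -> ("Event ID", "20")
            rec[key.strip()] = value.strip()
    for rec in records:
        rec["Description"] = "\n".join(rec["Description"]).strip()
        rec["Data"] = bytes(rec["Data"])
        rec["When"] = datetime.strptime(f'{rec["Date"]} {rec["Time"]}', "%m/%d/%Y %I:%M:%S %p")
    return records


def hresult(rec: Dict[str, object]) -> Optional[str]:
    """Windows Update Agent failures carry 'Win32HResult=0x...' in the Data bytes."""
    m = HRESULT.search(rec["Data"].decode("latin-1"))
    return m.group(1) if m else None


def recent_errors(records, now: datetime, hours: int = 48):
    """What the post asks for: Error entries from the last 48 hours before 'now'."""
    cutoff = now - timedelta(hours=hours)
    return [r for r in records if r["Event Type"] == "Error" and r["When"] >= cutoff]
```

Decoding the Data block matters more than it looks: for Windows Update Agent event 20 it holds the HRESULT and the update GUID in plain text, which is what you need to look the failure up, and for kernel "System Error" events it repeats the bugcheck parameters.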


----------



## john m ercolino (Jan 14, 2007)

There is an entry that has no warning but is expanded and written in yellow; it says other device in yellow, and then unknown device in yellow below it.

System Events(48 hrs)

Event Type:	Error
Event Source:	MRxSmb
Event Category:	None
Event ID:	8003
Date: 3/13/2011
Time: 8:05:30 AM
User: N/A
Computer:	DBMKS671
Description:
The master browser has received a server announcement from the computer AMYZAHRALABA-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{3CCB81F0-A67. The master browser is stopping or an election is being forced.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 03 00 4e 00 ......N.
0008: 00 00 00 00 43 1f 00 c0 ....C..À
0010: 00 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

Event Type:	Error
Event Source:	Windows Update Agent
Event Category:	Installation 
Event ID:	20
Date: 3/13/2011
Time: 4:00:26 AM
User: N/A
Computer:	DBMKS671
Description:
Installation Failure: Windows failed to install the following update with error 0x8007f064: Cumulative Security Update for Internet Explorer 8 for Windows XP (KB2482017).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 57 69 6e 33 32 48 52 65 Win32HRe
0008: 73 75 6c 74 3d 30 78 38 sult=0x8
0010: 30 30 37 66 30 36 34 20 007f064 
0018: 55 70 64 61 74 65 49 44 UpdateID
0020: 3d 7b 32 36 33 43 41 37 ={263CA7
0028: 36 38 2d 42 45 36 35 2d 68-BE65-
0030: 34 45 34 42 2d 39 42 41 4E4B-9BA
0038: 30 2d 38 46 38 41 38 46 0-8F8A8F
0040: 42 43 33 41 32 35 7d 20 BC3A25} 
0048: 52 65 76 69 73 69 6f 6e Revision
0050: 4e 75 6d 62 65 72 3d 31 Number=1
0058: 30 31 20 00  01 . 
Event Type:	Error
Event Source:	MRxSmb
Event Category:	None
Event ID:	8003
Date: 3/12/2011
Time: 9:26:16 AM
User: N/A
Computer:	DBMKS671
Description:
The master browser has received a server announcement from the computer AMYZAHRALABA-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{3CCB81F0-A67. The master browser is stopping or an election is being forced.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 03 00 4e 00 ......N.
0008: 00 00 00 00 43 1f 00 c0 ....C..À
0010: 00 00 00 00 00 00 00 00 ........
0018: 01 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

Event Type:	Error
Event Source:	Windows Update Agent
Event Category:	Installation 
Event ID:	20
Date: 3/12/2011
Time: 4:00:38 AM
User: N/A
Computer:	DBMKS671
Description:
Installation Failure: Windows failed to install the following update with error 0x80070643: Windows Malicious Software Removal Tool - March 2011 (KB890830).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 57 69 6e 33 32 48 52 65 Win32HRe
0008: 73 75 6c 74 3d 30 78 38 sult=0x8
0010: 30 30 37 30 36 34 33 20 0070643 
0018: 55 70 64 61 74 65 49 44 UpdateID
0020: 3d 7b 45 37 35 34 37 31 ={E75471
0028: 44 32 2d 30 44 31 41 2d D2-0D1A-
0030: 34 31 30 31 2d 38 35 38 4101-858
0038: 46 2d 32 38 30 33 46 35 F-2803F5
0040: 44 45 39 34 35 33 7d 20 DE9453} 
0048: 52 65 76 69 73 69 6f 6e Revision
0050: 4e 75 6d 62 65 72 3d 31 Number=1
0058: 30 30 20 00 00 .

Event Type:	Error
Event Source:	Windows Update Agent
Event Category:	Installation 
Event ID:	20
Date: 3/12/2011
Time: 4:00:38 AM
User: N/A
Computer:	DBMKS671
Description:
Installation Failure: Windows failed to install the following update with error 0x8007f064: Cumulative Security Update for Internet Explorer 8 for Windows XP (KB2482017).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 57 69 6e 33 32 48 52 65 Win32HRe
0008: 73 75 6c 74 3d 30 78 38 sult=0x8
0010: 30 30 37 66 30 36 34 20 007f064 
0018: 55 70 64 61 74 65 49 44 UpdateID
0020: 3d 7b 32 36 33 43 41 37 ={263CA7
0028: 36 38 2d 42 45 36 35 2d 68-BE65-
0030: 34 45 34 42 2d 39 42 41 4E4B-9BA
0038: 30 2d 38 46 38 41 38 46 0-8F8A8F
0040: 42 43 33 41 32 35 7d 20 BC3A25} 
0048: 52 65 76 69 73 69 6f 6e Revision
0050: 4e 75 6d 62 65 72 3d 31 Number=1
0058: 30 31 20 00 01 .

Event Type:	Error
Event Source:	Ntfs
Event Category:	Disk 
Event ID:	55
Date: 3/12/2011
Time: 3:18:58 AM
User: N/A
Computer:	DBMKS671
Description:
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 02 00 4e 00 ......N.
0008: 02 00 00 00 37 00 04 c0 ....7..À
0010: 00 00 00 00 32 00 00 c0 ....2..À
0018: 18 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
Event Type:	Error
Event Source:	MRxSmb
Event Category:	None
Event ID:	8003
Date: 3/12/2011
Time: 2:16:40 AM
User: N/A
Computer:	DBMKS671
Description:
The master browser has received a server announcement from the computer AMYZAHRALABA-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{3CCB81F0-A67. The master browser is stopping or an election is being forced.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 03 00 4e 00 ......N.
0008: 00 00 00 00 43 1f 00 c0 ....C..À
0010: 00 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7003
Date: 3/12/2011
Time: 1:52:57 AM
User: N/A
Computer:	DBMKS671
Description:
The McAfee Personal Firewall service depends on the following nonexistent service: MfeFire

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	DCOM
Event Category:	None
Event ID:	10005
Date: 3/12/2011
Time: 1:23:43 AM
User: NT AUTHORITY\SYSTEM
Computer:	DBMKS671
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	Windows Update Agent
Event Category:	Installation 
Event ID:	20
Date: 3/11/2011
Time: 10:44:31 PM
User: N/A
Computer:	DBMKS671
Description:
Installation Failure: Windows failed to install the following update with error 0x8007f064: Cumulative Security Update for Internet Explorer 8 for Windows XP (KB2482017).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 57 69 6e 33 32 48 52 65 Win32HRe
0008: 73 75 6c 74 3d 30 78 38 sult=0x8
0010: 30 30 37 66 30 36 34 20 007f064 
0018: 55 70 64 61 74 65 49 44 UpdateID
0020: 3d 7b 32 36 33 43 41 37 ={263CA7
0028: 36 38 2d 42 45 36 35 2d 68-BE65-
0030: 34 45 34 42 2d 39 42 41 4E4B-9BA
0038: 30 2d 38 46 38 41 38 46 0-8F8A8F
0040: 42 43 33 41 32 35 7d 20 BC3A25} 
0048: 52 65 76 69 73 69 6f 6e Revision
0050: 4e 75 6d 62 65 72 3d 31 Number=1
0058: 30 31 20 00 01 .

Event Type:	Error
Event Source:	System Error
Event Category:	(102)
Event ID:	1003
Date: 3/11/2011
Time: 10:44:29 PM
User: N/A
Computer:	DBMKS671
Description:
Error code 1000007e, parameter1 c0000005, parameter2 806382fa, parameter3 ba50bbd0, parameter4 ba50b8cc.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45 System E
0008: 72 72 6f 72 20 20 45 72 rror Er
0010: 72 6f 72 20 63 6f 64 65 ror code
0018: 20 31 30 30 30 30 30 37 1000007
0020: 65 20 20 50 61 72 61 6d e Param
0028: 65 74 65 72 73 20 63 30 eters c0
0030: 30 30 30 30 30 35 2c 20 000005, 
0038: 38 30 36 33 38 32 66 61 806382fa
0040: 2c 20 62 61 35 30 62 62 , ba50bb
0048: 64 30 2c 20 62 61 35 30 d0, ba50
0050: 62 38 63 63 b8cc 
Event Type:	Warning
Event Source:	USER32
Event Category:	None
Event ID:	1073
Date: 3/11/2011
Time: 10:29:29 PM
User: NT AUTHORITY\SYSTEM
Computer:	DBMKS671
Description:
The attempt to reboot DBMKS671 failed

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....

Application Errors:

Event Type:	Error
Event Source:	ESENT
Event Category:	Database Page Cache 
Event ID:	474
Date: 3/13/2011
Time: 4:01:35 AM
User: N/A
Computer:	DBMKS671
Description:
wuauclt (1296) The database page read from the file "C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb" at offset 82333696 (0x0000000004e85000) for 4096 (0x00001000) bytes failed verification due to a page checksum mismatch. The expected checksum was 1643631267 (0x61f7d2a3) and the actual checksum was 1643639459 (0x61f7f2a3). The read operation will fail with error -1018 (0xfffffc06). If this condition persists then please restore the database from a previous backup.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1001
Date: 3/12/2011
Time: 6:18:56 PM
User: N/A
Computer:	DBMKS671
Description:
Fault bucket -1943580416.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket: 
0008: 2d 31 39 34 33 35 38 30 -1943580
0010: 34 31 36 0d 0a 416.. 
Event Type:	Error
Event Source:	Application Error
Event Category:	(100)
Event ID:	1000
Date: 3/12/2011
Time: 6:17:54 PM
User: N/A
Computer:	DBMKS671
Description:
Faulting application MsMpEng.exe, version 1.1.1593.0, faulting module mpengine.dll, version 1.1.6603.0, fault address 0x000b602d.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 4d 73 4d ure MsM
0018: 70 45 6e 67 2e 65 78 65 pEng.exe
0020: 20 31 2e 31 2e 31 35 39 1.1.159
0028: 33 2e 30 20 69 6e 20 6d 3.0 in m
0030: 70 65 6e 67 69 6e 65 2e pengine.
0038: 64 6c 6c 20 31 2e 31 2e dll 1.1.
0040: 36 36 30 33 2e 30 20 61 6603.0 a
0048: 74 20 6f 66 66 73 65 74 t offset
0050: 20 30 30 30 62 36 30 32 000b602
0058: 64 d 
Event Type:	Warning
Event Source:	Userenv
Event Category:	None
Event ID:	1517
Date: 3/12/2011
Time: 6:15:57 PM
User: NT AUTHORITY\SYSTEM
Computer:	DBMKS671
Description:
Windows saved user DBMKS671\john ercolino registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Warning
Event Source:	Userenv
Event Category:	None
Event ID:	1524
Date: 3/12/2011
Time: 6:15:56 PM
User: DBMKS671\john ercolino
Computer:	DBMKS671
Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	WinDefendRtp
Event Category:	None
Event ID:	3003
Date: 3/12/2011
Time: 3:52:54 PM
User: N/A
Computer:	DBMKS671
Description:
Windows Defender Real-Time Protection checkpoint has encountered an error and failed to start.
User: DBMKS671\john ercolino
Checkpoint ID: 1
Error Code: 0x8000ffff
Error description: Catastrophic failure

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	WinDefendRtp
Event Category:	None
Event ID:	3003
Date: 3/12/2011
Time: 3:52:54 PM
User: N/A
Computer:	DBMKS671
Description:
Windows Defender Real-Time Protection checkpoint has encountered an error and failed to start.
User: DBMKS671\john ercolino
Checkpoint ID: 1
Error Code: 0x80070005
Error description: Access is denied.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 3/12/2011
Time: 11:27:46 AM
User: N/A
Computer:	DBMKS671
Description:
Faulting application pev.cfxxe, version 0.0.0.0, faulting module pev.cfxxe, version 0.0.0.0, fault address 0x00041355.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 70 65 76 ure pev
0018: 2e 63 66 78 78 65 20 30 .cfxxe 0
0020: 2e 30 2e 30 2e 30 20 69 .0.0.0 i
0028: 6e 20 70 65 76 2e 63 66 n pev.cf
0030: 78 78 65 20 30 2e 30 2e xxe 0.0.
0038: 30 2e 30 20 61 74 20 6f 0.0 at o
0040: 66 66 73 65 74 20 30 30 ffset 00
0048: 30 34 31 33 35 35 0d 0a 041355..
Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 3/12/2011
Time: 11:25:34 AM
User: N/A
Computer:	DBMKS671
Description:
Faulting application pev.cfxxe, version 0.0.0.0, faulting module pev.cfxxe, version 0.0.0.0, fault address 0x000ce040.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 70 65 76 ure pev
0018: 2e 63 66 78 78 65 20 30 .cfxxe 0
0020: 2e 30 2e 30 2e 30 20 69 .0.0.0 i
0028: 6e 20 70 65 76 2e 63 66 n pev.cf
0030: 78 78 65 20 30 2e 30 2e xxe 0.0.
0038: 30 2e 30 20 61 74 20 6f 0.0 at o
0040: 66 66 73 65 74 20 30 30 ffset 00
0048: 30 63 65 30 34 30 0d 0a 0ce040..
Event Type:	Error
Event Source:	Application Hang
Event Category:	(101)
Event ID:	1002
Date: 3/12/2011
Time: 11:17:54 AM
User: N/A
Computer:	DBMKS671
Description:
Hanging application ComboFix[1].exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 43 6f 6d 62 6f 46 ComboF
0018: 69 78 5b 31 5d 2e 65 78 ix[1].ex
0020: 65 20 30 2e 30 2e 30 2e e 0.0.0.
0028: 30 20 69 6e 20 68 75 6e 0 in hun
0030: 67 61 70 70 20 30 2e 30 gapp 0.0
0038: 2e 30 2e 30 20 61 74 20 .0.0 at 
0040: 6f 66 66 73 65 74 20 30 offset 0
0048: 30 30 30 30 30 30 30 0000000 
Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1001
Date: 3/12/2011
Time: 1:23:19 AM
User: N/A
Computer:	DBMKS671
Description:
Fault bucket -2075597031.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket: 
0008: 2d 32 30 37 35 35 39 37 -2075597
0010: 30 33 31 0d 0a 031.. 
Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 3/12/2011
Time: 1:21:34 AM
User: N/A
Computer:	DBMKS671
Description:
Faulting application onlinecmdlinescanner.exe, version 0.0.0.0, faulting module esets_apiw_a.dll, version 3.0.15.0, fault address 0x00004440.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 6f 6e 6c ure onl
0018: 69 6e 65 63 6d 64 6c 69 inecmdli
0020: 6e 65 73 63 61 6e 6e 65 nescanne
0028: 72 2e 65 78 65 20 30 2e r.exe 0.
0030: 30 2e 30 2e 30 20 69 6e 0.0.0 in
0038: 20 65 73 65 74 73 5f 61 esets_a
0040: 70 69 77 5f 61 2e 64 6c piw_a.dl
0048: 6c 20 33 2e 30 2e 31 35 l 3.0.15
0050: 2e 30 20 61 74 20 6f 66 .0 at of
0058: 66 73 65 74 20 30 30 30 fset 000
0060: 30 34 34 34 30 0d 0a 04440.. 
Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 3/12/2011
Time: 1:21:34 AM
User: N/A
Computer:	DBMKS671
Description:
Faulting application onlinecmdlinescanner.exe, version 0.0.0.0, faulting module esets_apiw_a.dll, version 3.0.15.0, fault address 0x00004440.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 6f 6e 6c ure onl
0018: 69 6e 65 63 6d 64 6c 69 inecmdli
0020: 6e 65 73 63 61 6e 6e 65 nescanne
0028: 72 2e 65 78 65 20 30 2e r.exe 0.
0030: 30 2e 30 2e 30 20 69 6e 0.0.0 in
0038: 20 65 73 65 74 73 5f 61 esets_a
0040: 70 69 77 5f 61 2e 64 6c piw_a.dl
0048: 6c 20 33 2e 30 2e 31 35 l 3.0.15
0050: 2e 30 20 61 74 20 6f 66 .0 at of
0058: 66 73 65 74 20 30 30 30 fset 000
0060: 30 34 34 34 30 0d 0a 04440.. 
Event Type:	Error
Event Source:	crypt32
Event Category:	None
Event ID:	8
Date: 3/11/2011
Time: 11:16:09 PM
User: N/A
Computer:	DBMKS671
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	crypt32
Event Category:	None
Event ID:	8
Date: 3/11/2011
Time: 11:16:09 PM
User: N/A
Computer:	DBMKS671
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 3/11/2011
Time: 10:10:34 PM
User: N/A
Computer:	DBMKS671
Description:
Faulting application pev.cfxxe, version 0.0.0.0, faulting module pev.cfxxe, version 0.0.0.0, fault address 0x000ce040.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 70 65 76 ure pev
0018: 2e 63 66 78 78 65 20 30 .cfxxe 0
0020: 2e 30 2e 30 2e 30 20 69 .0.0.0 i
0028: 6e 20 70 65 76 2e 63 66 n pev.cf
0030: 78 78 65 20 30 2e 30 2e xxe 0.0.
0038: 30 2e 30 20 61 74 20 6f 0.0 at o
0040: 66 66 73 65 74 20 30 30 ffset 00
0048: 30 63 65 30 34 30 0d 0a 0ce040..
Event Type:	Error
Event Source:	Application Error
Event Category:	(100)
Event ID:	1000
Date: 3/11/2011
Time: 10:07:04 PM
User: N/A
Computer:	DBMKS671
Description:
Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 64 72 77 ure drw
0018: 74 73 6e 33 32 2e 65 78 tsn32.ex
0020: 65 20 35 2e 31 2e 32 36 e 5.1.26
0028: 30 30 2e 30 20 69 6e 20 00.0 in 
0030: 64 62 67 68 65 6c 70 2e dbghelp.
0038: 64 6c 6c 20 35 2e 31 2e dll 5.1.
0040: 32 36 30 30 2e 35 35 31 2600.551
0048: 32 20 61 74 20 6f 66 66 2 at off
0050: 73 65 74 20 30 30 30 31 set 0001
0058: 32 39 35 64 295d 
Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 3/11/2011
Time: 10:06:27 PM
User: N/A
Computer:	DBMKS671
Description:
Faulting application dumphive.cfxxe, version 0.0.0.0, faulting module dumphive.cfxxe, version 0.0.0.0, fault address 0x00008444.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 64 75 6d ure dum
0018: 70 68 69 76 65 2e 63 66 phive.cf
0020: 78 78 65 20 30 2e 30 2e xxe 0.0.
0028: 30 2e 30 20 69 6e 20 64 0.0 in d
0030: 75 6d 70 68 69 76 65 2e umphive.
0038: 63 66 78 78 65 20 30 2e cfxxe 0.
0040: 30 2e 30 2e 30 20 61 74 0.0.0 at
0048: 20 6f 66 66 73 65 74 20 offset 
0050: 30 30 30 30 38 34 34 34 00008444
0058: 0d 0a .. 
Event Type:	Error
Event Source:	Application Error
Event Category:	(100)
Event ID:	1000
Date: 3/11/2011
Time: 10:06:19 PM
User: N/A
Computer:	DBMKS671
Description:
Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 35 35 31 32 20 00.5512 
0030: 69 6e 20 75 6e 6b 6e 6f in unkno
0038: 77 6e 20 30 2e 30 2e 30 wn 0.0.0
0040: 2e 30 20 61 74 20 6f 66 .0 at of
0048: 66 73 65 74 20 30 30 30 fset 000
0050: 30 30 30 30 30 00000 
Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 3/11/2011
Time: 10:05:15 PM
User: N/A
Computer:	DBMKS671
Description:
Faulting application grep.cfxxe, version 0.0.0.0, faulting module grep.cfxxe, version 0.0.0.0, fault address 0x00009216.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 67 72 65 ure gre
0018: 70 2e 63 66 78 78 65 20 p.cfxxe 
0020: 30 2e 30 2e 30 2e 30 20 0.0.0.0 
0028: 69 6e 20 67 72 65 70 2e in grep.
0030: 63 66 78 78 65 20 30 2e cfxxe 0.
0038: 30 2e 30 2e 30 20 61 74 0.0.0 at
0040: 20 6f 66 66 73 65 74 20 offset 
0048: 30 30 30 30 39 32 31 36 00009216
0050: 0d 0a .. 
Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1001
Date: 3/11/2011
Time: 9:54:36 PM
User: N/A
Computer:	DBMKS671
Description:
Fault bucket 1992029071.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket: 
0008: 31 39 39 32 30 32 39 30 19920290
0010: 37 31 0d 0a 71.. 
Event Type:	Error
Event Source:	Application Error
Event Category:	(100)
Event ID:	1000
Date: 3/11/2011
Time: 9:54:28 PM
User: N/A
Computer:	DBMKS671
Description:
Faulting application svchost.exe, version 5.1.2600.5512, faulting module msxml3.dll, version 8.100.1052.0, fault address 0x00015862.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 73 76 63 ure svc
0018: 68 6f 73 74 2e 65 78 65 host.exe
0020: 20 35 2e 31 2e 32 36 30 5.1.260
0028: 30 2e 35 35 31 32 20 69 0.5512 i
0030: 6e 20 6d 73 78 6d 6c 33 n msxml3
0038: 2e 64 6c 6c 20 38 2e 31 .dll 8.1
0040: 30 30 2e 31 30 35 32 2e 00.1052.
0048: 30 20 61 74 20 6f 66 66 0 at off
0050: 73 65 74 20 30 30 30 31 set 0001
0058: 35 38 36 32 5862 
Event Type:	Error
Event Source:	Userenv
Event Category:	None
Event ID:	1041
Date: 3/11/2011
Time: 9:43:33 PM
User: NT AUTHORITY\SYSTEM
Computer:	DBMKS671
Description:
Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	Userenv
Event Category:	None
Event ID:	1041
Date: 3/11/2011
Time: 9:43:33 PM
User: NT AUTHORITY\SYSTEM
Computer:	DBMKS671
Description:
Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	Userenv
Event Category:	None
Event ID:	1041
Date: 3/11/2011
Time: 9:43:33 PM
User: NT AUTHORITY\SYSTEM
Computer:	DBMKS671
Description:
Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	Userenv
Event Category:	None
Event ID:	1041
Date: 3/11/2011
Time: 9:43:33 PM
User: NT AUTHORITY\SYSTEM
Computer:	DBMKS671
Description:
Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:	Error
Event Source:	Userenv
Event Category:	None
Event ID:	1041
Date: 3/11/2011
Time: 9:28:47 PM
User: NT AUTHORITY\SYSTEM
Computer:	DBMKS671
Description:
Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


----------



## Cookiegal (Aug 27, 2003)

john m ercolino said:


> There is an entry that has no warning but is expanded and written in yellow, it says other device in yellow, and then unknown device in yellow below it.


Can you please post a screen shot of what you're seeing there?


----------



## john m ercolino (Jan 14, 2007)

Couldn't put the screenshot here, so I attached it.


----------



## john m ercolino (Jan 14, 2007)

Tried again.


----------



## Cookiegal (Aug 27, 2003)

Go to *Start* - *Run* and type in the following and hit Enter.

*dxdiag*

Allow it to run as it gathers information about the system. Then click on "Save All Information" at the bottom right-hand side and save it to your desktop. Upload the report as an attachment please.


----------



## john m ercolino (Jan 14, 2007)

Here's the report.


----------



## Cookiegal (Aug 27, 2003)

Please open MalwareBytes and check the logs. I'd like you to post the log that detected the infection initially as I'd like to see what was deleted.

Then update MBAM and run a full scan and post that new log as well.


----------



## john m ercolino (Jan 14, 2007)

Whew, not a simple result. I checked MBAM; there were no log files. I may have cleaned them out the other day in error. I opened MBAM to update; it said the update was not compatible with this version of MBAM. I tried to update the program, no success. I removed MBAM and downloaded a new copy and updated the database, all fine except for an error about the entry point of a font file. About halfway through the scan, the computer blacks out and reboots. Sound familiar? When it reboots, it said some xxxxgui fault, and then that it has recovered from a serious error, which brings me to a page where I could update the px engine driver from Roxio, which I did, and here I am again. I am going to give you the Event Viewer log report of the incident, and then after posting this try the scan again.

Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 3/13/2011
Time: 3:04:35 PM
User: N/A
Computer:	DBMKS671
Description:
Faulting application mbam.exe, version 1.50.1.3, faulting module rpcrt4.dll, version 5.1.2600.6022, fault address 0x0008b519.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 6d 62 61 ure mba
0018: 6d 2e 65 78 65 20 31 2e m.exe 1.
0020: 35 30 2e 31 2e 33 20 69 50.1.3 i
0028: 6e 20 72 70 63 72 74 34 n rpcrt4
0030: 2e 64 6c 6c 20 35 2e 31 .dll 5.1
0038: 2e 32 36 30 30 2e 36 30 .2600.60
0040: 32 32 20 61 74 20 6f 66 22 at of
0048: 66 73 65 74 20 30 30 30 fset 000
0050: 38 62 35 31 39 0d 0a 8b519..


----------



## john m ercolino (Jan 14, 2007)

The next MBAM scan ran for about 25 minutes until it got to scanning i386\sprbolif.dll?\service pack3; then everything froze. Could not open Task Manager; had to cut the power to unfreeze and reboot.

Here is the eventlog:
Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1000
Date: 3/13/2011
Time: 4:03:00 PM
User: N/A
Computer:	DBMKS671
Description:
Faulting application mbam.exe, version 1.50.1.3, faulting module msvbvm60.dll, version 6.0.98.2, fault address 0x000665fc.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 6d 62 61 ure mba
0018: 6d 2e 65 78 65 20 31 2e m.exe 1.
0020: 35 30 2e 31 2e 33 20 69 50.1.3 i
0028: 6e 20 6d 73 76 62 76 6d n msvbvm
0030: 36 30 2e 64 6c 6c 20 36 60.dll 6
0038: 2e 30 2e 39 38 2e 32 20 .0.98.2 
0040: 61 74 20 6f 66 66 73 65 at offse
0048: 74 20 30 30 30 36 36 35 t 000665
0050: 66 63 0d 0a fc.. 
Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1001
Date: 3/13/2011
Time: 4:03:06 PM
User: N/A
Computer:	DBMKS671
Description:
Fault bucket -1942415837.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket: 
0008: 2d 31 39 34 32 34 31 35 -1942415
0010: 38 33 37 0d 0a 837.. 
Event Type:	Error
Event Source:	Application Error
Event Category:	(100)
Event ID:	1000
Date: 3/13/2011
Time: 4:03:10 PM
User: N/A
Computer:	DBMKS671
Description:
Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 64 72 77 ure drw
0018: 74 73 6e 33 32 2e 65 78 tsn32.ex
0020: 65 20 35 2e 31 2e 32 36 e 5.1.26
0028: 30 30 2e 30 20 69 6e 20 00.0 in 
0030: 64 62 67 68 65 6c 70 2e dbghelp.
0038: 64 6c 6c 20 35 2e 31 2e dll 5.1.
0040: 32 36 30 30 2e 35 35 31 2600.551
0048: 32 20 61 74 20 6f 66 66 2 at off
0050: 73 65 74 20 30 30 30 31 set 0001
0058: 32 39 35 64 295d 
Event Type:	Error
Event Source:	Application Error
Event Category:	None
Event ID:	1001
Date: 3/13/2011
Time: 4:03:14 PM
User: N/A
Computer:	DBMKS671
Description:
Fault bucket 223121472.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket: 
0008: 32 32 33 31 32 31 34 37 22312147
0010: 32 0d 0a 2.. 
Event Type:	Error
Event Source:	Application Hang
Event Category:	(101)
Event ID:	1002
Date: 3/13/2011
Time: 4:03:42 PM
User: N/A
Computer:	DBMKS671
Description:
Hanging application mbam.exe, version 1.50.1.3, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 6d 62 61 6d 2e 65 mbam.e
0018: 78 65 20 31 2e 35 30 2e xe 1.50.
0020: 31 2e 33 20 69 6e 20 68 1.3 in h
0028: 75 6e 67 61 70 70 20 30 ungapp 0
0030: 2e 30 2e 30 2e 30 20 61 .0.0.0 a
0038: 74 20 6f 66 66 73 65 74 t offset
0040: 20 30 30 30 30 30 30 30 0000000
0048: 30 0
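
The Event Viewer exports pasted in this thread are easier to triage once they are grouped by faulting application and module, so that a process that keeps dying inside different DLLs (here mbam.exe in rpcrt4.dll, msvbvm60.dll and as a hang) stands out from one-off errors. The parser below is an added example, not a tool used in this thread; the embedded log excerpt is constructed in the same format as the records posted above, and the function and class names are the example's own.

```python
"""Parse a Windows XP Event Viewer text export and group crash/hang events by app and module."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt in the format of the records posted above (not the poster's full log).
SAMPLE_LOG = """\
Event Type:\tError
Event Source:\tApplication Error
Event ID:\t1000
Date: 3/13/2011
Time: 3:04:35 PM
Description:
Faulting application mbam.exe, version 1.50.1.3, faulting module rpcrt4.dll, version 5.1.2600.6022, fault address 0x0008b519.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
Event Type:\tError
Event Source:\tApplication Error
Event ID:\t1001
Date: 3/13/2011
Time: 4:03:06 PM
Description:
Fault bucket -1942415837.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:\tError
Event Source:\tApplication Hang
Event ID:\t1002
Date: 3/13/2011
Time: 4:03:42 PM
Description:
Hanging application mbam.exe, version 1.50.1.3, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
"""

HEADER_RE = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")
# One pattern covers "Faulting application ..." (ID 1000) and "Hanging application ..." (ID 1002).
CRASH_RE = re.compile(r"^(Faulting|Hanging) application (.+?), version (\S+?), (?:faulting|hang) module (.+?), "
                      r"version (\S+?), (?:fault|hang) address (0x[0-9A-Fa-f]+)\.")

@dataclass
class Event:
    source: str
    event_id: int
    date: str
    time: str
    description: str
    kind: Optional[str] = None    # "fault", "hang", or None for non-crash records (e.g. ID 1001)
    app: Optional[str] = None
    module: Optional[str] = None
    address: Optional[str] = None

def split_records(text: str) -> List[List[str]]:
    """Each record begins at a line starting with 'Event Type:'; anything before the first is dropped."""
    records: List[List[str]] = []
    for line in text.splitlines():
        if line.startswith("Event Type:"):
            records.append([])
        if records:
            records[-1].append(line)
    return records

def parse_record(lines: List[str]) -> Event:
    fields, desc, in_desc = {}, [], False
    for line in lines:
        if line.startswith("Description:"):
            in_desc = True
        elif in_desc:
            # The description runs until the boilerplate footer or the hex "Data:" dump.
            if line.startswith("For more information") or line.startswith("Data:"):
                in_desc = False
            elif line.strip():
                desc.append(line.strip())
        else:
            m = HEADER_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2).strip()
    ev = Event(source=fields.get("Event Source", ""), event_id=int(fields.get("Event ID") or 0),
               date=fields.get("Date", ""), time=fields.get("Time", ""), description=" ".join(desc))
    m = CRASH_RE.match(ev.description)
    if m:
        ev.kind = "hang" if m.group(1) == "Hanging" else "fault"
        ev.app, ev.module, ev.address = m.group(2), m.group(4), m.group(6)
    return ev

def parse_events(text: str) -> List[Event]:
    return [parse_record(r) for r in split_records(text)]

def crashes_by_pair(events: List[Event]) -> Counter:
    """Faults/hangs per (app, module); one app dying in several unrelated DLLs points at the process itself."""
    return Counter((e.app, e.module) for e in events if e.app)

if __name__ == "__main__":
    for (app, mod), n in crashes_by_pair(parse_events(SAMPLE_LOG)).most_common():
        print(f"{n:3d}  {app} -> {mod}")
```

Paste a whole Event Viewer export in place of the sample and the same grouping works; the 1001 "Fault bucket" records are kept as events but never counted as crashes, because they only reference the preceding 1000 record.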


----------



## john m ercolino (Jan 14, 2007)

I've tried three more times to do the MBAM scan; every time it either has told me there was a problem and MBAM had to close, or it blacked out and rebooted. Whatever this is, I think it regenerates every time I reboot? Does that make sense? It seems we make a little progress and then a reboot brings us back to where it was before?


----------



## Cookiegal (Aug 27, 2003)

Please go back to the Device Manager (Start - Run - devmgmt.msc) and then click on "View" and select "Show Hidden Devices" and then post that screenshot please like you did before.

Also, if you double-click on the device that has a yellow question mark (the second one) does another screen open up? If so it will likely be on the General tab by default. Can you post a screenshot of that as well as the information under the Driver tab (when you click on Driver Details) please.


----------



## john m ercolino (Jan 14, 2007)

Sorry, was out all day covering for a worker who didn't show up.
Here is the screenshot with show hidden devices checked; looks the same.


----------



## john m ercolino (Jan 14, 2007)

Forgot this one.


----------



## Cookiegal (Aug 27, 2003)

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1*
*Download Mirror #2*
Double-click *SystemLook.exe* to run it.
Copy the content of the following code box into the main text field:

```
:filefind
dac2w2k.sys
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*


----------



## john m ercolino (Jan 14, 2007)

SystemLook 04.09.10 by jpshortstuff
Log created at 21:59 on 14/03/2011 by john ercolino
Administrator - Elevation successful

========== filefind ==========

Searching for "dac2w2k.sys"
C:\I386\DAC2W2K.SYS	--a--c- 179584 bytes	[13:39 13/04/2005]	[19:52 17/08/2001] E550E7418984B65A78299D248F0A7F36
C:\WINDOWS\SYSTEM32\DRIVERS\dac2w2k.sys	--a---- 179584 bytes	[12:18 12/08/2004]	[12:18 12/08/2004] E550E7418984B65A78299D248F0A7F36

-= EOF =-


----------



## Cookiegal (Aug 27, 2003)

In your last screenshot in post 120, click on "Reinstall Driver".


----------



## john m ercolino (Jan 14, 2007)

Okay, so the first time I tried to comply and reinstall the driver, I got the screenshot I'm sending you. It couldn't install the driver; it said if I wanted to select a different location I could type it in the box. I put in the location that SystemLook said it was; the computer blacked out and rebooted. I have also begun to notice that unless during the boot process I tell it to use the last known good settings, it comes back up with my Avast turned off, and takes a long time to be usable. I don't think this is coincidence.


----------



## john m ercolino (Jan 14, 2007)

Stranger yet, it is where SystemLook said it was?


----------



## Cookiegal (Aug 27, 2003)

Please check to see if this file exists (created by Combofix) and if it does, open it with Notepad and copy and paste the contents here please.

C:\QooBox\ComboFix-quarantined-files.txt


----------



## john m ercolino (Jan 14, 2007)

The directory exists but no "quarantines-files.txt" there.


----------



## john m ercolino (Jan 14, 2007)

This was in the C:\Qoobox\quarantine\windows directory: is it of interest?


----------



## Cookiegal (Aug 27, 2003)

It's a little too small. Can you tell me the name of that file in the middle?

Can you also post a screen shot of what's in the Qoobox folder?


----------



## john m ercolino (Jan 14, 2007)

The name of the middle file is msvcrt.dll. When I checked the properties of these files they said they were created 8/12/2004 and last modified 4/13/2008. I think they are remnants of something old.


----------



## john m ercolino (Jan 14, 2007)

I finally got the gmer to run fully, here is the report. Also the screen shot you last asked for, I did not notice it was blocked.

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-03-16 02:30:20
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Intel___ rev.1.0.
Running: 2oedc4s2.exe; Driver: C:\DOCUME~1\JOHNER~1.DBM\LOCALS~1\Temp\kwroapow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xAA6BB9CA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xAA710A68]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xAA6DBAF5]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xAA6BDEAC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xAA6BDF04]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xAA6BE01A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xAA6DB4A9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xAA6BDE02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xAA6BDF54]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xAA6BDE56]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xAA6BDFC8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xAA6BB9EE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xAA6DC1BB]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xAA6DC471]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xAA6BE29E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xAA6DC026]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xAA6DBE91]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xAA710B18]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xAA6BB7B8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xAA6BBA12]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xAA6BE412]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xAA6BC4AA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xAA6BDEDC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xAA6BDF2C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xAA6BE044]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xAA6DB805]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xAA6BDE2E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xAA6BE0D6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xAA6BDF94]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xAA6BDE84]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xAA6BE1BA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xAA6BDFF2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xAA710BB0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xAA6DBD0C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xAA6BC370]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xAA6DBB5E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xAA718E26]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xAA6DAB1C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xAA6BBA36]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xAA6BBA5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xAA6BB812]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xAA6BB94E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xAA6DC2C2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwShutdownSystem [0xAA6BB92A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xAA6BB972]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xAA6BBA7E]

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64A8 4 Bytes CALL AA6BCE25 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB8BF8F80]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe[312] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030 
.text C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe[312] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C 
.text C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe[312] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003801D4 
.text C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe[312] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003800E4 
.text C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe[312] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00380120 
.text C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe[312] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0038015C 
.text C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe[312] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00380198 
.text C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe[312] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00380030 
.text C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe[312] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0038006C 
.text C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe[312] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003800A8 
.text C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe[312] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003900E4 
.text C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe[312] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390120 
.text C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe[312] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003900A8 
.text C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe[312] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00390030 
.text C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe[312] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0039006C 
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[324] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030 
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[324] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C 
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[324] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003801D4 
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[324] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003800E4 
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[324] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00380120 
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[324] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0038015C 
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[324] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00380198 
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[324] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00380030 
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[324] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0038006C 
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[324] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003800A8 
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[324] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003900E4 
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[324] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390120 
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[324] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003900A8 
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[324] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00390030 
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[324] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0039006C 
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[344] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030 
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[344] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C 
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[344] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003800E4 
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[344] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380120 
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[344] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003800A8 
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[344] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00380030 
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[344] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0038006C 
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[344] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003901D4 
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[344] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003900E4 
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[344] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390120 
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[344] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0039015C 
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[344] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390198 
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[344] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00390030 
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[344] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0039006C 
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[344] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003900A8 
.text C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe[372] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030 
.text  C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe[372] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C 
.text C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe[372] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A00E4 
.text C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe[372] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0120 
.text C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe[372] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A00A8 
.text C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe[372] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A0030 
.text C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe[372] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A006C 
.text C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe[372] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003B01D4 
.text C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe[372] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003B00E4 
.text C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe[372] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003B0120 
.text C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe[372] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003B015C 
.text C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe[372] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003B0198 
.text C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe[372] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003B0030 
.text C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe[372] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003B006C 
.text C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe[372] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003B00A8 
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[644] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00140030 
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[644] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0014006C 
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[644] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A00E4 
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[644] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0120 
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[644] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A00A8 
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[644] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A0030 
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[644] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A006C 
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[644] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003B01D4 
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[644] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003B00E4 
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[644] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003B0120 
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[644] ADVAPI32.dll!ChangeServiceConfig2A  77E37101 5 Bytes JMP 003B015C 
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[644] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003B0198 
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[644] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003B0030 
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[644] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003B006C 
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[644] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003B00A8 
.text C:\WINDOWS\system32\winlogon.exe[816] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00070030 
.text C:\WINDOWS\system32\winlogon.exe[816] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0007006C 
.text C:\WINDOWS\system32\winlogon.exe[816] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4 
.text C:\WINDOWS\system32\winlogon.exe[816] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4 
.text C:\WINDOWS\system32\winlogon.exe[816] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120 
.text C:\WINDOWS\system32\winlogon.exe[816] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C 
.text C:\WINDOWS\system32\winlogon.exe[816] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198 
.text C:\WINDOWS\system32\winlogon.exe[816] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030 
.text C:\WINDOWS\system32\winlogon.exe[816] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C 
.text C:\WINDOWS\system32\winlogon.exe[816] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8 
.text C:\WINDOWS\system32\winlogon.exe[816] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4 
.text C:\WINDOWS\system32\winlogon.exe[816] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120 
.text C:\WINDOWS\system32\winlogon.exe[816] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8 
.text C:\WINDOWS\system32\winlogon.exe[816] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030 
.text C:\WINDOWS\system32\winlogon.exe[816] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C 
.text C:\WINDOWS\system32\services.exe[860] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030 
.text C:\WINDOWS\system32\services.exe[860] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C 
.text C:\WINDOWS\system32\services.exe[860] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4 
.text C:\WINDOWS\system32\services.exe[860] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4 
.text C:\WINDOWS\system32\services.exe[860] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120 
.text C:\WINDOWS\system32\services.exe[860] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C 
.text C:\WINDOWS\system32\services.exe[860] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198 
.text C:\WINDOWS\system32\services.exe[860] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030 
.text C:\WINDOWS\system32\services.exe[860] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C 
.text C:\WINDOWS\system32\services.exe[860] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8 
.text C:\WINDOWS\system32\services.exe[860] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4 
.text C:\WINDOWS\system32\services.exe[860] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120 
.text C:\WINDOWS\system32\services.exe[860] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8 
.text C:\WINDOWS\system32\services.exe[860] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030 
.text C:\WINDOWS\system32\services.exe[860] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C 
.text C:\WINDOWS\system32\savedump.exe[872] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030 
.text C:\WINDOWS\system32\savedump.exe[872] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C 
.text C:\WINDOWS\system32\savedump.exe[872] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4 
.text C:\WINDOWS\system32\savedump.exe[872] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4 
.text C:\WINDOWS\system32\savedump.exe[872] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120 
.text C:\WINDOWS\system32\savedump.exe[872] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C 
.text C:\WINDOWS\system32\savedump.exe[872] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198 
.text C:\WINDOWS\system32\savedump.exe[872] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030 
.text C:\WINDOWS\system32\savedump.exe[872] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C 
.text C:\WINDOWS\system32\savedump.exe[872] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8 
.text C:\WINDOWS\system32\savedump.exe[872] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4 
.text C:\WINDOWS\system32\savedump.exe[872] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120 
.text C:\WINDOWS\system32\savedump.exe[872] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8 
.text C:\WINDOWS\system32\savedump.exe[872] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030 
.text C:\WINDOWS\system32\savedump.exe[872] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C 
.text C:\WINDOWS\system32\lsass.exe[880] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030 
.text C:\WINDOWS\system32\lsass.exe[880] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C 
.text C:\WINDOWS\system32\lsass.exe[880] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4 
.text C:\WINDOWS\system32\lsass.exe[880] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4 
.text C:\WINDOWS\system32\lsass.exe[880] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120 
.text C:\WINDOWS\system32\lsass.exe[880] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C 
.text C:\WINDOWS\system32\lsass.exe[880] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198 
.text C:\WINDOWS\system32\lsass.exe[880] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030 
.text C:\WINDOWS\system32\lsass.exe[880] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C 
.text C:\WINDOWS\system32\lsass.exe[880] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8 
.text C:\WINDOWS\system32\lsass.exe[880] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4 
.text C:\WINDOWS\system32\lsass.exe[880] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120 
.text C:\WINDOWS\system32\lsass.exe[880] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8 
.text C:\WINDOWS\system32\lsass.exe[880] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030 
.text C:\WINDOWS\system32\lsass.exe[880] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C 
.text C:\Documents and Settings\john ercolino.DBMKS671\Desktop\2oedc4s2.exe[1012] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00160030 
.text C:\Documents and Settings\john ercolino.DBMKS671\Desktop\2oedc4s2.exe[1012] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0016006C 
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00140030 
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0014006C 
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003800E4 
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380120 
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003800A8 
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00380030 
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0038006C 
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003901D4 
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003900E4 
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390120 
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0039015C 
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390198 
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00390030 
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0039006C 
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003900A8 
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] RPCRT4.dll!RpcServerRegisterIf + 137 77E8E315 1 Byte [01]
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] msvcrt.dll!_ctype + 2AB5 4DC05355 1 Byte [2E]
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] ole32.dll!WdtpInterfacePointer_UserFree + FFEE8493 774EE355 1 Byte [8F]
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] ole32.dll!WdtpInterfacePointer_UserFree + FFEEC493 774F2355 1 Byte [67]
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] ole32.dll!ComPs_NdrDllCanUnloadNow + C 774FCEF5 1 Byte [FF]
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] ole32.dll!CoGetClassObject + 1160 77516355 1 Byte [DF]
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] ole32.dll!CoUnmarshalInterface + BF9 7752DF35 1 Byte [FF]
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] ole32.dll!StgOpenStorageEx + 314D 77551EF5 1 Byte [77]
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] ole32.dll!CoWaitForMultipleHandles + 319C 7755A315 1 Byte [C9]
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] ole32.dll!CoWaitForMultipleHandles + 11DBC 77568F35 1 Byte [24]
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] ole32.dll!ComPs_NdrDllGetClassObject + 815 775A6355 1 Byte [CC] {INT 3 }
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] ole32.dll!ComPs_NdrStubCall2 + 1360D 775B9EF5 1 Byte [FF]
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] ole32.dll!SNB_UserFree + 707A 775C1EF5 1 Byte [F3]
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] ole32.dll!OleCreateStaticFromData + 28E  775CA315 1 Byte [DF]
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] ole32.dll!OleRegEnumFormatEtc + 4BE8 775D9355 1 Byte [33]
.text C:\WINDOWS\system32\Ati2evxx.exe[1076] ole32.dll!StgGetIFillLockBytesOnFile + BD15 775FCEF5 1 Byte [E4]
.text C:\WINDOWS\system32\svchost.exe[1092] ntdll.dll!RtlCaptureContext + 203B 7C905355 1 Byte [A0]
.text C:\WINDOWS\system32\svchost.exe[1092] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030 
.text C:\WINDOWS\system32\svchost.exe[1092] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C 
.text C:\WINDOWS\system32\svchost.exe[1092] ntdll.dll!RtlDeleteAce + 53BC 7C93D355 1 Byte [75]
.text C:\WINDOWS\system32\svchost.exe[1092] ntdll.dll!RtlpNtMakeTemporaryKey + 5C59 7C96E355 1 Byte [00]
.text C:\WINDOWS\system32\svchost.exe[1092] ntdll.dll!wcstombs + 64EC 7C979315 1 Byte [3C]
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!SetUnhandledExceptionFilter + B598 7C84FEF5 1 Byte [F3]
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!SetUnhandledExceptionFilter + 109B8 7C855315 1 Byte [F6]
.text C:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!FindFirstVolumeA + B9C 7C86BF35 1 Byte [60]
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!IdentifyCodeAuthzLevelW + 44D 77DDA315 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!ElfOpenEventLogA + 45E 77DF6355 1 Byte [3B]
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4 
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4 
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120 
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C 
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198 
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030 
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C 
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8 
.text C:\WINDOWS\system32\svchost.exe[1092] RPCRT4.dll!SimpleTypeMemorySize + 2B7D 77E74355 1 Byte [65]
.text C:\WINDOWS\system32\svchost.exe[1092] RPCRT4.dll!RpcServerRegisterAuthInfoW + F1 77E94315 1 Byte [DF]
.text C:\WINDOWS\system32\svchost.exe[1092] RPCRT4.dll!RpcSsContextLockShared + 118 77ED0315 1 Byte [60]
.text C:\WINDOWS\system32\svchost.exe[1092] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4 
.text C:\WINDOWS\system32\svchost.exe[1092] USER32.dll!DeleteMenu + 22 7E42CEF5 1 Byte [66]
.text C:\WINDOWS\system32\svchost.exe[1092] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120 
.text C:\WINDOWS\system32\svchost.exe[1092] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8 
.text C:\WINDOWS\system32\svchost.exe[1092] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030 
.text C:\WINDOWS\system32\svchost.exe[1092] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C 
.text C:\WINDOWS\system32\svchost.exe[1092] USER32.dll!MB_GetString + 5C0 7E466315 1 Byte [75]
.text C:\WINDOWS\system32\svchost.exe[1092] ole32.dll!WdtpInterfacePointer_UserFree + FFEED493 774F3355 1 Byte [0C]
.text C:\WINDOWS\system32\svchost.exe[1092] ole32.dll!WdtpInterfacePointer_UserFree + FFEF1493 774F7355 1 Byte [ED]
.text C:\WINDOWS\system32\svchost.exe[1092] ole32.dll!CoFreeAllLibraries + 31E 77503355 1 Byte [DF]
.text C:\WINDOWS\system32\svchost.exe[1092] ole32.dll!StgOpenStorage + 31 77506EF5 1 Byte [E8]
.text C:\WINDOWS\system32\svchost.exe[1092] ole32.dll!StgOpenStorage + 4491 7750B355 1 Byte [42]
.text C:\WINDOWS\system32\svchost.exe[1092] ole32.dll!CoGetTreatAsClass + EE4 77511EF5 1 Byte [F5]
.text C:\WINDOWS\system32\svchost.exe[1092] ole32.dll!OleGetClipboard + 15E 77532F35 1 Byte [EC]
.text C:\WINDOWS\system32\svchost.exe[1092] ole32.dll!CoWaitForMultipleHandles + 6DBC 7755DF35 1 Byte [FE]
.text C:\WINDOWS\system32\svchost.exe[1092] ole32.dll!UpdateDCOMSettings + 36CC 77593315 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[1092] ole32.dll!CoInstall + 478E 7759B315 1 Byte [F8]
.text C:\WINDOWS\system32\svchost.exe[1092] ole32.dll!SNB_UserFree + 407A 775BEEF5 1 Byte [B7]
.text C:\WINDOWS\system32\svchost.exe[1092] ole32.dll!SNB_UserFree + C49A 775C7315 1 Byte [DF]
.text C:\WINDOWS\system32\svchost.exe[1092] ole32.dll!OleCreateStaticFromData + 28E 775CA315 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[1092] SHELL32.dll!StrStrW + FFE2CFA4 7C9C9EF5 1 Byte [F9]
.text C:\WINDOWS\system32\svchost.exe[1092] SHELL32.dll!SHCreateDirectoryExW + 2B3 7CA11EF5 1 Byte [7C]
.text C:\WINDOWS\system32\svchost.exe[1092] SHELL32.dll!DragQueryFileAorW + 5C4C 7CA1DF35 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[1092] SHELL32.dll!DragQueryFileAorW + 8C0C 7CA20EF5 1 Byte [71]
.text C:\WINDOWS\system32\svchost.exe[1092] SHELL32.dll!SHGetSetFolderCustomSettingsW + 1978 7CA25F35 1 Byte [EC]
.text C:\WINDOWS\system32\svchost.exe[1092] SHELL32.dll!Shell_NotifyIcon + 32F 7CA28EF5 1 Byte [F2]
.text C:\WINDOWS\system32\svchost.exe[1092] SHELL32.dll!SHCreateQueryCancelAutoPlayMoniker + 16F5F 7CA58EF5 1 Byte [24]
.text C:\WINDOWS\system32\svchost.exe[1092] SHELL32.dll!SHFreeNameMappings + 1E5 7CA69315 1 Byte [F0]
.text C:\WINDOWS\system32\svchost.exe[1092] SHELL32.dll!SHCreateDirectoryExA + 25E9 7CA6CF35 1 Byte [B5]
.text C:\WINDOWS\system32\svchost.exe[1092] SHELL32.dll!SHOpenPropSheetW + 82C 7CA79EF5 1 Byte [6A]
.text C:\WINDOWS\system32\svchost.exe[1092] SHELL32.dll!ShellExec_RunDLLW + 5E1 7CAC8EF5 1 Byte [75]
.text C:\WINDOWS\system32\svchost.exe[1092] SHELL32.dll!SHLoadNonloadedIconOverlayIdentifiers + 2A2E6 7CB00EF5 1 Byte [B8]
.text C:\WINDOWS\system32\svchost.exe[1092] SHELL32.dll!SHLoadNonloadedIconOverlayIdentifiers + 4A706 7CB21315 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[1092] SHELL32.dll!CallCPLEntry16 + 993 7CB27EF5 1 Byte [68]
.text C:\WINDOWS\system32\svchost.exe[1092] SHELL32.dll!CallCPLEntry16 + 9DB3 7CB31315 1 Byte [33]
.text C:\WINDOWS\system32\svchost.exe[1092] SHELL32.dll!FindExeDlgProc + D7B5 7CB43F35 1 Byte [A9]
.text C:\WINDOWS\system32\svchost.exe[1092] SHELL32.dll!SHCreateLocalServerRunDll + D5C8 7CB6BF35 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[1092] SHELL32.dll!SHCreateLocalServerRunDll + 1A588 7CB78EF5 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[1092] SHELL32.dll!SHCreateLocalServerRunDll + 1A9A8 7CB79315 1 Byte [7C]
.text C:\WINDOWS\system32\svchost.exe[1092] SHELL32.dll!SHCreateLocalServerRunDll + 1D5C8 7CB7BF35 1 Byte [7D]
.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030 
.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C 
.text C:\WINDOWS\system32\svchost.exe[1164] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4 
.text C:\WINDOWS\system32\svchost.exe[1164] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4 
.text C:\WINDOWS\system32\svchost.exe[1164] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120 
.text C:\WINDOWS\system32\svchost.exe[1164] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C 
.text C:\WINDOWS\system32\svchost.exe[1164] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198 
.text C:\WINDOWS\system32\svchost.exe[1164] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030 
.text C:\WINDOWS\system32\svchost.exe[1164] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C 
.text C:\WINDOWS\system32\svchost.exe[1164] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8 
.text C:\WINDOWS\system32\svchost.exe[1164] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4 
.text C:\WINDOWS\system32\svchost.exe[1164] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120 
.text C:\WINDOWS\system32\svchost.exe[1164] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8 
.text C:\WINDOWS\system32\svchost.exe[1164] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030 
.text C:\WINDOWS\system32\svchost.exe[1164] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C 
.text C:\Program Files\Windows Defender\MsMpEng.exe[1232] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030 
.text C:\Program Files\Windows Defender\MsMpEng.exe[1232] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C 
.text C:\Program Files\Windows Defender\MsMpEng.exe[1232] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002F01D4 
.text C:\Program Files\Windows Defender\MsMpEng.exe[1232] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002F00E4 
.text C:\Program Files\Windows Defender\MsMpEng.exe[1232] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002F0120 
.text C:\Program Files\Windows Defender\MsMpEng.exe[1232] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002F015C 
.text C:\Program Files\Windows Defender\MsMpEng.exe[1232] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002F0198 
.text C:\Program Files\Windows Defender\MsMpEng.exe[1232] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002F0030 
.text C:\Program Files\Windows Defender\MsMpEng.exe[1232] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002F006C 
.text C:\Program Files\Windows Defender\MsMpEng.exe[1232] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002F00A8 
.text C:\Program Files\Windows Defender\MsMpEng.exe[1232] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003000E4 
.text C:\Program Files\Windows Defender\MsMpEng.exe[1232] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00300120 
.text C:\Program Files\Windows Defender\MsMpEng.exe[1232] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003000A8 
.text C:\Program Files\Windows Defender\MsMpEng.exe[1232] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00300030 
.text C:\Program Files\Windows Defender\MsMpEng.exe[1232] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0030006C 
.text C:\WINDOWS\System32\svchost.exe[1308] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030 
.text C:\WINDOWS\System32\svchost.exe[1308] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C 
.text C:\WINDOWS\System32\svchost.exe[1308] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4 
.text C:\WINDOWS\System32\svchost.exe[1308] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4 
.text C:\WINDOWS\System32\svchost.exe[1308] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120 
.text C:\WINDOWS\System32\svchost.exe[1308] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C 
.text C:\WINDOWS\System32\svchost.exe[1308] ADVAPI32.dll!ChangeServiceConfig2W  77E37189 5 Bytes JMP 002B0198 
.text C:\WINDOWS\System32\svchost.exe[1308] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030 
.text C:\WINDOWS\System32\svchost.exe[1308] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C 
.text C:\WINDOWS\System32\svchost.exe[1308] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8 
.text C:\WINDOWS\System32\svchost.exe[1308] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4 
.text C:\WINDOWS\System32\svchost.exe[1308] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120 
.text C:\WINDOWS\System32\svchost.exe[1308] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8 
.text C:\WINDOWS\System32\svchost.exe[1308] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030 
.text C:\WINDOWS\System32\svchost.exe[1308] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C 
.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030 
.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C 
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4 
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4 
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120 
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C 
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198 
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030 
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C 
.text C:\WINDOWS\system32\svchost.exe[1376] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8 
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4 
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120 
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8 
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030 
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C 
.text C:\WINDOWS\system32\svchost.exe[1472] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030 
.text C:\WINDOWS\system32\svchost.exe[1472] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C 
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4 
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4 
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120 
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C 
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198 
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030 
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C 
.text C:\WINDOWS\system32\svchost.exe[1472] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8 
.text C:\WINDOWS\system32\svchost.exe[1472] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4 
.text C:\WINDOWS\system32\svchost.exe[1472] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120 
.text C:\WINDOWS\system32\svchost.exe[1472] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8 
.text C:\WINDOWS\system32\svchost.exe[1472] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030 
.text C:\WINDOWS\system32\svchost.exe[1472] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C 
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1604] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\WINDOWS\system32\WgaTray.exe[1768] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030 
.text C:\WINDOWS\system32\WgaTray.exe[1768] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C 
.text C:\WINDOWS\system32\WgaTray.exe[1768] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002D01D4 
.text C:\WINDOWS\system32\WgaTray.exe[1768] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002D00E4 
.text C:\WINDOWS\system32\WgaTray.exe[1768] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002D0120 
.text C:\WINDOWS\system32\WgaTray.exe[1768] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002D015C 
.text C:\WINDOWS\system32\WgaTray.exe[1768] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002D0198 
.text C:\WINDOWS\system32\WgaTray.exe[1768] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002D0030 
.text C:\WINDOWS\system32\WgaTray.exe[1768] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002D006C 
.text C:\WINDOWS\system32\WgaTray.exe[1768] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002D00A8 
.text C:\WINDOWS\system32\WgaTray.exe[1768] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002E00E4 
.text C:\WINDOWS\system32\WgaTray.exe[1768] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002E0120 
.text C:\WINDOWS\system32\WgaTray.exe[1768] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002E00A8 
.text C:\WINDOWS\system32\WgaTray.exe[1768] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002E0030 
.text C:\WINDOWS\system32\WgaTray.exe[1768] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002E006C 
.text C:\WINDOWS\Explorer.EXE[1780] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030 
.text C:\WINDOWS\Explorer.EXE[1780] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C 
.text C:\WINDOWS\Explorer.EXE[1780] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C01D4 
.text C:\WINDOWS\Explorer.EXE[1780] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C00E4 
.text C:\WINDOWS\Explorer.EXE[1780] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0120 
.text C:\WINDOWS\Explorer.EXE[1780] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C015C 
.text C:\WINDOWS\Explorer.EXE[1780] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0198 
.text C:\WINDOWS\Explorer.EXE[1780] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C0030 
.text C:\WINDOWS\Explorer.EXE[1780] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C006C 
.text C:\WINDOWS\Explorer.EXE[1780] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C00A8 
.text C:\WINDOWS\Explorer.EXE[1780] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D00E4 
.text C:\WINDOWS\Explorer.EXE[1780] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0120 
.text C:\WINDOWS\Explorer.EXE[1780] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D00A8 
.text C:\WINDOWS\Explorer.EXE[1780] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D0030 
.text C:\WINDOWS\Explorer.EXE[1780] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D006C 
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1992] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00160030 
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1992] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0016006C 
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1992] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003E01D4 
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1992] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003E00E4 
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1992] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003E0120 
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1992] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003E015C 
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1992] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003E0198 
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1992] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003E0030 
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1992] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003E006C 
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1992] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003E00A8 
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1992] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003F00E4 
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1992] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003F0120 
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1992] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003F00A8 
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1992] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003F0030 
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1992] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003F006C 
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2008] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030 
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2008] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C 
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2008] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003D00E4 
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2008] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003D0120 
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2008] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003D00A8 
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2008] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003D0030 
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2008] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003D006C 
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2008] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003E01D4 
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2008] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003E00E4 
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2008] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003E0120 
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2008] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003E015C 
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2008] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003E0198 
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2008] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003E0030 
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2008] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003E006C 
.text C:\WINDOWS\system32\dla\tfswctrl.exe[2008] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003E00A8 
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[2024] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00160030 
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[2024] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0016006C 
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[2024] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003900E4 
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[2024] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390120 
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[2024] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003900A8 
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[2024] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00390030 
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[2024] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0039006C 
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[2024] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003A01D4 
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[2024] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003A00E4 
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[2024] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003A0120 
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[2024] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003A015C 
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[2024] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003A0198 
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[2024] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003A0030 
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[2024] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003A006C 
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[2024] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003A00A8 
.text C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe[2040] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00160030 
.text C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe[2040] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0016006C 
.text C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe[2040] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003901D4 
.text C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe[2040] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003900E4 
.text C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe[2040] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390120 
.text C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe[2040] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0039015C 
.text C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe[2040] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390198 
.text C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe[2040] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00390030 
.text C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe[2040] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0039006C 
.text C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe[2040] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003900A8 
.text C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe[2040] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A00E4 
.text C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe[2040] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0120 
.text C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe[2040] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A00A8 
.text C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe[2040] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A0030 
.text C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe[2040] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A006C

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[860] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 005E0002
IAT C:\WINDOWS\system32\services.exe[860] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 005E0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \FileSystem\Fastfat \Fat A4880D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet003\Control\ScsiPort\SpecialTargetList\[email protected] 1
Reg HKLM\SYSTEM\ControlSet003\Control\ScsiPort\SpecialTargetList\[email protected] 1
Reg HKLM\SYSTEM\ControlSet003\Control\ScsiPort\SpecialTargetList\[email protected] 1
Reg HKLM\SYSTEM\ControlSet003\Control\ScsiPort\SpecialTargetList\[email protected] 1
Reg HKLM\SYSTEM\ControlSet003\Control\ScsiPort\SpecialTargetList\[email protected] 1
Reg HKLM\SYSTEM\ControlSet003\Control\ScsiPort\SpecialTargetList\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Control\ContentIndex\Language\[email protected] {6d36ce10-7f1c-11ce-be57-00aa0051fe20}
Reg HKLM\SYSTEM\CurrentControlSet\Control\ContentIndex\Language\[email protected] {fd86b5d0-12c6-11ce-bd31-00aa004bbb1f}
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected]_DLLs 1
Reg HKLM\SOFTWARE\Classes\Interface\{B722BCCA-4E68-101B-ABC-00AA00404770}@ IContinueCallback
Reg HKLM\SOFTWARE\Classes\Interface\{B722BCCA-4E68-101B-ABC-00AA00404770}\NumMethods 
Reg HKLM\SOFTWARE\Classes\Interface\{B722BCCA-4E68-101B-ABC-00AA00404770}\[email protected] 5
Reg HKLM\SOFTWARE\Classes\Interface\{B722BCCA-4E68-101B-ABC-00AA00404770}\ProxyStubClsid32 
Reg HKLM\SOFTWARE\Classes\Interface\{B722BCCA-4E68-101B-ABC-00AA00404770}\[email protected] {B8DA6310-E19B-11D0-933C-00A0C90DCAA9}

---- Files - GMER 1.0.15 ----

File C:\## aswSnx private storage 0 bytes
File C:\## aswSnx private storage\snx_rhive 262144 bytes
File C:\## aswSnx private storage\snx_rhive.LOG 1024 bytes
File C:\## aswSnx private storage\webStorage 0 bytes
File C:\## aswSnx private storage\webStorage\attrib 0 bytes
File C:\## aswSnx private storage\webStorage\image 0 bytes
File C:\## aswSnx private storage\webStorage\image\WINDOWS 0 bytes
File C:\## aswSnx private storage\webStorage\image\WINDOWS\Prefetch 0 bytes
File C:\## aswSnx private storage\webStorage\image\WINDOWS\Prefetch\IEXPLORE.EXE-25E064CA.pf 14258 bytes
File C:\## aswSnx private storage\webStorage\snx_fs.dat 476 bytes

---- EOF - GMER 1.0.15 ----


----------



## Cookiegal (Aug 27, 2003)

Please copy and paste the contents of the ComboFix4.txt file (open it with Notepad).


----------



## john m ercolino (Jan 14, 2007)

ComboFix 11-03-07.02 - john ercolino 03/07/2011 16:05:36.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2587 [GMT -5:00]
Running from: c:\documents and settings\john ercolino.DBMKS671\Desktop\puppy123.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\john ercolino.DBMKS671\g2mdlhlpx.exe
c:\documents and settings\john ercolino.DBMKS671\GoToAssistDownloadHelper.exe
c:\windows\regedit.com
c:\windows\system32\LogFiles
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2011-02-07 to 2011-03-07 )))))))))))))))))))))))))))))))
.
.
2011-03-07 20:04 . 2011-03-07 20:04	--------	d-----w-	c:\documents and settings\john ercolino.DBMKS671\Local Settings\Application Data\Sunbelt Software
2011-03-07 19:27 . 2011-03-07 19:27	--------	d-----w-	c:\documents and settings\Administrator\PrivacIE
2011-03-07 19:18 . 2011-03-07 19:18	--------	d-----w-	c:\documents and settings\Administrator\IETldCache
2011-03-07 05:04 . 2011-03-07 20:05	--------	d-----w-	c:\program files\ESET
2011-03-04 18:10 . 2011-03-04 18:10	--------	d-sh--w-	c:\documents and settings\john ercolino.DBMKS671\IECompatCache
2011-03-04 18:07 . 2011-03-04 18:07	--------	d-sh--w-	c:\documents and settings\john ercolino.DBMKS671\PrivacIE
2011-03-04 18:06 . 2011-03-04 18:06	--------	d-sh--w-	c:\windows\system32\config\systemprofile\IETldCache
2011-03-04 18:06 . 2011-03-04 18:06	--------	d-sh--w-	c:\documents and settings\john ercolino.DBMKS671\IETldCache
2011-03-04 18:03 . 2011-03-07 20:04	--------	dc-h--w-	c:\windows\ie8
2011-03-04 18:03 . 2010-10-18 11:10	7680	-c----w-	c:\windows\system32\dllcache\iecompat.dll
2011-03-04 00:38 . 2010-12-20 23:09	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-04 00:38 . 2010-12-20 23:08	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-03-03 22:04 . 2011-03-03 22:04	98392	----a-w-	c:\windows\system32\drivers\SBREDrv.sys
2011-03-03 22:02 . 2011-03-07 20:04	--------	d-----w-	c:\documents and settings\All Users\Application Data\Lavasoft
2011-03-03 19:44 . 2007-03-09 16:25	2321288	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-03 19:10 . 2011-03-07 20:04	--------	d-----w-	c:\program files\Windows Defender
2011-03-03 17:14 . 2011-03-03 17:14	--------	d-----w-	c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-03-03 17:07 . 2011-03-03 17:07	--------	d-----w-	c:\documents and settings\Administrator\Application Data\Ipswitch
2011-03-02 20:07 . 2010-01-11 00:40	118784	----a-w-	c:\windows\system32\MSSTDFMT.DLL
2011-03-02 19:13 . 2011-03-02 19:13	388096	----a-r-	c:\documents and settings\john ercolino.DBMKS671\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-03-02 18:24 . 2011-02-23 14:56	371544	----a-w-	c:\windows\system32\drivers\aswSnx.sys
2011-03-02 17:38 . 2011-03-07 20:04	--------	d-----w-	c:\program files\FileASSASSIN
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-03 18:37 . 2004-08-12 12:27	33280	----a-w-	c:\windows\system32\rundll32.exe
2011-02-23 15:04 . 2010-12-05 23:26	40648	----a-w-	c:\windows\avastSS.scr
2011-02-23 15:04 . 2010-12-05 23:26	190016	----a-w-	c:\windows\system32\aswBoot.exe
2011-02-23 14:56 . 2010-12-05 23:26	301528	----a-w-	c:\windows\system32\drivers\aswSP.sys
2011-02-23 14:55 . 2010-12-05 23:26	49240	----a-w-	c:\windows\system32\drivers\aswTdi.sys
2011-02-23 14:55 . 2010-12-05 23:26	102232	----a-w-	c:\windows\system32\drivers\aswmon2.sys
2011-02-23 14:55 . 2010-12-05 23:26	96344	----a-w-	c:\windows\system32\drivers\aswmon.sys
2011-02-23 14:55 . 2010-12-05 23:26	25432	----a-w-	c:\windows\system32\drivers\aswRdr.sys
2011-02-23 14:54 . 2010-12-05 23:26	30680	----a-w-	c:\windows\system32\drivers\aavmker4.sys
2011-02-23 14:54 . 2010-12-05 23:26	19544	----a-w-	c:\windows\system32\drivers\aswFsBlk.sys
2011-02-02 22:11 . 2010-02-20 16:51	222080	-c----w-	c:\windows\system32\MpSigStub.exe
2011-01-21 14:44 . 2004-08-12 12:28	439296	----a-w-	c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-12 12:17	290048	----a-w-	c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-12 12:33	1854976	----a-w-	c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-12 12:20	301568	----a-w-	c:\windows\system32\kerberos.dll
2010-12-20 17:26 . 2004-08-12 12:21	730112	----a-w-	c:\windows\system32\lsasrv.dll
2010-12-09 15:15 . 2004-08-12 12:25	718336	----a-w-	c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2004-08-12 12:18	33280	----a-w-	c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2004-08-12 12:25	2148864	----a-w-	c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-03 22:59	2027008	----a-w-	c:\windows\system32\ntkrnlpa.exe
.
.
------- Sigcheck -------
.
[7] 2008-04-14 . D7075E95AA599EE77B7A89D39296BD3D . 343040 . . [7.0.2600.5512] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcrt.dll
[7] 2008-04-14 . 355EDBB4D412B01F1740C17E3F50FA00 . 343040 . . [7.0.2600.5512] . . c:\windows\ServicePackFiles\i386\msvcrt.dll
[-] 2008-04-14 . ED0DBA1C50619473497355A2EE0518BA . 343040 . . [7.0.2600.5512] . . c:\windows\SYSTEM32\msvcrt.dll
[7] 2004-08-04 . 4200BE3808F6406DBE45A7B88DAE5035 . 322560 . . [7.0.2600.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll
[7] 2004-08-04 . 98EC447E00229AFD88D5161A25D065DA . 343040 . . [7.0.2600.2180] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 15:04	122512	----a-w-	c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 19968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe" [2006-07-21 1106528]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageWorkstation\TimounterMonitor.exe" [2006-07-21 1848155]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-07-21 126976]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"avast"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-02-23 3451496]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msap?spc?dll, digest.dll, msnsspc.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-22 05:05	40368	----a-w-	c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-08-25 17:52	339968	-c--a-w-	c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-10-12 22:54	57344	-c--a-w-	c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16	421888	----a-w-	c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2004-01-07 07:01	110592	-c--a-w-	c:\program files\Common Files\Sonic\Update Manager\sgtray.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Acronis\\TrueImageWorkstation\\TrueImage.exe"=
"c:\\Program Files\\Common Files\\Acronis\\Agent\\agent.exe"=
.
R1 aswSnx;aswSnx;c:\windows\SYSTEM32\DRIVERS\aswSnx.sys [3/2/2011 1:24 PM 371544]
R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [12/5/2010 6:26 PM 301528]
R2 AcronisAgent;Acronis Remote Agent;c:\program files\Common Files\Acronis\Agent\agent.exe [7/20/2006 11:50 PM 319488]
R2 AcronisBackupServerService;Acronis Backup Server Service;c:\program files\Acronis\BackupServer\backupserver.exe [7/21/2006 1:25 AM 9025808]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [12/5/2010 6:26 PM 19544]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc --> c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 9:58 AM 11336]
S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\SYSTEM32\DRIVERS\LGBusEnum.sys [11/23/2009 5:37 PM 19720]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\SYSTEM32\DRIVERS\LGVirHid.sys [2/12/2010 9:34 AM 14856]
S3 OlCamudp;OLYMPUS Digital Camera;c:\windows\SYSTEM32\DRIVERS\olcamudp.sys [4/8/2005 5:29 PM 10379]
S3 PortlUSB;PortlUSB;c:\windows\system32\DRIVERS\SiriusUSB.sys --> c:\windows\system32\DRIVERS\SiriusUSB.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32	128512	----a-w-	c:\windows\SYSTEM32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-03-07 c:\windows\Tasks\Auslogics Boost Speed Disk Defrag Console Defragmentation.job
- c:\program files\Auslogics\Auslogics Disk Defrag\cdefrag.exe [2010-04-24 13:32]
.
2011-03-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://news.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
Trusted Zone: internet
Trusted Zone: mcafee.com
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_03\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-07 16:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
.
C:\## aswSnx private storage
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3852)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Logitech\MouseWare\system\em_exec.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-03-07 16:26:21 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-07 21:26
.
Pre-Run: 49,891,258,368 bytes free
Post-Run: 51,114,885,120 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[Boot Loader]
Timeout=2
Default=c:\$win_nt$.~bt\BOOTSECT.DAT
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
c:\$win_nt$.~bt\BOOTSECT.DAT="Microsoft Windows XP Professional Setup"
.
Current=7 Default=7 Failed=6 LastKnownGood=8 Sets=1,2,3,4,5,6,7,8
- - End Of File - - 3BFF0335685C8B4822CE3DBDC0598D01


----------



## Cookiegal (Aug 27, 2003)

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1*
*Download Mirror #2*
Double-click *SystemLook.exe* to run it.
Copy the content of the following code box into the main text field:

```
msvcrt.dll
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*


----------



## john m ercolino (Jan 14, 2007)

SystemLook 04.09.10 by jpshortstuff
Log created at 13:53 on 16/03/2011 by john ercolino
Administrator - Elevation successful

No Context: msvcrt.dll

-= EOF =-


----------



## john m ercolino (Jan 14, 2007)

I was curious: would the Windows mini dump files be of any use to you? There are quite a few from this period of infection.


----------



## Cookiegal (Aug 27, 2003)

Yes, I was going to ask for them. Please upload the latest one.

Also, I apologize, but the command I gave you was incorrect. Please run SystemLook again with this command:

```
:filefind
msvcrt.dll
```


----------



## john m ercolino (Jan 14, 2007)

SystemLook 04.09.10 by jpshortstuff
Log created at 14:51 on 16/03/2011 by john ercolino
Administrator - Elevation successful

No Context: filefind

No Context: msvcrt.dll

-= EOF =-


----------



## Cookiegal (Aug 27, 2003)

Sorry, I wasn't clear enough. The command is all together, not one at a time. So please use this command:


```
:filefind
msvcrt.dll
```


----------



## john m ercolino (Jan 14, 2007)

Sorry, 
Hope this is right,
SystemLook 04.09.10 by jpshortstuff
Log created at 15:38 on 16/03/2011 by john ercolino
Administrator - Elevation successful

========== filefind ==========

Searching for "msvcrt.dll"
C:\CanoScan\CNQL35\CNQSG77\MSVCRT.DLL	--a--c- 266293 bytes	[23:50 09/12/2008]	[03:22 06/05/1999] 0B9C183D1565B48FA6E5D1D3D4B86BCC
C:\I386\MSVCRT.DLL	--a--c- 343040 bytes	[13:42 13/04/2005]	[11:00 04/08/2004] B0FEFA816D61EC66AA765DDF534EAB5E
C:\I386\ASMS\7000\MSFT\WINDOWS\MSWINCRT\MSVCRT.DLL	--a--c- 322560 bytes	[11:00 04/08/2004]	[11:00 04/08/2004] 4200BE3808F6406DBE45A7B88DAE5035
C:\Program Files\Java\jre6\bin\msvcrt.dll	--a--c- 266293 bytes	[22:58 10/03/2009]	[22:58 10/03/2009] 63DA4613383EC70E047B4CD5C48F0B05
C:\WINDOWS\ERDNT\cache\msvcrt.dll	--a---- 343040 bytes	[21:51 07/03/2011]	[09:42 14/04/2008] D7075E95AA599EE77B7A89D39296BD3D
C:\WINDOWS\ServicePackFiles\i386\msvcrt.dll	-----c- 343040 bytes	[03:55 30/04/2010]	[00:12 14/04/2008] 355EDBB4D412B01F1740C17E3F50FA00
C:\WINDOWS\SYSTEM32\msvcrt.dll	--a---- 343040 bytes	[12:23 12/08/2004]	[09:42 14/04/2008] D7075E95AA599EE77B7A89D39296BD3D
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll	-ra--c- 322560 bytes	[11:00 04/08/2004]	[11:00 04/08/2004] 4200BE3808F6406DBE45A7B88DAE5035
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll	--a--c- 343040 bytes	[11:00 04/08/2004]	[11:00 04/08/2004] 98EC447E00229AFD88D5161A25D065DA
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcrt.dll	--a--c- 343040 bytes	[09:42 14/04/2008]	[09:42 14/04/2008] D7075E95AA599EE77B7A89D39296BD3D


----------



## john m ercolino (Jan 14, 2007)

I think a piece at the end is missing from the last post... Nope, just the "E_O_F".

SystemLook 04.09.10 by jpshortstuff

Log created at 15:38 on 16/03/2011 by john ercolino
Administrator - Elevation successful

========== filefind ==========

Searching for "msvcrt.dll"
C:\CanoScan\CNQL35\CNQSG77\MSVCRT.DLL	--a--c- 266293 bytes	[23:50 09/12/2008]	[03:22 06/05/1999] 0B9C183D1565B48FA6E5D1D3D4B86BCC
C:\I386\MSVCRT.DLL	--a--c- 343040 bytes	[13:42 13/04/2005]	[11:00 04/08/2004] B0FEFA816D61EC66AA765DDF534EAB5E
C:\I386\ASMS\7000\MSFT\WINDOWS\MSWINCRT\MSVCRT.DLL	--a--c- 322560 bytes	[11:00 04/08/2004]	[11:00 04/08/2004] 4200BE3808F6406DBE45A7B88DAE5035
C:\Program Files\Java\jre6\bin\msvcrt.dll	--a--c- 266293 bytes	[22:58 10/03/2009]	[22:58 10/03/2009] 63DA4613383EC70E047B4CD5C48F0B05
C:\WINDOWS\ERDNT\cache\msvcrt.dll	--a---- 343040 bytes	[21:51 07/03/2011]	[09:42 14/04/2008] D7075E95AA599EE77B7A89D39296BD3D
C:\WINDOWS\ServicePackFiles\i386\msvcrt.dll	-----c- 343040 bytes	[03:55 30/04/2010]	[00:12 14/04/2008] 355EDBB4D412B01F1740C17E3F50FA00
C:\WINDOWS\SYSTEM32\msvcrt.dll	--a---- 343040 bytes	[12:23 12/08/2004]	[09:42 14/04/2008] D7075E95AA599EE77B7A89D39296BD3D
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll	-ra--c- 322560 bytes	[11:00 04/08/2004]	[11:00 04/08/2004] 4200BE3808F6406DBE45A7B88DAE5035
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll	--a--c- 343040 bytes	[11:00 04/08/2004]	[11:00 04/08/2004] 98EC447E00229AFD88D5161A25D065DA
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcrt.dll	--a--c- 343040 bytes	[09:42 14/04/2008]	[09:42 14/04/2008] D7075E95AA599EE77B7A89D39296BD3D

-= EOF =-

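As an added triage example (not part of this thread, and not code from SystemLook or ComboFix): the script below parses the `:filefind msvcrt.dll` result lines posted above, takes the copies under WinSxS and ServicePackFiles as the reference set (the servicing copies Windows restores protected files from), and reports whether every other copy's MD5 matches one of them. The sample input is copied from the log above; the one extra hash, ED0DBA1C50619473497355A2EE0518BA, is the value ComboFix's Sigcheck reported for SYSTEM32\msvcrt.dll with a [-] marker earlier in the thread. The reference-directory list, the status labels and the function names are the example's own assumptions.

```python
"""Triage the copies of a system DLL listed by a SystemLook-style ':filefind' scan.

Added example, not code from SystemLook or ComboFix. Copies under WinSxS and
ServicePackFiles are assumed to be the trusted servicing copies; every other
copy is labelled by whether its MD5 matches one of them.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Sample input: the ':filefind msvcrt.dll' lines from the SystemLook log above.
# Tabs are written as \t and backslashes doubled so the sample survives copy and paste.
SAMPLE_FILEFIND = [
    "C:\\CanoScan\\CNQL35\\CNQSG77\\MSVCRT.DLL\t--a--c- 266293 bytes\t[23:50 09/12/2008]\t[03:22 06/05/1999] 0B9C183D1565B48FA6E5D1D3D4B86BCC",
    "C:\\I386\\MSVCRT.DLL\t--a--c- 343040 bytes\t[13:42 13/04/2005]\t[11:00 04/08/2004] B0FEFA816D61EC66AA765DDF534EAB5E",
    "C:\\I386\\ASMS\\7000\\MSFT\\WINDOWS\\MSWINCRT\\MSVCRT.DLL\t--a--c- 322560 bytes\t[11:00 04/08/2004]\t[11:00 04/08/2004] 4200BE3808F6406DBE45A7B88DAE5035",
    "C:\\Program Files\\Java\\jre6\\bin\\msvcrt.dll\t--a--c- 266293 bytes\t[22:58 10/03/2009]\t[22:58 10/03/2009] 63DA4613383EC70E047B4CD5C48F0B05",
    "C:\\WINDOWS\\ERDNT\\cache\\msvcrt.dll\t--a---- 343040 bytes\t[21:51 07/03/2011]\t[09:42 14/04/2008] D7075E95AA599EE77B7A89D39296BD3D",
    "C:\\WINDOWS\\ServicePackFiles\\i386\\msvcrt.dll\t-----c- 343040 bytes\t[03:55 30/04/2010]\t[00:12 14/04/2008] 355EDBB4D412B01F1740C17E3F50FA00",
    "C:\\WINDOWS\\SYSTEM32\\msvcrt.dll\t--a---- 343040 bytes\t[12:23 12/08/2004]\t[09:42 14/04/2008] D7075E95AA599EE77B7A89D39296BD3D",
    "C:\\WINDOWS\\WinSxS\\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\\msvcrt.dll\t-ra--c- 322560 bytes\t[11:00 04/08/2004]\t[11:00 04/08/2004] 4200BE3808F6406DBE45A7B88DAE5035",
    "C:\\WINDOWS\\WinSxS\\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\\msvcrt.dll\t--a--c- 343040 bytes\t[11:00 04/08/2004]\t[11:00 04/08/2004] 98EC447E00229AFD88D5161A25D065DA",
    "C:\\WINDOWS\\WinSxS\\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\\msvcrt.dll\t--a--c- 343040 bytes\t[09:42 14/04/2008]\t[09:42 14/04/2008] D7075E95AA599EE77B7A89D39296BD3D",
]

# MD5 that ComboFix's Sigcheck reported for SYSTEM32\msvcrt.dll a week earlier (the [-] line).
EARLIER_SYSTEM32_MD5 = "ED0DBA1C50619473497355A2EE0518BA"

# One filefind line: <path>\t<7 attribute flags> <size> bytes\t[modified]\t[created] <md5>
FILEFIND_LINE = re.compile(
    r"^(?P<path>.+?)\t(?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes\t"
    r"\[(?P<modified>[^\]]+)\]\t\[(?P<created>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# Directories assumed (for this example) to hold trusted servicing copies.
REFERENCE_DIRS = ("\\winsxs\\", "\\servicepackfiles\\")


@dataclass(frozen=True)
class FileCopy:
    path: str
    attrs: str
    size: int
    modified: str
    created: str
    md5: str


def parse_filefind(lines: Iterable[str]) -> List[FileCopy]:
    """Parse filefind result lines; header, blank and unrecognised lines are skipped."""
    copies = []
    for line in lines:
        m = FILEFIND_LINE.match(line.rstrip("\r\n"))
        if m:
            copies.append(FileCopy(m["path"], m["attrs"], int(m["size"]),
                                   m["modified"], m["created"], m["md5"].upper()))
    return copies


def is_reference(path: str) -> bool:
    """True for copies living in one of the servicing directories."""
    lowered = path.lower()
    return any(d in lowered for d in REFERENCE_DIRS)


def reference_hashes(copies: Iterable[FileCopy]) -> Dict[str, str]:
    """MD5 -> path of the first servicing copy that carries that hash."""
    refs: Dict[str, str] = {}
    for c in copies:
        if is_reference(c.path):
            refs.setdefault(c.md5, c.path)
    return refs


def triage(copies: List[FileCopy]) -> Dict[str, str]:
    """Label each copy 'reference', 'match <servicing path>' or 'unknown'."""
    refs = reference_hashes(copies)
    result: Dict[str, str] = {}
    for c in copies:
        if is_reference(c.path):
            result[c.path] = "reference"
        elif c.md5 in refs:
            result[c.path] = "match " + refs[c.md5]
        else:
            result[c.path] = "unknown"
    return result


def hash_is_known(md5: str, copies: List[FileCopy]) -> bool:
    """Does any servicing copy carry this MD5?"""
    return md5.upper() in reference_hashes(copies)


if __name__ == "__main__":
    found = parse_filefind(SAMPLE_FILEFIND)
    for path, status in triage(found).items():
        print(f"{status}\n    {path}")
    print("earlier SYSTEM32 hash matches a servicing copy:",
          hash_is_known(EARLIER_SYSTEM32_MD5, found))
```

Run against the sample, the SYSTEM32 and ERDNT\cache copies match the WinSxS 7.0.2600.5512 copy, the C:\I386\ASMS copy matches the WinSxS 7.0.0.0 copy, and the CanoScan, Java and C:\I386 copies come back "unknown". "Unknown" only means no servicing copy carries that hash: an application-local runtime under the vendor's own folder, as the CanoScan and Java paths show, is a normal reason. The case worth following up is an unknown hash on a copy in SYSTEM32, which is exactly the [-] line ComboFix's Sigcheck produced for ED0DBA1C50619473497355A2EE0518BA before the file was replaced. Note also that the ServicePackFiles copy and the WinSxS 5512 copy carry the same version and size but different hashes, which is why a reference set should hold every servicing copy rather than a single "golden" hash.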

----------



## Cookiegal (Aug 27, 2003)

The dump indicates "memory corruption" as the probable cause and that can be very difficult to troubleshoot. Before throwing in the towel, let's try running a memory diagnostic.

http://www.memtest86.com/


----------

