
Beyond Repair?? (Can't even get HJT to run). Cookiegal? Anyone...?

Discussion in 'Virus & Other Malware Removal' started by medium_low_skill, Apr 1, 2010.

  1. medium_low_skill

    medium_low_skill Thread Starter

    Hello and thank you for taking the time to look at this; I really hope someone can help me with this computer issue (I think I'm close to crashing). I'm a little worried that some sort of re-install could be required but hopefully not. My problem consists of various error/warning/win32/DrWatson messages and frequent 100%CPU usage with many lines of continuous svchost.exe activity in task mngr that freezes the computer up. I can & will detail these problems in another post but first I'd like to resolve an issue I apparently have running the HJT software. Here's my system information:

    From System Properties:
    Gateway MX3416
    AMD Turion 64 Mobile
    Technology MK-36
    1.6GHz, 960MB RAM
    XP MediaCenter Edition Version 2002 SP2

    I'm "trying" to follow the directions in the "read here first BEFORE posting" thread on the main Forum pg and, per the instructions, have downloaded the HJTsetup.exe program to my desktop. However, when I dbl click the icon the following occurs:

    **((Let me first say that "all" of these steps don't "always" occur because at various times along the way the program windows just disappear (poof! gone) and I have to try dbl clicking the desktop icon again.))

    1) I select the icon on the desktop and a window opens saying HijackThis, Version 2.0.2, (c) 2007 Trend Micro Inc, choose a path...etc. I leave the path alone (Prog Files\Trend Micro\HijackThis) and click "Install".

    2) A window asking to agree with terms pops up. I select "agree" ((UPDATE 1- This terms of agreement window finally stopped appearing. Instead it always skips to the next window, #3 below:))

    ((UPDATE 2- Now I can see an entry in the start menu and select HJT from there instead of from the desktop. So, basically, steps 1&2 have been replace by selecting the icon from the start menu. Steps 3-4 remain the same and with the same results.))

    3) Another window pops up with a main menu and a vertical list of 6 options 1, 2, and 5 are in bold but I haven't been able to read all of them yet because the window never lasts more than 2-3 seconds before it disappears. During that 2-3 seconds I quickly select the top option ("Do a system scan and save a log file"). NOTE: The "read here first BEFORE posting" thread on the main Forum pg says "click the scan button". Unfortunately, I do not see any "scan" button at this point and therefore selected the option I indicated instead. (Please see EXCEL attachment in Zip folder for "screenshot")

    4) Another window comes up that looks like it is scanning something but within 1-2 seconds another, smaller, rectangular window pops up saying: "You have an particularly large amount of hijacked domains. It's probably better to delete the file itself then to fix each item (and create a backup). If you see the same IP address in all the reported O1 items, consider deleting your Host file, which is located at C:\WINDOWS\System32\drivers\etc\hosts." (Please see EXCEL attachment in Zip folder for "screenshot")

    If I attempt this process more than 4-5'ish times I get the blue screen of death with a pg full of lines of text that appears for about 0.5 seconds before the computer restart process begins. It's already happened 4 times...:(

    I welcome your thoughts and ideas. Thanks again for your time.

    P.S. The original Excel attachment had both screenshots in it but was 700Kb so I had to split it into 2 Excel attachments which were still over the 200Kb limit so I had to zip them because the Zip size limit was bigger. Is there a better way to save screenshots for uploading that keeps them smaller?
     

    Attached Files:
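
A defender's check for the hosts-file symptom HijackThis describes in step 4 above (many O1 entries, possibly all pointing at one IP) and for the default file that a restore writes back. This is an added example for this thread, not code from HijackThis, HostsXpert or the forum; the sample hosts contents, the 192.0.2.10 address and the *.example names are constructed.

```python
"""Triage a Windows hosts file for the HJT 'O1' hijack pattern.

Added example with constructed sample data (not from the thread).
"""
from collections import defaultdict

# The only mappings a stock Microsoft hosts file carries.
DEFAULT_MAPPINGS = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# Sinkhole targets used by ad-blocking hosts lists; not a hijack by themselves.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    One line may map several names to one IP; '#' starts a comment.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def triage(text, threshold=10):
    """Summarise non-default entries and flag HJT's same-IP pattern.

    A real (non-loopback) address receiving `threshold` or more names is
    the redirection pattern HJT's warning refers to.
    """
    pairs = [p for p in parse_hosts(text) if p not in DEFAULT_MAPPINGS]
    by_ip = defaultdict(list)
    for ip, name in pairs:
        by_ip[ip].append(name)
    suspicious = {ip: names for ip, names in by_ip.items()
                  if ip not in LOOPBACK and len(names) >= threshold}
    return {
        "total_entries": len(pairs),
        "distinct_ips": sorted(by_ip),
        "by_ip": dict(by_ip),
        "suspicious_ips": suspicious,
        "is_default": not pairs,
    }


# Constructed samples. DEFAULT_HOSTS mirrors what a restored file contains.
DEFAULT_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
"""

# Constructed hijack: many names funnelled to one external address
# (192.0.2.10 is a documentation address, not a real host).
HIJACKED_HOSTS = (
    "127.0.0.1 localhost\n"
    + "".join(f"192.0.2.10 www.av-vendor-{i}.example\n" for i in range(12))
    + "192.0.2.10 update.av-vendor-0.example download.av-vendor-0.example  # two names\n"
)

# Constructed ad-block list: many names, but all sinkholed to 0.0.0.0.
ADBLOCK_HOSTS = (
    "127.0.0.1 localhost\n"
    + "".join(f"0.0.0.0 ads{i}.example\n" for i in range(20))
)


if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_HOSTS),
                          ("hijacked", HIJACKED_HOSTS),
                          ("adblock", ADBLOCK_HOSTS)):
        r = triage(sample)
        print(f"{label}: {r['total_entries']} non-default entries, "
              f"IPs={r['distinct_ips']}, default={r['is_default']}")
        for ip, names in r["suspicious_ips"].items():
            print(f"  suspicious: {len(names)} names -> {ip}")
```

On the thread's own machine, the file to feed in is the one HJT names, C:\WINDOWS\System32\drivers\etc\hosts; after the restore step the triage should report it as default.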

  2. CatByte

    CatByte Malware Specialist

    Hi,

    Please do the following:

    Please download HostsXpert


    • Unzip HostsXpert to its own folder in a convenient place such as C:\HostsXpert
    • Run: HostsXpert.exe
    • Click: Restore MS Hosts File
    • Click: Replace
    • Click: OK
    • Click: Make ReadOnly
    • Close HostsXpert.



    Note: If a custom Hosts file was in place, you will have to run those programs again to reset detections.
    If needed Tutorial

    NEXT


    Download OTL to your Desktop



    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Under the Custom Scan box paste this in:


      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      symmpi.sys
      adp3132.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
      CREATERESTOREPOINT



    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your next reply.






     
  3. medium_low_skill

    medium_low_skill Thread Starter

    Hi and thank you very much for trying to help with this problem. I have 4 Q's and some amplifying information:

    First Question: Do I need to download HostsXpert prior to trying to download & run OTL? If so, I need another way to download it because when I went to the funkytoad website you provided, and clicked the following to download the file, I got the google error message shown below (exact copy/pastes of what I see):
    Click Here to download HostsXpert
    353kb +/- Includes help file (Win 98 through Vista)

    After clicking the above I get this:

    Google Error

    Not Found


    The requested URL /download/HostsXpert.zip was not found on this server.



    2nd question: Do I need to download/run OTL twice or did you just paste those instructions 2 times by accident?

    3rd question: Why is the option to "edit" gone from my original post?

    4th question: I'd like to ask what the best step is to take if I come to the point where I can't get online (to seek your help) and the system seems to be deteriorating even more rapidly. Should I a) Press F11 during a restart when it says "press F11 to start recovery", b) Use Start/All Programs/System Recovery/System Recovery, or c) insert the system disk that came with the laptop and restart? Thank you.


    I'll wait for your reply before doing anything but while I'm posting this let me provide a little more background of the problem first to (hopefully) help with your diagnosis.

    More details of problem's background:
    1. Problem's been progressing for approx 6 months.

    2. Tried using "System Restore" but says it's turned off. The System Restore tab has the following (all of it is grayed out and not selectable):
    A checkbox, then a statement saying: "Turn off system restore (disabled by group properties)"
    Drive Settings:
    Drive Status
    (C) Turned off
    (D) Turned off

    3. During restart, when I tried to open in safe mode, a blue screen with tons of text appeared for about 1 second then the computer restarted. I.e. it wouldn't go into safe mode.

    4. Sample of problems/errors I've observed:
    (1) Not being able to get rid of a black screen. Basically, the computer is on but I can't "see" anything.

    (2) Not being able to get any movement/reaction from the mouse &/or any of the keys.

    (3) Upon restart from a blue screen episode: "Microsoft Windows recovered from a serious error...a log was created."
    Here's the data the error report contained:
    Error Signature:
    BCCode : 1000008e BCP1 : C0000005 BCP2 : F76602BF BCP3 : B9CC58D8 BCP4 : 00000000 OSVer : 5_1_2600
    SP : 2.0 Product : 256_1
    I didn't get the reporting details


    (4) This one's weird since I don't chat...
    (Top blue line of a pop-up error box) Microsoft Internet Explorer
    You have been disconnected from chat because you have signed into Yahoo! Messenger from another computer or device.

    (5) (Top blue line of a pop-up error box) x.exe
    (in next white area-and in bold): x.exe has encountered a problem and needs to close…We are sorry for the inconvenience.
    (Big grey area): If you were in the middle of something….might be lost.
    Please tell Microsoft about this problem.
    We have created an error report… anonymous.
    To see what data this error report contains, click here.
    new pop-up box:
    (in top blue area): x.exe
    Error signature-----------
    szAppName : x.exe AppVer : 0.0.0.0 Mod Name : unknown ModVer : 0.0.0 Offset : 0003832c
    Reporting Details--------
    misc non-disclosure statement till end where it says:
    To view technical information about the error report, click here.
    new pop-up box:
    The following info about your process will be reported:
    Exception Information
    Code: 0xc0000005 Flags: 0x00000000
    Record: 0x0000000000000000 Address: 0x000000000043832c
    System Information
    Windows NT 5.1 Build: 2600
    CPU Vendor Code: 68747541 – 69746E65 – 444D4163
    CPU Version: 00040FC2 CPU Feature Code: 078BFBFF
    CPU AMD Feature Code: EBD3FBFF
    Module 1 (There are 21 Modules in total, here’s 1 of them):
    x.Exe
    Image Base: 0x00400000 Image Size: 0x00000000
    Checksum: 0x00000000 Time Stamp: 0x40b4ed6d
    Version Information:
    Signature: 00000000
    StrucVer: 00000000
    FileVer: (0.0:0.0)
    ProdVer: (0.0:0.0)
    FlagMask 00000000
    Flags: 00000000
    OS: 00000000
    FileType: 00000000
    SubType: 00000000
    FileDate: 00000000:00000000
    After 21 of these "Modules" it lists Thread 1 (the only thread) and gives it an ID, Context, and then a Stack entry. The stack entry is REALLY long and made up of a column of number/letter entries followed by 4 columns of numbers and a column of random versions of "....."'s, special characters, numbers & letters.
    The following files will be included in this error report:
    C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\WER9759.dir00\jqs.exe.mdmp
    C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\WER9759.dir00\appcompat.txt


    (6) (Top blue line of a pop-up box) ESET NOD32 and Sophos are a bunch of faggots!
    (in next white area-and in bold): ESET NOD32 and Sophos are a bunch of faggots! has encountered a problem and needs to close…We are sorry for the inconvenience.
    (In big grey area): If you were in the middle of something….might be lost. Please tell Microsoft about this problem.
    We have created an error report… anonymous. To see what data this error report contains, click here.
    new pop-up box:
    (in top blue area): ESET NOD32 and Sophos are a bunch of faggots!
    Error signature-----------
    szAppName : CtDrvMkl.exe szAppVer : 1.0.4.0 szMod Name : CtDrvMkl.exe szModVer : 1.0.4.0 Offset : 000327a0
    Reporting Details--------
    misc non-disclosure info till end where it says:
    To view technical information about the error report, click here.
    new pop-up Box:
    The following files will be included in this error report:
    C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\WERcf06.dir00\CtDrvMkl.exe.mdmp
    C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\WERcf06.dir00\appcompat.txt

    (7) “McLspAsyncWindow: svchost.exe – Bad Image”
    "The application or DLL C:\WINDOWS\System32\jesterss.dll is not a valid Windows image. Please check this against your installation diskette."

    (8) A few times, while trying to restart or turn off the computer using Start/Turn Off Computer, I get a window with "Log of Windows" and only 2 options (Switch User or Log Off) instead of the normal (Standby, Turn Off, Restart) options.

    (9) I've been getting quite a few error messages that "appear" related to PeoplePC (PPC) but I'm not sure if a virus could be causing any of them. None of them happened for the first few yrs I was using PPC, it just started to occur out of the blue.

    (9.1) One of the times PPC lost its connection a Windows error popped up saying: "GetBartPath failed".

    (9.2) On PPC start up I get the types of error messages detailed in a & b below:
    (a) NSIS Error (this one happens 1-2 times)-
    The installer you are trying to use is corrupted or incomplete.
    This could be the result of a damaged disk, a failed download or a virus.
    You may want to contact the author of this installer to obtain a new copy.
    It may be possible to skip this check using the /NCRC command line switch (NOT RECOMMENDED).
    Then there's an "OK" box to push. I usually click the "X" in the upper right corner though.

    (b) Internet Explorer Script Errors (usually 6-10 of them)-
    An error has occurred in the script on this page.
    Then the error is described (See Examples Below)
    Then it asks: Do you want to keep running scripts on this page? I select "NO" on each of the error messages.

    Example 1:
    Line: 8
    Char: 1
    Error: Permission denied
    Code: 0
    http://listings2go.tvguide.com/Part...ID=104&ProfileID=1052&approvalStatus=1&MsoID=
    Example 2:
    Line: 49
    Char: 1
    Error: Permission denied
    Code: 0
    URL: http://ad.doubleclick.net/adi/home.peoplepc.dart/home_160x600;sz=160x600;ptile=19218943??
    Example 3:
    Line: 132
    Char: 13
    Error: Permission denied
    Code: 0
    URL:http://listings2go.tvguide.com/Part...ID=104&ProfileID=1052&approvalStatus=1&MsoID=
    Example 4:
    Line: 309
    Char: 5
    Error: 's' is null or not an object
    Code: 0
    URL:http://listings2go.tvguide.com/Part...ID=104&ProfileID=1052&approvalStatus=1&MsoID=
    Example 5:
    Line: 136
    Char: 13
    Error: ‘COMSCORE’ is undefined
    Code: 0
    URL:http://listings2go.tvguide.com/Part...ID=104&ProfileID=1052&approvalStatus=1&MsoID=
    Example 6:
    Line: 2
    Char: 3
    Error: invalid character
    Code: 0
    URL:http://home.peoplepc.com/app/?ver=6.300&mn=bomber04&token=BJEJAALKCMGDLIFDNKFONPCGDJLPFOMABDKNLGNBIEKN&choosePhoto=false&add

    Thanks again, I'll wait for your reply.

     
  4. CatByte

    CatByte Malware Specialist

    Hi,

    1. The infection must be blocking your access to HostsXpert as that link works fine for me. We can fix the issue through OTL, so it won't make much difference now; I was hoping you could run HostsXpert quickly to relieve some of the symptoms.

    2. & 3. Mistakenly double posted the OTL instructions, board had a hiccup, then when I noticed, my edit button was gone also; the board is set up so that you can only edit posts for a certain amount of time. If you edit a post, I wouldn't get email notification of the edit, so it's preferable to make another post....

    4. None of the above. Don't restart your computer if you can help it, stay offline until I can start to get things cleaned up. If the system crashes completely, try and get into the options menu (tap F8 on start up and choose "Last Known Good Configuration").
    If you still cannot access safe mode, we may have to make a boot CD.


    If you do have access to another clean computer, I would change all your online passwords as it appears as though your logon information (at least for msn) may have been compromised. Change the passwords for your financial institutions especially. Keep an eye on your accounts for a while, till we get you completely cleaned up.
     
  5. medium_low_skill

    medium_low_skill Thread Starter

    I'm about to try downloading/running OTL but wanted to ask one last follow up of your last reply. When you said the link was working for you do you mean the link to "get to the funkytoad website" or the link to "actually start the HostsXpert download"? The link to the funkytoad website works fine for me too. The download link is where I have all the problems (using either IE or Mozilla). So if you try to download HostsXpert it starts the download process for you? Thanks, and sorry for this clarification question.

    Oh yea, I've had to restart a few times because the computer will get to the point that nothing will run (Word, Excel, the internet, etc.) because it says I'm not configured for that operation, resources are low, or some other type of error message.
     
  6. CatByte

    CatByte Malware Specialist

    Hi,

    yes the download works for me.

    Try not to use the computer unless you absolutely have to, until we get it cleaned up a bit; we don't want it to get to the point where it won't boot.
     
  7. medium_low_skill

    medium_low_skill Thread Starter

    Well, that was weird. I'm referring to the 9 posts that showed up when I was only trying to post once (post #5 of this thread). You probably noticed what I'm talking about. I deleted the 8 erroneous ones that looked like they were posted at varying stages of the writing process of that post.

    Bit of clarifying info: That google server error I described at the top of post 3 is coming up sometimes when I try to post a comment so maybe that had something to do with the multiple post problem but I don't know. It actually just happened (the google server error message) when I tried to make this post as well so I had to go to "my favorites", where I have a link to this thread saved, to return to this pg. When I returned I wasn't logged in though and had to log in again. Does all that info help with your diagnosis or did I just waste your time and take up space? Ok, here's what I was trying to post (let's see if it goes through this time or if I get that google error about servers again). Here goes attempt 2 to post this:

    Irt trying not to use the computer unless I have to: The bad news is that, unfortunately, the bad computer is the one I contact you on as well as try to download programs with. However, the good news is that by going to http://www.nuip.net/ and pasting http://www.funkytoad.com/download/HostsXpert.zip (the link to the actual HostsXpert download that's found on the funkytoad website) into the "Surf Now!" box, I was able to get the HostsXpert file to download. Does that tell you something about the problem?

    Now that I have it downloaded I wanted to ask you about the following which I cut/pasted from your original reply (on 04-Apr). "Note: If a custom Hosts file was in place, you will have to run those programs again to reset detections. If needed Tutorial". I apologize for the 3 questions that follow (I'm sure they're probably basic knowledge to many people):

    1) How would I know if a host file is in place? I don't think I ever did that (unless it happened without my knowledge during a download or by some other means).
    2) If one is in place, which I don't know about, how do I "run those programs again to reset detections"? If those programs weren't run to reset detections what would happen?
    3) Lastly, I really don't know what I'm looking at when I look at the tutorial pic from photobucket. Is that a photo of the text I need to type into HostsXpert on the file handling tab? If so, does that get done before or after running HostsXpert and does it only get done "if" I have a host file in place which, back to Q1, I don't know if I do or don't?

    Thanks again
     
  8. CatByte

    CatByte Malware Specialist

    You probably don't have a custom host file in place, you would remember installing it.

    when you click on HostsXpert to run it - the very top button on the left should say: "Make Read Only"

    underneath that on the left - look for the button that says "Restore MS Hosts File" - click on that: > it will ask you to confirm > agree

    Now go back up to the "Make Read Only" button and click on it

    Now click the red X to exit the program

    that's all there is to it. You don't need to type anything into file handling.

    Don't worry about a custom hosts file right now. Let's get you cleaned up first.
     
  9. medium_low_skill

    medium_low_skill Thread Starter

    I ran HostsXpert and then ran OTL as directed (took 25-30min). My one stupid Q for this post is: when you say "Make sure all other windows are closed and to let it run uninterrupted." does that mean logging off the internet as well or just closing down any Word/Excel/etc programs that are running? There's always something running in the bottom rt corner of the screen (by the clock) as well ...
    Also, did my last post's Q irt the download actually working when I went through a proxy server (nuip) mean anything? Thanks again.


    Here's the OTL.Txt copy/paste:

    OTL logfile created on: 4/8/2010 9:05:54 AM - Run 1
    OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop
    Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.2180)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    959.00 Mb Total Physical Memory | 466.00 Mb Available Physical Memory | 49.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 84.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 50.52 Gb Total Space | 26.80 Gb Free Space | 53.06% Space Free | Partition Type: NTFS
    Drive D: | 5.35 Gb Total Space | 3.41 Gb Free Space | 63.70% Space Free | Partition Type: FAT32
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: YOUR-A2A5F0665A
    Current User Name: Owner
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 14 Days
    Output = Minimal
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\OTL.exe (OldTimer Tools)
    PRC - C:\WINDOWS\system32\msvmcls64.exe ()
    PRC - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.)
    PRC - C:\Program Files\DriveIcon\DriveIcon.exe (Realtek Semiconductor Corp.)
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


    ========== Modules (SafeList) ==========

    MOD - C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\OTL.exe (OldTimer Tools)
    MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll (Microsoft Corporation)


    ========== Win32 Services (SafeList) ==========

    SRV - (PrismXL) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX3416
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX3416
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..extensions.enabledItems: [email protected]:1.0
    FF - prefs.js..network.proxy.http: "localhost"
    FF - prefs.js..network.proxy.http_port: 8080
    FF - prefs.js..network.proxy.no_proxies_on: "localhost,127.0.0.1"
    FF - prefs.js..network.proxy.type: 1

    FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/12 13:46:51 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/29 18:10:19 | 000,000,000 | ---D | M]

    [2008/09/28 21:54:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Application Data\Mozilla\Extensions
    [2008/09/28 21:54:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Application Data\Mozilla\Firefox\Profiles\tnxd7lbi.default\extensions
    [2010/01/21 13:35:32 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

    O1 HOSTS File: ([2010/04/08 08:42:35 | 000,000,698 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar3.dll (Google Inc.)
    O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar3.dll (Google Inc.)
    O3 - HKLM\..\Toolbar: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O3 - HKCU\..\Toolbar\ShellBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar3.dll (Google Inc.)
    O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar3.dll (Google Inc.)
    O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O4 - HKLM..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6300\BIN\PPCOLink.exe (PeoplePC)
    O4 - HKLM..\Run: [conime.exe] C:\WINDOWS\System32\conime.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [DriveIcons] C:\Program Files\DriveIcon\DriveIcon.exe (Realtek Semiconductor Corp.)
    O4 - HKLM..\Run: [KernelFaultCheck] File not found
    O4 - HKLM..\Run: [MS Virtual CLS] C:\WINDOWS\system32\msvmcls64.exe ()
    O4 - HKLM..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe (McAfee, Inc.)
    O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
    O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
    O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
    O4 - HKLM..\Run: [Reminder] C:\WINDOWS\creator\Remind_XP.exe (SoftThinks)
    O4 - HKCU..\Run: [Power2GoExpress] File not found
    O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
    O4 - HKLM..\RunOnce: [PPalFinish] C:\Program Files\PeoplePC\Toolbar\PPalFinish.exe ()
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk = C:\Program Files\BigFix\bigfix.exe (BigFix Inc.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE (New Boundary Technologies, Inc.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
    O4 - Startup: C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Start Menu\Programs\Startup\PowerReg Scheduler.exe ()
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O8 - Extra context menu item: &Yahoo! Search - C:\Program Files\Yahoo!\Common [2009/12/26 21:45:29 | 000,000,000 | ---D | M]
    O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
    O8 - Extra context menu item: Yahoo! &Dictionary - C:\Program Files\Yahoo!\Common [2009/12/26 21:45:29 | 000,000,000 | ---D | M]
    O8 - Extra context menu item: Yahoo! &Maps - C:\Program Files\Yahoo!\Common [2009/12/26 21:45:29 | 000,000,000 | ---D | M]
    O8 - Extra context menu item: Yahoo! &SMS - C:\Program Files\Yahoo!\Common [2009/12/26 21:45:29 | 000,000,000 | ---D | M]
    O9 - Extra 'Tools' menuitem : McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll File not found
    O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - Reg Error: Key error. File not found
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab (Reg Error: Key error.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
    O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Java Plug-in 1.5.0_10)
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Java Plug-in 1.5.0_11)
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Java Plug-in 1.6.0_02)
    O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKCU Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKCU Winlogon: Shell - ("C:\Documents and Settings\Owner.YOUR-A2A5F0665A\gbh.exe") - C:\Documents and Settings\Owner.YOUR-A2A5F0665A\gbh.exe ()
    O24 - Desktop WallPaper: C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O27 - HKLM IFEO\conime.exe: Debugger - CtDrvMkl.exe (RTFLOL & MarjinZ)
    O27 - HKLM IFEO\ctfmon.exe: Debugger - wmistrk.exe ( )
    O32 - HKLM CDRom: AutoRun - 0
    O32 - AutoRun File - [2006/06/17 01:41:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2004/09/13 12:15:24 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
    O33 - MountPoints2\{4362df90-67f3-11dd-ab80-0003253eb2fe}\Shell - "" = AutoRun
    O33 - MountPoints2\{4362df90-67f3-11dd-ab80-0003253eb2fe}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{4362df90-67f3-11dd-ab80-0003253eb2fe}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
    O33 - MountPoints2\{581657fd-3300-11db-a1df-806d6172696f}\Shell - "" = AutoRun
    O33 - MountPoints2\{581657fd-3300-11db-a1df-806d6172696f}\Shell\AutoRun - "" = Auto&Play
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: Ias - C:\WINDOWS\system32\ias [2006/06/17 01:40:27 | 000,000,000 | ---D | M]
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found
    Unable to start service SrService!

    ========== Files/Folders - Created Within 14 Days ==========

    [2010/04/08 09:00:32 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\OTL.exe
    [2010/04/08 08:38:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\HostsXpert
    [2010/04/06 00:00:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\New Since HP BckUp
    [2010/04/05 07:34:04 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PeoplePC
    [2010/04/01 11:59:49 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
    [2010/04/01 11:39:38 | 000,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\Helpersetup.exe
    [2010/03/28 13:11:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\My Documents\IRS forms
    [2010/03/28 13:07:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\My Documents\April Mrtg stuff
    [2010/03/28 13:07:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\My Documents\Clark Info
    [2010/03/28 13:07:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\My Documents\2008 Election Things
    [2010/03/28 00:28:30 | 000,270,848 | RHS- | C] (RTFLOL & MarjinZ) -- C:\WINDOWS\System32\CtDrvMkl.exe
    [2010/03/27 15:40:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\TestZipExtract
    [2009/04/17 10:15:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Mozilla
    [2009/02/17 17:17:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla
    [2007/01/11 17:15:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Google
    [2006/12/27 22:03:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
    [2006/08/23 16:01:21 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
    [2006/06/17 01:45:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
    [2006/06/17 01:45:24 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
    [2006/06/17 01:45:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
    [73 C:\Documents and Settings\Owner.YOUR-A2A5F0665A\My Documents\*.tmp files -> C:\Documents and Settings\Owner.YOUR-A2A5F0665A\My Documents\*.tmp -> ]
    [2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [12 C:\*.tmp files -> C:\*.tmp -> ]
    [10 C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\*.tmp files -> C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\*.tmp -> ]

    ========== Files - Modified Within 14 Days ==========

    [2010/04/08 09:00:32 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\OTL.exe
    [2010/04/08 08:50:12 | 000,025,600 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\New temp save of TSG info.doc
    [2010/04/08 08:46:01 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\~$w temp save of TSG info.doc
    [2010/04/08 06:54:54 | 000,015,360 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\New temp save of TSG info.xls
    [2010/04/08 06:06:38 | 000,353,485 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\HostsXpert.zip
    [2010/04/07 15:02:27 | 000,876,032 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\Step4- Ultimate Failure Point in HJT software sequence.xls
    [2010/04/06 10:05:33 | 007,340,032 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\NTUSER.DAT
    [2010/04/02 15:32:18 | 000,000,619 | ---- | M] () -- C:\WINDOWS\win.ini
    [2010/04/02 15:32:18 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Application Data\hcf.dwq
    [2010/04/02 15:32:06 | 000,050,868 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
    [2010/04/02 15:32:02 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/04/02 15:31:59 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/04/02 15:31:56 | 1005,236,224 | -HS- | M] () -- C:\hiberfil.sys
    [2010/04/02 15:14:26 | 000,498,688 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\Step3 & NSIS error example.xls
    [2010/04/01 16:06:00 | 000,472,365 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\Step3 & NSIS error example.zip
    [2010/04/01 16:02:58 | 000,230,101 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\Step4- Ultimate Failure Point in HJT software sequence.zip
    [2010/04/01 13:28:06 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\HijackThis.lnk
    [2010/04/01 12:10:19 | 000,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\Helpersetup.exe
    [2010/04/01 10:49:06 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\ntuser.ini
    [2010/04/01 10:46:26 | 000,471,126 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2010/04/01 10:46:26 | 000,401,632 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/04/01 10:46:26 | 000,062,746 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/04/01 10:39:31 | 000,088,064 | ---- | M] () -- C:\WINDOWS\System32\Status.MPF
    [2010/04/01 10:30:42 | 000,008,002 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2010/03/29 14:17:03 | 000,012,845 | ---- | M] () -- C:\WINDOWS\System32\[email protected]
    [2010/03/28 00:28:20 | 000,270,848 | RHS- | M] (RTFLOL & MarjinZ) -- C:\WINDOWS\System32\CtDrvMkl.exe
    [2010/03/27 15:51:06 | 299,816,783 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\BACKUP 8-26-06.zip
    [2010/03/27 15:32:29 | 2056,094,510 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\Laptop C Drive.zip
    [2010/03/27 15:19:00 | 030,196,589 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\Iomega thumb BckUp 10-11-08.zip
    [2010/03/27 10:22:55 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\My Documents\Harbor Freight.xls
    [73 C:\Documents and Settings\Owner.YOUR-A2A5F0665A\My Documents\*.tmp files -> C:\Documents and Settings\Owner.YOUR-A2A5F0665A\My Documents\*.tmp -> ]
    [2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [12 C:\*.tmp files -> C:\*.tmp -> ]
    [10 C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\*.tmp files -> C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2010/04/08 08:46:01 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\~$w temp save of TSG info.doc
    [2010/04/08 07:00:15 | 000,025,600 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\New temp save of TSG info.doc
    [2010/04/08 06:45:22 | 000,015,360 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\New temp save of TSG info.xls
    [2010/04/08 06:06:37 | 000,353,485 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\HostsXpert.zip
    [2010/04/02 15:32:18 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Application Data\hcf.dwq
    [2010/04/01 16:06:00 | 000,472,365 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\Step3 & NSIS error example.zip
    [2010/04/01 16:02:58 | 000,230,101 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\Step4- Ultimate Failure Point in HJT software sequence.zip
    [2010/04/01 16:02:10 | 000,876,032 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\Step4- Ultimate Failure Point in HJT software sequence.xls
    [2010/04/01 14:29:45 | 000,498,688 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\Step3 & NSIS error example.xls
    [2010/04/01 11:59:50 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\HijackThis.lnk
    [2010/03/29 14:16:54 | 000,012,845 | ---- | C] () -- C:\WINDOWS\System32\[email protected]
    [2010/03/28 13:13:40 | 001,208,320 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\My Documents\tempppp check.doc
    [2010/03/27 15:49:23 | 299,816,783 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\BACKUP 8-26-06.zip
    [2010/03/27 15:19:38 | 2056,094,510 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\Laptop C Drive.zip
    [2010/03/27 15:18:34 | 030,196,589 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\Iomega thumb BckUp 10-11-08.zip
    [2010/03/25 09:55:35 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\My Documents\Harbor Freight.xls
    [2010/01/15 00:16:41 | 000,000,005 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameE.txt
    [2009/12/28 15:46:56 | 000,070,144 | -H-- | C] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\secupdat.dat
    [2009/12/28 15:46:56 | 000,006,144 | -H-- | C] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\gbh.exe
    [2009/12/26 21:45:26 | 000,040,128 | ---- | C] () -- C:\WINDOWS\System32\drivers\csjgkfji.sys
    [2009/09/11 11:21:30 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
    [2007/02/06 12:20:25 | 000,006,656 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2007/01/03 16:15:52 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Application Data\wklnhst.dat
    [2007/01/02 12:37:39 | 000,000,144 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Local Settings\Application Data\fusioncache.dat
    [2006/12/27 21:44:56 | 007,340,032 | ---- | C] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\NTUSER.DAT
    [2006/12/27 21:44:56 | 000,024,576 | -H-- | C] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\ntuser.dat.LOG
    [2006/12/27 21:44:56 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\ntuser.ini
    [2006/08/23 16:01:19 | 000,023,552 | ---- | C] () -- C:\WINDOWS\System32\jesterss.dll
    [2006/08/23 15:51:17 | 000,000,636 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2006/08/23 15:47:19 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
    [2006/08/23 15:47:19 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
    [2006/08/23 15:24:26 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
    [2006/08/23 15:24:26 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
    [2006/08/23 15:24:24 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
    [2006/08/23 15:24:23 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
    [2006/08/23 15:24:20 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
    [2006/08/23 15:24:12 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
    [2006/08/23 15:24:01 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
    [2006/06/21 01:48:15 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2006/06/17 01:24:58 | 000,001,274 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
    [2006/06/17 01:24:57 | 000,000,515 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
    [2006/06/17 01:23:25 | 000,028,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
    [2006/06/17 01:23:18 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
    [2005/08/05 20:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
    [2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

    ========== LOP Check ==========

    [2006/08/23 15:56:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
    [2006/08/23 15:57:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    [2010/04/01 10:31:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
    [2010/01/12 17:56:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{630068FD-3C15-486B-AA87-B61EBAF1D636}
    [2010/01/25 01:37:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Application Data\InfraRecorder
    [2006/08/23 15:59:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Application Data\SampleView
    [2007/01/19 10:26:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Application Data\ScamGuard
    [2009/02/25 12:38:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Application Data\Template
    [2007/02/14 09:46:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Application Data\Viewpoint
    [2006/12/28 08:28:36 | 000,000,106 | ---- | M] () -- C:\WINDOWS\Tasks\Low Battery Alarm Program.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.exe >


    < MD5 for: AGP440.SYS >
    [2004/08/10 11:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\Laptop C Drive\Windows\Driver Cache\i386\sp2.cab:AGP440.sys
    [2004/08/10 11:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
    [2004/08/10 11:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:AGP440.sys
    [2004/08/04 05:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\drivers\AGP440.SYS

    < MD5 for: ATAPI.SYS >
    [2004/08/10 11:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\Laptop C Drive\Windows\Driver Cache\i386\sp2.cab:atapi.sys
    [2004/08/10 11:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
    [2004/08/10 11:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:atapi.sys
    [2004/08/04 04:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

    < MD5 for: EVENTLOG.DLL >
    [2004/08/10 11:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

    < MD5 for: NETLOGON.DLL >
    [2004/08/10 11:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

    < MD5 for: SCECLI.DLL >
    [2004/08/10 11:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll

    < %systemroot%\*. /mp /s >

    < %systemroot%\system32\*.dll /lockedfiles >
    [2005/07/26 03:39:44 | 001,267,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\comsvcs.dll
    [2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

    < %systemroot%\Tasks\*.job /lockedfiles >

    < %systemroot%\system32\drivers\*.sys /lockedfiles >
    [2009/12/26 21:45:26 | 000,040,128 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\csjgkfji.sys

    < %systemroot%\System32\config\*.sav >
    [2006/06/16 18:30:11 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2006/06/16 18:30:11 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2006/06/16 18:30:11 | 000,897,024 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\Helpersetup.exe:SummaryInformation
    @Alternate Data Stream - 401240 bytes -> C:\WINDOWS\Temp:temp
    @Alternate Data Stream - 401115 bytes -> C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Application Data\desktop.ini:init
    < End of report >


    Here's the Extras.Txt copy/paste:

    OTL Extras logfile created on: 4/8/2010 9:05:55 AM - Run 1
    OTL by OldTimer - Version 3.2.1.0 Folder = C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop
    Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.2180)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    959.00 Mb Total Physical Memory | 466.00 Mb Available Physical Memory | 49.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 84.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 50.52 Gb Total Space | 26.80 Gb Free Space | 53.06% Space Free | Partition Type: NTFS
    Drive D: | 5.35 Gb Total Space | 3.41 Gb Free Space | 63.70% Space Free | Partition Type: FAT32
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: YOUR-A2A5F0665A
    Current User Name: Owner
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 14 Days
    Output = Minimal
    Quick Scan

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
    htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 1
    "FirewallDisableNotify" = 1
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 1
    "FirewallOverride" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 1
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
    "139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "C:\WINDOWS\system32\wmistrk.exe" = C:\WINDOWS\system32\wmistrk.exe:*:Enabled:UPnP Firewall -- ( )
    "C:\WINDOWS\system32\CtDrvMkl.exe" = C:\WINDOWS\system32\CtDrvMkl.exe:*:Enabled:LAN Router -- (RTFLOL & MarjinZ)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe" = C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Disabled:AOL -- File not found
    "C:\Program Files\Common Files\AOL\System Information\sinf.exe" = C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Disabled:AOL -- File not found
    "C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe" = C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe:*:Disabled:AOL -- File not found
    "C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe" = C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe:*:Disabled:AOL -- File not found
    "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Disabled:AOL -- File not found
    "C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Disabled:AOL -- File not found
    "C:\Program Files\Common Files\AOL\1156377412\EE\AOLServiceHost.exe" = C:\Program Files\Common Files\AOL\1156377412\EE\AOLServiceHost.exe:*:Disabled:AOL -- File not found
    "C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Disabled:AOL -- File not found
    "C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Disabled:AOL Application Loader -- (America Online, Inc.)
    "C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe" = C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Disabled:AOLTopSpeed -- File not found
    "C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe" = C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Disabled:AOLTsMon -- File not found
    "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- File not found
    "C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- File not found
    "C:\WINDOWS\system32\wmistrk.exe" = C:\WINDOWS\system32\wmistrk.exe:*:Enabled:UPnP Firewall -- ( )
    "C:\WINDOWS\system32\CtDrvMkl.exe" = C:\WINDOWS\system32\CtDrvMkl.exe:*:Enabled:LAN Router -- (RTFLOL & MarjinZ)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0AD84416-63A4-4CF3-BDDF-8FA866711FB0}" = Civilization III
    "{15377C3E-9655-400F-B441-E69F0A6BEAFE}" = Recovery Software Suite Gateway
    "{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Solution
    "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
    "{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 17
    "{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}" = TurboTax ItsDeductible 2005
    "{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
    "{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
    "{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
    "{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java(TM) SE Runtime Environment 6 Update 1
    "{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java(TM) 6 Update 2
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}" = Google Earth
    "{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = Browser Address Error Redirector
    "{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go 4.0
    "{56364334-9530-11D2-BFFC-00C04FA329AA}" = Microsoft Works 2000
    "{5D95AD35-368F-47D5-B63A-A082DDF00111}" = Microsoft Digital Image Starter Edition 2006 Editor
    "{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
    "{691F4068-81BF-49E3-B32E-FE3E16400111}" = Microsoft Digital Image Starter Edition 2006 Library
    "{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
    "{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
    "{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}" = Napster Burn Engine
    "{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
    "{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
    "{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
    "{9F7FC79B-3059-4264-9450-39EB368E3225}" = Microsoft Digital Image Library 9 - Blocker
    "{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
    "{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0.8
    "{BBBCAE4B-B416-4182-A6F2-438180894A81}" = Napster
    "{C151CE54-E7EA-4804-854B-F515368B0798}" = Athlon 64 Processor Driver
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Shockwave Player" = Adobe Shockwave Player
    "Agere Systems Soft Modem" = Agere Systems HDA Modem
    "BigFix" = BigFix
    "Broadcom 802.11b Network Adapter" = Broadcom 802.11 Network Adapter
    "gtw_logo" = gtw_logo
    "HijackThis" = HijackThis 2.0.2
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
    "Mozilla Firefox (3.0.15)" = Mozilla Firefox (3.0.15)
    "MSNINST" = MSN
    "NVIDIA Drivers" = NVIDIA Drivers
    "PeoplePC Online" = PeoplePC Online
    "PeoplePC Toolbar" = PeoplePC:peoplePal Toolbar 7.3
    "PictureItSuiteTrial_v11" = Microsoft Digital Image Starter Edition 2006
    "QuickTime" = QuickTime
    "RealPlayer 6.0" = RealPlayer Basic
    "ST6UNST #1" = TekView
    "SynTPDeinstKey" = Synaptics Pointing Device Driver
    "Total Annihilation" = Total Annihilation
    "Total Annihilation - Battle Tactics" = Total Annihilation - Battle Tactics
    "Total Annihilation - Core Contingency" = Total Annihilation - Core Contingency
    "TurboTax Premier 2005" = TurboTax Premier 2005
    "ViewpointMediaPlayer" = Viewpoint Media Player
    "WGA" = Windows Genuine Advantage Validation Tool
    "WildTangent CDA" = WildTangent Web Driver
    "Windows Media Format Runtime" = Windows Media Format Runtime
    "Yahoo! Companion" = Yahoo! Toolbar
    "Yahoo! Customizations" = Yahoo! Browser Services
    "Yahoo! Internet Mail" = Yahoo! Internet Mail
    "Yahoo! Toolbar" = Yahoo! Toolbar
    "YInstHelper" = Yahoo! Install Manager

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 4/1/2010 2:51:40 PM | Computer Name = YOUR-A2A5F0665A | Source = Media Center Guide | ID = 0
    Description = Event Info: Unable to initialize connection to the database. Process:
    DefaultDomain Object Name: Media Center Guide

    Error - 4/1/2010 2:54:10 PM | Computer Name = YOUR-A2A5F0665A | Source = Application Hang | ID = 1002
    Description = Hanging application BartShel.exe, version 6.3.1.285, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    Error - 4/1/2010 4:08:28 PM | Computer Name = YOUR-A2A5F0665A | Source = Application Error | ID = 1000
    Description = Faulting application ctdrvmkl.exe, version 1.0.4.0, faulting module
    ntdll.dll, version 5.1.2600.2180, fault address 0x00011e58.

    Error - 4/1/2010 4:34:50 PM | Computer Name = YOUR-A2A5F0665A | Source = Application Error | ID = 1001
    Description = Fault bucket 1779696853.

    Error - 4/2/2010 7:44:01 PM | Computer Name = YOUR-A2A5F0665A | Source = MsiInstaller | ID = 11706
    Description = Product: Microsoft Office XP Professional with FrontPage -- Error
    1706. Setup cannot find the required files. Check your connection to the network,
    or CD-ROM drive. For other potential solutions to this problem, see C:\Program
    Files\Microsoft Office\Office10\1033\SETUP.HLP.

    Error - 4/2/2010 7:50:35 PM | Computer Name = YOUR-A2A5F0665A | Source = Application Hang | ID = 1002
    Description = Hanging application POWERPNT.EXE, version 10.0.4205.0, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 4/2/2010 8:00:21 PM | Computer Name = YOUR-A2A5F0665A | Source = Application Hang | ID = 1002
    Description = Hanging application POWERPNT.EXE, version 10.0.4205.0, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 4/5/2010 11:31:12 AM | Computer Name = YOUR-A2A5F0665A | Source = Application Error | ID = 1000
    Description = Faulting application bartshel.exe, version 6.3.1.285, faulting module
    , version 0.0.0.0, fault address 0x00000000.

    Error - 4/8/2010 11:09:35 AM | Computer Name = YOUR-A2A5F0665A | Source = Application Hang | ID = 1002
    Description = Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 4/8/2010 12:46:43 PM | Computer Name = YOUR-A2A5F0665A | Source = Microsoft Office 10 | ID = 1000
    Description = Faulting application winword.exe, version 10.0.4524.0, faulting module
    winword.exe, version 10.0.4524.0, fault address 0x0059bd98.

    [ System Events ]
    Error - 4/5/2010 11:19:25 AM | Computer Name = YOUR-A2A5F0665A | Source = Server | ID = 2505
    Description = The server could not bind to the transport \Device\NetbiosSmb because
    another computer on the network has the same name. The server could not start.

    Error - 4/5/2010 11:33:08 AM | Computer Name = YOUR-A2A5F0665A | Source = Server | ID = 2505
    Description = The server could not bind to the transport \Device\NetbiosSmb because
    another computer on the network has the same name. The server could not start.

    Error - 4/5/2010 2:33:15 PM | Computer Name = YOUR-A2A5F0665A | Source = Server | ID = 2505
    Description = The server could not bind to the transport \Device\NetbiosSmb because
    another computer on the network has the same name. The server could not start.

    Error - 4/6/2010 12:56:30 PM | Computer Name = YOUR-A2A5F0665A | Source = Server | ID = 2505
    Description = The server could not bind to the transport \Device\NetbiosSmb because
    another computer on the network has the same name. The server could not start.

    Error - 4/6/2010 7:49:11 PM | Computer Name = YOUR-A2A5F0665A | Source = Server | ID = 2505
    Description = The server could not bind to the transport \Device\NetbiosSmb because
    another computer on the network has the same name. The server could not start.

    Error - 4/7/2010 4:45:30 PM | Computer Name = YOUR-A2A5F0665A | Source = Server | ID = 2505
    Description = The server could not bind to the transport \Device\NetbiosSmb because
    another computer on the network has the same name. The server could not start.

    Error - 4/7/2010 7:03:47 PM | Computer Name = YOUR-A2A5F0665A | Source = Server | ID = 2505
    Description = The server could not bind to the transport \Device\NetbiosSmb because
    another computer on the network has the same name. The server could not start.

    Error - 4/8/2010 9:51:19 AM | Computer Name = YOUR-A2A5F0665A | Source = Server | ID = 2505
    Description = The server could not bind to the transport \Device\NetbiosSmb because
    another computer on the network has the same name. The server could not start.

    Error - 4/8/2010 11:17:17 AM | Computer Name = YOUR-A2A5F0665A | Source = Server | ID = 2505
    Description = The server could not bind to the transport \Device\NetbiosSmb because
    another computer on the network has the same name. The server could not start.

    Error - 4/8/2010 12:52:25 PM | Computer Name = YOUR-A2A5F0665A | Source = Server | ID = 2505
    Description = The server could not bind to the transport \Device\NetbiosSmb because
    another computer on the network has the same name. The server could not start.


    < End of report >
     
  10. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi,

    Please do the following:

    We need to run an OTL Fix
    1. Please reopen OTL on your desktop.
    2. Copy and Paste the following code into the textbox. Do not include the word "Code"

      Code:
      :OTL
      PRC - C:\WINDOWS\system32\msvmcls64.exe ()
      O3 - HKLM\..\Toolbar: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - No CLSID value found.
      O4 - HKLM..\Run: [MS Virtual CLS] C:\WINDOWS\system32\msvmcls64.exe ()
      O27 - HKLM IFEO\conime.exe: Debugger - CtDrvMkl.exe (RTFLOL & MarjinZ)
      O27 - HKLM IFEO\ctfmon.exe: Debugger - wmistrk.exe ( )
      O33 - MountPoints2\{4362df90-67f3-11dd-ab80-0003253eb2fe}\Shell - "" = AutoRun
      O33 - MountPoints2\{4362df90-67f3-11dd-ab80-0003253eb2fe}\Shell\AutoRun - "" = Auto&Play
      O33 - MountPoints2\{4362df90-67f3-11dd-ab80-0003253eb2fe}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
      O33 - MountPoints2\{581657fd-3300-11db-a1df-806d6172696f}\Shell - "" = AutoRun
      O33 - MountPoints2\{581657fd-3300-11db-a1df-806d6172696f}\Shell\AutoRun - "" = Auto&Play
      [2010/04/02 15:32:18 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Application Data\hcf.dwq
      [2010/03/29 14:17:03 | 000,012,845 | ---- | M] () -- C:\WINDOWS\System32\[email protected]
      [2010/03/28 00:28:20 | 000,270,848 | RHS- | M] (RTFLOL & MarjinZ) -- C:\WINDOWS\System32\CtDrvMkl.exe
      [2009/12/26 21:45:26 | 000,040,128 | ---- | C] () -- C:\WINDOWS\System32\drivers\csjgkfji.sys
      [2010/01/12 17:56:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{630068FD-3C15-486B-AA87-B61EBAF1D636}
      FF - prefs.js..network.proxy.http_port: 8080
      FF - prefs.js..network.proxy.type: 1
      
      :reg
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
      "C:\WINDOWS\system32\wmistrk.exe"=-
      "C:\WINDOWS\system32\CtDrvMkl.exe"=-
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
      "C:\WINDOWS\system32\wmistrk.exe"=-
      "C:\WINDOWS\system32\CtDrvMkl.exe"=-
      
      :Commands
      [purity]
      [resethosts]
      [emptyflash]
      [emptytemp]
      [Reboot]
      
    3. Push Run Fix
    4. OTL may ask to reboot the machine. Please do so if asked.
    5. Click OK.
    6. A report will open. Copy and Paste that report in your next reply.

    to answer your question about the proxy - yes, yours is hijacked.
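As an added example (not CatByte's OTL script and not part of the original thread), here is a read-only PowerShell audit of the same persistence points the fix above removes: IFEO Debugger values, HKLM Run entries, XP firewall application exceptions, MountPoints2 AutoRun commands and Firefox proxy preferences. The function name Get-PersistenceAudit and the assumption of an elevated prompt on the affected machine, run as the affected user, are mine.

```powershell
# Added example, not CatByte's OTL script and not part of the original thread.
# Read-only audit of the persistence points the fix above removes. Assumes an
# elevated PowerShell prompt on the affected machine, run as the affected user.
# It reports findings and deletes nothing.

function Get-PersistenceAudit {
    $findings = New-Object System.Collections.ArrayList

    function Add-Finding($type, $where, $value) {
        [void]$findings.Add([pscustomobject]@{ Type = $type; Location = $where; Value = $value })
    }

    # 1. Any "Debugger" value under IFEO launches that program instead of the named
    #    executable (the fix removed entries on conime.exe and ctfmon.exe).
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($sub in (Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
        $dbg = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { Add-Finding 'IFEO Debugger' $sub.PSChildName $dbg }
    }

    # 2. HKLM Run entries. A Microsoft-sounding name ("MS Virtual CLS") proves nothing;
    #    record where the value points and whether that file carries a valid signature.
    $run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $props = (Get-ItemProperty -Path $run -ErrorAction SilentlyContinue).PSObject.Properties
    foreach ($p in $props) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
        $exe = [regex]::Match([string]$p.Value, '(?i)^"?([^"]+?\.exe)').Groups[1].Value
        $status = 'file missing'
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $status = (Get-AuthenticodeSignature -FilePath $exe).Status
        }
        Add-Finding 'Run' $p.Name "$($p.Value) [signature: $status]"
    }

    # 3. XP firewall application exceptions: each value name is an executable allowed
    #    through (the fix removed wmistrk.exe and CtDrvMkl.exe from both profiles).
    $fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($profile in 'DomainProfile', 'StandardProfile') {
        $list = "$fw\$profile\AuthorizedApplications\List"
        if (-not (Test-Path -Path $list)) { continue }
        foreach ($p in (Get-ItemProperty -Path $list).PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { Add-Finding 'Firewall exception' $profile $p.Name }
        }
    }

    # 4. Per-volume AutoRun commands under MountPoints2 (the O33 lines in the fix).
    $mp = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    foreach ($vol in (Get-ChildItem -Path $mp -ErrorAction SilentlyContinue)) {
        $cmdKey = "$($vol.PSPath)\Shell\AutoRun\command"
        if (Test-Path -Path $cmdKey) {
            $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
            if ($cmd) { Add-Finding 'MountPoints2 AutoRun' $vol.PSChildName $cmd }
        }
    }

    # 5. Firefox proxy prefs: network.proxy.type 1 forces a manual proxy on every
    #    request (the fix removed type 1 with http_port 8080).
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    $dirs = Get-ChildItem -Path $profiles -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer }
    foreach ($dir in $dirs) {
        $prefs = Join-Path $dir.FullName 'prefs.js'
        if (-not (Test-Path -Path $prefs)) { continue }
        foreach ($m in (Select-String -Path $prefs -Pattern 'user_pref\("network\.proxy\.[^"]+",\s*[^)]+\)')) {
            Add-Finding 'Firefox proxy pref' $dir.Name $m.Matches[0].Value
        }
    }

    return $findings
}

Get-PersistenceAudit | Format-Table -AutoSize -Wrap
```

An empty table is the clean result; any IFEO Debugger row, an unsigned Run target in System32, or a network.proxy.type of 1 deserves the same scrutiny CatByte gave the lines above.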
     
  11. medium_low_skill

    medium_low_skill Thread Starter

    Joined:
    Mar 28, 2010
    Messages:
    96

    During the restart (following the reboot) a MS Windows error report popped up saying: "The system has recovered from a serious error."

    The data of the error report said:
    BCCode: c2 BCP1: 00000007 BCP2: 00000CD4 BCP3: 014D43CC
    BCP4: B877FCD8 OSVer: 5_1_2600 SP: 2_0 Product: 256_1

    The technical information of the report said:
    C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\WER10f5.dir00\Mini033010-01.dmp
    C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\WER10f5.dir00\sysdata.xml
    It asked me if I want to send an error report to Microsoft. I picked don't send.

    **Does any of that help you or should I not bother noting those messages because it doesn't help?
    __________________________________________________

    Here's the OTL Notepad paste
    from the Run Fix we just did:
    File name: 04082010_150822


    All processes killed
    ========== OTL ==========
    No active process named msvmcls64.exe was found!
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{A8FB8EB3-183B-4598-924D-86F0E5E37085} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A8FB8EB3-183B-4598-924D-86F0E5E37085}\ not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\MS Virtual CLS deleted successfully.
    C:\WINDOWS\system32\msvmcls64.exe moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe\ deleted successfully.
    C:\WINDOWS\System32\CtDrvMkl.exe moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\ deleted successfully.
    C:\WINDOWS\System32\wmistrk.exe moved successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4362df90-67f3-11dd-ab80-0003253eb2fe}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4362df90-67f3-11dd-ab80-0003253eb2fe}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4362df90-67f3-11dd-ab80-0003253eb2fe}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4362df90-67f3-11dd-ab80-0003253eb2fe}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4362df90-67f3-11dd-ab80-0003253eb2fe}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4362df90-67f3-11dd-ab80-0003253eb2fe}\ not found.
    File F:\LaunchU3.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{581657fd-3300-11db-a1df-806d6172696f}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{581657fd-3300-11db-a1df-806d6172696f}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{581657fd-3300-11db-a1df-806d6172696f}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{581657fd-3300-11db-a1df-806d6172696f}\ not found.
    C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Application Data\hcf.dwq moved successfully.
    C:\WINDOWS\system32\[email protected] moved successfully.
    File C:\WINDOWS\System32\CtDrvMkl.exe not found.
    File move failed. C:\WINDOWS\system32\drivers\csjgkfji.sys scheduled to be moved on reboot.
    C:\Documents and Settings\All Users\Application Data\{630068FD-3C15-486B-AA87-B61EBAF1D636} folder moved successfully.
    Prefs.js: 8080 removed from network.proxy.http_port
    Prefs.js: 1 removed from network.proxy.type
    ========== REGISTRY ==========
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\DomainProfile\AuthorizedApplications\List not found.
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\DomainProfile\AuthorizedApplications\List not found.
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\StandardProfile\AuthorizedApplications\List not found.
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\StandardProfile\AuthorizedApplications\List not found.
    ========== COMMANDS ==========
    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default User

    User: LocalService

    User: NetworkService

    User: Owner

    User: Owner.YOUR-A2A5F0665A
    ->Flash cache emptied: 2019021 bytes

    User: OWNER~1~YOU

    Total Flash Files Cleaned = 2.00 mb


    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 49152 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 49152 bytes

    User: LocalService
    ->Temp folder emptied: 65716 bytes
    ->Temporary Internet Files folder emptied: 760400 bytes
    ->FireFox cache emptied: 17932946 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 2317059 bytes

    User: Owner

    User: Owner.YOUR-A2A5F0665A
    ->Temp folder emptied: 1077390897 bytes
    ->Temporary Internet Files folder emptied: 13525561 bytes
    ->Java cache emptied: 19139263 bytes
    ->FireFox cache emptied: 94323778 bytes
    ->Flash cache emptied: 0 bytes

    User: OWNER~1~YOU

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 346641 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 30401226 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 63481929 bytes

    Total Files Cleaned = 1,259.00 mb


    OTL by OldTimer - Version 3.2.1.0 log created on 04082010_150822

    Files\Folders moved on Reboot...
    File move failed. C:\WINDOWS\system32\drivers\csjgkfji.sys scheduled to be moved on reboot.
    File\Folder C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Local Settings\Temp\Temporary Internet Files\Content.IE5\4TMBCTAZ\_default;net=ns;u=,ns-67867804_1270749520,100c8595c5234ce,ce_digcam_general,;;kw=;tile=3;ord1=839032;sz=120x600,160x600;ppos=BTF;contx=ce_digcam_general;btg=;ord=2944[1] not found!
    File\Folder C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Local Settings\Temp\Temporary Internet Files\Content.IE5\4TMBCTAZ\_default;net=ns;u=,ns-71764144_1270749520,100c8595c5234ce,ce_digcam_general,;;kw=;tile=2;ord1=625710;sz=300x250,336x280;ppos=ATF;contx=ce_digcam_general;btg=;ord=8060[1] not found!

    Registry entries deleted on Reboot...
     
  12. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi,

    that error could be related to some hardware issues. We'll check that once your system is clean.

    Please do the following:


    Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and post it in your next reply.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
     
  13. medium_low_skill

    medium_low_skill Thread Starter

    Joined:
    Mar 28, 2010
    Messages:
    96
    Wow, that was an extremely difficult/frustrating run (worked on all night, other than a catnap) to complete because the computer kept freezing while I was running the Gmer program. It actually seemed directly related to the running of the program as the CPU usage (that was previously in the 10-30% range) would start rising after starting it, and soon hover at 100% until freezing &/or crashing.

    1) Here's a rundown of the main activity in task manager prior to crashing. Can you tell something based on the program names you see below? These are the ones that seemed to have the most activity. Generally, 1-2 would be using almost 100% CPU capacity but toward the end (prior to a complete freeze &/or crash) there would usually be 1 that was taking up 96-99% by itself:

    Image Name User Name
    wuauclt.exe Owner
    ehtray.exe Owner
    explorer.exe Owner
    Winlogon.exe SYSTEM
    elRec.exe
    lsass.exe SYSTEM
    System SYSTEM
    BartShel.exe Owner

    2) The computer froze approx 4 times (requiring use of the pwr button to shut down/restart) and did an auto restart (via blue screen of death) approx 3 times. The last blue screen of death actually stayed on the screen (as opposed to the usual quick 1sec flash) and I copied the following down:

    A problem has been detected and Windows has been shut down to prevent damage to your computer.

    PFN_LIST_CORRUPT

    If this is the first time you've seen this stop error screen, restart your computer. If this
    screen appears again, follow these steps:

    Check to make sure any new hardware or software is properly installed. If new installation, ask
    your hardware or software manufacturer for any Windows updates you may need.

    If problem continues, disable or remove any newly installed hardware or software, disable BIOS
    memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable
    components, restart your computer, press F8 to select Advanced Startup Options, then select Safe Mode.

    Technical Information
    ***STOP 0x0000004E (0x00000007, 0x00018D6B, 0x00000001, 0x00000000)
    Beginning dump of physical memory
    physical memory dump complete
    Contact your system administrator or technical support group for further assistance.

    ***Do either 1) or 2) above give you any useful information CatByte??***
     
  14. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi,

    That error message appears to be related to failing ram, so there appears to be some hardware issues with your machine as well.

    We will try and clean up all the malware first and then see how your machine behaves:


    Please do the following;


    Download ComboFix from either of these locations:
    Link 1
    Link 2


    VERY IMPORTANT !!!
    Save ComboFix.exe to your Desktop

    * IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
    • Double click on ComboFix.exe & follow the prompts.
    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    • Click on Yes, to continue scanning for malware.
    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.



    Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.
     
  15. medium_low_skill

    medium_low_skill Thread Starter

    Joined:
    Mar 28, 2010
    Messages:
    96
    I forgot to add the results of the Gmer program which I was "barely" able to save while I was at 100% CPU usage... Here's the Gmer result:

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-09 04:56:54
    Windows 5.1.2600 Service Pack 2
    Running: gmer.exe; Driver: C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\kgwyypog.sys

    ---- Devices - GMER 1.0.15 ----
    Device \FileSystem\Ntfs \Ntfs csjgkfji.sys
    Device \FileSystem\Fastfat \FatCdrom csjgkfji.sys
    Device \FileSystem\Mup \Dfs csjgkfji.sys
    Device \FileSystem\NetBIOS \Device\Netbios csjgkfji.sys
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    Device \FileSystem\RAW \Device\RawTape csjgkfji.sys
    Device \FileSystem\Rdbss \Device\FsWrap csjgkfji.sys
    Device \FileSystem\RAW \Device\RawDisk csjgkfji.sys
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver csjgkfji.sys
    Device \FileSystem\MRxSmb \Device\LanmanRedirector csjgkfji.sys
    Device \FileSystem\Npfs \Device\NamedPipe csjgkfji.sys
    Device \FileSystem\Msfs \Device\Mailslot csjgkfji.sys
    Device \FileSystem\RAW \Device\RawCdRom csjgkfji.sys
    Device \FileSystem\Mup \Device\WinDfs\Root csjgkfji.sys
    Device \FileSystem\Fastfat \Fat csjgkfji.sys
    Device \FileSystem\Cdfs \Cdfs csjgkfji.sys
    ---- EOF - GMER 1.0.15 ----

    I'm not sure if you knew I'd actually been able to finish a Gmer run so with that in mind do you still want me to download/run ComboFix or do something else first? Btw, I've recently removed the protective programs and plan on replacing with one of the good online ones when the computer is working better. Therefore, that should make running ComboFix easier I guess.
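Added example, not part of this thread or of the GMER tool: a small Python triage script for the Devices section of a GMER log in the layout posted above. It assumes only that line layout (kind, driver object, device object, module file, optional vendor description in parentheses); the sample log is constructed, and the flagging rule is a heuristic that deserves the same caution CatByte gave about false positives.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the GMER 1.0.15 log posted above
# (module names copied from that post; this is not a real scan output).
SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs csjgkfji.sys
Device \FileSystem\Fastfat \FatCdrom csjgkfji.sys
Device \FileSystem\Mup \Dfs csjgkfji.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device \FileSystem\Npfs \Device\NamedPipe csjgkfji.sys
Device \FileSystem\Cdfs \Cdfs csjgkfji.sys
---- EOF - GMER 1.0.15 ----
"""

# One Devices-section line: kind, driver object, device object, module file,
# and an optional "(vendor description)" that GMER prints for identified modules.
DEVICE_RE = re.compile(
    r"^(Device|AttachedDevice)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+\((.*)\))?\s*$"
)

def parse_devices(log_text):
    """Return one dict per Device/AttachedDevice line; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = DEVICE_RE.match(line.strip())
        if m:
            kind, drv_obj, dev_obj, module, desc = m.groups()
            entries.append({"kind": kind, "driver_object": drv_obj,
                            "device": dev_obj, "module": module,
                            "description": desc})
    return entries

def triage(entries, min_devices=3):
    """Group entries by module and return {module: [devices]} for modules that
    sit on at least min_devices file-system driver objects and never carry a
    vendor description. A triage heuristic only: rootkit scans produce false
    positives, so a flagged module is something to look up, not act on."""
    by_module = defaultdict(list)
    for e in entries:
        by_module[e["module"]].append(e)
    flagged = {}
    for module, hits in by_module.items():
        fs_hits = [h for h in hits if h["driver_object"].startswith("\\FileSystem\\")]
        if len(fs_hits) >= min_devices and all(h["description"] is None for h in hits):
            flagged[module] = sorted(h["device"] for h in fs_hits)
    return flagged
```

Running `triage(parse_devices(SAMPLE_LOG))` on the constructed sample flags the one undescribed module that sits on every file-system device and leaves the vendor-identified touchpad driver alone.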
     
Short URL to this thread: https://techguy.org/914148