TrepidatioN

Everything posted by TrepidatioN

Ok so I managed to just run OTL without killing the processes.

OTL logfile created on: 1/29/2012 10:57:27 AM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\LesLynn\Desktop
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.09 Mb Total Physical Memory | 305.69 Mb Available Physical Memory | 29.91% Memory free
2.40 Gb Paging File | 1.48 Gb Available in Paging File | 61.58% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.30 Gb Total Space | 132.24 Gb Free Space | 91.64% Space Free | Partition Type: NTFS
Drive F: | 3.82 Gb Total Space | 2.11 Gb Free Space | 55.24% Space Free | Partition Type: FAT32

Computer Name: LESDESKTOP | User Name: LesLynn | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========
PRC - [2012/01/20 19:32:50 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\LesLynn\Desktop\OTL.scr
PRC - [2011/12/24 17:50:18 | 000,652,872 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/12/24 17:50:18 | 000,460,872 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011/08/11 17:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASCore.exe
PRC - [2011/06/17 17:10:02 | 001,664,744 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe
PRC - [2011/06/14 16:31:43 | 000,137,224 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
PRC - [2005/11/28 13:56:51 | 000,026,112 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\realplay.exe
PRC - [2005/09/08 19:20:46 | 000,464,384 | ---- | M] (Musicmatch, Inc.) -- C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
PRC - [2005/09/08 19:20:46 | 000,102,400 | ---- | M] (Musicmatch, Inc.) -- C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
PRC - [2005/06/17 07:56:14 | 000,139,264 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2005/06/17 07:55:58 | 000,086,140 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
PRC - [2005/03/23 00:20:44 | 000,339,968 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2004/08/10 05:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/04/07 12:07:32 | 001,135,728 | ---- | M] (America Online, Inc.) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
PRC - [2003/11/19 17:48:14 | 000,032,881 | ---- | M] () -- C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

========== Modules (No Company Name) ==========
MOD - [2005/09/01 07:51:14 | 000,122,880 | ---- | M] () -- C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmgit.dll
MOD - [2005/08/05 14:01:54 | 000,356,352 | ---- | M] () -- C:\WINDOWS\system32\encdec.dll
MOD - [2005/08/05 14:01:54 | 000,282,112 | ---- | M] () -- C:\WINDOWS\system32\sbe.dll
MOD - [2005/08/05 14:01:54 | 000,159,744 | ---- | M] () -- C:\WINDOWS\system32\VBICodec.ax
MOD - [2005/08/05 13:06:50 | 000,165,376 | ---- | M] () -- C:\WINDOWS\system32\mpg2splt.ax
MOD - [2005/06/28 13:55:08 | 001,287,680 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2004/08/10 05:00:00 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2004/08/10 05:00:00 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2003/11/19 17:48:14 | 000,032,881 | ---- | M] () -- C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
MOD - [2003/09/23 01:00:00 | 000,106,496 | ---- | M] () -- C:\Program Files\Dell\ShareDLL\djbsdk.dll

========== Win32 Services (SafeList) ==========
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/12/24 17:50:18 | 000,652,872 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/08/11 17:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2011/06/17 17:10:02 | 001,664,744 | ---- | M] (Symantec Corporation) [unknown | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe -- (SmcService)
SRV - [2011/06/17 16:50:28 | 000,280,496 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\snac.exe -- (SNAC)
SRV - [2011/06/14 16:31:43 | 000,137,224 | ---- | M] (Symantec Corporation) [unknown | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe -- (SepMasterService)
SRV - [2005/06/17 07:55:58 | 000,086,140 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe -- (IAANTMon) Intel®
SRV - [2004/04/07 12:07:32 | 001,135,728 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe -- (AOL ACS)

========== Driver Services (SafeList) ==========
DRV - [2012/01/18 17:58:55 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20120128.009\NAVEX15.SYS -- (NAVEX15)
DRV - [2012/01/18 17:58:55 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20120128.009\NAVENG.SYS -- (NAVENG)
DRV - [2012/01/18 17:58:48 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/01/18 17:58:48 | 000,106,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/01/18 17:56:38 | 000,127,096 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2012/01/18 17:55:57 | 000,092,080 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SysPlant.sys -- (SysPlant)
DRV - [2012/01/18 17:52:52 | 000,239,168 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV - [2012/01/06 22:15:52 | 000,820,344 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20120123.011\BHDrvx86.sys -- (BHDrvx86)
DRV - [2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/07/26 02:03:20 | 000,356,280 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\IPSDefs\20120128.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2011/07/22 10:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/12 15:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2011/06/17 17:06:46 | 000,023,984 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SyDvCtrl32.sys -- (SyDvCtrl)
DRV - [2011/05/27 20:07:29 | 000,516,216 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\srtsp.sys -- (SRTSP)
DRV - [2011/05/27 20:07:29 | 000,050,168 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\srtspx.sys -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2011/05/20 18:50:02 | 000,118,960 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\teefer.sys -- (Teefer2)
DRV - [2011/05/17 20:32:27 | 000,756,856 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\Drivers\SEP\0C01029F\136B.105\x86\SYMEFA.SYS -- (SymEFA)
DRV - [2011/05/10 20:54:58 | 000,136,312 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\Ironx86.sys -- (SymIRON)
DRV - [2011/05/02 19:18:59 | 000,340,088 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\Drivers\SEP\0C01029F\136B.105\x86\SYMDS.SYS -- (SymDS)
DRV - [2011/04/20 22:21:31 | 000,369,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\symtdi.sys -- (SYMTDI)
DRV - [2005/11/28 13:56:54 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2005/08/04 04:10:18 | 001,273,344 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/06/14 22:40:08 | 000,180,864 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA) High Definition Audio Driver (WDM)
DRV - [2005/03/05 00:06:50 | 000,135,296 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atinavxx.sys -- (ATIAVPCI)
DRV - [2004/08/03 23:10:14 | 000,015,360 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mpe.sys -- (MPE)
DRV - [2003/11/17 21:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 21:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 21:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2003/01/10 16:13:04 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\IPSFFPlgn\ [2012/01/18 17:57:06 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/27 20:29:27 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/27 20:29:38 | 000,000,000 | ---D | M]
(No name found) -- C:\Documents and Settings\LesLynn\Application Data\Mozilla\Extensions
[2012/01/27 20:29:27 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/12/21 01:24:52 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/12/20 22:30:41 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/12/20 22:30:41 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2004/08/10 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\IPS\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (WeCareReminder Class) - {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\Documents and Settings\All Users\Application Data\WeCareReminder\IEHelperv2.5.0.dll (We-Care.com)
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
O4 - HKLM..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe (Corel, Inc.)
O4 - HKLM..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MimBoot] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mimboot.exe (Musicmatch, Inc.)
O4 - HKLM..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe (Musicmatch, Inc.)
O4 - HKLM..\Run: [QBReminderFlash] C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe ()
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [sigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe (America Online, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O15 - HKLM\..Trusted Domains: musicmatch.com ([online] https in Trusted sites)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1326864763984 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_03)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.196.64.53 68.113.206.10 24.178.162.3
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4F27E899-6767-4F58-A41D-9E07693616B8}: DhcpNameServer = 24.196.64.53 68.113.206.10 24.178.162.3
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\dimsntfy: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O20 - Winlogon\Notify\SEP: DllName - (C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\WinLogoutNotifier.dll) - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\LesLynn\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\LesLynn\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 04:43:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========
[2012/01/27 20:29:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LesLynn\Local Settings\Application Data\Mozilla
[2012/01/27 20:29:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LesLynn\Application Data\Mozilla
[2012/01/27 20:29:25 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012/01/27 18:48:18 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/01/27 18:17:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2012/01/20 19:37:46 | 000,258,560 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\LesLynn\Desktop\OTH.scr
[2012/01/20 19:37:45 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\LesLynn\Desktop\OTL.scr
[2012/01/20 18:46:26 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2012/01/20 18:44:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
[2012/01/20 18:44:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2012/01/20 18:44:00 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2012/01/20 18:10:48 | 001,975,600 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\LesLynn\Desktop\tdsskiller.exe
[2012/01/18 19:56:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LesLynn\Start Menu\Programs\HiJackThis
[2012/01/18 19:56:41 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2012/01/18 19:26:47 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\LesLynn\Desktop\dds.scr
[2012/01/18 19:11:43 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/01/18 18:50:13 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/01/18 18:45:39 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/01/18 18:45:39 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/01/18 18:45:39 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/01/18 18:45:39 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/01/18 18:44:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/01/18 18:42:10 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/01/18 18:41:44 | 000,000,000 | R--D | C] -- C:\Documents and Settings\LesLynn\My Documents\My Videos
[2012/01/18 18:41:44 | 000,000,000 | R--D | C] -- C:\Documents and Settings\LesLynn\Start Menu\Programs\Administrative Tools
[2012/01/18 17:57:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LesLynn\Local Settings\Application Data\Symantec
[2012/01/18 17:56:38 | 000,127,096 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2012/01/18 17:56:38 | 000,060,872 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2012/01/18 17:56:38 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2012/01/18 17:55:57 | 000,374,704 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\sysfer.dll
[2012/01/18 17:55:57 | 000,240,048 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\SymVPN.dll
[2012/01/18 17:55:57 | 000,094,128 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\FwsVpn.dll
[2012/01/18 17:55:57 | 000,092,080 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SysPlant.sys
[2012/01/18 17:55:57 | 000,032,208 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\WGX.SYS
[2012/01/18 17:55:57 | 000,010,672 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\sysferThunk.dll
[2012/01/18 17:55:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\SEP\0C01029F\136B.105\x86
[2012/01/18 17:55:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Symantec Endpoint Protection
[2012/01/18 17:55:38 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2012/01/18 17:55:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2012/01/18 17:55:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\SEP
[2012/01/18 17:55:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\SEP\0C01029F\136B.105
[2012/01/18 17:55:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\SEP\0C01029F
[2012/01/18 17:53:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\WeCareReminder
[2012/01/18 17:53:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LesLynn\Application Data\OpenCandy
[2012/01/18 17:53:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\DAEMON Tools Lite
[2012/01/18 17:52:52 | 000,239,168 | ---- | C] (DT Soft Ltd) -- C:\WINDOWS\System32\drivers\dtsoftbus01.sys
[2012/01/18 17:52:44 | 000,000,000 | ---D | C] -- C:\Program Files\DAEMON Tools Lite
[2012/01/18 17:52:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LesLynn\Application Data\DAEMON Tools Lite
[2012/01/18 17:52:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2012/01/18 07:24:40 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\SWF Studio
[2012/01/18 00:20:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2012/01/18 00:07:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2012/01/18 00:02:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2012/01/18 00:02:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2012/01/18 00:02:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en-us
[2012/01/18 00:02:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2012/01/18 00:02:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
[2012/01/18 00:00:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\network diagnostic
[2012/01/17 23:52:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2012/01/17 23:43:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LesLynn\Local Settings\Application Data\Identities
[2012/01/17 23:42:02 | 014,717,808 | ---- | C] (DT Soft Ltd.) -- C:\Documents and Settings\LesLynn\Desktop\DTLite4451-0236.exe
[2012/01/17 23:37:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak
[2012/01/17 23:37:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2012/01/17 23:34:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\PreInstall
[2012/01/17 23:34:24 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$MSI31Uninstall_KB893803v2$
[2012/01/17 23:33:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\SoftwareDistribution
[2012/01/17 23:32:32 | 000,000,000 | --SD | C] -- C:\Documents and Settings\LesLynn\UserData
[2012/01/17 23:30:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
[2012/01/17 23:14:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LesLynn\Application Data\Malwarebytes
[2012/01/17 23:14:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/01/17 23:14:30 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/01/17 23:14:30 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/01/17 23:14:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/01/17 23:09:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LesLynn\Application Data\Macromedia
[2012/01/17 23:07:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LesLynn\Application Data\McAfee.com Personal Firewall
[2012/01/17 23:06:14 | 000,000,000 | --SD | C] -- C:\Documents and Settings\LesLynn\Application Data\Microsoft
[2012/01/17 23:06:14 | 000,000,000 | --SD | C] -- C:\Documents and Settings\LesLynn\Cookies
[2012/01/17 23:06:14 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\LesLynn\SendTo
[2012/01/17 23:06:14 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\LesLynn\Recent
[2012/01/17 23:06:14 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\LesLynn\Application Data
[2012/01/17 23:06:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\LesLynn\Start Menu\Programs\Startup
[2012/01/17 23:06:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\LesLynn\Start Menu
[2012/01/17 23:06:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\LesLynn\My Documents\My Pictures
[2012/01/17 23:06:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\LesLynn\My Documents\My Music
[2012/01/17 23:06:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\LesLynn\My Documents
[2012/01/17 23:06:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\LesLynn\Favorites
[2012/01/17 23:06:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\LesLynn\Start Menu\Programs\Accessories
[2012/01/17 23:06:14 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\LesLynn\Templates
[2012/01/17 23:06:14 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\LesLynn\PrintHood
[2012/01/17 23:06:14 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\LesLynn\NetHood
[2012/01/17 23:06:14 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\LesLynn\Local Settings
[2012/01/17 23:06:14 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\LesLynn\Application Data\Gtek
[2012/01/17 23:06:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LesLynn\Local Settings\Application Data\Wildtangent
[2012/01/17 23:06:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LesLynn\Application Data\Sun
[2012/01/17 23:06:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LesLynn\Local Settings\Application Data\Musicmatch
[2012/01/17 23:06:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LesLynn\Local Settings\Application Data\Microsoft
[2012/01/17 23:06:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LesLynn\Application Data\Identities
[2012/01/17 23:06:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LesLynn\Desktop
[2012/01/17 23:06:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LesLynn\Start Menu\Programs\Dell Accessories
[2012/01/17 23:06:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LesLynn\Start Menu\Programs\Dell
[2012/01/17 23:06:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LesLynn\My Documents\CCWin
[2012/01/17 23:06:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LesLynn\Local Settings\Application Data\BVRP Software
[2012/01/17 23:06:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LesLynn\Local Settings\Application Data\ApplicationHistory
[2012/01/17 23:06:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LesLynn\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142030}
[2012/01/17 23:05:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2012/01/10 14:36:38 | 004,763,456 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\LesLynn\Desktop\procexp.exe
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========
[2012/01/29 10:58:14 | 000,381,692 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/01/29 10:58:14 | 000,053,436 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/01/29 10:53:46 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/01/29 10:53:42 | 1071,812,608 | -HS- | M] () -- C:\hiberfil.sys
[2012/01/27 20:29:29 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\LesLynn\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/01/27 20:29:29 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2012/01/20 19:32:50 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\LesLynn\Desktop\OTL.scr
[2012/01/20 19:32:40 | 000,258,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\LesLynn\Desktop\OTH.scr
[2012/01/20 18:44:05 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/01/19 08:03:04 | 001,975,600 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\LesLynn\Desktop\tdsskiller.exe
[2012/01/18 19:56:52 | 000,002,451 | ---- | M] () -- C:\Documents and Settings\LesLynn\Desktop\HiJackThis.lnk
[2012/01/18 19:54:22 | 001,402,880 | ---- | M] () -- C:\Documents and Settings\LesLynn\Desktop\HiJackThis.msi
[2012/01/18 19:21:56 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\LesLynn\Desktop\dds.scr
[2012/01/18 18:50:32 | 000,000,325 | RHS- | M] () -- C:\boot.ini
[2012/01/18 18:06:15 | 001,083,176 | ---- | M] () -- C:\WINDOWS\System32\drivers\SEP\0C01029F\136B.105\x86\Cat.DB
[2012/01/18 17:56:38 | 000,127,096 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2012/01/18 17:56:38 | 000,060,872 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2012/01/18 17:56:38 | 000,007,510 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2012/01/18 17:56:38 | 000,000,806 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2012/01/18 17:55:57 | 000,374,704 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\sysfer.dll
[2012/01/18 17:55:57 | 000,240,048 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\SymVPN.dll
[2012/01/18 17:55:57 | 000,094,128 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\FwsVpn.dll
[2012/01/18 17:55:57 | 000,092,080 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SysPlant.sys
[2012/01/18 17:55:57 | 000,032,208 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\WGX.SYS
[2012/01/18 17:55:57 | 000,010,672 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\sysferThunk.dll
[2012/01/18 17:55:57 | 000,000,114 | ---- | M] () -- C:\WINDOWS\System32\drivers\SEP\0C01029F\136B.105\x86\isolate.ini
[2012/01/18 17:53:07 | 000,001,613 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DAEMON Tools Lite.lnk
[2012/01/18 17:52:52 | 000,239,168 | ---- | M] (DT Soft Ltd) -- C:\WINDOWS\System32\drivers\dtsoftbus01.sys
[2012/01/18 17:29:20 | 000,038,528 | ---- | M] () -- C:\WINDOWS\System32\Status.MPF
[2012/01/18 17:28:20 | 000,204,920 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/01/18 00:21:31 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2012/01/18 00:21:04 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2012/01/18 00:21:04 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2012/01/18 00:11:03 | 000,250,032 | ---- | M] () -- C:\ntldr
[2012/01/17 23:50:22 | 004,763,456 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\LesLynn\Desktop\procexp.exe
[2012/01/17 23:50:22 | 000,072,268 | ---- | M] () -- C:\Documents and Settings\LesLynn\Desktop\procexp.chm
[2012/01/17 23:44:38 | 000,004,128 | ---- | M] () -- C:\INFCACHE.1
[2012/01/17 23:42:11 | 014,717,808 | ---- | M] (DT Soft Ltd.) -- C:\Documents and Settings\LesLynn\Desktop\DTLite4451-0236.exe
[2012/01/17 23:37:30 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/01/17 23:34:49 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/01/17 23:14:31 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/17 23:06:39 | 000,000,779 | ---- | M] () -- C:\Documents and Settings\LesLynn\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/01/17 23:06:31 | 000,000,786 | ---- | M] () -- C:\Documents and Settings\LesLynn\Desktop\Windows Media Player.lnk
[2012/01/17 23:06:24 | 000,001,478 | ---- | M] () -- C:\Documents and Settings\LesLynn\Application Data\Microsoft\Internet Explorer\Quick Launch\Media Center.lnk
[2012/01/17 23:05:52 | 000,000,448 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2012/01/17 23:05:46 | 000,000,209 | ---- | M] () -- C:\Boot.bak
[2012/01/17 23:00:33 | 000,008,192 | ---- | M] () -- C:\WINDOWS\REGLOCS.OLD
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========
[2012/01/27 20:29:29 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\LesLynn\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/01/27 20:29:29 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2012/01/27 20:29:29 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2012/01/20 20:00:48 | 1071,812,608 | -HS- | C] () -- C:\hiberfil.sys
[2012/01/20 18:44:05 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/01/18 19:56:42 | 000,002,451 | ---- | C] () -- C:\Documents and Settings\LesLynn\Desktop\HiJackThis.lnk
[2012/01/18 19:56:27 | 001,402,880 | ---- | C] () -- C:\Documents
and Settings\LesLynn\Desktop\HiJackThis.msi [2012/01/18 18:50:29 | 000,000,209 | ---- | C] () -- C:\Boot.bak [2012/01/18 18:50:18 | 000,260,272 | RHS- | C] () -- C:\cmldr [2012/01/18 18:45:39 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe [2012/01/18 18:45:39 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe [2012/01/18 18:45:39 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe [2012/01/18 18:45:39 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe [2012/01/18 18:45:39 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe [2012/01/18 17:56:39 | 001,083,176 | ---- | C] () -- C:\WINDOWS\System32\drivers\SEP\0C01029F\136B.105\x86\Cat.DB [2012/01/18 17:56:38 | 000,007,510 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT [2012/01/18 17:56:38 | 000,000,806 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF [2012/01/18 17:55:57 | 000,000,114 | ---- | C] () -- C:\WINDOWS\System32\drivers\SEP\0C01029F\136B.105\x86\isolate.ini [2012/01/18 17:53:07 | 000,001,613 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DAEMON Tools Lite.lnk [2012/01/17 23:59:10 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll [2012/01/17 23:58:54 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin [2012/01/17 23:58:48 | 000,844,314 | ---- | C] () -- C:\WINDOWS\System32\msdxm.ocx [2012/01/17 23:58:46 | 000,004,310 | ---- | C] () -- C:\WINDOWS\System32\odbcconf.rsp [2012/01/17 23:58:37 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys [2012/01/17 23:58:36 | 000,250,032 | ---- | C] () -- C:\ntldr [2012/01/17 23:44:38 | 000,004,128 | ---- | C] () -- C:\INFCACHE.1 [2012/01/17 23:14:31 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk [2012/01/17 23:06:31 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\LesLynn\Desktop\Windows Media Player.lnk [2012/01/17 23:06:15 | 000,002,007 | ---- | C] () -- C:\Documents and Settings\LesLynn\Application 
Data\Microsoft\Internet Explorer\Quick Launch\Play Games.lnk [2012/01/17 23:06:15 | 000,001,769 | ---- | C] () -- C:\Documents and Settings\LesLynn\Application Data\Microsoft\Internet Explorer\Quick Launch\Musicmatch Jukebox.lnk [2012/01/17 23:06:15 | 000,001,478 | ---- | C] () -- C:\Documents and Settings\LesLynn\Application Data\Microsoft\Internet Explorer\Quick Launch\Media Center.lnk [2012/01/17 23:06:15 | 000,001,298 | ---- | C] () -- C:\Documents and Settings\LesLynn\Desktop\Media Center.lnk [2012/01/17 23:06:15 | 000,000,779 | ---- | C] () -- C:\Documents and Settings\LesLynn\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk [2012/01/17 23:06:15 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\LesLynn\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickTime Player.lnk [2012/01/17 23:06:15 | 000,000,669 | ---- | C] () -- C:\Documents and Settings\LesLynn\Application Data\Microsoft\Internet Explorer\Quick Launch\America Online 9.0.lnk [2012/01/17 23:06:15 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\LesLynn\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf [2012/01/17 23:06:14 | 000,001,503 | ---- | C] () -- C:\Documents and Settings\LesLynn\Start Menu\Programs\Remote Assistance.lnk [2012/01/17 23:06:14 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\LesLynn\Start Menu\Programs\Windows Media Player.lnk [2012/01/17 23:06:14 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\LesLynn\Start Menu\Programs\Internet Explorer.lnk [2012/01/17 23:06:14 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\LesLynn\Start Menu\Programs\Outlook Express.lnk [2012/01/17 23:06:14 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\LesLynn\Local Settings\Application Data\fusioncache.dat [2012/01/17 23:00:33 | 000,008,192 | ---- | C] () -- C:\WINDOWS\REGLOCS.OLD [2005/11/28 14:06:10 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini [2005/11/28 
14:03:38 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE [2005/11/28 13:58:30 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini [2005/11/28 13:56:13 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat [2005/11/28 13:48:37 | 000,028,779 | ---- | C] () -- C:\WINDOWS\System32\javaw.exe [2005/11/28 13:48:37 | 000,024,681 | ---- | C] () -- C:\WINDOWS\System32\java.exe [2005/11/28 13:28:32 | 000,049,152 | ---- | C] () -- C:\WINDOWS\setpwrcg.exe [2005/11/28 13:28:26 | 000,095,617 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat [2005/11/28 13:27:44 | 000,000,387 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI [2005/08/16 04:48:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat [2005/08/16 04:38:45 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat [2005/08/16 04:37:24 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini [2005/08/16 04:33:38 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI [2005/08/16 04:27:59 | 000,204,920 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2005/08/16 04:18:35 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat [2005/08/16 04:18:33 | 000,381,692 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat [2005/08/16 04:18:33 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat [2005/08/16 04:18:33 | 000,053,436 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat [2005/08/16 04:18:33 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat [2005/08/16 04:18:32 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat [2005/08/16 04:18:30 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin [2005/08/16 04:18:28 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat [2005/08/16 04:18:23 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat [2005/08/16 04:18:23 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin [2005/08/16 04:18:15 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat [2005/08/05 14:01:54 | 
000,239,104 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll [2005/04/09 17:04:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini ========== LOP Check ========== [2012/01/18 17:52:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite [2005/08/16 20:54:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DIGStream [2012/01/18 17:53:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WeCareReminder [2012/01/18 17:53:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LesLynn\Application Data\DAEMON Tools Lite [2012/01/18 17:53:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LesLynn\Application Data\OpenCandy ========== Purity Check ========== < End of report >
  2. I think we have to rule OTL out as a solution. It simply doesn't want to run correctly. Most of the time it simply freezes when trying to kill processes. If it does manage to kill processes it freezes when trying to run OTL through OTH.
  3. Well no luck with that approach. OTL simply kills the processes and that is it. Rebooted the machine by turning the power off and no log file generated.
  4. Thanks. I just got back from a business trip and will try it ASAP.
  5. Hello, OTL would only run in safe mode. I hope this isn’t a problem. When running the process kill it would freeze. In the case it did manage to actually kill the processes, it would not successfully launch the scanner. So I resorted to safe mode. OTL logfile created on: 1/20/2012 7:55:54 PM - Run 1 OTL by OldTimer - Version 3.2.31.0
() -- C:\WINDOWS\System32\amcompat.tlb [2012/01/18 00:11:03 | 000,250,032 | ---- | M] () -- C:\ntldr [2012/01/17 23:44:38 | 000,004,128 | ---- | M] () -- C:\INFCACHE.1 [2012/01/17 23:37:30 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2012/01/17 23:34:49 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK [2012/01/17 23:14:31 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk [2012/01/17 23:05:52 | 000,000,448 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf [2012/01/17 23:05:46 | 000,000,209 | ---- | M] () -- C:\Boot.bak [2012/01/17 23:00:33 | 000,008,192 | ---- | M] () -- C:\WINDOWS\REGLOCS.OLD [2012/01/17 22:05:52 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\rkill.exe [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] ========== Files Created - No Company Name ========== [2012/01/20 18:44:05 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk [2012/01/20 18:34:37 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\rkill.exe [2012/01/18 18:50:29 | 000,000,209 | ---- | C] () -- C:\Boot.bak [2012/01/18 18:50:18 | 000,260,272 | RHS- | C] () -- C:\cmldr [2012/01/18 18:45:39 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe [2012/01/18 18:45:39 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe [2012/01/18 18:45:39 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe [2012/01/18 18:45:39 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe [2012/01/18 18:45:39 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe [2012/01/18 17:56:39 | 001,083,176 | ---- | C] () -- C:\WINDOWS\System32\drivers\SEP\0C01029F\136B.105\x86\Cat.DB [2012/01/18 17:56:38 | 000,007,510 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT [2012/01/18 17:56:38 | 000,000,806 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF 
[2012/01/18 17:55:57 | 000,000,114 | ---- | C] () -- C:\WINDOWS\System32\drivers\SEP\0C01029F\136B.105\x86\isolate.ini [2012/01/18 17:53:07 | 000,001,613 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DAEMON Tools Lite.lnk [2012/01/17 23:59:10 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll [2012/01/17 23:58:54 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin [2012/01/17 23:58:48 | 000,844,314 | ---- | C] () -- C:\WINDOWS\System32\msdxm.ocx [2012/01/17 23:58:46 | 000,004,310 | ---- | C] () -- C:\WINDOWS\System32\odbcconf.rsp [2012/01/17 23:58:37 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys [2012/01/17 23:58:36 | 000,250,032 | ---- | C] () -- C:\ntldr [2012/01/17 23:44:38 | 000,004,128 | ---- | C] () -- C:\INFCACHE.1 [2012/01/17 23:14:31 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk [2012/01/17 23:00:33 | 000,008,192 | ---- | C] () -- C:\WINDOWS\REGLOCS.OLD [2005/11/28 14:06:10 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini [2005/11/28 14:03:38 | 000,149,504 | ---- | C] () -- C:\WINDOWS\UNWISE.EXE [2005/11/28 13:58:30 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini [2005/11/28 13:56:13 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat [2005/11/28 13:48:37 | 000,028,779 | ---- | C] () -- C:\WINDOWS\System32\javaw.exe [2005/11/28 13:48:37 | 000,024,681 | ---- | C] () -- C:\WINDOWS\System32\java.exe [2005/11/28 13:28:32 | 000,049,152 | ---- | C] () -- C:\WINDOWS\setpwrcg.exe [2005/11/28 13:28:26 | 000,095,617 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat [2005/11/28 13:27:44 | 000,000,387 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI [2005/08/16 20:52:01 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat [2005/08/16 04:48:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat [2005/08/16 04:38:45 | 000,021,640 | ---- | C] () -- 
C:\WINDOWS\System32\emptyregdb.dat [2005/08/16 04:37:24 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini [2005/08/16 04:33:38 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI [2005/08/16 04:27:59 | 000,204,920 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2005/08/16 04:18:35 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat [2005/08/16 04:18:33 | 000,381,692 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat [2005/08/16 04:18:33 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat [2005/08/16 04:18:33 | 000,053,436 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat [2005/08/16 04:18:33 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat [2005/08/16 04:18:32 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat [2005/08/16 04:18:30 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin [2005/08/16 04:18:28 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat [2005/08/16 04:18:23 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat [2005/08/16 04:18:23 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin [2005/08/16 04:18:15 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat [2005/08/05 14:01:54 | 000,239,104 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll [2005/04/09 17:04:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini ========== LOP Check ========== [2012/01/18 17:52:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite [2005/08/16 20:54:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DIGStream [2005/11/28 13:57:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint [2012/01/18 17:53:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WeCareReminder [2012/01/18 17:53:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LesLynn\Application Data\DAEMON Tools Lite 
[2012/01/18 17:53:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LesLynn\Application Data\OpenCandy ========== Purity Check ========== < End of report > OTL Extras logfile created on: 1/20/2012 7:55:54 PM - Run 1 OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\LesLynn\Desktop Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 6.0.2900.2180) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 1022.09 Mb Total Physical Memory | 719.44 Mb Available Physical Memory | 70.39% Memory free 2.40 Gb Paging File | 2.22 Gb Available in Paging File | 92.48% Paging File free Paging file location(s): C:\pagefile.sys 1536 3072 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 144.30 Gb Total Space | 133.79 Gb Free Space | 92.72% Space Free | Partition Type: NTFS Computer Name: LESDESKTOP | User Name: Administrator | Logged in as Administrator. Boot Mode: SafeMode | Scan Mode: All users | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* .url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* exefile [open] -- "%1" %* htmlfile [edit] -- Reg Error: Key error. InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. 
scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "FirstRunDisabled" = 1 "AntiVirusDisableNotify" = 0 "FirewallDisableNotify" = 0 "UpdatesDisableNotify" = 0 "AntiVirusOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus] "DisableMonitoring" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security 
Center\Monitoring\TrendFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall] ========== System Restore Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore] "DisableSR" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr] "Start" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService] "Start" = 2 ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- (America Online, Inc) "C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- (America Online, Inc.) "C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- (America Online, Inc.) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- (America Online, Inc) "C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- (America Online, Inc.) 
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- (America Online, Inc.) "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe" = C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe:*:Enabled:SMC Service -- (Symantec Corporation) "C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\snac.exe" = C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\snac.exe:*:Enabled:SNAC Service -- (Symantec Corporation) ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player "{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data "{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel "{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE "{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA "{14374619-0900-4056-BA06-C87C900AF9E6}" = QuickBooks Simple Start Special Edition "{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD LE "{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager "{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10 "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP "{352310C3-E46B-42D3-8F32-54721FDD72D9}" = NetZeroInstallers "{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page "{390FF986-468D-4CA9-8830-2C4B313F447F}" = ATI Parental Control "{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting "{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis "{4CEA6811-DFAD-4892-828D-49941FE3B779}" = Intel® PROSet for Wired Connections "{548EEA8E-8299-497F-8057-811D2D7097DC}" = Dell Support 3.1 "{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool "{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon "{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.5 
"{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}" = Digital Content Portal "{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer "{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03 "{728278A1-0BB7-45E4-AC5E-91D7C0FD1EDE}" = EarthLink setup files "{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore "{7A3F0566-5E05-4919-9C98-456F6B5CF831}" = Get High Speed Internet! "{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper "{85D3CC30-8859-481A-9654-FD9B74310BEF}" = Musicmatch® Jukebox "{8A9B8148-DDD7-448F-BD6C-358386D32354}" = Corel Photo Album 6 "{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel Matrix Storage Manager "{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders "{A3AEEA68-AC93-4F6F-8D2D-78BBF7E422B8}" = Symantec Endpoint Protection "{A683A2C0-821C-486F-858C-FA634DB5E864}" = EducateU "{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio "{AC76BA86-0000-0000-0000-6028747ADE01}" = Adobe Acrobat - Reader 6.0.2 Update "{AC76BA86-7AD7-1033-7B44-A00000000001}" = Adobe Reader 6.0.1 "{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12 "{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy "{C34C7BE6-51B7-4DE5-A341-F4AA684EC594}" = ASPCA Tri Reminder by We-Care.com v4.0.13.5 "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 "{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware "{D2988E9B-C73F-422C-AD4B-A66EBE257120}" = MCU "{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect "{E7559288-223B-453C-9F06-340E3BE21E39}" = MyWay Search Assistant "{E93E5EF6-D361-481E-849D-F16EF5C78EBC}" = Musicmatch for Windows Media Player "12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic "America Online us" = America Online (Choose which version to remove) "AOL Connectivity Services" = AOL Connectivity Services "AOLCoach" = AOL Coach Version 1.0(Build:20040229.1 en) "ATI Display Driver" = ATI Display Driver 
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto "CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem "DAEMON Tools Lite" = DAEMON Tools Lite "Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver "Dell Game Console" = Dell Game Console "EmeraldQFE2" = Windows Media Player 10 Hotfix [see EmeraldQFE2 for more information] "ESPNMotion" = ESPNMotion "InstallShield_{390FF986-468D-4CA9-8830-2C4B313F447F}" = ATI Parental Control "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800 "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1 "PROSet" = Intel® PRO Network Connections Drivers "QuickTime" = QuickTime "RealPlayer 6.0" = RealPlayer Basic "StreetPlugin" = Learn2 Player (Uninstall Only) "ViewpointMediaPlayer" = Viewpoint Media Player "WebCyberCoach_wtrb" = WebCyberCoach 3.2 Dell "WildTangent CDA" = WildTangent Web Driver "Windows Media Format Runtime" = Windows Media Format Runtime ========== Last 10 Event Log Errors ========== [ Application Events ] Error - 1/18/2012 8:27:50 PM | Computer Name = LESDESKTOP | Source = Symantec AntiVirus | ID = 16711725 Description = Scan type: Tamper Protection Scan Event: Security risk detected: C:\DOCUMENTS AND SETTINGS\LESLYNN\LOCAL SETTINGS\TEMP\RARSFX0\PEV.EXE File: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe Location: Deleted or access blocked Computer: LESDESKTOP User: LesLynn Action taken: Date found: Wednesday, January 18, 2012 6:27:50 PM Error - 1/18/2012 8:27:50 PM | Computer Name = LESDESKTOP | Source = Symantec AntiVirus | ID = 16711725 Description = Scan type: Tamper Protection Scan Event: Security risk detected: C:\DOCUMENTS AND SETTINGS\LESLYNN\LOCAL SETTINGS\TEMP\RARSFX0\PEV.EXE File: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe Location: Deleted or access blocked Computer: LESDESKTOP User: LesLynn Action taken: Date found: Wednesday, January 18, 2012 
6:27:50 PM Error - 1/18/2012 8:27:50 PM | Computer Name = LESDESKTOP | Source = Symantec AntiVirus | ID = 16711725 Description = Scan type: Tamper Protection Scan Event: Security risk detected: C:\DOCUMENTS AND SETTINGS\LESLYNN\LOCAL SETTINGS\TEMP\RARSFX0\PEV.EXE File: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe Location: Deleted or access blocked Computer: LESDESKTOP User: LesLynn Action taken: Date found: Wednesday, January 18, 2012 6:27:50 PM Error - 1/18/2012 8:27:51 PM | Computer Name = LESDESKTOP | Source = Symantec AntiVirus | ID = 16711725 Description = Scan type: Tamper Protection Scan Event: Security risk detected: C:\DOCUMENTS AND SETTINGS\LESLYNN\LOCAL SETTINGS\TEMP\RARSFX0\PEV.EXE File: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe Location: Deleted or access blocked Computer: LESDESKTOP User: LesLynn Action taken: Date found: Wednesday, January 18, 2012 6:27:51 PM Error - 1/18/2012 8:27:51 PM | Computer Name = LESDESKTOP | Source = Symantec AntiVirus | ID = 16711725 Description = Scan type: Tamper Protection Scan Event: Security risk detected: C:\DOCUMENTS AND SETTINGS\LESLYNN\LOCAL SETTINGS\TEMP\RARSFX0\PEV.EXE File: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe Location: Deleted or access blocked Computer: LESDESKTOP User: LesLynn Action taken: Date found: Wednesday, January 18, 2012 6:27:51 PM Error - 1/18/2012 8:27:51 PM | Computer Name = LESDESKTOP | Source = Symantec AntiVirus | ID = 16711725 Description = Scan type: Tamper Protection Scan Event: Security risk detected: C:\DOCUMENTS AND SETTINGS\LESLYNN\LOCAL SETTINGS\TEMP\RARSFX0\PEV.EXE File: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe Location: Deleted or access blocked Computer: LESDESKTOP User: LesLynn Action taken: Date found: Wednesday, January 18, 2012 6:27:51 PM Error - 1/18/2012 8:27:53 PM | Computer Name = 
LESDESKTOP | Source = Symantec AntiVirus | ID = 16711725 Description = Scan type: Tamper Protection Scan Event: Security risk detected: C:\DOCUMENTS AND SETTINGS\LESLYNN\LOCAL SETTINGS\TEMP\RARSFX0\PEV.EXE File: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe Location: Deleted or access blocked Computer: LESDESKTOP User: LesLynn Action taken: Date found: Wednesday, January 18, 2012 6:27:53 PM Error - 1/18/2012 8:27:53 PM | Computer Name = LESDESKTOP | Source = Symantec AntiVirus | ID = 16711725 Description = Scan type: Tamper Protection Scan Event: Security risk detected: C:\DOCUMENTS AND SETTINGS\LESLYNN\LOCAL SETTINGS\TEMP\RARSFX0\PEV.EXE File: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe Location: Deleted or access blocked Computer: LESDESKTOP User: LesLynn Action taken: Date found: Wednesday, January 18, 2012 6:27:53 PM Error - 1/18/2012 8:27:53 PM | Computer Name = LESDESKTOP | Source = Symantec AntiVirus | ID = 16711725 Description = Scan type: Tamper Protection Scan Event: Security risk detected: C:\DOCUMENTS AND SETTINGS\LESLYNN\LOCAL SETTINGS\TEMP\RARSFX0\PEV.EXE File: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe Location: Deleted or access blocked Computer: LESDESKTOP User: LesLynn Action taken: Date found: Wednesday, January 18, 2012 6:27:53 PM Error - 1/18/2012 8:28:55 PM | Computer Name = LESDESKTOP | Source = Application Error | ID = 1000 Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting module mshtml.dll, version 6.0.2900.2722, fault address 0x00071a78. [ System Events ] Error - 1/20/2012 9:49:15 PM | Computer Name = LESDESKTOP | Source = Service Control Manager | ID = 7034 Description = The MBAMService service terminated unexpectedly. It has done this 1 time(s). 
Error - 1/20/2012 9:49:15 PM | Computer Name = LESDESKTOP | Source = Service Control Manager | ID = 7034 Description = The Intel® Matrix Storage Event Monitor service terminated unexpectedly. It has done this 1 time(s). Error - 1/20/2012 9:54:12 PM | Computer Name = LESDESKTOP | Source = DCOM | ID = 10005 Description = DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E} Error - 1/20/2012 9:54:23 PM | Computer Name = LESDESKTOP | Source = DCOM | ID = 10005 Description = DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF} Error - 1/20/2012 9:55:32 PM | Computer Name = LESDESKTOP | Source = Service Control Manager | ID = 7001 Description = The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: %%31 Error - 1/20/2012 9:55:32 PM | Computer Name = LESDESKTOP | Source = Service Control Manager | ID = 7001 Description = The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: %%31 Error - 1/20/2012 9:55:32 PM | Computer Name = LESDESKTOP | Source = Service Control Manager | ID = 7001 Description = The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: %%31 Error - 1/20/2012 9:55:32 PM | Computer Name = LESDESKTOP | Source = Service Control Manager | ID = 7001 Description = The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: %%31 Error - 1/20/2012 9:55:32 PM | Computer Name = LESDESKTOP | Source = Service Control Manager | ID = 7026 Description = The following boot-start or system-start driver(s) failed to load: AFD BHDrvx86 eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL SRTSP SRTSPX SymIRON SYMTDI 
SysPlant Tcpip WS2IFSL Error - 1/20/2012 9:55:32 PM | Computer Name = LESDESKTOP | Source = Service Control Manager | ID = 7031 Description = The SAS Core Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service. < End of report >
  6. Hello Maniac, and thanks for your reply. Unfortunately TDSS killer will not run. When I started the machine today Symantec Endpoint detected what is called Trojan.ADH.2. I also ran Malwarebytes in safe mode and it detected the following:

Malwarebytes Anti-Malware (PRO) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.20.04

Windows XP Service Pack 2 x86 NTFS (Safe Mode)
Internet Explorer 6.0.2900.2180
Administrator :: LESDESKTOP [administrator]

Protection: Disabled

1/20/2012 6:20:08 PM
mbam-log-2012-01-20 (18-20-08).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 174641
Time elapsed: 1 minute(s), 44 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4D25F926-B9FE-4682-BF72-8AB8210D6D75} (Adware.MyWebSearch) -> Data: -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks|{4D25F926-B9FE-4682-BF72-8AB8210D6D75} (Adware.MyWebSearch) -> Data: -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

I of course removed the threats, but I feel my problems still persist. Thanks.
  7. Hello, I recently restored a Dell image to a PC and I keep getting infected with a browser hijacker. It is undetectable by Malwarebytes or Symantec Endpoint. The machine also BSODs when trying to run any DOS-based diagnostic or removal tools. I really could use some advice on this one. I couldn't get DDS to run, but a HijackThis log revealed the following:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:57:05 PM, on 1/18/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\bin\IPS\IPSBHO.DLL
O2 - BHO: WeCareReminder - {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\Documents and Settings\All Users\Application Data\WeCareReminder\IEHelperv2.5.0.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: SEP - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\WinLogoutNotifier.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc.
- C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: Symantec Endpoint Protection (SepMasterService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\snac.exe -- End of file - 7149 bytes Thanks in advance.
  8. Hello Borislav, The condition of the PC has improved greatly, but the user still experiences random pop-ups when a web browser is not in use. Attached are some logs from scans. Thanks, mbam_log_2010_04_30__11_01_41_.zip
  9. c:\documents and settings\All Users\Application Data\peLkFog0.exe

File 346SvTHf.bak received on 2010.04.28 06:48:36 (UTC)
Current status: finished
Result: 18/40 (45.00%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.04.28 Trojan.Win32.Powp!IK
AhnLab-V3 5.0.0.2 2010.04.28 -
AntiVir 8.2.1.224 2010.04.27 TR/Dldr.Stration.Gen
Antiy-AVL 2.0.3.7 2010.04.27 -
Authentium 5.2.0.5 2010.04.28 -
Avast 4.8.1351.0 2010.04.27 Win32:Malware-gen
Avast5 5.0.332.0 2010.04.27 Win32:Malware-gen
AVG 9.0.0.787 2010.04.27 Dropper.Generic2.DJP
BitDefender 7.2 2010.04.28 -
CAT-QuickHeal 10.00 2010.04.28 -
ClamAV 0.96.0.3-git 2010.04.28 -
Comodo 4696 2010.04.28 TrojWare.Win32.Trojan.Agent.Gen
DrWeb 5.0.2.03300 2010.04.28 -
eSafe 7.0.17.0 2010.04.26 -
eTrust-Vet 35.2.7454 2010.04.27 -
F-Prot 4.5.1.85 2010.04.27 -
F-Secure 9.0.15370.0 2010.04.28 Suspicious:W32/Malware!Gemini
Fortinet 4.0.14.0 2010.04.27 -
GData 21 2010.04.28 Win32:Malware-gen
Ikarus T3.1.1.80.0 2010.04.28 Trojan.Win32.Powp
Jiangmin 13.0.900 2010.04.28 Trojan/Powp.f
Kaspersky 7.0.0.125 2010.04.28 Trojan.Win32.Powp.afb
McAfee 5.400.0.1158 2010.04.28 Generic.dx!sei
McAfee-GW-Edition 6.8.5 2010.04.27 Trojan.Dldr.Stration.Gen
Microsoft 1.5703 2010.04.28 VirTool:Win32/CeeInject.gen!J
NOD32 5066 2010.04.27 -
Norman 6.04.11 2010.04.27 -
nProtect 2010-04-28.01 2010.04.28 -
Panda 10.0.2.7 2010.04.27 -
PCTools 7.0.3.5 2010.04.28 -
Prevx 3.0 2010.04.28 -
Rising 22.45.02.03 2010.04.28 Trojan.Win32.Generic.52012B3C
Sophos 4.53.0 2010.04.28 Sus/UnkPack-C
Sunbelt 6230 2010.04.28 Trojan.Win32.Generic!BT
Symantec 20091.2.0.41 2010.04.28 -
TheHacker 6.5.2.0.272 2010.04.28 -
TrendMicro 9.120.0.1004 2010.04.28 -
VBA32 3.12.12.4 2010.04.27 SScope.Injector.MY
ViRobot 2010.4.27.2295 2010.04.27 -
VirusBuster 5.0.27.0 2010.04.27 -

Additional information
File size: 66564 bytes
MD5 : c29433f88d015dc86f3a799f9604df33
SHA1 : 7284eedcfd2653914fa6328fc6fad43143471d2a
SHA256: 3f69d90cab1973f19d120787e2f95314b67f02d94dff4b7294e250cbcd85b881
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x2CD0
timedatestamp.....: 0x4BD4D546 (Mon Apr 26 01:50:30 2010)
machinetype.......: 0x14C (Intel I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1D10 0x1E00 5.92 71c068cfa08f02c11cb8c9cab12f5b2f
.rdata 0x3000 0x1A6 0x200 3.90 d677d94d5fbd63e20284a04ceb3b5e5c
.data 0x4000 0xDD98 0xDE00 7.96 d4f7bd306f0cca2fa9afa11426a6c76d
.rsrc 0x12000 0x10 0x200 0.00 bf619eac0cdf3f68d496ea9344137e8b
( 2 imports )
> kernel32.dll: HeapAlloc, GetProcessHeap, GetProcAddress, GetModuleHandleA, ExitProcess
> user32.dll: InvalidateRect, OpenClipboard, EmptyClipboard, CloseClipboard, SetClipboardData, GetClientRect, LockWindowUpdate, GetDC
( 0 exports )
TrID : File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Symantec reputation: Suspicious.Insight http://www.symantec.com/security_response/...-021223-0550-99
ssdeep: 1536:Ls07Wk/QgG3M8+ZiI8W+VgV1TJaASOvt1FsqyTiWqpMFID:A0NQbQiI6q1T8AlnFsdTSiU
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
Prevx Info: http://info.prevx.com/aboutprogramtext.asp...7EF9E00C8F21669
PEiD : -
RDS : NSRL Reference Data Set

c:\windows\system32\mfc45.dll

File DF2CAF0CCF20C52723E101CA35B1930086D6CABB.dll received on 2010.03.28 17:09:30 (UTC)
Current status: finished
Result: 6/42 (14.29%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.28 -
AhnLab-V3 5.0.0.2 2010.03.27 -
AntiVir 7.10.5.241 2010.03.26 -
Antiy-AVL 2.0.3.7 2010.03.26 -
Authentium 5.2.0.5 2010.03.28 W32/Damaged_File.B.gen!Eldorado
Avast 4.8.1351.0 2010.03.28 -
Avast5 5.0.332.0 2010.03.28 -
AVG 9.0.0.787 2010.03.28 -
BitDefender 7.2 2010.03.28 -
CAT-QuickHeal 10.00 2010.03.27 -
ClamAV 0.96.0.0-git 2010.03.28 -
Comodo 4417 2010.03.28 UnclassifiedMalware
DrWeb 5.0.1.12222 2010.03.28 -
eSafe 7.0.17.0 2010.03.28 -
eTrust-Vet 35.2.7391 2010.03.26 -
F-Prot 4.5.1.85 2010.03.27 W32/Damaged_File.B.gen!Eldorado
F-Secure 9.0.15370.0 2010.03.28 -
Fortinet 4.0.14.0 2010.03.27 -
GData 19 2010.03.28 -
Ikarus T3.1.1.80.0 2010.03.28 -
Jiangmin 13.0.900 2010.03.28 -
K7AntiVirus 7.10.1004 2010.03.22 -
Kaspersky 7.0.0.125 2010.03.28 -
McAfee 5933 2010.03.27 potentially unwanted program Corrupt-EP
McAfee+Artemis 5933 2010.03.27 potentially unwanted program Corrupt-EP
McAfee-GW-Edition 6.8.5 2010.03.27 -
Microsoft 1.5605 2010.03.28 -
NOD32 4980 2010.03.28 -
Norman 6.04.10 2010.03.28 -
nProtect 2009.1.8.0 2010.03.28 -
Panda 10.0.2.2 2010.03.28 -
PCTools 7.0.3.5 2010.03.28 -
Prevx 3.0 2010.03.28 -
Rising 22.40.06.04 2010.03.28 -
Sophos 4.52.0 2010.03.28 -
Sunbelt 6101 2010.03.26 -
Symantec 20091.2.0.41 2010.03.28 -
TheHacker 6.5.2.0.246 2010.03.28 W32/Behav-Heuristic-CorruptFile-EP
TrendMicro 9.120.0.1004 2010.03.28 -
VBA32 3.12.12.2 2010.03.27 -
ViRobot 2010.3.27.2248 2010.03.27 -
VirusBuster 5.0.27.0 2010.03.27 -

Additional information
File size: 74703 bytes
MD5 : 417947a05249710306f26f1850756529
SHA1 : c786864f3ef236677e3b97eedaba76b203e046d4
SHA256: 64eeb3ccde302109c7445ac0ac152a63cdbe55e361aef337369b5befb8a89d91
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x932B8
timedatestamp.....: 0x2A425E19 (Sat Jun 20 00:22:17 1992)
machinetype.......: 0x14C (Intel I386)
( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x924F0 0x92600 6.54 7a15fe1d4b49cb81c32c63fbdb7f6a37
DATA 0x94000 0x103C 0x1200 0.00 d41d8cd98f00b204e9800998ecf8427e
BSS 0x96000 0x1488 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x98000 0x25A4 0x2600 0.00 d41d8cd98f00b204e9800998ecf8427e
.tls 0x9B000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x9C000 0x18 0x200 0.00 d41d8cd98f00b204e9800998ecf8427e
.reloc 0x9D000 0x8714 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0xA6000 0x13E00 0x13E00 0.00 d41d8cd98f00b204e9800998ecf8427e
( 0 imports )
( 0 exports )
TrID : File type identification
Win16/32 Executable Delphi generic (34.0%)
Generic Win/DOS Executable (32.9%)
DOS Executable Generic (32.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
ssdeep: 1536:WcqtK7S9K2JVpIrWSnToU9IGJBTBqsYgOU8xOjLcj4UKsKNum:+1KCVFScU9LJ14sYeAOjLdUKs KEm
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEiD : -
RDS : NSRL Reference Data Set -

c:\windows\Fonts\sHWMb.com

File a.exe received on 2010.04.23 12:35:57 (UTC)
Current status: finished
Result: 9/40 (22.50%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.04.23 -
AhnLab-V3 5.0.0.2 2010.04.23 -
AntiVir 8.2.1.220 2010.04.23 -
Antiy-AVL 2.0.3.7 2010.04.23 -
Authentium 5.2.0.5 2010.04.23 -
Avast 4.8.1351.0 2010.04.23 -
Avast5 5.0.332.0 2010.04.23 -
AVG 9.0.0.787 2010.04.23 -
BitDefender 7.2 2010.04.23 Gen:Win32.ProcessHijack.cqW@a8II8Jn
CAT-QuickHeal 10.00 2010.04.23 -
ClamAV 0.96.0.3-git 2010.04.23 -
Comodo 4669 2010.04.23 -
DrWeb 5.0.2.03300 2010.04.23 Win32.HLLC.Asdas.7
eSafe 7.0.17.0 2010.04.22 -
eTrust-Vet 35.2.7445 2010.04.23 -
F-Prot 4.5.1.85 2010.04.23 -
F-Secure 9.0.15370.0 2010.04.23 Gen:Win32.ProcessHijack.cqW@a8II8Jn
Fortinet 4.0.14.0 2010.04.21 -
GData 21 2010.04.23 Gen:Win32.ProcessHijack.cqW@a8II8Jn
Ikarus T3.1.1.80.0 2010.04.23 -
Jiangmin 13.0.900 2010.04.23 -
Kaspersky 7.0.0.125 2010.04.23 -
McAfee 5.400.0.1158 2010.04.23 -
McAfee-GW-Edition 6.8.5 2010.04.23 -
Microsoft 1.5703 2010.04.23 TrojanDownloader:Win32/Unruy.H
NOD32 5052 2010.04.23 a variant of Win32/TrojanDownloader.Unruy.BN
Norman 6.04.11 2010.04.23 -
nProtect 2010-04-23.01 2010.04.23 Gen:Win32.ProcessHijack.cqW@a8II8Jn
Panda 10.0.2.7 2010.04.22 -
PCTools 7.0.3.5 2010.04.23 -
Prevx 3.0 2010.04.23 High Risk Cloaked Malware
Rising 22.44.04.03 2010.04.23 -
Sophos 4.53.0 2010.04.23 -
Sunbelt 6212 2010.04.23 -
Symantec 20091.2.0.41 2010.04.23 -
TheHacker 6.5.2.0.267 2010.04.22 -
TrendMicro 9.120.0.1004 2010.04.23 -
VBA32 3.12.12.4 2010.04.23 SScope.Injector.MY
ViRobot 2010.4.23.2291 2010.04.23 -
VirusBuster 5.0.27.0 2010.04.23 -

Additional information
File size: 37376 bytes
MD5 : e85826969e3131db0550f4ef1e2f2091
SHA1 : fe5e77761580af728b8ce87c30b532197ad33b33
SHA256: 8f45cfb872d4435f05cfa2ad5fc4ab169b950adddf24a5fcdaf3086dfdbee56a
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x35C0
timedatestamp.....: 0x4BD07149 (Thu Apr 22 17:54:49 2010)
machinetype.......: 0x14C (Intel I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x25F0 0x2600 6.09 8b9093afc5d90dc0928a1942baca3a06
.rdata 0x4000 0x132 0x200 2.86 c654d702be3b2c9ff9ca9fa5df77e4a2
.data 0x5000 0x6360 0x6400 7.73 1236df7c5ba5523499c2012579a3d569
.rsrc 0xC000 0x10 0x200 0.00 bf619eac0cdf3f68d496ea9344137e8b
( 2 imports )
> kernel32.dll: GetProcAddress, GetModuleHandleA, ExitProcess, GetLastError
> user32.dll: CloseClipboard, GetClipboardData, OpenClipboard, GetActiveWindow
( 0 exports )
TrID : File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Symantec reputation: Suspicious.Insight http://www.symantec.com/security_response/...-021223-0550-99
ssdeep: 768:wci80wSxv8OZqv9wskUaaOLyH8aW/698y:bi80rEOAv9w1UaUJUe
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
Prevx Info: http://info.prevx.com/aboutprogramtext.asp...BD5B6004F94EA68
PEiD : -
RDS : NSRL Reference Data Set -
  10. Hello, ComboFix successfully ran, but I don't believe it removed it because the user still has pop-ups. Attached is the log.
  11. Hello,

DDS:

DDS (Ver_10-03-17.01) - NTFSx86
Run by bill at 13:49:30.23 on Tue 04/27/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2078 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\All Users\Application Data\peLkFog0.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\bill.HUGHES\Desktop\dds.pif
C:\Program Files\Internet Explorer\IEXPLORE.EXE

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.google.com/news?pz=1&ned=us
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
mRun: [<NO NAME>]
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-3-28 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-3-28 108392]
R2 k;k;c:\windows\system32\o.sys [2010-4-23 4736]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-3-28 2477304]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-4-5 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100427.002\NAVENG.SYS [2010-4-27 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100427.002\NAVEX15.SYS [2010-4-27 1324720]

============== File Associations ===============

.scr=AutoCADScriptFile

=============== Created Last 30 ================

2010-04-27 14:39:15 0 d--h--w- c:\windows\PIF
2010-04-27 04:41:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-27 04:41:13 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 04:41:12 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-25 20:23:56 66564 ----a-w- c:\docume~1\alluse~1\applic~1\peLkFog0.exe
2010-04-23 13:46:35 4736 ----a-w- c:\windows\system32\o.sys
2010-04-23 13:46:29 112 ----a-w- c:\docume~1\alluse~1\applic~1\sQ1j44BhD.dat
2010-04-22 12:59:32 0 d-----w- c:\program files\iolo
2010-04-22 12:58:17 74703 ----a-w- c:\windows\system32\mfc45.dll
2010-04-22 12:57:51 0 d-----w- c:\docume~1\bill~1.hug\applic~1\iolo
2010-04-22 12:57:51 0 d-----w- c:\docume~1\alluse~1\applic~1\iolo
2010-04-21 14:28:58 0 d-----w- C:\flats
2010-04-05 16:12:43 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-04-05 16:12:43 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-04-05 16:12:43 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-04-05 16:12:43 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-04-05 16:12:13 0 d-----w- c:\program files\Symantec

==================== Find3M ====================

2010-04-26 00:24:38 247808 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-04-23 13:45:42 37376 ----a-w- c:\windows\fonts\sHWMb.com
2010-04-21 14:29:14 3550592 ----a-w- c:\windows\system32\procexp.exe

============= FINISH: 13:50:39.41 ===============

Attach:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 7/20/2009 10:28:38 AM
System Uptime: 4/27/2010 9:37:10 AM (4 hours ago)

Motherboard: Dell Inc. | | 0DN075
Processor: Intel® Pentium® 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 74 GiB total, 38.369 GiB free.
D: is CDROM ()
H: is NetworkDisk (NTFS) - 249 GiB total, 68.417 GiB free.
S: is NetworkDisk (NTFS) - 249 GiB total, 68.417 GiB free.
T: is NetworkDisk (NTFS) - 249 GiB total, 68.417 GiB free.
V: is NetworkDisk (NTFS) - 249 GiB total, 68.417 GiB free.
W: is NetworkDisk (NTFS) - 129 GiB total, 54.523 GiB free.
Z: is NetworkDisk (NTFS) - 249 GiB total, 68.417 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom NetXtreme Gigabit Ethernet
Device ID: PCI\VEN_14E4&DEV_1659&SUBSYS_165914E4&REV_21\4&31DB9AC9&0&00E4
Manufacturer: Broadcom
Name: Broadcom NetXtreme Gigabit Ethernet
PNP Device ID: PCI\VEN_14E4&DEV_1659&SUBSYS_165914E4&REV_21\4&31DB9AC9&0&00E4
Service: b57w2k

Class GUID:
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_01DE1028&REV_01\3&172E68DD&0&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_01DE1028&REV_01\3&172E68DD&0&FB
Service:

==== System Restore Points ===================

No restore point in system.
==== Installed Programs ======================

Adobe Acrobat 8 Standard
Adobe Flash Player 10 ActiveX
AutoCAD Mechanical 2010
AutoCAD Mechanical 2010 Language Pack - English
AutoCAD Mechanical 2010 Version 2
Broadcom Gigabit Integrated Controller
CCleaner
Compatibility Pack for the 2007 Office system
Crystal Reports XI R2 .Net 3.0 Runtime (03_05_2008)
Dell Resource CD
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
LiveUpdate 3.3 (Symantec Corporation)
Malwarebytes' Anti-Malware
Manufacturing Systems client
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office Basic Edition 2003
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft WSE 3.0 Runtime
MSXML 6.0 Parser (KB933579)
NVIDIA Drivers
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
SigmaTel Audio
SolidWorks viewer
Symantec Endpoint Protection
System Requirements Lab
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VBA (2627.01)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 8
Windows XP Service Pack 3
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

4/27/2010 12:24:20 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Symantec AntiVirus service.
4/26/2010 10:54:52 PM, error: TermServDevices [1111] - Driver Snagit 9 Printer required for printer Snagit 9 is unknown. Contact the administrator to install the driver before you log in again.
4/25/2010 3:00:00 PM, error: Schedule [7901] - The At88.job command failed to start due to the following error: %%2147942402
4/25/2010 3:00:00 PM, error: Schedule [7901] - The At64.job command failed to start due to the following error: %%2147942402
4/25/2010 3:00:00 PM, error: Schedule [7901] - The At520.job command failed to start due to the following error: %%2147942402
4/25/2010 3:00:00 PM, error: Schedule [7901] - The At496.job command failed to start due to the following error: %%2147942402
4/25/2010 3:00:00 PM, error: Schedule [7901] - The At472.job command failed to start due to the following error: %%2147942402
4/25/2010 3:00:00 PM, error: Schedule [7901] - The At448.job command failed to start due to the following error: %%2147942402
4/25/2010 3:00:00 PM, error: Schedule [7901] - The At424.job command failed to start due to the following error: %%2147942402
4/25/2010 3:00:00 PM, error: Schedule [7901] - The At400.job command failed to start due to the following error: %%2147942402
4/25/2010 3:00:00 PM, error: Schedule [7901] - The At40.job command failed to start due to the following error: %%2147942402
4/25/2010 3:00:00 PM, error: Schedule [7901] - The At376.job command failed to start due to the following error: %%2147942402
4/25/2010 3:00:00 PM, error: Schedule [7901] - The At352.job command failed to start due to the following error: %%2147942402
4/25/2010 3:00:00 PM, error: Schedule [7901] - The At328.job command failed to start due to the following error: %%2147942402
4/25/2010 3:00:00 PM, error: Schedule [7901] - The At304.job command failed to start due to the following error: %%2147942402
4/25/2010 3:00:00 PM, error: Schedule [7901] - The At280.job command failed to start due to the following error: %%2147942402
4/25/2010 3:00:00 PM, error: Schedule [7901] - The At256.job command failed to start due to the following error: %%2147942402
4/25/2010 3:00:00 PM, error: Schedule [7901] - The At232.job command failed to start due to the following error: %%2147942402
4/25/2010 3:00:00 PM, error: Schedule [7901] - The At208.job command failed to start due to the following error: %%2147942402
4/25/2010 3:00:00 PM, error: Schedule [7901] - The At184.job command failed to start due to the following error: %%2147942402
4/25/2010 3:00:00 PM, error: Schedule [7901] - The At160.job command failed to start due to the following error: %%2147942402
4/25/2010 3:00:00 PM, error: Schedule [7901] - The At136.job command failed to start due to the following error: %%2147942402
4/25/2010 3:00:00 PM, error: Schedule [7901] - The At112.job command failed to start due to the following error: %%2147942402
4/25/2010 2:00:00 PM, error: Schedule [7901] - The At87.job command failed to start due to the following error: %%2147942402
4/25/2010 2:00:00 PM, error: Schedule [7901] - The At63.job command failed to start due to the following error: %%2147942402
4/25/2010 2:00:00 PM, error: Schedule [7901] - The At519.job command failed to start due to the following error: %%2147942402
4/25/2010 2:00:00 PM, error: Schedule [7901] - The At495.job command failed to start due to the following error: %%2147942402
4/25/2010 2:00:00 PM, error: Schedule [7901] - The At471.job command failed to start due to the following error: %%2147942402
4/25/2010 2:00:00 PM, error: Schedule [7901] - The At447.job command failed to start due to the following error: %%2147942402
4/25/2010 2:00:00 PM, error: Schedule [7901] - The At423.job command failed to start due to the following error: %%2147942402
4/25/2010 2:00:00 PM, error: Schedule [7901] - The At399.job command failed to start due to the following error: %%2147942402
4/25/2010 2:00:00 PM, error: Schedule [7901] - The At39.job command failed to start due to the following error: %%2147942402
4/25/2010 2:00:00 PM, error: Schedule [7901] - The At375.job command failed to start due to the following error: %%2147942402
4/25/2010 2:00:00 PM, error: Schedule [7901] - The At351.job command failed to start due to the following error: %%2147942402
4/25/2010 2:00:00 PM, error: Schedule [7901] - The At327.job command failed to start due to the following error: %%2147942402
4/25/2010 2:00:00 PM, error: Schedule [7901] - The At303.job command failed to start due to the following error: %%2147942402
4/25/2010 2:00:00 PM, error: Schedule [7901] - The At279.job command failed to start due to the following error: %%2147942402
4/25/2010 2:00:00 PM, error: Schedule [7901] - The At255.job command failed to start due to the following error: %%2147942402
4/25/2010 2:00:00 PM, error: Schedule [7901] - The At231.job command failed to start due to the following error: %%2147942402
4/25/2010 2:00:00 PM, error: Schedule [7901] - The At207.job command failed to start due to the following error: %%2147942402
4/25/2010 2:00:00 PM, error: Schedule [7901] - The At183.job command failed to start due to the following error: %%2147942402
4/25/2010 2:00:00 PM, error: Schedule [7901] - The At159.job command failed to start due to the following error: %%2147942402
4/25/2010 2:00:00 PM, error: Schedule [7901] - The At135.job command failed to start due to the following error: %%2147942402
4/25/2010 2:00:00 PM, error: Schedule [7901] - The At111.job command failed to start due to the following error: %%2147942402
4/25/2010 1:00:00 PM, error: Schedule [7901] - The At86.job command failed to start due to the following error: %%2147942402
4/25/2010 1:00:00 PM, error: Schedule [7901] - The At62.job command failed to start due to the following error: %%2147942402
4/25/2010 1:00:00 PM, error: Schedule [7901] - The At518.job command failed to start due to the following error: %%2147942402
4/25/2010 1:00:00 PM, error: Schedule [7901] - The At494.job command failed to start due to the following error: %%2147942402
4/25/2010 1:00:00 PM, error: Schedule [7901] - The At470.job command failed to start due to the following error: %%2147942402
4/25/2010 1:00:00 PM, error: Schedule [7901] - The At446.job command failed to start due to the following error: %%2147942402
4/25/2010 1:00:00 PM, error: Schedule [7901] - The At422.job command failed to start due to the following error: %%2147942402
4/25/2010 1:00:00 PM, error: Schedule [7901] - The At398.job command failed to start due to the following error: %%2147942402
4/25/2010 1:00:00 PM, error: Schedule [7901] - The At38.job command failed to start due to the following error: %%2147942402
4/25/2010 1:00:00 PM, error: Schedule [7901] - The At374.job command failed to start due to the following error: %%2147942402
4/25/2010 1:00:00 PM, error: Schedule [7901] - The At350.job command failed to start due to the following error: %%2147942402
4/25/2010 1:00:00 PM, error: Schedule [7901] - The At326.job command failed to start due to the following error: %%2147942402
4/25/2010 1:00:00 PM, error: Schedule [7901] - The At302.job command failed to start due to the following error: %%2147942402
4/25/2010 1:00:00 PM, error: Schedule [7901] - The At278.job command failed to start due to the following error: %%2147942402
4/25/2010 1:00:00 PM, error: Schedule [7901] - The At254.job command failed to start due to the following error: %%2147942402
4/25/2010 1:00:00 PM, error: Schedule [7901] - The At230.job command failed to start due to the following error: %%2147942402
4/25/2010 1:00:00 PM, error: Schedule [7901] - The At206.job command failed to start due to the following error: %%2147942402
4/25/2010 1:00:00 PM, error: Schedule [7901] - The At182.job command failed to start due to the following error: %%2147942402
4/25/2010 1:00:00 PM, error: Schedule [7901] - The At158.job command failed to start due to the following error: %%2147942402
4/25/2010 1:00:00 PM, error: Schedule [7901] - The At134.job command failed to start due to the following error: %%2147942402
4/25/2010 1:00:00 PM, error: Schedule [7901] - The At110.job command failed to start due to the following error: %%2147942402
4/21/2010 9:33:49 AM, error: Service Control Manager [7031] - The Windows Presentation Foundation Font Cache 3.0.0.0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
4/21/2010 9:33:42 AM, error: Service Control Manager [7034] - The FLEXnet Licensing Service service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================

GMER would not run, unfortunately. The first attempt produced an error that caused the program to crash. The subsequent attempts caused Windows to bluescreen due to iastor.sys. Any advice?

Thanks
  12. Hello Borislav, I've followed your instructions but it still found nothing. I know it is infected because of Symantec Endpoint alerts, browser hijacking, and intermittent application window deselection. Any other suggestions? Thanks in advance.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4042
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/27/2010 10:11:06 AM
mbam-log-2010-04-27 (10-11-06).txt

Scan type: Quick scan
Objects scanned: 160071
Time elapsed: 31 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  13. Hello, I have a user that is infected with a variety of malware/viruses. Symantec Endpoint is detecting the following, to name only a few:

Backdoor.Tidserv.I!inf
Bloodhound.Exploit.289
Bloodhound.PDF!gen
Trojan.FakeAV

Oddly, Malwarebytes doesn't detect any of these. The user is experiencing terribly slow PC performance and his application windows are being deselected randomly, rendering the PC useless. I suspect Malwarebytes may be corrupt, but I fear that if I uninstall it, use the clean utility and then attempt to reinstall, it will fail due to the malware probably trying to block it. Any advice would be greatly appreciated.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:40 PM, on 4/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SymCorpUI.exe
C:\WINDOWS\system32\logon.scr
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\All Users\Application Data\peLkFog0.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/news?pz=1&ned=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hughescompany.local
O17 - HKLM\Software\..\Telephony: DomainName = hughescompany.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hughescompany.local
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Eraser Service (EraserSvc10923) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 5802 bytes
  14. I just ghosted the factory image back on to the machine. Purchased the full MBAM for realtime protection. Thanks for the advice.
  15. A couple of nights ago I was infected with Antivirus Live malware. The computer is basically inoperable. I cannot run any exe in both safe mode and normal mode. I've read through the "I am infected" pinned item but none of those operations are possible. I'm thinking I am just going to have to format the machine. Any advice?
  16. Thanks for all your help! I'll be sure to check out those links. I've already received corporate pricing and have advised management to purchase PRO licenses. Cheers, TrepidatioN
  17. Hello, Attached are the clean logfiles from Malwarebytes and HijackThis. Anything else? Thanks again!

Malwarebytes' Anti-Malware 1.39
Database version: 2428
Windows 5.1.2600 Service Pack 3

7/14/2009 1:35:26 PM
mbam-log-2009-07-14 (13-35-26).txt

Scan type: Full Scan (C:\|)
Objects scanned: 217077
Time elapsed: 58 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:51 PM, on 7/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\client803\client\sysmonsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070202
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = hughes01:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\ppt\Office10\OSA.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.runaware.com
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1247585493639
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1247585460825
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hughescompany.local
O17 - HKLM\Software\..\Telephony: DomainName = hughescompany.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hughescompany.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hughescompany.local
O20 - AppInit_DLLs: C:\WINDOWS\system32\wxvault.dll
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Manufacturing System Monitor - Epicor - c:\client803\client\sysmonsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe

--
End of file - 9427 bytes
  18. Hello, Thanks for the all clear. These rootkits are certainly alarming. Is the risk posed by these rootkits only to the user or all the users on the entire network? After posting those 3 files I did another full scan and it revealed the following:

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

7/13/2009 6:03:43 PM
mbam-log-2009-07-13 (18-03-43).txt

Scan type: Full Scan (C:\|)
Objects scanned: 219108
Time elapsed: 1 hour(s), 1 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\qoobox\quarantine\c\windows\system32\hjgruiobrnwpfn.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\quarantine\C\WINDOWS\system32\hjgruiyiohgcjn.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\quarantine\C\WINDOWS\system32\drivers\hjgruivatnbehv.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP892\A0105026.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP892\A0105027.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\rp892\A0105028.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

I am doing another full scan with a new database. I think I've updated my database 3 times today, so hopefully that scan will be clean. Thanks again for all your help and the quick turnaround on the responses. So greatly appreciated!
  19. Hello, Attached are the requested files. Thanks in advance. suspects.zip
  20. Hello, After my last post I updated the database again as a new version must have been released in the past couple of hours. I returned to safe mode and a quick scan revealed:

Malwarebytes' Anti-Malware 1.38
Database version: 2420
Windows 5.1.2600 Service Pack 3

7/13/2009 3:23:11 PM
mbam-log-2009-07-13 (15-23-08).txt

Scan type: Quick Scan
Objects scanned: 154317
Time elapsed: 13 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{40196867-19f8-7157-c097-ecaff653c9ad} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pcmstub (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\pcmstub (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pcmstub (Rootkit.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\pcmstub.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\wiwow64.exe (Trojan.Agent) -> No action taken.
C:\documents and settings\bill\local settings\Temp\502.exe (Trojan.FakeAlert) -> No action taken.
C:\documents and settings\bill\local settings\Temp\a.exe (Trojan.Dropper) -> No action taken.
C:\documents and settings\bill\local settings\Temp\b.exe (Trojan.Downloader) -> No action taken.
C:\documents and settings\bill\local settings\Temp\db.exe (Trojan.Dropper) -> No action taken.
C:\documents and settings\bill\local settings\Temp\f.exe (Trojan.Agent) -> No action taken.
C:\documents and settings\bill\local settings\Temp\incosnet.tmp (Trojan.TDSS) -> No action taken.
C:\documents and settings\bill\local settings\Temp\install.48349.exe (Trojan.Downloader) -> No action taken.
C:\documents and settings\bill\local settings\Temp\lemu.exe (Trojan.FakeAlert) -> No action taken.
C:\documents and settings\bill\local settings\Temp\maccsnet.tmp (Trojan.Downloader) -> No action taken.
C:\documents and settings\bill\local settings\Temp\msxml71.dll (Trojan.FakeAlert) -> No action taken.
C:\documents and settings\bill\local settings\Temp\nsxwmcaeor.tmp (Trojan.FakeAlert) -> No action taken.
C:\documents and settings\bill\local settings\Temp\rasvsnet.tmp (Trojan.FakeAlert) -> No action taken.
C:\documents and settings\bill\local settings\Temp\tmp11AB.tmp (Trojan.Piverb) -> No action taken.
C:\documents and settings\bill\local settings\Temp\xcweosnamr.tmp (Trojan.Downloader) -> No action taken.
C:\WINDOWS\Temp\tmp0_267339233481.bk.old (Trojan.Agent) -> No action taken.
C:\WINDOWS\Temp\tmp0_34745212949.bk.old (Trojan.Agent) -> No action taken.
C:\documents and settings\localservice\local settings\temporary internet files\Content.IE5\12IHYFNX\w[1].bin (Trojan.Agent) -> No action taken.
C:\documents and settings\localservice\local settings\temporary internet files\Content.IE5\EBYTJ1HY\w[1].bin (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\wiawow32.sys (Backdoor.Bot) -> No action taken.
I elected to remove the threats:

Malwarebytes' Anti-Malware 1.38
Database version: 2420
Windows 5.1.2600 Service Pack 3

7/13/2009 3:23:14 PM
mbam-log-2009-07-13 (15-23-14).txt

Scan type: Quick Scan
Objects scanned: 154317
Time elapsed: 13 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{40196867-19f8-7157-c097-ecaff653c9ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pcmstub (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\pcmstub (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pcmstub (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\pcmstub.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wiwow64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\documents and settings\bill\local settings\Temp\502.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\documents and settings\bill\local settings\Temp\a.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\documents and settings\bill\local settings\Temp\b.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\documents and settings\bill\local settings\Temp\db.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\documents and settings\bill\local settings\Temp\f.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\documents and settings\bill\local settings\Temp\incosnet.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\documents and settings\bill\local settings\Temp\install.48349.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\documents and settings\bill\local settings\Temp\lemu.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\documents and settings\bill\local settings\Temp\maccsnet.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\documents and settings\bill\local settings\Temp\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\documents and settings\bill\local settings\Temp\nsxwmcaeor.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\documents and settings\bill\local settings\Temp\rasvsnet.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\documents and settings\bill\local settings\Temp\tmp11AB.tmp (Trojan.Piverb) -> Quarantined and deleted successfully.
C:\documents and settings\bill\local settings\Temp\xcweosnamr.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tmp0_267339233481.bk.old (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tmp0_34745212949.bk.old (Trojan.Agent) -> Quarantined and deleted successfully.
C:\documents and settings\localservice\local settings\temporary internet files\Content.IE5\12IHYFNX\w[1].bin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\documents and settings\localservice\local settings\temporary internet files\Content.IE5\EBYTJ1HY\w[1].bin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wiawow32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.

Returned to the forums to find your post.
Ran ComboFix to reveal the following, which, as I suspected, was a rootkit:

ComboFix 09-07-13.01 - bill 07/13/2009 16:19.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2624 [GMT -5:00]
Running from: c:\documents and settings\bill\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\Install.txt
c:\windows\system32\drivers\hjgruivatnbehv.sys
c:\windows\system32\drivers\mjhnwrlajwafd.sys
c:\windows\system32\drivers\str.sys
c:\windows\system32\hjgruimcslmxos.dat
c:\windows\system32\hjgruiobrnwpfn.dll
c:\windows\system32\hjgruiybsnnwqo.dat
c:\windows\system32\hjgruiyiohgcjn.dll
c:\windows\system32\Install.txt

----- BITS: Possible infected sites -----

hxxp://hughes03:8530
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_hjgruiympewrbe
-------\Legacy_6TO4
-------\Legacy_MSNCACHE
-------\Legacy_PCMSTUB
-------\Legacy_QYTHF
-------\Legacy_SOPIDKC

((((((((((((((((((((((((( Files Created from 2009-06-13 to 2009-07-13 )))))))))))))))))))))))))))))))
.
2009-07-13 20:26 . 2009-07-13 20:26 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-13 19:08 . 2009-07-13 19:08 -------- d-----w- c:\program files\SystemRequirementsLab
2009-07-13 17:54 . 2009-07-13 17:54 -------- d-----w- c:\documents and settings\bill\Application Data\Malwarebytes
2009-07-13 16:07 . 2009-07-13 16:07 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-07-13 16:07 . 2009-07-13 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 16:07 . 2009-07-13 20:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-13 16:07 . 2009-07-13 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-13 16:07 . 2009-07-13 16:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-13 16:06 . 2009-07-13 16:06 -------- d-----w- c:\program files\Trend Micro
2009-07-13 15:16 . 2009-07-13 15:16 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-07-10 22:06 . 2009-07-10 22:06 56492 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP0.sys
2009-07-10 00:08 . 2009-07-05 08:00 259368 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dca03.vdb\ECMSVR32.DLL
2009-07-10 00:08 . 2009-02-18 19:41 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dca03.vdb\CCERASER.DLL
2009-07-10 00:08 . 2009-02-12 23:04 876144 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dca03.vdb\NAVEX15.SYS
2009-07-10 00:08 . 2009-02-12 23:04 89104 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dca03.vdb\NAVENG.SYS
2009-07-10 00:08 . 2009-02-12 23:03 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dca03.vdb\NAVEX32A.DLL
2009-07-10 00:08 . 2009-02-12 23:03 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dca03.vdb\NAVENG32.DLL
2009-07-10 00:08 . 2009-02-06 19:26 101936 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dca03.vdb\ERASER.SYS
2009-07-10 00:08 . 2009-02-06 19:26 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dca03.vdb\EECTRL.SYS
2009-07-10 00:07 . 2009-02-12 23:04 876144 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dd203.vdb\NAVEX15.SYS
2009-07-10 00:07 . 2009-02-12 23:04 89104 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dd203.vdb\NAVENG.SYS
2009-07-10 00:07 . 2009-02-12 23:03 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dd203.vdb\NAVEX32A.DLL
2009-07-10 00:07 . 2009-02-12 23:03 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dd203.vdb\NAVENG32.DLL
2009-07-10 00:07 . 2009-07-09 08:00 259368 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dd203.vdb\ECMSVR32.DLL
2009-07-10 00:07 . 2009-02-18 19:41 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dd203.vdb\CCERASER.DLL
2009-07-10 00:07 . 2009-02-06 19:26 101936 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dd203.vdb\ERASER.SYS
2009-07-10 00:07 . 2009-02-06 19:26 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2dd203.vdb\EECTRL.SYS
2009-07-06 14:04 . 2009-07-06 14:04 -------- d-----w- c:\windows\Sun
2009-07-01 15:24 . 2009-07-01 15:24 -------- d-----w- c:\program files\SolidWorks Viewer
2009-06-24 15:51 . 2009-07-02 13:26 -------- d-----w- c:\documents and settings\bill\Local Settings\Application Data\Glance
2009-06-24 15:51 . 2009-06-24 15:51 -------- d-----w- c:\program files\Glance24
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-13 17:55 . 2007-02-08 22:07 -------- d-----w- c:\documents and settings\bill\Application Data\Wave Systems Corp
2009-07-10 22:19 . 2009-07-10 22:07 1007 ---h--w- c:\windows\Fonts\mlog
2009-07-10 22:01 . 2007-10-03 19:09 -------- d-----w- c:\program files\Symantec AntiVirus
2009-07-10 17:57 . 2009-02-20 14:43 11264 ----a-w- c:\documents and settings\All Users\Application Data\Epicor\Vista\8.03.407\HUGHES\CustomDLLs\QuoteLineSearch.6afd07ea-2b84-40f1-b1fb-2cb2f4225ed6.DBTracker.CustomCode.dll
2009-06-01 12:28 . 2008-06-02 15:23 368768 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-29 17:52 . 2009-05-29 17:52 9216 ----a-w- c:\documents and settings\All Users\Application Data\Epicor\Vista\8.03.407\HUGHES\CustomDLLs\SOLineSearch.f6332aed-0396-42fd-b6e9-84a0ec047b7a.DBTracker.CustomCode.dll
2009-05-26 21:38 . 2009-05-26 21:38 28672 ----a-w- c:\documents and settings\All Users\Application Data\Epicor\Vista\8.03.407\HUGHES\CustomDLLs\App.ARInvoiceUpdtEntry.ARInvoiceUpdtForm.BE.BaseExtension.ARInvoiceTracker.CustomCode.dll
2009-05-13 21:08 . 2009-05-13 21:08 12800 ----a-w- c:\documents and settings\All Users\Application Data\Epicor\Vista\8.03.407\HUGHES\CustomDLLs\App.ReceiptEntry.ReceiptEntryForm.BE.BaseExtension.ReceiptTracker.CustomCode.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-21 7204864]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-05-16 102400]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"vptray"="c:\progra~1\SYMANT~2\VPTray.exe" [2006-09-28 125168]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-20 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000003}\_SC_Acrobat.exe [2007-2-8 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-23 11000]
EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2006-1-30 192512]
Microsoft Office.lnk - c:\program files\Microsoft Office\ppt\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wxvault.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [3/17/2006 6:25 PM 65536]
R2 Manufacturing System Monitor;Manufacturing System Monitor;c:\client803\Client\SysmonSvc.exe [2/8/2007 6:47 PM 20480]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/26/2009 8:06 PM 101936]
S2 qythf;qythf;\??\c:\windows\system32\drivers\mjhnwrlajwafd.sys --> c:\windows\system32\drivers\mjhnwrlajwafd.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/13/2009 11:07 AM 38160]
.
Contents of the 'Scheduled Tasks' folder

2009-07-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 18:42]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-nwiz - nwiz.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.google.com/
uInternet Settings,ProxyServer = hughes01:8080
uInternet Settings,ProxyOverride = <local>
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: runaware.com\www
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-13 16:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(812)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Wave Systems Corp\common\DataServer.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-07-13 16:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-13 21:40

Pre-Run: 46,963,757,056 bytes free
Post-Run: 49,290,022,912 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

192 --- E O F --- 2009-04-17 08:04

Then ran HijackThis to reveal:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:43:28 PM, on 7/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\client803\client\sysmonsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070202
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = hughes01:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\ppt\Office10\OSA.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.runaware.com
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1170963002218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1170962991048
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hughescompany.local
O17 - HKLM\Software\..\Telephony: DomainName = hughescompany.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hughescompany.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hughescompany.local
O20 - AppInit_DLLs: C:\WINDOWS\system32\wxvault.dll
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Manufacturing System Monitor - Epicor - c:\client803\client\sysmonsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe

--
End of file - 10625 bytes

Now I am hoping Malwarebytes will finish a scan in normal mode. Any further suggestions? Thanks!
  21. Hello Fatdcuk, well, since I posted, I managed to figure out the SAFEMODE password. I was able to install Malwarebytes as well. A quick scan revealed the following:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

7/13/2009 11:23:46 AM
mbam-log-2009-07-13 (11-23-37).txt

Scan type: Quick Scan
Objects scanned: 147937
Time elapsed: 13 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 19
Registry Values Infected: 14
Registry Data Items Infected: 5
Folders Infected: 2
Files Infected: 27

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msncache (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msncache (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msncache (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\sopidkc (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\6to4 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sopidkc (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sopidkc (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11598124 (Rogue.Multiple.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mms (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.
HKEY_CLASSES_ROOT\.bat\(default) (Hijacked.BatFile) -> Bad: (csfile) Good: (batfile) -> No action taken.
HKEY_CLASSES_ROOT\.com\(default) (Hijacked.ComFile) -> Bad: (csfile) Good: (comfile) -> No action taken.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\11598124 (Rogue.Multiple.H) -> No action taken.
C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.

Files Infected:
c:\documents and settings\all users\application data\11598124\11598124 (Rogue.Multiple.H) -> No action taken.
c:\documents and settings\all users\application data\11598124\11598124.exe (Rogue.Multiple.H) -> No action taken.
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> No action taken.
c:\WINDOWS\system32\msncache.dll (Backdoor.Bot) -> No action taken.
c:\documents and settings\bill\local settings\Temp\bucksnet.tmp (Trojan.Dropper) -> No action taken.
c:\documents and settings\bill\local settings\Temp\mwxcarenso.tmp (Trojan.Downloader) -> No action taken.
c:\documents and settings\bill\local settings\Temp\prun.tmp (Trojan.Downloader) -> No action taken.
c:\WINDOWS\Temp\txpxr_213436125608.b1k (Backdoor.Bot) -> No action taken.
c:\WINDOWS\Temp\txpxr_230912288549.b1k (Backdoor.Bot) -> No action taken.
c:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken.
c:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> No action taken.
C:\WINDOWS\msa.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\msb.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\sopidkc.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\tpsaxyd.exe (Backdoor.Bot) -> No action taken.
c:\documents and settings\bill\Local Settings\Temp\rasesnet.tmp (Trojan.Agent) -> No action taken.
c:\documents and settings\bill\Local Settings\Temp\xpre.tmp (Trojan.Downloader) -> No action taken.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> No action taken.
c:\documents and settings\bill\Local Settings\Temp\defender32.exe (Trojan.Downloader) -> No action taken.

I then opted to remove these items:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

7/13/2009 11:25:13 AM
mbam-log-2009-07-13 (11-25-13).txt

Scan type: Quick Scan
Objects scanned: 147937
Time elapsed: 13 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 19
Registry Values Infected: 14
Registry Data Items Infected: 5
Folders Infected: 2
Files Infected: 27

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msncache (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msncache (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msncache (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\sopidkc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11598124 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mms (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.bat\(default) (Hijacked.BatFile) -> Bad: (csfile) Good: (batfile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.com\(default) (Hijacked.ComFile) -> Bad: (csfile) Good: (comfile) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\11598124 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
c:\documents and settings\all users\application data\11598124\11598124 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\11598124\11598124.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\msncache.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\documents and settings\bill\local settings\Temp\bucksnet.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\bill\local settings\Temp\mwxcarenso.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\bill\local settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\txpxr_213436125608.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\txpxr_230912288549.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
c:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\msb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sopidkc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tpsaxyd.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\documents and settings\bill\Local Settings\Temp\rasesnet.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\bill\Local Settings\Temp\xpre.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\bill\Local Settings\Temp\defender32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
I then did a full scan, which revealed the following:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

7/13/2009 12:52:36 PM
mbam-log-2009-07-13 (12-52-33).txt

Scan type: Full Scan (C:\|)
Objects scanned: 246995
Time elapsed: 53 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.

Folders Infected: (No malicious items detected)
Files Infected: (No malicious items detected)

I removed the threats:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

7/13/2009 12:52:38 PM
mbam-log-2009-07-13 (12-52-38).txt

Scan type: Full Scan (C:\|)
Objects scanned: 246995
Time elapsed: 53 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: (No malicious items detected)
Registry Keys Infected: (No malicious items detected)
Registry Values Infected: (No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
Folders Infected: (No malicious items detected)
Files Infected: (No malicious items detected)

I then rebooted in normal mode with the user's normal network login and updated Malwarebytes to the current version and database, and attempted to do a quick and a full scan, both of which failed, as Malwarebytes would eventually just freeze and not respond. I tried scans multiple times, but it will not successfully complete a scan in normal mode. A HijackThis log shows the following:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:57:42 PM, on 7/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\client803\client\sysmonsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\DOCUME~1\bill\LOCALS~1\Temp\b.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070202
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070202
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = hughes01:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PowerMgr] "C:\WINDOWS\system32\Rundll32.exe" "C:\DOCUME~1\bill\LOCALS~1\Temp\tmp11AB.tmp",Init
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\bill\LOCALS~1\Temp\b.exe
O4 - HKCU\..\Run: [defender32.exe] C:\DOCUME~1\bill\LOCALS~1\Temp\defender32.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\ppt\Office10\OSA.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.runaware.com
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1170963002218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1170962991048
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hughescompany.local
O17 - HKLM\Software\..\Telephony: DomainName = hughescompany.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hughescompany.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hughescompany.local
O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Manufacturing System Monitor - Epicor - c:\client803\client\sysmonsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe

--
End of file - 11181 bytes

Thanks!
  22. Hello, I have a machine whose browser is being hijacked. I cannot run HijackThis.exe or install Malwarebytes without Windows asking me what I want to open this program with. I cannot start the machine in Safe Mode because the network password for the user is different from the "local" password and no one in the company knows the local passwords. I also cannot access the Users section from the Control Panel. It basically says it cannot be found. This computer has serious problems. In short: .exe files do not run. IE is being hijacked. Safe Mode is not an option. Any suggestions please? Thanks in advance.