
Personal Guard 2009 Has Got me Bad


bobsmg


Personal Guard is having its way with me. I can't get Malware to run (and I can't get Safe Mode to run either), but I have the HijackThis log:

Please help!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:10:08 PM, on 11/3/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\WINDOWS\System32\alg.exe

C:\windows\system\hpsysdrv.exe

C:\Program Files\Personal Guard 2009\personalguard.exe

C:\WINDOWS\system32\winsc.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Yahoo!\browser\ybrwicon.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Electronic Arts\EADM\Core.exe

C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe

C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\ESPMAIN.EXE

C:\Program Files\Qlock\qlock.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

F2 - REG:system.ini: Shell=Explorer.exe logon.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.32.0\gears.dll

O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY

O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [kujavefik] Rundll32.exe "c:\windows\system32\yaveyayu.dll",a

O4 - HKLM\..\Run: [personalguard] C:\Program Files\Personal Guard 2009\personalguard.exe

O4 - HKCU\..\Run: [jobexec] C:\WINDOWS\System32\jobexec.exe

O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcStd7_0_8 -reboot 1

O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent

O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - Startup: qlock.lnk = C:\Program Files\Qlock\qlock.exe

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\ESPMAIN.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\npjava131_04.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\npjava131_04.dll (file missing)

O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.32.0\gears.dll

O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.32.0\gears.dll

O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.brownpapertickets.com

O15 - Trusted Zone: *.intuit.com

O15 - Trusted Zone: http://*.turbotax.com

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe

O16 - DPF: {53C9A69F-A62B-4A09-9B04-F7395682B3AF} (WebTransferCtrl Class) - https://worksite.pillsburylaw.com/WorkSite/...es/iManFile.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab

O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab

O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab

O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://tsweb.haas.berkeley.edu/msrdp.cab

O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://tsweb.haas.berkeley.edu/msrdp.cab

O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_1us.cab

O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pillsburylaw.webex.com/client/T26L/webex/ieatgpc.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL liferazi.dll c:\windows\system32\yaveyayu.dll

O21 - SSODL: SysNet - {235AAC05-FA55-4646-A2CA-82397C8CD6D8} - C:\Documents and Settings\All Users\Microsoft AData\sysnet.dll

O21 - SSODL: zozusopoh - {4d9dd172-9ffd-4fdb-b2e1-6236136b3fcf} - c:\windows\system32\yaveyayu.dll

O22 - SharedTaskScheduler: jugezatag - {4d9dd172-9ffd-4fdb-b2e1-6236136b3fcf} - c:\windows\system32\yaveyayu.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Update Service (gupdate1c9106f549cdb70) (gupdate1c9106f549cdb70) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--

End of file - 18189 bytes

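Added example, not part of the thread and not a HijackThis feature: a small Python triage script that parses lines in the HijackThis v2 format shown above and flags the loading points this log shows being abused (extra programs on the system.ini Shell= and UserInit= values, rundll32-launched and AppInit DLLs, SSODL and SharedTaskScheduler entries). The sample log is built from this thread's entries, and the "generated-looking name" heuristic is an assumption of this example, tuned to the names that appear here.

```python
import re
from dataclasses import dataclass

# Constructed sample: the suspicious lines from the HijackThis log in this thread
# plus two benign ones, so the triage has both classes to sort.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [kujavefik] Rundll32.exe "c:\windows\system32\yaveyayu.dll",a
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL liferazi.dll c:\windows\system32\yaveyayu.dll
O21 - SSODL: SysNet - {235AAC05-FA55-4646-A2CA-82397C8CD6D8} - C:\Documents and Settings\All Users\Microsoft AData\sysnet.dll
O21 - SSODL: zozusopoh - {4d9dd172-9ffd-4fdb-b2e1-6236136b3fcf} - c:\windows\system32\yaveyayu.dll
O22 - SharedTaskScheduler: jugezatag - {4d9dd172-9ffd-4fdb-b2e1-6236136b3fcf} - c:\windows\system32\yaveyayu.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "F2", "O4", "O20"
    target: str   # the file or command the finding is about
    reason: str

LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
VOWELS = set("aeiou")
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = "userinit.exe"

def parse_hjt(text):
    """Return (section, body) pairs; header and process-list lines do not match
    the "Oxx - " shape and are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def basename(path):
    return path.replace("/", "\\").rstrip("\\").split("\\")[-1]

def stem(path):
    return basename(path).rsplit(".", 1)[0]

def looks_generated(name):
    """Heuristic (an assumption of this example) for the pseudo-random names in
    this log such as yaveyayu, liferazi, kujavefik: lowercase letters only, at
    least 8 long, strictly alternating consonant/vowel. Not applied to F2 lines,
    where the legitimate name userinit would match as well."""
    if len(name) < 8 or not name.isalpha() or not name.islower():
        return False
    is_vowel = [c in VOWELS for c in name]
    return all(is_vowel[i] != is_vowel[i + 1] for i in range(len(name) - 1))

def triage(entries):
    findings = []
    for section, body in entries:
        if section == "F2" and body.startswith("REG:system.ini: Shell="):
            # XP default is exactly Explorer.exe; any extra token is another
            # program started at every logon.
            for tok in body.split("=", 1)[1].split():
                if tok.lower() != DEFAULT_SHELL:
                    findings.append(Finding("F2", tok, "extra program on Shell="))
        elif section == "F2" and body.startswith("REG:system.ini: UserInit="):
            # Default is a single userinit.exe; every further path is run by
            # winlogon before the shell appears.
            for p in body.split("=", 1)[1].split(","):
                if p and basename(p).lower() != DEFAULT_USERINIT:
                    findings.append(Finding("F2", p, "extra program on UserInit="))
        elif section == "O4":
            m = re.match(r"[^:]*: \[([^\]]+)\] (.*)", body)
            if not m:
                continue  # Startup-folder entries use a different shape
            name, cmd = m.groups()
            dll = re.search(r'([^"\s]+\.dll)', cmd, re.I)
            if "rundll32" in cmd.lower() and dll and looks_generated(stem(dll.group(1))):
                findings.append(Finding("O4", dll.group(1), "rundll32 loads a generated-name DLL"))
            elif looks_generated(name):
                findings.append(Finding("O4", cmd, "generated-looking Run value name"))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # Every DLL listed here is injected into every user-mode process; a bare
            # filename is resolved through the DLL search path. Paths with spaces
            # would need smarter splitting than this.
            for d in body.split(":", 1)[1].split():
                if "\\" not in d:
                    findings.append(Finding("O20", d, "AppInit DLL given without a path"))
                elif looks_generated(stem(d)):
                    findings.append(Finding("O20", d, "AppInit DLL with generated-looking name"))
        elif section in ("O21", "O22"):
            # "SSODL: name - {CLSID} - path"; HijackThis hides the default entries,
            # so what remains deserves a look file by file.
            parts = [p.strip() for p in body.split(" - ")]
            if len(parts) < 3:
                continue
            name, path = parts[0].split(": ", 1)[-1], parts[-1]
            if looks_generated(name) or looks_generated(stem(path)):
                findings.append(Finding(section, path, "shell extension with generated-looking name"))
            elif "documents and settings" in path.lower():
                findings.append(Finding(section, path, "shell extension loaded from a profile folder"))
    return findings
```

Run `triage(parse_hjt(SAMPLE_LOG))` to get the flagged entries; the benign ccApp and Bonjour lines come back clean, while every line the helper's ComboFix run later deleted is flagged.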

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot: RC1.png]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Hello!

Thanks. Below is the log from ComboFix:

ComboFix 09-11-03.03 - Administrator 11/04/2009 7:40.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1118 [GMT -8:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrator\Desktop\Personal Guard 2009.lnk

c:\documents and settings\Administrator\Start Menu\Programs\Personal Guard 2009

c:\documents and settings\Administrator\Start Menu\Programs\Personal Guard 2009\Personal Guard 2009.lnk

c:\documents and settings\Administrator\Start Menu\Programs\Personal Guard 2009\Uninstall.lnk

c:\documents and settings\All Users\Microsoft AData

c:\documents and settings\All Users\Microsoft AData\setup.exe

c:\documents and settings\All Users\Microsoft AData\sysnet.dll

c:\documents and settings\All Users\Microsoft AData\t.sid

c:\program files\INSTALL.LOG

c:\program files\Personal Guard 2009

c:\program files\Personal Guard 2009\config.scf

c:\program files\Personal Guard 2009\mmbase.sdb

c:\program files\Personal Guard 2009\personalguard.exe

c:\program files\Personal Guard 2009\q.sdb

c:\program files\Personal Guard 2009\queue.sdb

c:\program files\Personal Guard 2009\uninstalls.exe

c:\program files\Personal Guard 2009\vvbase.sdb

c:\windows\Downloaded Program Files\setup.dll

c:\windows\Fonts\acrsec.fon

c:\windows\Fonts\acrsecB.fon

c:\windows\Fonts\acrsecI.fon

c:\windows\microsoftdef.dll

c:\windows\system32\dagetowa.dll

c:\windows\system32\demozela.dll.tmp

c:\windows\system32\fodedozu.dll

c:\windows\system32\fopiyora.dll

c:\windows\system32\gayiloba.dll

c:\windows\system32\hasabasi.dll

c:\windows\system32\hiduvudi.dll

c:\windows\system32\iAlmcoin.dll

c:\windows\system32\jupabone.dll

c:\windows\system32\liferazi.dll

c:\windows\system32\logon.exe

c:\windows\system32\lowsec

c:\windows\system32\lowsec\local.ds

c:\windows\system32\lowsec\user.ds

c:\windows\system32\pibijego.dll.tmp

c:\windows\system32\ps2.bat

c:\windows\system32\sdra64.exe

c:\windows\system32\sokolofi.dll.tmp

c:\windows\system32\tanovivo.dll

c:\windows\system32\tijayefe.dll

c:\windows\system32\vabewuze.dll

c:\windows\system32\wogeyabo.dll

c:\windows\system32\zarojeho.dll

c:\windows\Tasks\oyallxvz.job

D:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))

.

2009-11-04 04:04 . 2009-11-04 04:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp

2009-11-04 00:49 . 2009-11-04 00:49 -------- d-----w- c:\program files\Trend Micro

2009-11-03 23:36 . 2009-11-04 00:46 -------- d-----w- c:\program files\Malwarebytes AntiMalware

2009-11-03 22:58 . 2009-11-03 22:58 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-11-03 16:19 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-03 16:19 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-03 14:50 . 2009-11-03 14:50 114 ---ha-w- C:\aaw7boot.cmd

2009-11-03 07:02 . 2009-11-03 07:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-11-03 06:57 . 2009-11-04 00:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-03 06:57 . 2009-11-03 06:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-11-03 06:06 . 2008-12-11 16:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-11-03 06:05 . 2009-08-24 22:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-11-03 06:05 . 2009-08-19 19:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-11-03 06:05 . 2009-11-03 06:09 -------- d-----w- c:\program files\Common Files\PC Tools

2009-11-03 06:04 . 2008-12-10 19:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2009-11-03 06:04 . 2009-11-03 06:51 -------- d-----w- c:\program files\Spyware Doctor

2009-11-03 06:04 . 2009-11-03 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-11-03 06:04 . 2009-11-03 06:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools

2009-11-03 06:04 . 2009-11-03 06:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-11-03 05:53 . 2009-11-03 05:53 -------- d-----w- c:\program files\Windows Defender

2009-11-03 01:09 . 2009-11-03 15:16 38352 ----a-w- c:\windows\regred.exe

2009-11-03 01:09 . 2009-11-03 15:16 33149 ----a-w- c:\windows\usexplorer.exe

2009-11-03 01:09 . 2009-11-03 15:16 47872 ----a-w- c:\windows\certsystem.exe

2009-11-03 01:09 . 2009-11-03 15:16 51197 ----a-w- c:\windows\spoov.exe

2009-11-02 15:56 . 2009-11-02 15:56 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2009-11-02 15:52 . 2009-11-03 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-11-02 06:11 . 2009-11-04 01:19 -------- d-----w- c:\program files\Norton Internet Security

2009-11-02 06:06 . 2009-11-02 14:58 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2009-11-02 06:06 . 2009-11-02 14:58 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2009-11-02 06:02 . 2009-11-02 14:58 -------- d-----w- c:\program files\Symantec

2009-11-01 01:45 . 2009-11-01 01:45 382976 ----a-w- c:\windows\system32\winsc.exe

2009-11-01 01:45 . 2009-11-03 15:16 28320 ----a-w- c:\windows\securits.com

2009-10-26 16:00 . 2009-10-26 16:00 -------- d-----w- c:\windows\system32\scripting

2009-10-26 16:00 . 2009-10-26 16:00 -------- d-----w- c:\windows\l2schemas

2009-10-26 16:00 . 2009-10-26 16:00 -------- d-----w- c:\windows\system32\en

2009-10-23 17:10 . 2009-10-23 17:10 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2009-10-23 16:40 . 2009-10-23 16:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2009-10-23 16:40 . 2009-10-23 16:40 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-10-23 16:40 . 2009-10-23 16:40 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-10-23 16:21 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2009-10-23 16:21 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2009-10-23 16:20 . 2009-10-24 10:01 -------- d-----w- c:\windows\ie8updates

2009-10-23 16:19 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll

2009-10-23 16:17 . 2009-10-23 16:18 -------- dc-h--w- c:\windows\ie8

2009-10-19 01:39 . 2009-10-19 01:39 -------- d--h--w- c:\windows\PIF

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-04 16:10 . 2007-05-21 00:38 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-11-04 04:08 . 2003-09-24 01:57 -------- d-----w- c:\program files\Google

2009-11-04 01:26 . 2003-04-24 14:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-11-02 14:58 . 2009-11-02 14:49 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2009-11-02 14:58 . 2009-11-02 14:49 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2009-10-22 10:11 . 2004-12-30 05:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype

2009-10-21 23:00 . 2007-12-02 18:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM

2009-10-19 02:08 . 2009-05-13 03:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent

2009-09-26 22:07 . 2009-09-26 22:05 -------- d-----w- c:\program files\iTunes

2009-09-26 22:05 . 2004-05-01 06:29 -------- d-----w- c:\program files\iPod

2009-09-26 22:05 . 2007-07-27 04:54 -------- d-----w- c:\program files\Common Files\Apple

2009-09-18 04:56 . 2009-09-18 04:56 51580 ---ha-w- c:\windows\system32\mlfcache.dat

2009-09-16 04:30 . 2003-12-20 22:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer

2009-09-15 05:31 . 2009-09-15 05:31 -------- d-----w- c:\program files\iPhone Configuration Utility

2009-09-15 05:29 . 2009-09-15 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

2009-09-15 05:25 . 2006-01-23 06:28 -------- d-----w- c:\program files\QuickTime

2009-09-15 03:24 . 2009-09-15 03:24 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys

2009-09-15 03:24 . 2009-09-15 03:24 -------- d-----w- c:\program files\Linksys Wireless-G PCI Wireless Network Monitor

2009-09-15 03:24 . 2003-04-24 15:18 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-11 14:18 . 2003-07-15 21:23 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-11 03:35 . 2009-09-11 03:35 -------- d-----w- c:\program files\Telltale Games

2009-09-04 21:03 . 2003-07-15 21:23 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-29 08:08 . 2006-06-23 19:33 916480 ----a-w- c:\windows\system32\wininet.dll

2009-08-29 02:42 . 2008-09-11 22:11 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-08-29 02:42 . 2007-09-15 03:36 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-08-26 08:00 . 2003-07-15 20:58 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-07 02:24 . 2006-08-08 05:39 327896 ----a-w- c:\windows\system32\wucltui.dll

2009-08-07 02:24 . 2006-08-08 05:39 209632 ----a-w- c:\windows\system32\wuweb.dll

2009-08-07 02:24 . 2006-08-08 05:39 35552 ----a-w- c:\windows\system32\wups.dll

2009-08-07 02:24 . 2005-05-26 11:16 44768 ----a-w- c:\windows\system32\wups2.dll

2009-08-07 02:24 . 2003-07-15 20:59 53472 ----a-w- c:\windows\system32\wuauclt.exe

2009-08-07 02:24 . 2003-07-15 21:17 96480 ----a-w- c:\windows\system32\cdm.dll

2009-08-07 02:23 . 2006-08-08 05:39 575704 ----a-w- c:\windows\system32\wuapi.dll

2009-08-07 02:23 . 2003-07-15 20:59 1929952 ----a-w- c:\windows\system32\wuaueng.dll

2008-09-03 14:51 . 2007-05-16 04:53 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

2009-08-02 13:50 . 2009-08-02 13:50 60928 --sha-w- c:\windows\system32\guyetisu.dll

2009-08-01 13:49 . 2009-08-01 13:49 52224 --sha-w- c:\windows\system32\naveriju.dll

2009-08-01 13:50 . 2009-08-01 13:50 52224 --sha-w- c:\windows\system32\povehana.dll

2009-08-04 01:50 . 2009-08-04 01:50 89088 --sha-w- c:\windows\system32\wahewozi.dll

2009-08-03 13:50 . 2009-08-03 13:50 89088 --sha-w- c:\windows\system32\yaveyayu.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87cfbaa5-068c-4f4c-9888-872ef576b65f}]

2009-08-01 13:50 52224 --sha-w- c:\windows\system32\povehana.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATI Remote Control"="c:\program files\ATI Multimedia\RemCtrl\ATIRW.exe" [2004-04-16 196608]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-28 68856]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 313472]

"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]

"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-10 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-03-12 114688]

"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"PS2"="c:\windows\system32\ps2.exe" [2002-08-01 81920]

"YBrowser"="c:\program files\Yahoo!\browser\ybrwicon.exe" [2003-07-11 57344]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-13 483328]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-03 29744]

"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2004-06-16 69705]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 84640]

"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2006-09-06 26248]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

qlock.lnk - c:\program files\Qlock\qlock.exe [2005-3-14 1468928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2005-10-22 25214]

EPSON SMART PANEL for Scanner.lnk - c:\program files\EPSON\EPSON SMART PANEL for Scanner\ESPMAIN.EXE [2003-11-22 180224]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPager.exe"=

"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [11/2/2009 10:05 PM 206256]

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 11:03 AM 169312]

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]

R2 RioPNP;RioPNP;c:\windows\system32\drivers\RioPnP.sys [10/21/2003 7:31 AM 6736]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/1/2009 10:20 PM 99176]

S0 szkg5;szkg;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]

S2 gupdate1c9106f549cdb70;Google Update Service (gupdate1c9106f549cdb70);c:\program files\Google\Update\GoogleUpdate.exe [9/6/2008 2:24 PM 133104]

S2 RIOUSB;RioPort.Com Rio500 USB Driver;c:\windows\system32\drivers\RioUsb.sys [10/21/2003 7:18 AM 10020]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [6/10/2006 8:27 AM 29744]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [11/2/2009 10:04 PM 348752]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

*NewlyCreated* - MBR

*Deregistered* - mbr

.

Contents of the 'Scheduled Tasks' folder

2009-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-06 22:23]

2009-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-06 22:23]

2009-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2812118526-93401058-2379829806-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-30 23:13]

2009-11-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2812118526-93401058-2379829806-500UA.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-30 23:13]

2009-11-02 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Administrator.job

- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2006-09-07 05:38]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uDefault_Search_URL = hxxp://srch-qus8.hpwis.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = localhost;*.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycdict.htm

Trusted Zone: brownpapertickets.com\www

Trusted Zone: intuit.com

Trusted Zone: turbotax.com

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {53C9A69F-A62B-4A09-9B04-F7395682B3AF} - hxxps://worksite.pillsburylaw.com/WorkSite/includes/iManFile.cab

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zyml2zxq.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zyml2zxq.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll

FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zyml2zxq.default\extensions\kodak-companion@mozilla.com\platform\WINNT_x86-msvc\components\mozFotofox.dll

FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll

FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll

FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJPI150_03.dll

FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPOJI610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll

FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll

FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-jobexec - c:\windows\System32\jobexec.exe

HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe

HKCU-Run-ATI Launchpad - (no file)

HKLM-Run-PRISMSVR.EXE - c:\windows\System32\PRISMSVR.EXE

HKLM-Run-kujavefik - c:\windows\system32\fodedozu.dll

HKLM-Run-nidadoyudi - hiduvudi.dll

SharedTaskScheduler-{b80c7ef4-a34d-47f6-b20e-15ccfb30ee0d} - c:\windows\system32\fodedozu.dll

SSODL-SysNet-{235AAC05-FA55-4646-A2CA-82397C8CD6D8} - c:\documents and settings\All Users\Microsoft AData\sysnet.dll

SSODL-zeyuwawir-{b80c7ef4-a34d-47f6-b20e-15ccfb30ee0d} - c:\windows\system32\fodedozu.dll

AddRemove-Malwarebytes' Anti-Malware_is1 - c:\program files\dave\unins000.exe

AddRemove-SBC Yahoo! UMUninstaller - c:\program files\SBC Yahoo!\umuninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-04 08:11

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2812118526-93401058-2379829806-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ba,1d,eb,4c,0c,48,ac,44,ba,7b,99,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ba,1d,eb,4c,0c,48,ac,44,ba,7b,99,\

[HKEY_USERS\S-1-5-21-2812118526-93401058-2379829806-500\Software\SecuROM\License information*]

"datasecu"=hex:49,ec,ea,a4,0e,09,50,56,63,22,98,6e,90,50,1d,f0,23,c3,40,a7,21,

f4,1a,55,9b,2c,21,b8,8b,0e,32,df,29,2f,af,39,8b,f0,8a,bd,66,5f,14,ff,ca,e3,\

"rkeysecu"=hex:fa,de,aa,8d,fd,91,9b,db,ef,64,66,f1,8c,35,40,be

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(580)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2112)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\progra~1\Yahoo!\browser\ycommon.exe

c:\program files\ATI Technologies\ATI.ACE\CLI.EXE

c:\windows\System32\rundll32.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\ATI Technologies\ATI.ACE\cli.exe

c:\program files\ATI Technologies\ATI.ACE\cli.exe

.

**************************************************************************

.

Completion time: 2009-11-04 8:27 - machine was rebooted

ComboFix-quarantined-files.txt 2009-11-04 16:27

Pre-Run: 2,385,465,344 bytes free

Post-Run: 4,527,882,240 bytes free

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Hi,

1) CFScript

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

c:\windows\system32\guyetisu.dll

c:\windows\system32\naveriju.dll

c:\windows\system32\povehana.dll

c:\windows\system32\wahewozi.dll

c:\windows\system32\yaveyayu.dll

Folder::

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87cfbaa5-068c-4f4c-9888-872ef576b65f}]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\DNA\\btdna.exe"=-

"c:\\Program Files\\uTorrent\\uTorrent.exe"=-

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2) OTL

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5
    %SYSTEMDRIVE%\vaxscsi.sys /s /md5

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in.

In your reply I would like to see copied and pasted,

1) ComboFix log

2) OTL logs

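Added example, not from this thread and not ComboFix's own code: a small Python triage script that applies, to constructed ComboFix-style lines modelled on the log above, the same checks the helper made by eye before writing the CFScript: system+hidden DLLs with random eight-letter names sitting directly in system32, a Browser Helper Object key that loads one of them, and the Security Center / firewall values that switch the user's own protection off. The regexes and the eight-letter-name heuristic are this example's assumptions, not rules ComboFix itself applies.

```python
"""Triage of ComboFix-style log text for the indicators acted on in this thread.

Added example; not part of the thread and not ComboFix's own code. The sample
lines are constructed after the posted log, and the heuristics below are this
example's assumptions rather than anything ComboFix itself implements.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: one clean system DLL, two of the hidden random-name DLLs,
# the BHO entry that loads one of them, and the protection-override values.
SAMPLE_LOG = r"""
2009-08-07 02:23 . 2003-07-15 20:59 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-02 13:50 . 2009-08-02 13:50 60928 --sha-w- c:\windows\system32\guyetisu.dll
2009-08-01 13:50 . 2009-08-01 13:50 52224 --sha-w- c:\windows\system32\povehana.dll
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87cfbaa5-068c-4f4c-9888-872ef576b65f}]
2009-08-01 13:50 52224 --sha-w- c:\windows\system32\povehana.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# "created . modified size attrs path" rows; the attribute field is the 8-character
# ComboFix string in which 's' marks system and 'h' marks hidden.
FILE_ROW = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)"
    r"\s+(?P<size>\d+|-{8})\s+(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*)$")
# Shorter "modified size attrs path" row printed under registry loading points.
REG_FILE_ROW = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+\d+\s+(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*)$")
KEY_ROW = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_ROW = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
# Eight lowercase letters plus .dll: the naming pattern of the files flagged above.
RANDOM_DLL = re.compile(r"^[a-z]{8}\.dll$")
SYSTEM32 = "c:\\windows\\system32\\"


def find_hidden_system_dlls(log: str) -> List[str]:
    """Files directly in system32 with system+hidden attributes and a random 8-letter name."""
    hits = []
    for line in log.splitlines():
        m = FILE_ROW.match(line.strip())
        if not m:
            continue
        attrs, low = m["attrs"], m["path"].strip().lower()
        directly_in_system32 = low.startswith(SYSTEM32) and "\\" not in low[len(SYSTEM32):]
        name = low.rsplit("\\", 1)[-1]
        if "s" in attrs and "h" in attrs and directly_in_system32 and RANDOM_DLL.match(name):
            hits.append(low)
    return hits


def parse_reg_int(value: str) -> int:
    """Read 'dword:00000001' or '0 (0x0)' style values as integers; ValueError otherwise."""
    value = value.strip()
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    return int(value.split()[0])


def find_protection_overrides(log: str) -> List[Tuple[str, str]]:
    """Security Center and firewall values that silence or disable the user's own protection."""
    findings, key = [], ""
    for line in log.splitlines():
        line = line.strip()
        k = KEY_ROW.match(line)
        if k:
            key = k["key"].lower()
            continue
        v = VALUE_ROW.match(line)
        if not v:
            continue
        try:
            num = parse_reg_int(v["value"])
        except ValueError:  # paths, hex blobs and quoted strings are not settings we score
            continue
        name = v["name"]
        if key.endswith("security center") and name == "AntiVirusOverride" and num == 1:
            findings.append((key, "AntiVirusOverride=1: Security Center antivirus warnings suppressed"))
        elif "security center\\monitoring" in key and name == "DisableMonitoring" and num == 1:
            findings.append((key, "DisableMonitoring=1: Security Center monitoring disabled"))
        elif key.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and num == 0:
            findings.append((key, "EnableFirewall=0: Windows Firewall turned off"))
    return findings


def find_bho_loading(log: str, flagged: List[str]) -> List[Tuple[str, str]]:
    """Browser Helper Object keys whose listed DLL is one of the flagged files."""
    findings, key = [], ""
    for line in log.splitlines():
        line = line.strip()
        k = KEY_ROW.match(line)
        if k:
            key = k["key"]
            continue
        m = REG_FILE_ROW.match(line)
        if m and "browser helper objects" in key.lower() and m["path"].strip().lower() in flagged:
            findings.append((key, m["path"].strip().lower()))
    return findings


def triage(log: str) -> Dict[str, list]:
    """Run all three checks and group the results by category."""
    hidden = find_hidden_system_dlls(log)
    return {
        "hidden_system_dlls": hidden,
        "bho_loading_flagged": find_bho_loading(log, hidden),
        "protection_overrides": find_protection_overrides(log),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("   ", item)
```

Each flagged path and registry key maps directly onto a File:: or Registry:: entry of the kind the CFScript above carries, so the output doubles as a checklist for what a removal script would need to cover.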

Ok, here is the 2nd ComboFix log; next post will include the OTL logs.

ComboFix 09-11-03.03 - Administrator 11/04/2009 20:12.2.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.985 [GMT -8:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FILE ::

"c:\windows\system32\guyetisu.dll"

"c:\windows\system32\naveriju.dll"

"c:\windows\system32\povehana.dll"

"c:\windows\system32\wahewozi.dll"

"c:\windows\system32\yaveyayu.dll"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\guyetisu.dll

c:\windows\system32\naveriju.dll

c:\windows\system32\povehana.dll

c:\windows\system32\wahewozi.dll

c:\windows\system32\yaveyayu.dll

.

((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))

.

2009-11-04 04:04 . 2009-11-04 04:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp

2009-11-04 00:49 . 2009-11-04 00:49 -------- d-----w- c:\program files\Trend Micro

2009-11-03 23:36 . 2009-11-04 00:46 -------- d-----w- c:\program files\Malwarebytes AntiMalware

2009-11-03 22:58 . 2009-11-03 22:58 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-11-03 16:19 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-03 16:19 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-03 14:50 . 2009-11-03 14:50 114 ---ha-w- C:\aaw7boot.cmd

2009-11-03 07:02 . 2009-11-03 07:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-11-03 06:57 . 2009-11-04 00:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-03 06:57 . 2009-11-03 06:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-11-03 06:06 . 2008-12-11 16:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-11-03 06:05 . 2009-08-24 22:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-11-03 06:05 . 2009-08-19 19:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-11-03 06:05 . 2009-11-03 06:09 -------- d-----w- c:\program files\Common Files\PC Tools

2009-11-03 06:04 . 2008-12-10 19:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2009-11-03 06:04 . 2009-11-03 06:51 -------- d-----w- c:\program files\Spyware Doctor

2009-11-03 06:04 . 2009-11-03 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-11-03 06:04 . 2009-11-03 06:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools

2009-11-03 06:04 . 2009-11-03 06:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-11-03 05:53 . 2009-11-03 05:53 -------- d-----w- c:\program files\Windows Defender

2009-11-03 01:09 . 2009-11-03 15:16 38352 ----a-w- c:\windows\regred.exe

2009-11-03 01:09 . 2009-11-03 15:16 33149 ----a-w- c:\windows\usexplorer.exe

2009-11-03 01:09 . 2009-11-03 15:16 47872 ----a-w- c:\windows\certsystem.exe

2009-11-03 01:09 . 2009-11-03 15:16 51197 ----a-w- c:\windows\spoov.exe

2009-11-02 15:56 . 2009-11-02 15:56 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2009-11-02 15:52 . 2009-11-03 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-11-02 06:11 . 2009-11-04 01:19 -------- d-----w- c:\program files\Norton Internet Security

2009-11-02 06:06 . 2009-11-02 14:58 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2009-11-02 06:06 . 2009-11-02 14:58 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2009-11-02 06:02 . 2009-11-02 14:58 -------- d-----w- c:\program files\Symantec

2009-11-01 01:45 . 2009-11-01 01:45 382976 ----a-w- c:\windows\system32\winsc.exe

2009-11-01 01:45 . 2009-11-03 15:16 28320 ----a-w- c:\windows\securits.com

2009-10-26 16:00 . 2009-10-26 16:00 -------- d-----w- c:\windows\system32\scripting

2009-10-26 16:00 . 2009-10-26 16:00 -------- d-----w- c:\windows\l2schemas

2009-10-26 16:00 . 2009-10-26 16:00 -------- d-----w- c:\windows\system32\en

2009-10-23 17:10 . 2009-10-23 17:10 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2009-10-23 16:40 . 2009-10-23 16:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2009-10-23 16:40 . 2009-10-23 16:40 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-10-23 16:40 . 2009-10-23 16:40 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-10-23 16:21 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2009-10-23 16:21 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2009-10-23 16:20 . 2009-10-24 10:01 -------- d-----w- c:\windows\ie8updates

2009-10-23 16:19 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll

2009-10-23 16:17 . 2009-10-23 16:18 -------- dc-h--w- c:\windows\ie8

2009-10-19 01:39 . 2009-10-19 01:39 -------- d--h--w- c:\windows\PIF

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-04 16:10 . 2007-05-21 00:38 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-11-04 04:08 . 2003-09-24 01:57 -------- d-----w- c:\program files\Google

2009-11-04 01:26 . 2003-04-24 14:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-11-02 14:58 . 2009-11-02 14:49 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2009-11-02 14:58 . 2009-11-02 14:49 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2009-10-22 10:11 . 2004-12-30 05:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype

2009-10-21 23:00 . 2007-12-02 18:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM

2009-10-19 02:08 . 2009-05-13 03:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent

2009-09-26 22:07 . 2009-09-26 22:05 -------- d-----w- c:\program files\iTunes

2009-09-26 22:05 . 2004-05-01 06:29 -------- d-----w- c:\program files\iPod

2009-09-26 22:05 . 2007-07-27 04:54 -------- d-----w- c:\program files\Common Files\Apple

2009-09-18 04:56 . 2009-09-18 04:56 51580 ---ha-w- c:\windows\system32\mlfcache.dat

2009-09-16 04:30 . 2003-12-20 22:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer

2009-09-15 05:31 . 2009-09-15 05:31 -------- d-----w- c:\program files\iPhone Configuration Utility

2009-09-15 05:29 . 2009-09-15 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

2009-09-15 05:25 . 2006-01-23 06:28 -------- d-----w- c:\program files\QuickTime

2009-09-15 03:24 . 2009-09-15 03:24 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys

2009-09-15 03:24 . 2009-09-15 03:24 -------- d-----w- c:\program files\Linksys Wireless-G PCI Wireless Network Monitor

2009-09-15 03:24 . 2003-04-24 15:18 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-11 14:18 . 2003-07-15 21:23 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-11 03:35 . 2009-09-11 03:35 -------- d-----w- c:\program files\Telltale Games

2009-09-04 21:03 . 2003-07-15 21:23 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-29 08:08 . 2006-06-23 19:33 916480 ------w- c:\windows\system32\wininet.dll

2009-08-29 02:42 . 2008-09-11 22:11 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-08-29 02:42 . 2007-09-15 03:36 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-08-26 08:00 . 2003-07-15 20:58 247326 ----a-w- c:\windows\system32\strmdll.dll

2008-09-03 14:51 . 2007-05-16 04:53 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-11-04_16.11.31 )))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATI Remote Control"="c:\program files\ATI Multimedia\RemCtrl\ATIRW.exe" [2004-04-16 196608]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-28 68856]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 313472]

"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]

"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-10 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-03-12 114688]

"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"PS2"="c:\windows\system32\ps2.exe" [2002-08-01 81920]

"YBrowser"="c:\program files\Yahoo!\browser\ybrwicon.exe" [2003-07-11 57344]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-13 483328]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-03 29744]

"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2004-06-16 69705]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 84640]

"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2006-09-06 26248]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

qlock.lnk - c:\program files\Qlock\qlock.exe [2005-3-14 1468928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [2005-10-22 25214]

EPSON SMART PANEL for Scanner.lnk - c:\program files\EPSON\EPSON SMART PANEL for Scanner\ESPMAIN.EXE [2003-11-22 180224]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPager.exe"=

"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [11/2/2009 10:05 PM 206256]

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]

R2 RioPNP;RioPNP;c:\windows\system32\drivers\RioPnP.sys [10/21/2003 7:31 AM 6736]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/1/2009 10:20 PM 99176]

S0 szkg5;szkg;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]

S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 11:03 AM 169312]

S2 gupdate1c9106f549cdb70;Google Update Service (gupdate1c9106f549cdb70);c:\program files\Google\Update\GoogleUpdate.exe [9/6/2008 2:24 PM 133104]

S2 RIOUSB;RioPort.Com Rio500 USB Driver;c:\windows\system32\drivers\RioUsb.sys [10/21/2003 7:18 AM 10020]

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [6/10/2006 8:27 AM 29744]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

*NewlyCreated* - MBR

*Deregistered* - mbr

*Deregistered* - PROCEXP113

.

Contents of the 'Scheduled Tasks' folder

2009-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-06 22:23]

2009-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-06 22:23]

2009-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2812118526-93401058-2379829806-500Core.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-30 23:13]

2009-11-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2812118526-93401058-2379829806-500UA.job

- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-30 23:13]

2009-11-02 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Administrator.job

- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2006-09-07 05:38]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uDefault_Search_URL = hxxp://srch-qus8.hpwis.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = localhost;*.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycdict.htm

Trusted Zone: brownpapertickets.com\www

Trusted Zone: intuit.com

Trusted Zone: turbotax.com

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {53C9A69F-A62B-4A09-9B04-F7395682B3AF} - hxxps://worksite.pillsburylaw.com/WorkSite/includes/iManFile.cab

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zyml2zxq.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zyml2zxq.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll

FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zyml2zxq.default\extensions\kodak-companion@mozilla.com\platform\WINNT_x86-msvc\components\mozFotofox.dll

FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll

FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll

FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJPI150_03.dll

FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPOJI610.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll

FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll

FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-04 20:26

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2812118526-93401058-2379829806-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ba,1d,eb,4c,0c,48,ac,44,ba,7b,99,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ba,1d,eb,4c,0c,48,ac,44,ba,7b,99,\

[HKEY_USERS\S-1-5-21-2812118526-93401058-2379829806-500\Software\SecuROM\License information*]

"datasecu"=hex:49,ec,ea,a4,0e,09,50,56,63,22,98,6e,90,50,1d,f0,23,c3,40,a7,21,

f4,1a,55,9b,2c,21,b8,8b,0e,32,df,29,2f,af,39,8b,f0,8a,bd,66,5f,14,ff,ca,e3,\

"rkeysecu"=hex:fa,de,aa,8d,fd,91,9b,db,ef,64,66,f1,8c,35,40,be

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(580)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2009-11-05 20:31

ComboFix-quarantined-files.txt 2009-11-05 04:30

ComboFix2.txt 2009-11-04 16:27

Pre-Run: 4,572,827,648 bytes free

Post-Run: 4,548,648,960 bytes free

Hi,

1) CFScript

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2) OTL

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5
    %SYSTEMDRIVE%\vaxscsi.sys /s /md5

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in.

In your reply I would like to see copied and pasted,

1) ComboFix log

2) OTL logs


and here is the first of the 2 OTL logs:

OTL Extras logfile created on: 11/4/2009 8:41:19 PM - Run 1

OTL by OldTimer - Version 3.1.3.3 Folder = C:\Documents and Settings\Administrator\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 0.94 Gb Available Physical Memory | 62.59% Memory free

2.01 Gb Paging File | 1.55 Gb Available in Paging File | 76.97% Paging File free

Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 68.77 Gb Total Space | 4.27 Gb Free Space | 6.21% Space Free | Partition Type: NTFS

Drive D: | 5.73 Gb Total Space | 2.26 Gb Free Space | 39.33% Space Free | Partition Type: FAT32

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: MACHINEOLOVE

Current User Name: Administrator

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.chm [@ = chm.file] -- "%SYSTEMROOT%\hh.exe" %1

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

.inf [@ = inffile] -- C:\WINDOWS\System32\NOTEPAD.EXE File not found

.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE File not found

.txt [@ = txtfile] -- C:\WINDOWS\System32\NOTEPAD.EXE File not found

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 File not found

batfile [open] -- "%1" %* File not found

batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 File not found

chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 File not found

cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 File not found

cmdfile [open] -- "%1" %* File not found

cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 File not found

comfile [open] -- "%1" %* File not found

exefile [open] -- "%1" %* File not found

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)

http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)

inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 File not found

inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 File not found

inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 File not found

inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 File not found

jsfile [edit] -- "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1" (Macromedia, Inc.)

jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 File not found

jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 File not found

jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 File not found

piffile [open] -- "%1" %* File not found

regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1 File not found

regfile [merge] -- Reg Error: Key error.

regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 File not found

scrfile [config] -- "%1" File not found

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S File not found

txtfile [edit] -- Reg Error: Key error.

txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 File not found

txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 File not found

txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" File not found

vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 File not found

vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 File not found

vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 File not found

vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 File not found

wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1 File not found

wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 File not found

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 1

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe" = C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe:*:Enabled:Yahoo! Messenger -- ()

"C:\PROGRA~1\Yahoo!\MESSEN~1\yserver.exe" = C:\PROGRA~1\Yahoo!\MESSEN~1\yserver.exe:*:Enabled:Yahoo! FT Server -- (Yahoo! Inc.)

"C:\WINDOWS\system32\fxsclnt.exe" = C:\WINDOWS\system32\fxsclnt.exe:*:Enabled:Microsoft Fax Console -- (Microsoft Corporation)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)

"C:\Program Files\TurboTax\Home & Business 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Home & Business 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)

"C:\Program Files\TurboTax\Home & Business 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Home & Business 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)

"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()

"C:\Program Files\Electronic Arts\EADM\Core.exe" = C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager -- (Electronic Arts)

"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)

"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath -- (Skype Technologies S.A.)

"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:firefox -- (Mozilla Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour

"{0837A661-FEC3-48B3-876C-91E7D32048A9}" = Macromedia Dreamweaver 8

"{083F79E4-6FE9-46FB-A6C6-4F8862742947}" = ATI HYDRAVISION

"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel

"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support

"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR

"{199FC15D-2E06-47BE-B3EA-CA086FCB94CF}" = Adobe Integrated Runtime (AIR)

"{1F7CCFA3-D926-4882-B2A5-A0217ED25597}" = PC-Doctor for Windows

"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer

"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation

"{2A267BC6-F77F-4DD4-825F-7AEB1F68B4B1}" = HpSdpAppCoreApp

"{2BD5C305-1B27-4D41-B690-7A61172D2FEB}" = Macromedia Flash 8

"{2C164906-E68F-462A-9010-70DD022223EF}" = RemoteCapture Task 1.0.2

"{2E7B6B00-5ECD-49A1-8FD4-4B647C5D8027}" = Adobe Captivate 3

"{3248F0A8-6813-11D6-A77B-00B0D0150030}" = J2SE Runtime Environment 5.0 Update 3

"{3347F781-9C89-4C9B-B471-B1FFC3BC4A84}" = ATIRW2

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{366FFC89-C800-4366-B903-B9C4314109A5}" = Garmin WebUpdater

"{3B0F52AC-EF5C-4831-B221-06C782E41280}" = Quicken 2008

"{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}" = ccCommon

"{3E2C691B-B7E6-4053-B5C3-94B8BC407E7A}" = Adobe Premiere Elements 4.0

"{48185814-A224-447a-81DA-71BD20580E1B}" = Norton Internet Security

"{4843B611-8FCB-4428-8C23-31D0A5EAE164}" = Norton Confidential Browser Component

"{48BD24F5-13DE-493A-A7CE-28A85113FF0C}" = HP Deskjet printer preloaded drivers

"{4DDC3BED-CC68-44AA-B435-D727B620CA5B}" = Linksys Wireless-G PCI Adapter

"{510D7787-C1B3-472C-86DF-C06273DAE60B}" = iPod Updater 2004-10-20

"{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}" = Macromedia Extension Manager

"{55937F00-A69B-4049-8D3A-1C7729742B6F}" = BUM

"{57DC8980-73DA-481E-AFD4-5E2D44B7F1AD}" = StuffIt Expander 2009

"{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}" = Norton Internet Security

"{5B30AA25-BF39-4BE4-8FEE-51938BAB214D}" = TurboTax 2008 wcaiper

"{5C6F884D-680C-448B-B4C9-22296EE1B206}" = Logitech Harmony Remote Software 7

"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype


and the 2nd of the 2 OTL logs:

OTL logfile created on: 11/4/2009 8:41:19 PM - Run 1

OTL by OldTimer - Version 3.1.3.3 Folder = C:\Documents and Settings\Administrator\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 0.94 Gb Available Physical Memory | 62.59% Memory free

2.01 Gb Paging File | 1.55 Gb Available in Paging File | 76.97% Paging File free

Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 68.77 Gb Total Space | 4.27 Gb Free Space | 6.21% Space Free | Partition Type: NTFS

Drive D: | 5.73 Gb Total Space | 2.26 Gb Free Space | 39.33% Space Free | Partition Type: FAT32

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: MACHINEOLOVE

Current User Name: Administrator

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe ()

PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)

PRC - C:\Program Files\Electronic Arts\EADM\Core.exe (Electronic Arts)

PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)

PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)

PRC - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)

PRC - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)

PRC - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

PRC - C:\WINDOWS\system32\ati2evxx.exe (ATI Technologies Inc.)

PRC - C:\WINDOWS\system32\ati2evxx.exe (ATI Technologies Inc.)

PRC - C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)

PRC - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe (ATI Technologies Inc.)

PRC - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe (ATI Technologies Inc.)

PRC - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe (ATI Technologies Inc.)

PRC - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)

PRC - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)

PRC - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe (Symantec Corporation)

PRC - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe (Symantec Corporation)

PRC - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe (Linksys)

PRC - C:\Program Files\ATI Multimedia\main\atidtct.exe (ATI Technologies Inc.)

PRC - C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE (ATI Technologies Inc.)

PRC - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe (GEMTEKS)

PRC - C:\Program Files\Yahoo!\browser\ycommon.exe (Yahoo!, Inc.)

PRC - C:\Program Files\Yahoo!\browser\ybrwicon.exe (Yahoo!, Inc.)

PRC - C:\hp\KBD\kbd.exe (Hewlett-Packard Company)

PRC - C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\ESPMAIN.EXE (NewSoft)

PRC - C:\WINDOWS\system\hpsysdrv.exe (Hewlett-Packard Company)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll (Microsoft Corporation)

MOD - C:\WINDOWS\system32\wbem\framedyn.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (x10nets) -- File not found

SRV - (WMP54Gv4SVC) -- File not found

SRV - (Symantec Core LC) -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe ()

SRV - (iPod Service) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)

SRV - (sdCoreService) -- C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools)

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)

SRV - (sdAuxService) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe (PC Tools)

SRV - (gusvc) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)

SRV - (Bonjour Service) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)

SRV - (IntuitUpdateService) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)

SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)

SRV - (AdobeActiveFileMonitor7.0) -- C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe (Adobe Systems Incorporated)

SRV - (gupdate1c9106f549cdb70) -- C:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)

SRV - (GoogleDesktopManager-061008-081103) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)

SRV - (FontCache3.0.0.0) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)

SRV - (idsvc) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)

SRV - (NetTcpPortSharing) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)

SRV - (clr_optimization_v2.0.50727_32) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)

SRV - (aspnet_state) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)

SRV - (helpsvc) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)

SRV - (LiveUpdate Notice Service) -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (Symantec Corporation)

SRV - (ATI Smart) -- C:\WINDOWS\system32\ati2sgag.exe ()

SRV - (Ati HotKey Poller) -- C:\WINDOWS\system32\ati2evxx.exe (ATI Technologies Inc.)

SRV - (WinDefend) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)

SRV - (WMPNetworkSvc) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

SRV - (ISPwdSvc) -- C:\Program Files\Norton Internet Security\isPwdSvc.exe (Symantec Corporation)

SRV - (comHost) -- C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe (Symantec Corporation)

SRV - (LiveUpdate Notice Ex) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)

SRV - (CLTNetCnService) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)

SRV - (ccSetMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)

SRV - (ccEvtMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)

SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE (Symantec Corporation)

SRV - (Automatic LiveUpdate Scheduler) -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (Symantec Corporation)

SRV - (SymAppCore) -- C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe (Symantec Corporation)

SRV - (Adobe LM Service) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (Adobe Systems)

SRV - (IDriverT) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)

SRV - (NVSvc) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)

========== Driver Services (SafeList) ==========

DRV - (catchme) -- File not found

DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation)

DRV - (AegisP) -- C:\WINDOWS\system32\drivers\AegisP.sys (Meetinghouse Data Communications)

DRV - (USBAAPL) -- C:\WINDOWS\system32\drivers\usbaapl.sys (Apple, Inc.)

DRV - (PCTCore) -- C:\WINDOWS\system32\drivers\PCTCore.sys (PC Tools)

DRV - (SYMTDI) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS (Symantec Corporation)

DRV - (SYMFW) -- C:\WINDOWS\System32\Drivers\SYMFW.SYS (Symantec Corporation)

DRV - (SYMIDS) -- C:\WINDOWS\System32\Drivers\SYMIDS.SYS (Symantec Corporation)

DRV - (SYMNDIS) -- C:\WINDOWS\System32\Drivers\SYMNDIS.SYS (Symantec Corporation)

DRV - (SYMREDRV) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS (Symantec Corporation)

DRV - (SYMDNS) -- C:\WINDOWS\System32\Drivers\SYMDNS.SYS (Symantec Corporation)

DRV - (GEARAspiWDM) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys (GEAR Software Inc.)

DRV - (usbaudio) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)

DRV - (PxHelp20) -- C:\WINDOWS\System32\DRIVERS\PxHelp20.sys (Sonic Solutions)

DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)

DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)

DRV - (SYMIDSCO) -- C:\Program Files\Common Files\Symantec Shared\SymcData\idsdefs\20060901.084\SymIDSCo.sys (Symantec Corporation)

DRV - (NAVEX15) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20060823.066\NAVEX15.SYS (Symantec Corporation)

DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)

DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)

DRV - (NAVENG) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20060823.066\NAVENG.SYS (Symantec Corporation)

DRV - (SRTSPL) -- C:\WINDOWS\system32\drivers\srtspl.sys (Symantec Corporation)

DRV - (SRTSP) -- C:\WINDOWS\system32\drivers\srtsp.sys (Symantec Corporation)

DRV - (SRTSPX) -- C:\WINDOWS\system32\drivers\srtspx.sys (Symantec Corporation)

DRV - (SPBBCDrv) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation)

DRV - (RimUsb) -- C:\WINDOWS\system32\drivers\RimUsb.sys (Research In Motion Limited)

DRV - (RIOUNIV) -- C:\WINDOWS\system32\drivers\RIOUNIV.SYS (Digital Networks North America, Inc.)

DRV - (RT61) -- C:\WINDOWS\system32\drivers\rt61.sys (Ralink Technology Inc.)

DRV - (MCSTRM) -- C:\WINDOWS\system32\drivers\mcstrm.sys (RealNetworks, Inc.)

DRV - (ALCXWDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)

DRV - (rtl8139) -- C:\WINDOWS\system32\drivers\rtl8139.sys (Realtek Semiconductor Corporation)

DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)

DRV - (S3Psddr) -- C:\WINDOWS\system32\drivers\s3gnbm.sys (S3 Graphics, Inc.)

DRV - (MDC8021X) -- C:\WINDOWS\system32\drivers\mdc8021x.sys (Meetinghouse Data Communications)

DRV - (ALCXSENS) -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS (Sensaura Ltd)

DRV - (ATI Remote Wonder II) -- C:\WINDOWS\system32\drivers\atirwvd.sys (Jungo)

DRV - ({6080A529-897E-4629-A488-ABA0C29B635E}) -- C:\WINDOWS\system32\drivers\ialmsbw.sys (Intel Corporation)

DRV - ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91}) -- C:\WINDOWS\system32\drivers\ialmkchw.sys (Intel Corporation)

DRV - (ialm) -- C:\WINDOWS\system32\drivers\ialmnt5.sys (Intel Corporation)

DRV - (ltmodem5) -- C:\WINDOWS\system32\drivers\ltmdmnt.sys (LT)

DRV - (SiS315) -- C:\WINDOWS\system32\drivers\sisgrp.sys (Silicon Integrated Systems Corporation)

DRV - (fasttx2k) -- C:\WINDOWS\System32\DRIVERS\fasttx2k.sys (Promise Technology, Inc.)

DRV - (viaagp1) -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.)

DRV - (SISAGP) -- C:\WINDOWS\System32\DRIVERS\SISAGPX.sys (Silicon Integrated Systems Corporation)

DRV - (NVENET) -- C:\WINDOWS\system32\drivers\NVENET.sys (NVIDIA Corporation)

DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)

DRV - (nv_agp) -- C:\WINDOWS\System32\DRIVERS\nv_agp.sys (NVIDIA Corporation)

DRV - (Ps2) -- C:\WINDOWS\system32\drivers\PS2.sys (Hewlett-Packard Company)

DRV - (PhilCam8116) -- C:\WINDOWS\system32\drivers\CamDrO21.sys (Microsoft Corporation)

DRV - (QCDonner) -- C:\WINDOWS\system32\drivers\OVCD.sys (Microsoft Corporation)

DRV - (RIOUSB) -- C:\WINDOWS\system32\drivers\RioUsb.sys (RioPort.Com)

DRV - (RioPNP) -- C:\WINDOWS\system32\drivers\RioPnP.sys (RioPort.com)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost;*.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"

FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="

FF - prefs.js..browser.search.selectedEngine: "Google"

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.1

FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.5

FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.6.2

FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.4

FF - prefs.js..extensions.enabledItems: {1280606b-2510-4fe0-97ef-9b5a22eafe41}:1.0.9

FF - prefs.js..extensions.enabledItems: {000a9d1c-beef-4f90-9363-039d445309b8}:0.5.33.0

FF - prefs.js..extensions.enabledItems: kodak-companion@mozilla.com:1.4

FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1

FF - prefs.js..extensions.enabledItems: {37E4D8EA-8BDA-4831-8EA1-89053939A250}:2.2.0.2

FF - prefs.js..extensions.enabledItems: {64161300-e22b-11db-8314-0800200c9a66}:0.9.1

FF - prefs.js..extensions.enabledItems: sxipper@sxip.com:2.2.2

FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.4

FF - prefs.js..extensions.enabledItems: {dd30bf68-268a-4815-ad48-8740b774c764}:4.2.4

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/07 02:01:21 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\{000a9d1c-beef-4f90-9363-039d445309b8}: C:\Program Files\Google\Google Gears\Firefox\ [2009/11/03 20:08:20 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.4\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/10/30 07:26:42 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.4\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/10/30 07:26:42 | 00,000,000 | ---D | M]

[2009/03/07 10:19:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions

[2009/03/07 10:19:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}

[2009/11/04 08:39:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zyml2zxq.default\extensions

[2009/05/29 19:17:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zyml2zxq.default\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe41}

[2009/08/07 19:13:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zyml2zxq.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2009/05/29 19:18:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zyml2zxq.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}

[2009/07/15 18:54:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zyml2zxq.default\extensions\{64161300-e22b-11db-8314-0800200c9a66}

[2009/03/07 15:43:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zyml2zxq.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}

[2009/08/20 18:59:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zyml2zxq.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

[2009/08/20 18:59:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zyml2zxq.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

[2009/05/08 22:09:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zyml2zxq.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}

[2009/07/15 18:53:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zyml2zxq.default\extensions\{dd30bf68-268a-4815-ad48-8740b774c764}

[2009/06/20 15:15:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zyml2zxq.default\extensions\kodak-companion@mozilla.com

[2009/05/29 19:17:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zyml2zxq.default\extensions\sxipper@sxip.com

[2009/03/07 10:19:27 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2009/10/30 07:26:42 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

[2009/10/30 07:26:31 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll

[2009/10/30 07:26:31 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll

[2008/09/03 06:51:30 | 00,122,880 | ---- | M] (Google) -- C:\Program Files\Mozilla Firefox\components\GoogleDesktopMozilla.dll

[2009/08/20 08:04:02 | 00,060,824 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll

[2007/12/19 04:57:38 | 00,310,272 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

[2009/10/30 07:26:35 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll

[2009/09/14 21:25:09 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll

[2009/09/14 21:25:10 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll

[2009/09/14 21:25:10 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll

[2009/09/14 21:25:10 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll

[2009/09/14 21:25:10 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll

[2009/09/14 21:25:10 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll

[2009/09/14 21:25:10 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll

[2009/08/31 18:24:33 | 00,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml

[2009/08/31 18:24:33 | 00,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml

[2009/08/31 18:24:33 | 00,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml

[2009/08/31 18:24:33 | 00,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml

[2009/08/31 18:24:33 | 00,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml

[2009/08/31 18:24:33 | 00,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml

[2009/08/31 18:24:33 | 00,000,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBHO.dll (Symantec Corporation)

O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()

O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll (Google Inc.)

O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (Google Inc.)

O2 - BHO: (Google Gears Helper) - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()

O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKLM\..\Toolbar: (Show Norton Toolbar) - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll (Symantec Corporation)

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O3 - HKCU\..\Toolbar\ShellBrowser: (&Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()

O3 - HKCU\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKCU\..\Toolbar\WebBrowser: (&Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()

O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)

O4 - HKLM..\Run: [AlcxMonitor] C:\WINDOWS\ALCXMNTR.EXE (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\atidtct.exe (ATI Technologies Inc.)

O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe ()

O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)

O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)

O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)

O4 - HKLM..\Run: [hpsysdrv] c:\WINDOWS\system\hpsysdrv.exe (Hewlett-Packard Company)

O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

O4 - HKLM..\Run: [KBD] C:\hp\KBD\kbd.exe (Hewlett-Packard Company)

O4 - HKLM..\Run: [osCheck] C:\Program Files\Norton Internet Security\osCheck.exe (Symantec Corporation)

O4 - HKLM..\Run: [PS2] C:\WINDOWS\system32\ps2.EXE (Hewlett-Packard Company)

O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)

O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()

O4 - HKLM..\Run: [symantec PIF AlertEng] C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (Symantec Corporation)

O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4 - HKLM..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe (Yahoo!, Inc.)

O4 - HKCU..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE (ATI Technologies Inc.)

O4 - HKCU..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe (Electronic Arts)

O4 - HKCU..\Run: [Google Update] C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)

O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe (Adobe Systems Incorporated)

O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\qlock.lnk = C:\Program Files\Qlock\qlock.exe ()

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe ()

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\ESPMAIN.EXE (NewSoft)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O8 - Extra context menu item: &Yahoo! Search - C:\Program Files\Yahoo!\Common [2007/11/30 08:13:40 | 00,000,000 | ---D | M]

O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)

O8 - Extra context menu item: Yahoo! &Dictionary - C:\Program Files\Yahoo!\Common [2007/11/30 08:13:40 | 00,000,000 | ---D | M]

O8 - Extra context menu item: Yahoo! &Maps - C:\Program Files\Yahoo!\Common [2007/11/30 08:13:40 | 00,000,000 | ---D | M]

O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\npjava131_04.dll File not found

O9 - Extra 'Tools' menuitem : &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll (Google Inc.)

O9 - Extra Button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (Yahoo! Inc.)

O9 - Extra 'Tools' menuitem : Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (Yahoo! Inc.)

O9 - Extra Button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (Yahoo! Inc.)

O9 - Extra 'Tools' menuitem : Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (Yahoo! Inc.)

O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.

O15 - HKCU\..Trusted Domains: brownpapertickets.com ([www] http in Trusted sites)

O15 - HKCU\..Trusted Domains: intuit.com ([]* in Trusted sites)

O15 - HKCU\..Trusted Domains: turbotax.com ([]http in Trusted sites)

O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)

O15 - HKCU\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/templates/ieawsdc.cab (Microsoft Office Template and Media Control)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object)

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/7.../OGAControl.cab (Office Genuine Advantage Validation Tool)

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} http://www.ipix.com/download/ipixx.cab (iPIX ActiveX Control)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b...heckControl.cab (Windows Genuine Advantage Validation Tool)

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} C:\Program Files\Yahoo!\common\yinsthelper.dll (YInstStarter Class)

O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} http://www.ipswitch.com/_installs/wsftp_le/setup.exe (InstallShield Setup Player 2K2)

O16 - DPF: {53C9A69F-A62B-4A09-9B04-F7395682B3AF} https://worksite.pillsburylaw.com/WorkSite/...es/iManFile.cab (WebTransferCtrl Class)

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe (Reg Error: Key error.)

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symantec.com/activex/symdlmgr.cab (Symantec Download Manager)

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab (Ofoto Upload Manager Class)

O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab (Kodak Gallery Easy Upload Manager Class)

O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab (Kodak Gallery Easy Upload Manager Class)

O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} http://tsweb.haas.berkeley.edu/msrdp.cab (Microsoft RDP Client Control (redist))

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_03)

O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} http://tsweb.haas.berkeley.edu/msrdp.cab (Microsoft RDP Client Control (redist))

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/...7885.3684143519 (Reg Error: Key error.)

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} http://download.yahoo.com/dl/installs/yab_af.cab (YAddBook Class)

O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} http://us.dl1.yimg.com/download.yahoo.com/...ropper1_1us.cab (Yahoo! Photos Easy Upload Tool Class)

O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_03)

O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab (PhotosCtrl Class)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://pillsburylaw.webex.com/client/T26L/webex/ieatgpc.cab (GpcContainer Class)

O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)

O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254

O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)

O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ipp - No CLSID value found

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp - No CLSID value found

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)

O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)

O24 - Desktop Components:0 (My Current Home Page) - About:Home

O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2008/08/08 20:02:40 | 00,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2001/07/28 06:07:38 | 00,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]

O34 - HKLM BootExecute: (autocheck) - File not found

O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)

O34 - HKLM BootExecute: (*) - File not found

O35 - comfile [open] -- "%1" %* File not found

O35 - exefile [open] -- "%1" %* File not found

NetSvcs: 6to4 - File not found

NetSvcs: Ias - C:\WINDOWS\system32\ias [2003/07/15 13:47:58 | 00,000,000 | ---D | M]

NetSvcs: Iprip - File not found

NetSvcs: Irmon - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: WmdmPmSp - File not found

NetSvcs: helpsvc - C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2009/11/04 20:34:05 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp

[2009/11/04 20:09:14 | 00,000,000 | ---D | C] -- C:\ComboFix

[2009/11/04 20:06:39 | 00,528,384 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

[2009/11/04 07:14:22 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2009/11/04 07:14:21 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2009/11/04 07:14:21 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2009/11/04 07:14:21 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2009/11/04 07:10:32 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2009/11/04 07:02:17 | 00,000,000 | ---D | C] -- C:\Qoobox

[2009/11/03 16:49:03 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2009/11/03 16:48:43 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator\Desktop\HJTInstall.exe

[2009/11/03 15:43:18 | 03,550,592 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\Administrator\Desktop\winlogon.exe

[2009/11/03 15:36:43 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes AntiMalware

[2009/11/03 08:19:55 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2009/11/03 08:19:53 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2009/11/03 07:22:57 | 00,000,000 | ---D | C] -- C:\Config.Msi

[2009/11/03 07:15:18 | 04,045,528 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\dave.exe

[2009/11/02 23:02:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes

[2009/11/02 22:57:33 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2009/11/02 22:57:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2009/11/02 22:06:02 | 00,159,600 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys

[2009/11/02 22:05:20 | 00,206,256 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys

[2009/11/02 22:05:19 | 00,086,888 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys

[2009/11/02 22:05:00 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools

[2009/11/02 22:04:59 | 00,064,392 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys

[2009/11/02 22:04:49 | 00,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor

[2009/11/02 22:04:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools

[2009/11/02 22:04:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\PC Tools

[2009/11/02 22:04:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2009/11/02 21:53:37 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Defender

[2009/11/02 21:47:50 | 00,390,656 | ---- | C] (iS3, Inc.) -- C:\Documents and Settings\Administrator\Desktop\STOPzilla_Setup.exe

[2009/11/02 07:56:59 | 00,093,360 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys

[2009/11/02 07:52:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft

[2009/11/01 22:11:06 | 00,000,000 | ---D | C] -- C:\Program Files\Norton Internet Security

[2009/11/01 22:06:37 | 00,124,464 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS

[2009/11/01 22:06:37 | 00,060,808 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL

[2009/11/01 22:02:07 | 00,000,000 | ---D | C] -- C:\Program Files\Symantec

[2009/10/26 08:00:49 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting

[2009/10/26 08:00:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\l2schemas

[2009/10/26 08:00:41 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en

[2009/10/26 08:00:41 | 00,000,000 | ---D | C] -- C:\Program Files\msn

[2009/10/23 09:10:21 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\PrivacIE

[2009/10/23 08:40:14 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\IETldCache

[2009/10/23 08:21:02 | 00,246,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieproxy.dll

[2009/10/23 08:21:02 | 00,012,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpshims.dll

[2009/10/23 08:20:57 | 00,000,000 | ---D | C] -- C:\WINDOWS\ie8updates

[2009/10/23 08:19:43 | 00,100,352 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iecompat.dll

[2009/10/23 08:17:17 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie8

[2009/10/18 17:39:27 | 00,000,000 | -H-D | C] -- C:\WINDOWS\PIF

[2009/10/06 05:35:47 | 00,267,597 | ---- | C] (Natl. Inst.of Stand.and Tech.) -- C:\Documents and Settings\Administrator\Desktop\nistime-32bit.exe

[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2049/12/31 15:00:00 | 00,095,885 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Ben Month 4_06 15 08_0017.jpg

[2009/11/04 20:32:01 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2009/11/04 20:26:25 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2009/11/04 20:06:47 | 00,528,384 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

[2009/11/04 20:05:39 | 07,602,176 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT

[2009/11/04 20:04:00 | 00,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2009/11/04 20:01:00 | 00,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2812118526-93401058-2379829806-500UA.job

[2009/11/04 08:13:20 | 00,002,335 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

[2009/11/04 08:12:05 | 00,000,187 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.DAT

[2009/11/04 08:11:03 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2009/11/04 08:10:34 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2009/11/04 08:10:19 | 00,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2009/11/04 08:10:03 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2009/11/04 08:09:54 | 16,101,41696 | -HS- | M] () -- C:\hiberfil.sys

[2009/11/04 08:04:18 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\sukusuwa

[2009/11/04 06:57:23 | 03,533,737 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

[2009/11/03 16:49:09 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator\Desktop\HJTInstall.exe

[2009/11/03 16:49:04 | 00,001,742 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk

[2009/11/03 16:15:48 | 00,000,590 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2009/11/03 15:43:36 | 03,550,592 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\Administrator\Desktop\winlogon.exe

[2009/11/03 15:33:31 | 04,045,528 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\dave.exe

[2009/11/03 07:16:02 | 00,047,872 | ---- | M] () -- C:\WINDOWS\certsystem.exe

[2009/11/03 07:16:02 | 00,038,352 | ---- | M] () -- C:\WINDOWS\regred.exe

[2009/11/03 07:16:02 | 00,033,149 | ---- | M] () -- C:\WINDOWS\usexplorer.exe

[2009/11/03 07:16:01 | 00,051,197 | ---- | M] () -- C:\WINDOWS\spoov.exe

[2009/11/03 07:16:01 | 00,028,320 | ---- | M] () -- C:\WINDOWS\securits.com

[2009/11/03 06:50:40 | 00,000,114 | -H-- | M] () -- C:\aaw7boot.cmd

[2009/11/02 23:03:02 | 00,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI

[2009/11/02 22:05:04 | 00,001,645 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk

[2009/11/02 21:47:53 | 00,390,656 | ---- | M] (iS3, Inc.) -- C:\Documents and Settings\Administrator\Desktop\STOPzilla_Setup.exe

[2009/11/02 08:01:03 | 00,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2812118526-93401058-2379829806-500Core.job

[2009/11/02 07:58:42 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini

[2009/11/02 07:56:42 | 00,093,360 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys

[2009/11/02 06:58:04 | 00,124,464 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS

[2009/11/02 06:58:04 | 00,060,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL

[2009/11/02 06:58:04 | 00,010,635 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT

[2009/11/02 06:58:04 | 00,000,806 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF

[2009/11/02 06:45:38 | 00,000,580 | ---- | M] () -- C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Administrator.job

[2009/11/01 22:23:30 | 00,001,954 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton Internet Security.lnk

[2009/11/01 14:58:35 | 00,200,192 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2009/11/01 14:12:21 | 00,004,566 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2009/11/01 14:12:13 | 00,510,494 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2009/11/01 14:12:13 | 00,434,138 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2009/11/01 14:12:13 | 00,068,042 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2009/11/01 10:27:53 | 00,000,792 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\EA Download Manager.lnk

[2009/11/01 10:07:40 | 00,000,595 | ---- | M] () -- C:\Personal Guard 2009.lnk

[2009/10/31 17:45:08 | 00,382,976 | ---- | M] () -- C:\WINDOWS\System32\winsc.exe

[2009/10/26 09:46:58 | 00,433,328 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2009/10/26 07:53:29 | 00,250,048 | RHS- | M] () -- C:\ntldr

[2009/10/25 06:11:34 | 00,077,312 | ---- | M] () -- C:\WINDOWS\MBR.exe

[2009/10/18 07:31:37 | 00,002,257 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk

[2009/10/16 09:39:24 | 00,155,045 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\jessica-gift.jpg

[2009/10/11 08:10:09 | 00,236,544 | ---- | M] () -- C:\WINDOWS\PEV.exe

[2009/10/07 14:56:18 | 00,109,009 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\maddie-1.jpg

[2009/10/07 10:41:49 | 00,104,363 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\10 02 09 Tobys Birth_0113.jpg

[2009/10/07 10:40:31 | 00,064,880 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\10 02 09 Tobys Birth_0097.jpg

[2009/10/06 05:35:47 | 00,267,597 | ---- | M] (Natl. Inst.of Stand.and Tech.) -- C:\Documents and Settings\Administrator\Desktop\nistime-32bit.exe

[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/11/04 07:14:22 | 00,236,544 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2009/11/04 07:14:22 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2009/11/04 07:14:21 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2009/11/04 07:14:21 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2009/11/04 07:14:21 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2009/11/04 06:56:17 | 03,533,737 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

[2009/11/03 16:49:04 | 00,001,742 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk

[2009/11/03 08:19:59 | 00,000,590 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2009/11/03 06:50:40 | 00,000,114 | -H-- | C] () -- C:\aaw7boot.cmd

[2009/11/02 23:03:02 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI

[2009/11/02 22:05:20 | 00,007,396 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctcore.cat

[2009/11/02 22:05:04 | 00,001,645 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk

[2009/11/02 17:09:01 | 00,038,352 | ---- | C] () -- C:\WINDOWS\regred.exe

[2009/11/02 17:09:01 | 00,033,149 | ---- | C] () -- C:\WINDOWS\usexplorer.exe

[2009/11/02 17:09:00 | 00,051,197 | ---- | C] () -- C:\WINDOWS\spoov.exe

[2009/11/02 17:09:00 | 00,047,872 | ---- | C] () -- C:\WINDOWS\certsystem.exe

[2009/11/02 06:49:59 | 00,010,635 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT

[2009/11/02 06:49:59 | 00,000,806 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF

[2009/11/02 06:45:38 | 00,000,580 | ---- | C] () -- C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Administrator.job

[2009/11/01 22:23:30 | 00,001,954 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Norton Internet Security.lnk

[2009/11/01 10:07:40 | 00,000,595 | ---- | C] () -- C:\Personal Guard 2009.lnk

[2009/10/31 17:45:08 | 00,382,976 | ---- | C] () -- C:\WINDOWS\System32\winsc.exe

[2009/10/31 17:45:07 | 00,028,320 | ---- | C] () -- C:\WINDOWS\securits.com

[2009/10/16 09:39:24 | 00,155,045 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\jessica-gift.jpg

[2009/10/07 14:56:16 | 00,109,009 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\maddie-1.jpg

[2009/10/07 10:41:48 | 00,104,363 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\10 02 09 Tobys Birth_0113.jpg

[2009/10/07 10:40:31 | 00,064,880 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\10 02 09 Tobys Birth_0097.jpg

[2009/09/14 19:24:34 | 00,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll

[2009/09/14 19:24:10 | 00,000,920 | ---- | C] () -- C:\WINDOWS\System32\WLAN.INI

[2008/08/05 16:58:43 | 00,000,088 | ---- | C] () -- C:\WINDOWS\QTW.INI

[2008/08/05 16:58:35 | 00,063,488 | ---- | C] () -- C:\WINDOWS\xobglu16.dll

[2008/08/05 16:58:35 | 00,023,552 | ---- | C] () -- C:\WINDOWS\xobglu32.dll

[2008/02/18 22:33:34 | 00,446,352 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll

[2007/12/02 10:45:07 | 00,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat

[2007/03/05 13:34:28 | 00,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL

[2007/01/21 09:39:23 | 00,133,724 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Cosmos Prefs

[2007/01/02 18:33:40 | 00,000,000 | ---- | C] () -- C:\WINDOWS\ATIMMC.INI

[2006/10/24 21:13:14 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll

[2006/06/29 13:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

[2006/06/29 13:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont

[2006/04/18 14:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont

[2006/04/18 14:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont

[2006/04/14 07:31:53 | 00,001,359 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

[2005/06/22 16:10:51 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll

[2005/03/30 18:37:43 | 00,000,032 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2005/03/07 20:55:50 | 00,014,848 | ---- | C] () -- C:\WINDOWS\System32\samvcumd.dll

[2004/12/12 20:58:26 | 00,000,009 | ---- | C] () -- C:\WINDOWS\sierra.ini

[2004/11/13 15:47:38 | 00,385,024 | ---- | C] () -- C:\WINDOWS\_MWOLTB.DLL

[2004/09/11 09:52:48 | 00,000,035 | ---- | C] () -- C:\WINDOWS\A6W.INI

[2004/06/30 20:16:05 | 00,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI

[2004/05/02 11:08:30 | 00,059,112 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT

[2004/02/24 21:24:24 | 00,000,048 | ---- | C] () -- C:\WINDOWS\PerWin.ini

[2004/01/28 11:42:06 | 00,013,601 | ---- | C] () -- C:\WINDOWS\System32\vctest.ini

[2003/12/18 22:06:56 | 00,000,037 | ---- | C] () -- C:\WINDOWS\ipixActivex.ini

[2003/11/22 18:35:59 | 00,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI

[2003/11/22 18:35:20 | 00,000,072 | ---- | C] () -- C:\WINDOWS\System32\epDPE.ini

[2003/11/22 18:35:19 | 00,096,768 | ---- | C] () -- C:\WINDOWS\SlantAdj.dll

[2003/11/22 18:33:55 | 00,000,018 | ---- | C] () -- C:\WINDOWS\Epson1240U.ini

[2003/10/21 07:23:43 | 00,000,278 | ---- | C] () -- C:\WINDOWS\Riorio.INI

[2003/10/19 15:27:38 | 00,059,112 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

[2003/10/18 09:42:15 | 00,003,674 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini

[2003/10/17 12:41:23 | 00,200,192 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2003/10/10 12:16:09 | 00,000,074 | ---- | C] () -- C:\WINDOWS\eFaxView.ini

[2003/10/05 14:59:16 | 00,000,249 | ---- | C] () -- C:\WINDOWS\qwimp.ini

[2003/09/20 23:12:03 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2003/04/24 08:15:47 | 00,094,208 | ---- | C] () -- C:\WINDOWS\System32\PcdrKernelModeServices.dll

[2003/04/24 08:15:47 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\ProgressTrace.dll

[2003/04/24 08:01:14 | 00,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll

[2003/04/24 07:58:25 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\syscontr.dll

[2003/04/24 07:58:24 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll

[2003/04/24 07:49:54 | 00,000,165 | ---- | C] () -- C:\WINDOWS\Quicken.ini

[2003/04/24 07:26:31 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

[2003/04/24 07:19:18 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2003/04/24 07:02:19 | 06,436,638 | -H-- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db

[2003/04/24 07:00:38 | 00,000,051 | ---- | C] () -- C:\WINDOWS\System32\mshrml.ini

[2003/04/24 06:55:42 | 00,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll

[2003/04/24 06:55:42 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll

[2003/04/24 06:55:17 | 00,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll

[2003/04/24 06:43:48 | 00,000,813 | ---- | C] () -- C:\WINDOWS\orun32.ini

[2003/04/24 06:43:09 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Administrator\Application Data\desktop.ini

[2003/04/24 06:27:53 | 00,000,552 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini

[2003/04/24 06:27:33 | 00,000,807 | ---- | C] () -- C:\WINDOWS\win.ini

[2003/04/24 06:27:30 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini

[2003/04/24 05:41:49 | 00,000,438 | ---- | C] () -- C:\WINDOWS\System32\1_ssetup.ini

[2003/04/24 05:41:49 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\sunistlog.ini

[2003/04/23 23:32:11 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini

[2003/03/19 15:50:18 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[2002/05/24 07:00:00 | 00,208,896 | ---- | C] () -- C:\WINDOWS\System32\lockout.dll

[2002/05/24 07:00:00 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\lockres.dll

========== LOP Check ==========

[2009/05/03 09:02:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Amazon

[2007/11/23 23:54:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ATI

[2007/01/02 18:33:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ATI MMC

[2007/10/06 16:59:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\BitTorrent

[2008/03/14 06:37:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\BitTorrent DNA

[2007/11/25 11:04:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\com.adobe.amp

[2008/09/03 20:25:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\DNA

[2004/02/15 10:16:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\EPSON

[2005/10/02 20:28:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\interMute

[2003/10/17 12:40:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\InterVideo

[2006/10/29 10:01:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Opera

[2003/04/24 07:59:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SampleView

[2008/12/14 11:06:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SecondLife

[2008/10/20 20:19:42 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Administrator\Application Data\SecuROM

[2008/10/20 20:21:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SPORE

[2008/08/27 20:37:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SPORE Creature Creator

[2009/10/18 18:08:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\uTorrent

[2003/09/22 16:39:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\VERITAS

[2009/08/20 08:06:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\webex

[2007/05/24 22:12:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\X10 Commander

[2007/07/15 17:09:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ATI MMC

[2006/12/16 12:36:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA

[2009/03/20 08:44:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Electronic Arts

[2006/10/29 08:21:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\espionServerData

[2009/11/02 22:59:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2007/10/03 22:40:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip

[2009/03/14 12:39:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

[2009/09/14 21:29:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

[2009/05/02 09:11:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

[2002/09/22 17:43:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini

[2009/11/04 20:32:01 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

[2005/10/31 07:56:00 | 00,700,416 | ---- | M] (LimeWire) -- C:\StubInstaller.exe

< %SYSTEMDRIVE%\eventlog.dll /s /md5 >

[2004/08/03 23:56:42 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll

[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll

[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll

[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\scecli.dll /s /md5 >

[2004/08/03 23:56:44 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll

[2008/04/13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll

[2008/04/13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll

[2008/04/13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll

[2008/04/13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\netlogon.dll /s /md5 >

[2009/02/06 10:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll

[2009/02/06 10:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll

[2004/08/03 23:56:44 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

[2008/04/13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll

[2008/04/13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll

[2008/04/13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll

[2008/04/13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\cngaudit.dll /s /md5 >

< %SYSTEMDRIVE%\sceclt.dll /s /md5 >

< %SYSTEMDRIVE%\ntelogon.dll /s /md5 >

< %SYSTEMDRIVE%\logevent.dll /s /md5 >

< %SYSTEMDRIVE%\iaStor.sys /s /md5 >

< %SYSTEMDRIVE%\nvstor.sys /s /md5 >

< %SYSTEMDRIVE%\atapi.sys /s /md5 >

[2004/08/03 21:59:42 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

[2002/09/22 09:55:00 | 00,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\$NtUninstallQ331958$\atapi.sys

[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys

[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys

[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys

[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< %SYSTEMDRIVE%\IdeChnDr.sys /s /md5 >

< %SYSTEMDRIVE%\viasraid.sys /s /md5 >

< %SYSTEMDRIVE%\AGP440.sys /s /md5 >

[2004/08/03 22:07:41 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys

[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys

[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\agp440.sys

[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< %SYSTEMDRIVE%\vaxscsi.sys /s /md5 >

========== Alternate Data Streams ==========

@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >

and here is the first of the 2 OTL logs:

OTL Extras logfile created on: 11/4/2009 8:41:19 PM - Run 1

OTL by OldTimer - Version 3.1.3.3 Folder = C:\Documents and Settings\Administrator\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 0.94 Gb Available Physical Memory | 62.59% Memory free

2.01 Gb Paging File | 1.55 Gb Available in Paging File | 76.97% Paging File free

Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 68.77 Gb Total Space | 4.27 Gb Free Space | 6.21% Space Free | Partition Type: NTFS

Drive D: | 5.73 Gb Total Space | 2.26 Gb Free Space | 39.33% Space Free | Partition Type: FAT32

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: MACHINEOLOVE

Current User Name: Administrator

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.chm [@ = chm.file] -- "%SYSTEMROOT%\hh.exe" %1

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

.inf [@ = inffile] -- C:\WINDOWS\System32\NOTEPAD.EXE File not found

.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE File not found

.txt [@ = txtfile] -- C:\WINDOWS\System32\NOTEPAD.EXE File not found

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 File not found

batfile [open] -- "%1" %* File not found

batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 File not found

chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 File not found

cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 File not found

cmdfile [open] -- "%1" %* File not found

cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 File not found

comfile [open] -- "%1" %* File not found

exefile [open] -- "%1" %* File not found

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)

http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)

inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 File not found

inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 File not found

inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 File not found

inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 File not found

jsfile [edit] -- "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1" (Macromedia, Inc.)

jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 File not found

jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 File not found

jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 File not found

piffile [open] -- "%1" %* File not found

regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1 File not found

regfile [merge] -- Reg Error: Key error.

regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 File not found

scrfile [config] -- "%1" File not found

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S File not found

txtfile [edit] -- Reg Error: Key error.

txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 File not found

txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 File not found

txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" File not found

vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 File not found

vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 File not found

vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 File not found

vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 File not found

wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1 File not found

wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 File not found

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 1

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe" = C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe:*:Enabled:Yahoo! Messenger -- ()

"C:\PROGRA~1\Yahoo!\MESSEN~1\yserver.exe" = C:\PROGRA~1\Yahoo!\MESSEN~1\yserver.exe:*:Enabled:Yahoo! FT Server -- (Yahoo! Inc.)

"C:\WINDOWS\system32\fxsclnt.exe" = C:\WINDOWS\system32\fxsclnt.exe:*:Enabled:Microsoft Fax Console -- (Microsoft Corporation)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)

"C:\Program Files\TurboTax\Home & Business 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Home & Business 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)

"C:\Program Files\TurboTax\Home & Business 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Home & Business 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)

"C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()

"C:\Program Files\Electronic Arts\EADM\Core.exe" = C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager -- (Electronic Arts)

"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)

"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath -- (Skype Technologies S.A.)

"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:firefox -- (Mozilla Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour

"{0837A661-FEC3-48B3-876C-91E7D32048A9}" = Macromedia Dreamweaver 8

"{083F79E4-6FE9-46FB-A6C6-4F8862742947}" = ATI HYDRAVISION

"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel

"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support

"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR

"{199FC15D-2E06-47BE-B3EA-CA086FCB94CF}" = Adobe Integrated Runtime (AIR)

"{1F7CCFA3-D926-4882-B2A5-A0217ED25597}" = PC-Doctor for Windows

"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer

"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation

"{2A267BC6-F77F-4DD4-825F-7AEB1F68B4B1}" = HpSdpAppCoreApp

"{2BD5C305-1B27-4D41-B690-7A61172D2FEB}" = Macromedia Flash 8

"{2C164906-E68F-462A-9010-70DD022223EF}" = RemoteCapture Task 1.0.2

"{2E7B6B00-5ECD-49A1-8FD4-4B647C5D8027}" = Adobe Captivate 3

"{3248F0A8-6813-11D6-A77B-00B0D0150030}" = J2SE Runtime Environment 5.0 Update 3

"{3347F781-9C89-4C9B-B471-B1FFC3BC4A84}" = ATIRW2

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{366FFC89-C800-4366-B903-B9C4314109A5}" = Garmin WebUpdater

"{3B0F52AC-EF5C-4831-B221-06C782E41280}" = Quicken 2008

"{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}" = ccCommon

"{3E2C691B-B7E6-4053-B5C3-94B8BC407E7A}" = Adobe Premiere Elements 4.0

"{48185814-A224-447a-81DA-71BD20580E1B}" = Norton Internet Security

"{4843B611-8FCB-4428-8C23-31D0A5EAE164}" = Norton Confidential Browser Component

"{48BD24F5-13DE-493A-A7CE-28A85113FF0C}" = HP Deskjet printer preloaded drivers

"{4DDC3BED-CC68-44AA-B435-D727B620CA5B}" = Linksys Wireless-G PCI Adapter

"{510D7787-C1B3-472C-86DF-C06273DAE60B}" = iPod Updater 2004-10-20

"{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}" = Macromedia Extension Manager

"{55937F00-A69B-4049-8D3A-1C7729742B6F}" = BUM

"{57DC8980-73DA-481E-AFD4-5E2D44B7F1AD}" = StuffIt Expander 2009

"{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}" = Norton Internet Security

"{5B30AA25-BF39-4BE4-8FEE-51938BAB214D}" = TurboTax 2008 wcaiper

"{5C6F884D-680C-448B-B4C9-22296EE1B206}" = Logitech Harmony Remote Software 7

"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype

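The "Security Center Settings" section of the OTL log above is worth reading closely: "AntiVirusOverride" = 1, "DisableMonitoring" = 1 under the Monitoring key, "EnableFirewall" = 0 on the Standard profile, and the NetBIOS/SMB ports (137, 138, 139, 445) opened on the Domain profile with scope "*" rather than LocalSubNet. Those are the registry values a rogue like this one typically flips so Windows stops warning the user. The following Python script is an added example, not part of this thread and not OTL's own code: it parses the registry-dump format OTL prints and flags those weak settings. The sample input is copied from the log above; the list of "weak" values and the wording of the findings are this example's own choices.

```python
"""Triage helper for the "Security Center Settings" section of an OTL log.

Added example (not OTL code). Parses "[HKEY_...]" key lines followed by
'"name" = value' lines and flags values that mean Security Center
monitoring or the host firewall has been switched off.
"""
import re
from collections import OrderedDict

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

# (registry path suffix, value name, value treated as weak, finding text)
# Assumption of this example: these are the values worth alerting on.
WEAK_SETTINGS = [
    ("Security Center", "AntiVirusOverride", "1",
     "Security Center told to ignore antivirus state"),
    ("Security Center", "FirewallOverride", "1",
     "Security Center told to ignore firewall state"),
    ("Security Center\\Monitoring", "DisableMonitoring", "1",
     "Security Center monitoring disabled globally"),
    ("FirewallPolicy\\StandardProfile", "EnableFirewall", "0",
     "Windows Firewall disabled on Standard profile"),
    ("FirewallPolicy\\DomainProfile", "EnableFirewall", "0",
     "Windows Firewall disabled on Domain profile"),
]

# Constructed sample: an excerpt of the OTL log posted in this thread.
SAMPLE = r"""
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"""


def parse_registry_dump(text):
    """Return {key_path: {value_name: value}} for an OTL registry section."""
    keys = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, OrderedDict())
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def open_ports(keys):
    """Yield (profile, port_spec, scope, state, label) for GloballyOpenPorts entries."""
    for path, values in keys.items():
        if not path.endswith("GloballyOpenPorts\\List"):
            continue
        profile = "Domain" if "DomainProfile" in path else "Standard"
        for name, value in values.items():
            # Value format: port:proto:scope:Enabled|Disabled:label
            parts = value.split(":", 4)
            if len(parts) == 5:
                yield profile, name, parts[2], parts[3], parts[4]


def triage(text):
    """Return a list of human-readable findings for the weak settings found."""
    keys = parse_registry_dump(text)
    findings = []
    for suffix, name, weak, msg in WEAK_SETTINGS:
        for path, values in keys.items():
            if path.endswith(suffix) and values.get(name) == weak:
                findings.append(msg)
    for profile, spec, scope, state, label in open_ports(keys):
        if state == "Enabled" and scope == "*":
            findings.append(f"{profile} profile: {spec} open to any address ({label})")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("-", finding)
```

Only the global Monitoring\DisableMonitoring value is flagged; the per-vendor subkeys (SymantecAntiVirus, SymantecFirewall) carrying the same value are set by the installed suite to tell Security Center it handles its own alerts, which is normal. The Security Check log later in this thread ("Windows Security Center service is not running!", "Windows Firewall Disabled!") agrees with what this triage reports.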

Malwarebytes' Anti-Malware 1.41

Database version: 3109

Windows 5.1.2600 Service Pack 3

11/5/2009 5:04:59 PM

mbam-log-2009-11-05 (17-04-59).txt

Scan type: Quick Scan

Objects scanned: 106185

Time elapsed: 6 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\winsc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\securits.com (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


Hi,

1) OTL

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    [2009/11/04 08:04:18 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\sukusuwa

    :Services

    :Reg

    :Files

    :Commands
    [purity]
    [emptytemp]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

2) JavaRa

Please download JavaRa to your desktop and unzip it to its own folder

  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

3) Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases

  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.

In your reply I would like to see copied and pasted,

1) OTL log

2) Kaspersky scan


All processes killed

========== OTL ==========

C:\WINDOWS\system32\sukusuwa moved successfully.

========== SERVICES/DRIVERS ==========

========== REGISTRY ==========

========== FILES ==========

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 32768 bytes

->Temporary Internet Files folder emptied: 3235073 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 76503275 bytes

->Google Chrome cache emptied: 0 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: LocalService

->Temp folder emptied: 66016 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

Windows Temp folder emptied: 18310 bytes

RecycleBin emptied: 664517650 bytes

Total Files Cleaned = 709.92 mb

OTL by OldTimer - Version 3.1.3.3 log created on 11062009_073000

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Friday, November 6, 2009

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Friday, November 06, 2009 12:05:43

Records in database: 3156015

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

A:\

C:\

D:\

E:\

F:\

H:\

Scan statistics:

Objects scanned: 171240

Threats found: 7

Infected objects found: 49

Suspicious objects found: 0

Scan duration: 06:17:50

File name / Threat / Threats count

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Microsoft AData\setup.exe.vir Infected: Packed.Win32.TDSS.aa 1

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Microsoft AData\sysnet.dll.vir Infected: Packed.Win32.TDSS.aa 1

C:\Qoobox\Quarantine\C\Program Files\Personal Guard 2009\personalguard.exe.vir Infected: Packed.Win32.TDSS.aa 1

C:\Qoobox\Quarantine\C\Program Files\Personal Guard 2009\uninstalls.exe.vir Infected: Packed.Win32.TDSS.aa 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\dagetowa.dll.vir Infected: Packed.Win32.Katusha.g 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\demozela.dll.tmp.vir Infected: Packed.Win32.Katusha.g 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\fopiyora.dll.vir Infected: Packed.Win32.Katusha.g 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\jupabone.dll.vir Infected: Trojan.Win32.Monder.cutb 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\logon.exe.vir Infected: Trojan.Win32.Vilsel.lov 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\pibijego.dll.tmp.vir Infected: Packed.Win32.Katusha.g 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\sokolofi.dll.tmp.vir Infected: Packed.Win32.Katusha.g 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\tijayefe.dll.vir Infected: Trojan.Win32.Monder.cuul 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\vabewuze.dll.vir Infected: Packed.Win32.Katusha.g 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\zarojeho.dll.vir Infected: Packed.Win32.Katusha.g 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\_sdra64_.exe.zip Infected: Trojan-Spy.Win32.Zbot.gen 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1765\A0087973.dll Infected: Packed.Win32.Katusha.g 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1765\A0087974.dll Infected: Packed.Win32.Katusha.g 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1765\A0087975.dll Infected: Packed.Win32.Katusha.g 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1765\A0088043.exe Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1765\A0088047.exe Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1765\A0088061.exe Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1767\A0088333.exe Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1767\A0088336.exe Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1767\A0088347.exe Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1767\A0088361.exe Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1768\A0088378.exe Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1768\A0088383.exe Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1768\A0090404.exe Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1768\A0090411.exe Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1768\A0090547.exe Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1769\A0091607.exe Infected: Trojan.Win32.Vilsel.ljz 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1770\A0091659.exe Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1770\A0091662.exe Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1770\A0091704.exe Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1770\A0091705.dll Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1770\A0091707.exe Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1770\A0091710.exe Infected: Packed.Win32.TDSS.aa 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1770\A0091716.dll Infected: Packed.Win32.Katusha.g 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1770\A0091718.dll Infected: Packed.Win32.Katusha.g 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1770\A0091723.dll Infected: Trojan.Win32.Monder.cutb 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1770\A0091725.exe Infected: Trojan.Win32.Vilsel.lov 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1770\A0091730.dll Infected: Trojan.Win32.Monder.cuul 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1770\A0091731.dll Infected: Packed.Win32.Katusha.g 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1770\A0091733.dll Infected: Packed.Win32.Katusha.g 1

C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1771\A0092790.exe Infected: Packed.Win32.TDSS.aa 1

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ACIYLQWN\load-full[1].exe Infected: Packed.Win32.TDSS.aa 1

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\VKA7X3HI\load-full[1].exe Infected: Packed.Win32.TDSS.aa 1

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\VKA7X3HI\main_[1].exe Infected: Trojan.Win32.Vilsel.lov 1

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\VKA7X3HI\Z[1].exe Infected: Trojan-Spy.Win32.Zbot.gen 1

Selected area has been scanned.

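Most of the 49 hits in the Kaspersky report above are inert copies: files ComboFix had already renamed into C:\Qoobox\Quarantine (the .vir suffix) and System Restore snapshots under System Volume Information. The four that matter are the live downloads in the system profile's Content.IE5 cache, which is exactly what the next reply's OTM script targets. The script below is an added example, not part of this thread and not a Kaspersky tool: it parses the "File name / Threat / Threats count" lines, sorts hits into quarantine, restore point and live buckets, counts them by malware family, and lists the directories that still hold live detections. The sample lines are copied from the report above; the bucket rules and the family-name convention are this example's own.

```python
"""Summarise a Kaspersky Online Scanner 7 text report by where each hit lives.

Added example, not Kaspersky code. Each detection line has the form
    <path> Infected: <threat name> <count>
Hits inside the ComboFix quarantine folder or a System Restore snapshot are
inert copies; everything else is treated as live and needs attention.
"""
import ntpath
import re
from collections import Counter

HIT_RE = re.compile(r'^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$')

# Constructed sample: six lines taken from the report posted in this thread.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Program Files\Personal Guard 2009\personalguard.exe.vir Infected: Packed.Win32.TDSS.aa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\dagetowa.dll.vir Infected: Packed.Win32.Katusha.g 1
C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1765\A0087973.dll Infected: Packed.Win32.Katusha.g 1
C:\System Volume Information\_restore{1BE30868-3275-45DE-9466-5830952CC967}\RP1765\A0088043.exe Infected: Packed.Win32.TDSS.aa 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ACIYLQWN\load-full[1].exe Infected: Packed.Win32.TDSS.aa 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\VKA7X3HI\Z[1].exe Infected: Trojan-Spy.Win32.Zbot.gen 1
Selected area has been scanned.
"""


def classify(path):
    """Bucket a detection by location (rules are this example's assumption)."""
    low = path.lower()
    if low.startswith(r"c:\qoobox\quarantine"):
        return "quarantine"          # ComboFix quarantine, renamed *.vir
    if r"\system volume information\_restore" in low:
        return "restore_point"       # System Restore snapshot copy
    return "live"


def family(threat):
    """Drop the variant suffix: Packed.Win32.TDSS.aa -> Packed.Win32.TDSS."""
    parts = threat.split(".")
    return ".".join(parts[:-1]) if len(parts) > 3 else threat


def parse_report(text):
    """Return one dict per detection line; non-matching lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append({
                "path": m.group("path"),
                "threat": m.group("threat"),
                "count": int(m.group("count")),
                "bucket": classify(m.group("path")),
            })
    return hits


def summarize(hits):
    """Counts per bucket and per family, plus directories holding live hits."""
    by_bucket = Counter(h["bucket"] for h in hits)
    by_family = Counter(family(h["threat"]) for h in hits)
    # ntpath handles Windows separators even when run on a non-Windows host.
    live_dirs = sorted({ntpath.dirname(h["path"]) for h in hits if h["bucket"] == "live"})
    return {"buckets": dict(by_bucket), "families": dict(by_family), "live_dirs": live_dirs}


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    print("by bucket:", summary["buckets"])
    print("by family:", summary["families"])
    for d in summary["live_dirs"]:
        print("live detections in:", d)
```

Run against the full report, the live_dirs output is the pair of Content.IE5 folders (ACIYLQWN and VKA7X3HI); the restore-point copies only matter if a restore to one of those points is ever attempted, and the quarantine copies are removed when ComboFix is uninstalled at the end of the thread.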

Hi,

Looks better.

Please download OTM

  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :Processes

    :Services

    :Reg

    :Files
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ACIYLQWN
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\VKA7X3HI
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\VKA7X3HI
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\VKA7X3HI

    :Commands
    [purity]
    [emptytemp]
    [Reboot]


  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Ok, thanks for your help so far. Here are the next two logs:

All processes killed

========== PROCESSES ==========

========== SERVICES/DRIVERS ==========

========== REGISTRY ==========

========== FILES ==========

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ACIYLQWN moved successfully.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\VKA7X3HI moved successfully.

File/Folder C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\VKA7X3HI not found.

File/Folder C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\VKA7X3HI not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 88246559 bytes

->Temporary Internet Files folder emptied: 1083488 bytes

->Java cache emptied: 13817527 bytes

->FireFox cache emptied: 78136127 bytes

->Google Chrome cache emptied: 0 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: LocalService

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.

->Temp folder emptied: 66016 bytes

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

Windows Temp folder emptied: 18310 bytes

RecycleBin emptied: 17176670 bytes

Total Files Cleaned = 189.38 mb

OTM by OldTimer - Version 3.0.0.6 log created on 11072009_131106

Files moved on Reboot...

Registry entries deleted on Reboot...

Results of screen317's Security Check version 0.99.0

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!

Windows Firewall Disabled!

Norton AntiVirus

Norton Internet Security (Symantec Corporation)

Norton Internet Security

Norton Internet Security

Norton Internet Security

Norton Internet Security

Antivirus out of date! (On Access scanning disabled!)

``````````````````````````````

Anti-malware/Other Utilities Check:

Spyware Doctor 6.1

Windows Defender

HijackThis 2.0.2

Java 6 Update 17

Out of date Java installed!

Adobe Flash Player 10

``````````````````````````````

Process Check:

objlist.exe by Laurent

Norton ccSvcHst.exe

Administrator Desktop malware SecurityCheck.exe

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


Good to know.

Now for the good news.

Congratulations, your logs appear clean!!

Clean up

Follow these steps to uninstall Combofix and tools used in the removal of malware

Uninstall ComboFix

Remove Combofix now that we're done with it.

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix and anything associated with it.

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it. There are other free alternatives, FIREFOX and OPERA; both are free to use and are more secure than IE.

If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

You should have a good anti-spyware program - We recommend MalwareBytes Anti-Malware and SUPERAntiSpyware.

MVPS Hosts file - The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.

Winpatrol - Download and install the free version of Winpatrol. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

Spring Cleaning

TFC - Temp File Cleaner by OldTimer - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders

Auslogics Disc Defrag or JKDefrag - Two good disc defragmenters for you to choose from.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place
