Infected; MBAM Being Deleted



Here you go.

DDS (Ver_09-10-26.01) - NTFSx86

Run by Bill Entwistle at 19:09:19.84 on Thu 11/19/2009

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.254 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\PROGRA~1\RCrawler\RCrawler.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\PROGRA~1\SYMANT~1\vptray.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe

C:\Program Files\CapsUnlock\CapsUnlock.exe

C:\Program Files\FlashTray Pro\FlashTray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Putty\Putty.exe

C:\WINDOWS\system32\mstsc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Bill Entwistle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = 127.0.0.1

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: {826e7566-fc8a-4294-a7f9-3025321aa7d8} - beyofaji.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe

mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe

mRun: [Motive SmartBridge] c:\progra~1\sbclig~1\smartb~1\MotiveSB.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [Registry Crawler] c:\progra~1\rcrawler\RCrawler.exe -TRAYONLY

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [vptray] c:\progra~1\symant~1\\vptray.exe

StartupFolder: c:\docume~1\billen~1\startm~1\programs\startup\alarm.lnk - c:\program files\alarm\Alarm.exe

StartupFolder: c:\docume~1\billen~1\startm~1\programs\startup\capsun~1.lnk - c:\program files\capsunlock\CapsUnlock.exe

StartupFolder: c:\docume~1\billen~1\startm~1\programs\startup\flasht~1.lnk - c:\program files\flashtray pro\FlashTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microt~1.lnk - c:\program files\microtek\scanwizard 5\ScannerFinder.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: internet

Trusted Zone: netflix.com\www

Trusted Zone: pandora.com

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177138576847

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177467272937

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6}

Notify: igfxcui - igfxdev.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SSODL: pirovebob - {04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\windows\system32\dorugeba.dll

SSODL: toyufibod - {57bc0a5c-54d7-4a9a-9c1d-a46094d906a6} - c:\windows\system32\jibikupa.dll

STS: gahurihor: {04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\windows\system32\dorugeba.dll

STS: jugezatag: {57bc0a5c-54d7-4a9a-9c1d-a46094d906a6} - c:\windows\system32\jibikupa.dll

SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\eudora\EuShlExt.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

LSA: Notification Packages = scecli diwunawo.dll

mASetup: {621FCD24-4498-4324-A81E-07D331376EDF} - c:\program files\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\billen~1\applic~1\mozilla\firefox\profiles\6xnqpoll.default\

FF - prefs.js: browser.startup.homepage - about:blank

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-7-30 161064]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-4 102448]

S2 0258161238559076mcinstcleanup;0258161238559076mcinstcleanup; [x]

S2 0327391238561196mcinstcleanup;0327391238561196mcinstcleanup; [x]

S3 LW;LW;c:\docume~1\billen~1\locals~1\temp\lw.exe --> c:\docume~1\billen~1\locals~1\temp\LW.exe [?]

S3 notecable;NoteCable Driver (WDM);c:\windows\system32\drivers\notcable.sys --> c:\windows\system32\drivers\notcable.sys [?]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]

=============== Created Last 30 ================

2009-11-15 05:38:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-15 05:38:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-14 23:10:57 304920 ------w- c:\windows\system32\drivers\iastor.sys

2009-11-08 23:54:32 98816 ----a-w- c:\windows\sed.exe

2009-11-08 23:54:32 77312 ----a-w- c:\windows\MBR.exe

2009-11-08 23:54:32 267264 ----a-w- c:\windows\PEV.exe

2009-11-08 23:54:32 161792 ----a-w- c:\windows\SWREG.exe

2009-11-08 23:54:08 0 d-s---w- C:\ComboFix

2009-11-08 14:48:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-11-03 02:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe

2009-10-19 23:53:44 3070976 ------w- c:\windows\system32\dllcache\mshtml.dll

2009-09-25 05:37:11 667136 ----a-w- c:\windows\system32\wininet.dll

2009-09-25 05:37:11 667136 ------w- c:\windows\system32\dllcache\wininet.dll

2009-09-25 05:37:11 627712 ------w- c:\windows\system32\dllcache\urlmon.dll

2009-09-25 05:37:10 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll

2009-09-25 05:37:09 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-09-25 05:37:09 81920 ------w- c:\windows\system32\dllcache\ieencode.dll

2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll

2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll

2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll

2008-11-28 08:08:22 88 --sh--r- c:\windows\system32\3EEC6A8C6D.sys

2008-11-27 07:59:36 88 --sh--r- c:\windows\system32\736179D2E2.sys

2008-11-28 08:08:24 5174 --sh--w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 19:10:12.15 ===============

Attach.zip


Vundo is still present. Doesn't look like it's hooking Winlogon anymore though. What do you get after running MBAM? Still finding anything?

I would really like to try combofix again here. I don't believe that your iastor.sys is infected so there should not be an issue with that. I've used and seen combofix used thousands of times with an extremely small percentage of issues like you had. But I'll understand if you don't want to run it.

We may be able to take care of the rest of this manually. DDS does not provide any options for fixing things, so we'd need to run another tool that will. If you want to go that way then download and run the following tool, then post the logs.

OTL - Download

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5
    %SYSTEMDRIVE%\vaxscsi.sys /s /md5
    %SYSTEMDRIVE%\nvatabus.sys /s /md5
    CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.

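Added example, not code from the thread or from DDS, ComboFix, OTL or Malwarebytes: a small Python triage helper that applies the reasoning behind the "Vundo is still present" call to Pseudo-HJT lines from the DDS log above. The consonant-vowel name pattern (pirovebob, dorugeba, diwunawo) and the one-entry LSA allowlist are assumptions made for this example, not tool logic.

```python
import re
from typing import Dict, List

# Constructed sample: lines copied from the DDS "Pseudo HJT Report" posted in this
# thread, plus a few known-good lines from the same log for contrast.
SAMPLE_DDS_LINES = [
    "BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\adobe\\acrobat 7.0\\activex\\AcroIEHelper.dll",
    "BHO: {826e7566-fc8a-4294-a7f9-3025321aa7d8} - beyofaji.dll",
    "Notify: igfxcui - igfxdev.dll",
    "Notify: NavLogon - c:\\windows\\system32\\NavLogon.dll",
    "SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\\windows\\system32\\WPDShServiceObj.dll",
    "SSODL: pirovebob - {04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\\windows\\system32\\dorugeba.dll",
    "STS: jugezatag: {57bc0a5c-54d7-4a9a-9c1d-a46094d906a6} - c:\\windows\\system32\\jibikupa.dll",
    "LSA: Notification Packages = scecli diwunawo.dll",
]

# Assumption (a heuristic, not DDS logic): the generated names in this log are all
# lowercase and strictly alternate consonant/vowel, 7 to 11 letters long.
PSEUDO_RANDOM_NAME = re.compile(
    r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){3,5}[bcdfghjklmnpqrstvwxyz]?$"
)

# Assumption: on a stand-alone XP workstation only scecli is expected here.
# Domain controllers and hosts with password filters legitimately add more.
LSA_NOTIFICATION_ALLOWLIST = {"scecli"}


def looks_pseudo_random(name: str) -> bool:
    """True if the name fits the consonant-vowel pattern seen in this thread."""
    return PSEUDO_RANDOM_NAME.match(name) is not None


def basename_no_ext(path: str) -> str:
    """'c:\\windows\\system32\\dorugeba.dll' -> 'dorugeba'."""
    leaf = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return leaf.rsplit(".", 1)[0]


def triage_dds_line(line: str) -> List[str]:
    """Return the reasons a Pseudo-HJT line deserves a look (empty list if none)."""
    reasons: List[str] = []
    kind, _, rest = line.partition(":")
    kind, rest = kind.strip(), rest.strip()
    target = rest.rsplit(" - ", 1)[-1].strip()

    if kind == "BHO":
        # Legitimate BHOs in this log carry a display name before the CLSID and a
        # full path to the DLL; the Vundo entry has neither.
        if rest.startswith("{"):
            reasons.append("BHO has no display name")
        if "\\" not in target:
            reasons.append("BHO target is a bare filename with no path")
        if looks_pseudo_random(basename_no_ext(target)):
            reasons.append("BHO DLL name looks machine-generated")

    elif kind in ("SSODL", "STS", "Notify"):
        # SSODL: name - {CLSID} - path   STS: name: {CLSID} - path
        # Notify: name - dll (Winlogon\Notify, the hook the helper refers to)
        name = re.split(r"\s*[:\-]\s*", rest, maxsplit=1)[0]
        if looks_pseudo_random(name):
            reasons.append(f"{kind} entry name {name!r} looks machine-generated")
        dll = basename_no_ext(target)
        if looks_pseudo_random(dll):
            reasons.append(f"{kind} DLL {dll!r} looks machine-generated")

    elif kind == "LSA" and rest.startswith("Notification Packages"):
        # Anything beyond the allowlist is loaded into lsass at boot: worth a look.
        for pkg in rest.split("=", 1)[1].split():
            if pkg.lower() in LSA_NOTIFICATION_ALLOWLIST:
                continue
            reasons.append(f"non-default LSA notification package {pkg!r}")
            if looks_pseudo_random(basename_no_ext(pkg)):
                reasons.append(f"LSA package {pkg!r} name looks machine-generated")

    return reasons


def triage_dds(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged line to its reasons; clean lines are omitted."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        reasons = triage_dds_line(line.strip())
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for flagged, why in triage_dds(SAMPLE_DDS_LINES).items():
        print(flagged)
        for reason in why:
            print("   ->", reason)
```

Feeding it the full Pseudo-HJT section flags exactly the entries ComboFix later lists under ORPHANS REMOVED, plus the LSA line, while the Adobe, Intel and WPD entries pass.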

Malwarebytes turns up no infections on a full scan.

I ran combofix and it did a long scan, then started to reboot and put up the following dialog box:

-----

Unable to create a backup of the current registry file

C:\WINDOWS\system32\config\SOFTWARE

Continue restoration of the file?

| Yes | | No |

-----

Should I confirm?


Just a wild guess. Could this be because it's trying to overwrite a read-only backup from the previous time I ran combofix?

That's what I was thinking...I've never seen that one before but I'll look into it. Did you continue? I would just advise continuing with Yes. Hopefully you will get a log and we can move forward.


I clicked Yes and got the following dialog box:

-----

Error restoring

C:\WINDOWS\erdnt\subs\SOFTWARE

Continue with the next file?

[ RegReplacekey: 1450 - Insufficient system resources

to complete the requested service. ]

| Yes | | No |

-----

Keep going?


I clicked "Yes" and it finished booting. During the boot-up process, it displayed a brief message about checking drive J:, said it was "dirty", and displayed a chkdsk-like message before proceeding, fwiw.

Here's the log:

ComboFix 09-11-19.05 - Bill Entwistle 11/19/2009 20:13.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.376 [GMT -6:00]

Running from: c:\documents and settings\Bill Entwistle\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Common

Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected

Restored copy from - Kitty ate it :)

.

((((((((((((((((((((((((( Files Created from 2009-10-20 to 2009-11-20 )))))))))))))))))))))))))))))))

.

2009-11-15 07:07 . 2009-11-15 07:07 -------- d-----w- c:\program files\Windows Defender

2009-11-15 05:38 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-11-15 05:38 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-14 23:10 . 2009-11-14 23:10 304920 ------w- c:\windows\system32\drivers\iastor.sys

2009-11-08 14:48 . 2009-11-15 05:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-11-07 16:03 . 2009-11-15 14:42 79488 ----a-w- c:\documents and settings\Bill Entwistle\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-20 07:09 . 2009-04-04 17:50 -------- d-----w- c:\program files\Symantec AntiVirus

2009-11-20 00:53 . 2007-04-27 06:01 -------- d-----w- c:\program files\Firefox

2009-11-19 07:10 . 2009-01-11 08:54 -------- d-----w- c:\program files\Thunderbird

2009-11-17 02:33 . 2007-04-26 04:52 -------- d-----w- c:\program files\TextPad 4

2009-11-17 02:02 . 2007-04-27 01:17 -------- d-----w- c:\program files\LView

2009-11-15 05:15 . 2009-04-01 04:51 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-11-12 23:55 . 2007-05-11 03:22 -------- d-----w- c:\program files\Common Files\Motive

2009-11-03 02:42 . 2009-10-02 22:36 195456 ------w- c:\windows\system32\MpSigStub.exe

2009-10-31 17:41 . 2009-05-12 14:19 1324 ------w- c:\windows\system32\d3d9caps.dat

2009-09-25 05:37 . 2004-08-11 21:00 667136 ----a-w- c:\windows\system32\wininet.dll

2009-09-25 05:37 . 2004-08-11 21:00 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-09-11 14:18 . 2004-08-11 21:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 21:03 . 2004-08-11 21:00 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-26 08:00 . 2004-08-11 21:00 247326 ----a-w- c:\windows\system32\strmdll.dll

2008-11-28 08:08 . 2007-05-07 06:28 88 --sh--r- c:\windows\system32\3EEC6A8C6D.sys

2008-11-27 07:59 . 2007-04-24 04:52 88 --sh--r- c:\windows\system32\736179D2E2.sys

2008-11-28 08:08 . 2007-04-24 04:52 5174 --sh--w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]

"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2006-08-14 462336]

"Motive SmartBridge"="c:\progra~1\SBCLIG~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]

"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-07-30 177448]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

"Registry Crawler"="c:\progra~1\RCrawler\RCrawler.exe" [2004-02-03 454656]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

"vptray"="c:\progra~1\SYMANT~1\\vptray.exe" [2006-09-28 125168]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624]

c:\documents and settings\Bill Entwistle\Start Menu\Programs\Startup\

Alarm.lnk - c:\program files\Alarm\Alarm.exe [2007-6-28 167936]

CapsUnlock.lnk - c:\program files\CapsUnlock\CapsUnlock.exe [2007-4-24 13312]

FlashTray.lnk - c:\program files\FlashTray Pro\FlashTray.exe [2007-5-7 555520]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2008-1-14 344064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"g:\\WS FTP\\WS_FTP95.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\TeraTerm\\ttermpro.exe"=

"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=

"c:\\Program Files\\Seagate\\SeagateManager\\FreeAgent Status\\stxmenumgr.exe"=

"c:\\Program Files\\Dell Support\\DSAgnt.exe"=

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [7/30/2008 2:23 PM 161064]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/4/2009 7:03 PM 102448]

S2 0258161238559076mcinstcleanup;0258161238559076mcinstcleanup; [x]

S2 0327391238561196mcinstcleanup;0327391238561196mcinstcleanup; [x]

S3 LW;LW;c:\docume~1\BILLEN~1\LOCALS~1\Temp\LW.exe --> c:\docume~1\BILLEN~1\LOCALS~1\Temp\LW.exe [?]

S3 notecable;NoteCable Driver (WDM);c:\windows\system32\drivers\notcable.sys --> c:\windows\system32\drivers\notcable.sys [?]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 7:33 PM 116464]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]

c:\program files\PixiePack Codec Pack\InstallerHelper.exe

.

Contents of the 'Scheduled Tasks' folder

2009-11-20 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]

2009-11-20 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-30 03:18]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = 127.0.0.1

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: internet

Trusted Zone: netflix.com\www

Trusted Zone: pandora.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Bill Entwistle\Application Data\Mozilla\Firefox\Profiles\6xnqpoll.default\

FF - prefs.js: browser.startup.homepage - about:blank

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

.

- - - - ORPHANS REMOVED - - - -

BHO-{826e7566-fc8a-4294-a7f9-3025321aa7d8} - beyofaji.dll

SharedTaskScheduler-{04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\windows\system32\dorugeba.dll

SharedTaskScheduler-{57bc0a5c-54d7-4a9a-9c1d-a46094d906a6} - c:\windows\system32\jibikupa.dll

SSODL-pirovebob-{04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\windows\system32\dorugeba.dll

SSODL-toyufibod-{57bc0a5c-54d7-4a9a-9c1d-a46094d906a6} - c:\windows\system32\jibikupa.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-20 01:16

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1208)

c:\progra~1\SBCLIG~1\SMARTB~1\SBHook.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\program files\FlashTray Pro\BSFTHOOK.DLL

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\progra~1\SYMANT~1\vptray.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-11-20 01:23 - machine was rebooted

ComboFix-quarantined-files.txt 2009-11-20 07:23

ComboFix2.txt 2008-11-30 16:59

Pre-Run: 45,873,872,896 bytes free

Post-Run: 45,545,304,064 bytes free

- - End Of File - - 3ED94EFF952BA2D6659CEF95D37E63EF


Well it looks like iastor.sys had been re-infected.

Some of the errors may have been due to the fact Symantec was still running during cf.

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

How is it running?

I would like to see an OTL scan done. Can you run that as instructed earlier, with the switches?


It seems to be running fine. Nothing showing up on full scans.

Here are the two logs:

--------------------------------------------

OTL logfile created on: 11/21/2009 5:35:16 PM - Run 1

OTL by OldTimer - Version 3.1.6.2 Folder = C:\Documents and Settings\Bill Entwistle\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.5512)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.84 Mb Total Physical Memory | 110.82 Mb Available Physical Memory | 10.93% Memory free

2.38 Gb Paging File | 1.57 Gb Available in Paging File | 65.90% Paging File free

Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 68.36 Gb Total Space | 42.44 Gb Free Space | 62.08% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

Drive F: | 68.36 Gb Total Space | 37.28 Gb Free Space | 54.53% Space Free | Partition Type: NTFS

Drive G: | 2.93 Gb Total Space | 1.13 Gb Free Space | 38.52% Space Free | Partition Type: NTFS

Drive H: | 6.31 Gb Total Space | 5.17 Gb Free Space | 81.96% Space Free | Partition Type: NTFS

I: Drive not present or media not loaded

Computer Name: TUCKER

Current User Name: Bill Entwistle

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 14 Days

Output = Standard

Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/11/21 17:34:15 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bill Entwistle\Desktop\OTL.exe

PRC - [2009/09/10 14:53:56 | 01,312,080 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

PRC - [2009/08/20 21:13:33 | 08,318,056 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Thunderbird\thunderbird.exe

PRC - [2009/03/05 16:07:20 | 02,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

PRC - [2009/01/26 14:31:12 | 05,365,592 | ---- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

PRC - [2008/11/10 05:43:42 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe

PRC - [2008/11/10 05:43:40 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe

PRC - [2008/07/30 14:23:26 | 00,161,064 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

PRC - [2008/07/30 14:23:02 | 00,177,448 | ---- | M] (Seagate LLC) -- C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

PRC - [2008/04/13 18:12:37 | 00,135,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\taskmgr.exe

PRC - [2008/04/13 18:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe

PRC - [2008/04/13 18:12:23 | 00,677,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mstsc.exe

PRC - [2008/04/13 18:12:22 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe

PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2008/04/13 18:12:14 | 00,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cmd.exe

PRC - [2007/11/08 09:20:22 | 00,344,064 | ---- | M] () -- C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe

PRC - [2007/09/26 13:42:04 | 00,267,064 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe

PRC - [2007/09/26 13:41:56 | 00,503,608 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe

PRC - [2007/09/06 12:28:18 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

PRC - [2007/06/13 06:17:45 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

PRC - [2007/04/24 23:12:13 | 00,013,312 | ---- | M] (BrainSystems) -- C:\Program Files\CapsUnlock\CapsUnlock.exe

PRC - [2006/11/03 19:20:12 | 00,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe

PRC - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe

PRC - [2006/09/27 19:33:44 | 00,125,168 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe

PRC - [2006/09/27 19:33:42 | 00,280,304 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPC32.exe

PRC - [2006/09/27 19:33:32 | 01,813,232 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe

PRC - [2006/09/27 19:33:22 | 00,031,472 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe

PRC - [2006/08/28 19:57:12 | 00,395,776 | ---- | M] (Gteko Ltd.) -- C:\Program Files\Dell Support\DSAgnt.exe

PRC - [2006/08/14 12:20:26 | 00,462,336 | ---- | M] (Corel, Inc.) -- C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

PRC - [2006/07/24 08:20:00 | 00,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe

PRC - [2006/07/21 14:50:10 | 00,086,016 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe

PRC - [2006/07/21 14:47:00 | 00,081,920 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe

PRC - [2006/07/19 18:26:12 | 00,169,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

PRC - [2006/07/19 18:26:06 | 00,192,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

PRC - [2006/07/19 18:26:04 | 00,052,896 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe

PRC - [2006/07/06 05:15:00 | 00,151,552 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

PRC - [2006/07/06 05:14:30 | 00,090,112 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe

PRC - [2006/05/29 15:37:53 | 00,421,888 | ---- | M] () -- C:\Program Files\Putty\Putty.exe

PRC - [2006/04/11 16:13:38 | 01,160,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

PRC - [2005/10/05 01:12:00 | 00,094,208 | ---- | M] () -- C:\Program Files\Dell\Media Experience\DMXLauncher.exe

PRC - [2005/09/08 03:20:00 | 00,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE

PRC - [2004/08/03 21:11:46 | 00,555,520 | ---- | M] (BlackSun Software) -- C:\Program Files\FlashTray Pro\FlashTray.exe

PRC - [2004/07/27 14:50:18 | 00,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

PRC - [2004/02/03 08:06:00 | 00,454,656 | ---- | M] (4Developers LLC) -- C:\Program Files\RCrawler\rcrawler.exe

PRC - [2003/12/10 03:52:40 | 00,380,928 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\MotiveSB.exe

========== Modules (SafeList) ==========

MOD - [2009/11/21 17:34:15 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bill Entwistle\Desktop\OTL.exe

MOD - [2008/04/13 18:12:51 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

MOD - [2008/04/13 18:11:53 | 00,185,344 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\framedyn.dll

MOD - [2007/04/24 23:12:13 | 00,003,072 | ---- | M] () -- C:\Program Files\CapsUnlock\CapsUnlock.dll

MOD - [2004/04/16 09:04:58 | 00,126,976 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\SBHook.dll

MOD - [2002/11/09 19:28:16 | 00,041,984 | ---- | M] () -- C:\Program Files\FlashTray Pro\BSFThook.dll

========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (McNASvc)

SRV - File not found -- -- (mcmscsvc)

SRV - File not found -- -- (LW)

SRV - File not found -- -- (0327391238561196mcinstcleanup)

SRV - File not found -- -- (0258161238559076mcinstcleanup)

SRV - [2009/04/22 18:52:55 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)

SRV - [2008/11/10 05:43:40 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)

SRV - [2008/07/30 14:23:26 | 00,161,064 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -- (FreeAgentGoNext Service)

SRV - [2008/07/29 20:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)

SRV - [2008/07/29 18:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)

SRV - [2008/07/29 18:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)

SRV - [2008/07/25 10:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

SRV - [2008/07/25 10:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)

SRV - [2008/04/13 18:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll -- (helpsvc)

SRV - [2007/09/26 13:41:56 | 00,503,608 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)

SRV - [2007/09/06 12:28:18 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)

SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)

SRV - [2006/09/27 19:33:38 | 00,116,464 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)

SRV - [2006/09/27 19:33:32 | 01,813,232 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)

SRV - [2006/09/27 19:33:22 | 00,031,472 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)

SRV - [2006/08/25 12:00:38 | 02,528,960 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE -- (LiveUpdate)

SRV - [2006/08/07 15:03:02 | 00,214,720 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)

SRV - [2006/07/19 18:26:12 | 00,169,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)

SRV - [2006/07/19 18:26:06 | 00,192,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)

SRV - [2006/07/06 05:14:30 | 00,090,112 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®

SRV - [2006/04/11 16:13:38 | 01,160,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070418

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070418

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "about:blank"

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}:6.0.10

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1

FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.5

FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2008/11/09 22:23:16 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 02:01:01 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Firefox\components [2009/11/14 23:36:40 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Firefox\plugins [2009/11/14 23:36:34 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Thunderbird\components [2009/08/20 21:13:36 | 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Thunderbird\plugins

[2009/11/14 23:34:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Mozilla\Extensions

[2009/11/14 23:34:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}

[2009/11/15 01:17:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Mozilla\Firefox\Profiles\6xnqpoll.default\extensions

[2009/09/09 21:27:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Mozilla\Firefox\Profiles\6xnqpoll.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)

O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)

O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (Google Inc.)

O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)

O4 - HKLM..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe (Corel, Inc.)

O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)

O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe ()

O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)

O4 - HKLM..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)

O4 - HKLM..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)

O4 - HKLM..\Run: [iSUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)

O4 - HKLM..\Run: [iSUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)

O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [MaxMenuMgr] C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe (Seagate LLC)

O4 - HKLM..\Run: [Motive SmartBridge] C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\MotiveSB.exe (Motive Communications, Inc.)

O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)

O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)

O4 - HKLM..\Run: [Registry Crawler] C:\Program Files\RCrawler\rcrawler.exe (4Developers LLC)

O4 - HKLM..\Run: [sigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)

O4 - HKLM..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)

O4 - HKLM..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe ()

O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4 - HKCU..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.)

O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O4 - HKCU..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)

O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe ()

O4 - Startup: C:\Documents and Settings\Bill Entwistle\Start Menu\Programs\Startup\Alarm.lnk = C:\Program Files\Alarm\Alarm.exe (Bluefive software)

O4 - Startup: C:\Documents and Settings\Bill Entwistle\Start Menu\Programs\Startup\CapsUnlock.lnk = C:\Program Files\CapsUnlock\CapsUnlock.exe (BrainSystems)

O4 - Startup: C:\Documents and Settings\Bill Entwistle\Start Menu\Programs\Startup\FlashTray.lnk = C:\Program Files\FlashTray Pro\FlashTray.exe (BlackSun Software)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O15 - HKLM\..Trusted Domains: 50 domain(s) and sub-domain(s) not assigned to a zone.

O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)

O15 - HKCU\..Trusted Domains: netflix.com ([www] http in Trusted sites)

O15 - HKCU\..Trusted Domains: netflix.com ([www] https in Trusted sites)

O15 - HKCU\..Trusted Domains: pandora.com ([]* in Trusted sites)

O15 - HKCU\..Trusted Domains: 55 domain(s) and sub-domain(s) not assigned to a zone.

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1177138576847 (WUWebControl Class)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1177467272937 (MUWebControl Class)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} Reg Error: Value error. (McFreeScan Class)

O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254

O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\ipp - No CLSID value found

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp - No CLSID value found

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)

O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)

O24 - Desktop Components:0 (My Current Home Page) - About:Home

O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)

O28 - HKLM ShellExecuteHooks: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - C:\Program Files\Eudora\EuShlExt.dll (Qualcomm Inc.)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2004/08/11 15:15:00 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2004/02/25 23:03:54 | 00,000,194 | ---- | M] () - G:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck) - File not found

O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)

O34 - HKLM BootExecute: (*) - File not found

O35 - comfile [open] -- "%1" %* File not found

O35 - exefile [open] -- "%1" %* File not found

NetSvcs: 6to4 - File not found

NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/08/11 15:02:12 | 00,000,000 | ---D | M]

NetSvcs: Iprip - File not found

NetSvcs: Irmon - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: WmdmPmSp - File not found

NetSvcs: helpsvc - C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll (Microsoft Corporation)

CREATERESTOREPOINT

Restore point Set: OTL Restore Point (16892114965102592)

========== Files/Folders - Created Within 14 Days ==========

[2009/11/21 17:34:15 | 00,529,408 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Bill Entwistle\Desktop\OTL.exe

[2009/11/15 01:07:15 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Defender

[2009/11/15 01:03:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Bill Entwistle\My Documents\Downloads

[2009/11/14 23:38:43 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2009/11/14 23:38:40 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2009/11/14 17:10:57 | 00,304,920 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\drivers\iastor.sys

[2009/11/08 17:54:32 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2009/11/08 17:54:32 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2009/11/08 17:54:32 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2009/11/08 17:54:32 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2009/11/08 17:53:26 | 00,000,000 | ---D | C] -- C:\Qoobox

[2009/11/08 08:49:35 | 03,550,592 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\Bill Entwistle\Desktop\winlogin.exe

[2009/11/08 08:48:18 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[6 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2009/11/21 17:34:15 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bill Entwistle\Desktop\OTL.exe

[2009/11/21 02:06:00 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2009/11/21 01:00:31 | 00,000,655 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\Desktop\Windows Defender.lnk

[2009/11/21 00:57:36 | 00,000,246 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\Desktop\Security Center.lnk

[2009/11/21 00:50:09 | 00,000,933 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\Desktop\Spybot.lnk

[2009/11/21 00:47:59 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2009/11/21 00:47:43 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn

[2009/11/21 00:47:33 | 00,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job

[2009/11/21 00:47:24 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2009/11/21 00:47:20 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2009/11/21 00:47:18 | 10,631,65952 | -HS- | M] () -- C:\hiberfil.sys

[2009/11/21 00:46:23 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Bill Entwistle\ntuser.ini

[2009/11/21 00:46:22 | 08,650,752 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\ntuser.dat

[2009/11/20 01:25:32 | 00,001,491 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\Desktop\C Drive.lnk

[2009/11/20 01:12:01 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2009/11/20 01:11:07 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2009/11/19 20:11:07 | 00,000,600 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\PUTTY.RND

[2009/11/19 20:10:53 | 00,001,784 | -H-- | M] () -- C:\Documents and Settings\Bill Entwistle\My Documents\Default.rdp

[2009/11/19 19:42:38 | 03,568,341 | R--- | M] () -- C:\Documents and Settings\Bill Entwistle\Desktop\ComboFix.exe

[2009/11/17 16:48:39 | 00,003,782 | ---- | M] () -- C:\WINDOWS\SDTAR861.BMP

[2009/11/17 16:48:39 | 00,003,782 | ---- | M] () -- C:\WINDOWS\SDTAR860.BMP

[2009/11/17 16:48:39 | 00,002,678 | ---- | M] () -- C:\WINDOWS\SDTAR863.BMP

[2009/11/17 16:48:39 | 00,001,334 | ---- | M] () -- C:\WINDOWS\SDTAR862.BMP

[2009/11/16 20:03:22 | 00,008,500 | ---- | M] () -- C:\WINDOWS\lviewpro.ini

[2009/11/15 12:10:21 | 00,000,259 | ---- | M] () -- C:\WINDOWS\wininit.ini

[2009/11/15 03:05:36 | 00,000,118 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\Desktop\Infected; MBAM Being Deleted - Malwarebytes Forum.URL

[2009/11/15 02:27:37 | 00,139,648 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2009/11/14 23:42:10 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes.lnk

[2009/11/14 23:36:45 | 00,001,528 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Firefox.lnk

[2009/11/14 17:10:57 | 00,304,920 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\drivers\iastor.sys

[2009/11/14 01:47:57 | 00,260,608 | ---- | M] () -- C:\WINDOWS\PEV.exe

[2009/11/08 11:39:39 | 00,000,182 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\Desktop\November 8th, 2009 1138 am #10.URL

[2009/11/08 08:49:35 | 03,550,592 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\Bill Entwistle\Desktop\winlogin.exe

[2009/11/07 17:52:44 | 00,000,076 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\Desktop\CMS - State Employee Services.URL

[2009/11/07 17:52:10 | 00,000,075 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\Desktop\SURS - Insurance.URL

[6 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/11/21 01:00:31 | 00,000,655 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Desktop\Windows Defender.lnk

[2009/11/21 00:57:36 | 00,000,246 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Desktop\Security Center.lnk

[2009/11/21 00:50:09 | 00,000,933 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Desktop\Spybot.lnk

[2009/11/19 20:09:53 | 03,568,341 | R--- | C] () -- C:\Documents and Settings\Bill Entwistle\Desktop\ComboFix.exe

[2009/11/15 01:10:20 | 00,000,330 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2009/11/14 23:38:48 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes.lnk

[2009/11/08 17:54:32 | 00,260,608 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2009/11/08 17:54:32 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2009/11/08 17:54:32 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2009/11/08 17:54:32 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2009/11/08 17:54:32 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2009/11/08 11:39:39 | 00,000,182 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Desktop\November 8th, 2009 1138 am #10.URL

[2009/11/08 09:13:35 | 00,000,118 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Desktop\Infected; MBAM Being Deleted - Malwarebytes Forum.URL

[2009/11/07 17:52:44 | 00,000,076 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Desktop\CMS - State Employee Services.URL

[2009/11/07 17:52:10 | 00,000,075 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Desktop\SURS - Insurance.URL

[2009/10/01 15:35:58 | 00,000,061 | ---- | C] () -- C:\WINDOWS\TaxACT09.ini

[2009/08/08 00:52:03 | 00,005,632 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2008/12/04 22:12:20 | 00,000,075 | ---- | C] () -- C:\WINDOWS\TaxACT08.ini

[2008/11/25 20:01:34 | 00,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI

[2008/01/14 01:02:51 | 00,044,491 | ---- | C] () -- C:\WINDOWS\System32\MiiIniFile13.ini

[2008/01/14 01:02:48 | 00,285,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\Onsio.sys

[2008/01/14 01:02:48 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\drivers\Onsreged.sys

[2007/10/18 21:56:34 | 00,001,377 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

[2007/10/03 21:43:36 | 00,000,088 | ---- | C] () -- C:\WINDOWS\TaxACT07.ini

[2007/08/23 19:30:00 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll

[2007/08/02 01:00:03 | 00,093,696 | ---- | C] () -- C:\WINDOWS\System32\hpgt42.dll

[2007/05/16 00:02:15 | 00,000,225 | ---- | C] () -- C:\WINDOWS\acdsee.ini

[2007/05/15 23:48:11 | 00,000,141 | ---- | C] () -- C:\WINDOWS\TaxACT06.ini

[2007/05/15 23:45:43 | 00,000,128 | ---- | C] () -- C:\WINDOWS\TaxACT05.ini

[2007/05/15 23:35:57 | 00,000,128 | ---- | C] () -- C:\WINDOWS\TaxACT04.ini

[2007/05/15 22:44:02 | 00,000,128 | ---- | C] () -- C:\WINDOWS\TaxACT03.ini

[2007/05/15 22:39:23 | 00,000,103 | ---- | C] () -- C:\WINDOWS\TaxACT02.ini

[2007/05/15 22:25:12 | 00,000,090 | ---- | C] () -- C:\WINDOWS\TAXACT01.INI

[2007/05/15 22:17:50 | 00,000,073 | ---- | C] () -- C:\WINDOWS\TaxAct00.ini

[2007/05/15 22:13:34 | 00,000,078 | ---- | C] () -- C:\WINDOWS\TaxAct99.ini

[2007/05/09 00:33:39 | 00,000,087 | ---- | C] () -- C:\WINDOWS\OPHCW.INI

[2007/05/07 00:28:48 | 00,000,088 | RHS- | C] () -- C:\WINDOWS\System32\3EEC6A8C6D.sys

[2007/04/28 20:26:12 | 00,000,042 | ---- | C] () -- C:\WINDOWS\entpack.ini

[2007/04/26 23:52:58 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2007/04/26 19:40:28 | 00,000,868 | ---- | C] () -- C:\WINDOWS\ULEAD32.INI

[2007/04/26 19:18:20 | 00,008,500 | ---- | C] () -- C:\WINDOWS\lviewpro.ini

[2007/04/23 22:52:15 | 00,005,174 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys

[2007/04/23 22:52:15 | 00,000,088 | RHS- | C] () -- C:\WINDOWS\System32\736179D2E2.sys

[2007/04/21 11:45:43 | 00,005,120 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Application Data\dvd.bmk

[2007/04/21 11:39:12 | 00,000,137 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Local Settings\Application Data\fusioncache.dat

[2007/04/20 23:40:53 | 04,836,936 | -H-- | C] () -- C:\Documents and Settings\Bill Entwistle\Local Settings\Application Data\IconCache.db

[2007/04/20 23:40:53 | 00,018,520 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

[2007/04/20 23:40:53 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Bill Entwistle\Application Data\desktop.ini

[2007/04/17 23:10:53 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2007/04/17 23:06:50 | 00,000,259 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2007/04/17 22:41:31 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4642.dll

[2007/04/17 22:40:06 | 00,000,392 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

[2006/06/29 13:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

[2006/06/29 13:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont

[2006/04/18 14:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont

[2006/04/18 14:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont

[2005/11/09 23:56:34 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[2004/08/11 15:24:19 | 00,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini

[2004/08/11 15:14:58 | 00,000,000 | ---- | C] () -- C:\WINDOWS\control.ini

[2004/08/11 15:12:00 | 00,000,037 | ---- | C] () -- C:\WINDOWS\vbaddin.ini

[2004/08/11 15:12:00 | 00,000,036 | ---- | C] () -- C:\WINDOWS\vb.ini

[2004/08/11 15:11:31 | 00,013,223 | ---- | C] () -- C:\WINDOWS\System32\tslabels.ini

[2004/08/11 15:11:31 | 00,001,931 | ---- | C] () -- C:\WINDOWS\System32\msdtcprf.ini

[2004/08/11 15:11:31 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

[2004/08/11 15:07:25 | 00,524,016 | ---- | C] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2004/08/11 15:07:24 | 00,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2004/08/11 15:07:11 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini

[2004/08/11 15:00:52 | 00,498,742 | ---- | C] () -- C:\WINDOWS\System32\dxmasf.dll

[2004/08/11 15:00:52 | 00,004,126 | ---- | C] () -- C:\WINDOWS\System32\msdxmlc.dll

[2004/08/11 15:00:37 | 00,013,312 | ---- | C] () -- C:\WINDOWS\System32\win87em.dll

[2004/08/11 15:00:37 | 00,001,121 | ---- | C] () -- C:\WINDOWS\win.ini

[2004/08/11 15:00:35 | 00,053,478 | ---- | C] () -- C:\WINDOWS\System32\tcpmon.ini

[2004/08/11 15:00:35 | 00,015,360 | ---- | C] () -- C:\WINDOWS\System32\tsd32.dll

[2004/08/11 15:00:35 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini

[2004/08/11 15:00:30 | 00,270,848 | ---- | C] () -- C:\WINDOWS\System32\sbe.dll

[2004/08/11 15:00:30 | 00,010,240 | ---- | C] () -- C:\WINDOWS\System32\scriptpw.dll

[2004/08/11 15:00:29 | 01,291,264 | ---- | C] () -- C:\WINDOWS\System32\quartz.dll

[2004/08/11 15:00:29 | 01,287,168 | ---- | C] () -- C:\WINDOWS\System32\quartz(2).dll

[2004/08/11 15:00:29 | 00,733,696 | ---- | C] () -- C:\WINDOWS\System32\qedwipes.dll

[2004/08/11 15:00:29 | 00,562,176 | ---- | C] () -- C:\WINDOWS\System32\qedit.dll

[2004/08/11 15:00:29 | 00,386,048 | ---- | C] () -- C:\WINDOWS\System32\qdvd.dll

[2004/08/11 15:00:29 | 00,279,040 | ---- | C] () -- C:\WINDOWS\System32\qdv.dll

[2004/08/11 15:00:29 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\qcap.dll

[2004/08/11 15:00:29 | 00,012,082 | ---- | C] () -- C:\WINDOWS\System32\rsvp.ini

[2004/08/11 15:00:29 | 00,003,458 | ---- | C] () -- C:\WINDOWS\System32\rasctrs.ini

[2004/08/11 15:00:28 | 00,006,877 | ---- | C] () -- C:\WINDOWS\System32\pschdprf.ini

[2004/08/11 15:00:28 | 00,002,891 | ---- | C] () -- C:\WINDOWS\System32\perfci.ini

[2004/08/11 15:00:28 | 00,002,732 | ---- | C] () -- C:\WINDOWS\System32\perfwci.ini

[2004/08/11 15:00:28 | 00,001,152 | ---- | C] () -- C:\WINDOWS\System32\perffilt.ini

[2004/08/11 15:00:28 | 00,000,343 | ---- | C] () -- C:\WINDOWS\System32\prodspec.ini

[2004/08/11 15:00:25 | 00,035,648 | ---- | C] () -- C:\WINDOWS\System32\ntio411.sys

[2004/08/11 15:00:25 | 00,035,424 | ---- | C] () -- C:\WINDOWS\System32\ntio412.sys

[2004/08/11 15:00:25 | 00,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio804.sys

[2004/08/11 15:00:25 | 00,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio404.sys

[2004/08/11 15:00:25 | 00,033,840 | ---- | C] () -- C:\WINDOWS\System32\ntio.sys

[2004/08/11 15:00:25 | 00,029,370 | ---- | C] () -- C:\WINDOWS\System32\ntdos411.sys

[2004/08/11 15:00:25 | 00,029,274 | ---- | C] () -- C:\WINDOWS\System32\ntdos412.sys

[2004/08/11 15:00:25 | 00,029,146 | ---- | C] () -- C:\WINDOWS\System32\ntdos804.sys

[2004/08/11 15:00:25 | 00,029,146 | ---- | C] () -- C:\WINDOWS\System32\ntdos404.sys

[2004/08/11 15:00:25 | 00,027,866 | ---- | C] () -- C:\WINDOWS\System32\ntdos.sys

[2004/08/11 15:00:24 | 00,002,656 | ---- | C] () -- C:\WINDOWS\System32\netware.drv

[2004/08/11 15:00:21 | 00,094,282 | ---- | C] () -- C:\WINDOWS\System32\msencode.dll

[2004/08/11 15:00:21 | 00,014,336 | ---- | C] () -- C:\WINDOWS\System32\msdmo.dll

[2004/08/11 15:00:21 | 00,001,405 | ---- | C] () -- C:\WINDOWS\msdfmap.ini

[2004/08/11 15:00:20 | 00,010,110 | ---- | C] () -- C:\WINDOWS\System32\mqperf.ini

[2004/08/11 15:00:18 | 00,042,809 | ---- | C] () -- C:\WINDOWS\System32\key01.sys

[2004/08/11 15:00:18 | 00,042,537 | ---- | C] () -- C:\WINDOWS\System32\keyboard.sys

[2004/08/11 15:00:18 | 00,035,328 | ---- | C] () -- C:\WINDOWS\System32\mciqtz32.dll

[2004/08/11 15:00:17 | 00,199,168 | ---- | C] () -- C:\WINDOWS\System32\ir32_32.dll

[2004/08/11 15:00:15 | 00,004,768 | ---- | C] () -- C:\WINDOWS\System32\himem.sys

[2004/08/11 15:00:13 | 01,015,477 | ---- | C] () -- C:\WINDOWS\System32\esentprf.ini

[2004/08/11 15:00:13 | 00,186,880 | ---- | C] () -- C:\WINDOWS\System32\encdec.dll

[2004/08/11 15:00:04 | 00,059,904 | ---- | C] () -- C:\WINDOWS\System32\devenum.dll

[2004/08/11 15:00:04 | 00,027,097 | ---- | C] () -- C:\WINDOWS\System32\country.sys

[2004/08/11 15:00:03 | 00,252,928 | ---- | C] () -- C:\WINDOWS\System32\compatui.dll

[2004/08/11 15:00:02 | 00,355,112 | ---- | C] () -- C:\WINDOWS\System32\msjetoledb40.dll

[2004/08/11 15:00:01 | 00,070,656 | ---- | C] () -- C:\WINDOWS\System32\amstream.dll

[2004/08/11 15:00:01 | 00,009,029 | ---- | C] () -- C:\WINDOWS\System32\ansi.sys

[2001/09/11 15:06:50 | 00,001,787 | ---- | C] () -- C:\WINDOWS\SDDM.INI

[2001/08/17 20:36:28 | 00,157,696 | ---- | C] () -- C:\WINDOWS\System32\paqsp.dll

[1999/01/22 12:46:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

[1996/07/30 23:00:00 | 00,041,472 | ---- | C] () -- C:\WINDOWS\System32\WOSAXRT.DLL

[1996/07/30 23:00:00 | 00,006,656 | ---- | C] () -- C:\WINDOWS\System32\MSNWEBQT.DLL

========== LOP Check ==========

[2007/04/17 23:08:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe

[2007/08/28 19:06:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple

[2007/08/28 19:07:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer

[2009/03/29 15:27:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix

[2007/04/17 23:02:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Corel

[2008/01/29 10:17:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Dell

[2009/01/15 02:57:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google

[2007/04/17 23:09:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GTek

[2007/04/17 23:07:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallShield

[2008/11/30 14:16:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2009/03/31 22:09:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McAfee

[2008/12/03 21:39:02 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft

[2007/05/10 21:22:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Motive

[2008/01/18 21:49:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RapidSolution

[2004/08/11 15:25:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBSI

[2008/12/03 20:00:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Seagate

[2007/04/17 23:07:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sonic

[2009/11/21 00:50:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

[2009/04/04 11:50:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Symantec

[2007/04/21 01:00:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage

[2009/03/14 20:28:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Adobe

[2007/04/21 11:50:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\AdobeUM

[2008/03/15 17:02:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Amazon

[2007/09/27 00:28:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Apple Computer

[2008/11/22 18:39:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Corel

[2007/04/20 23:59:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Google

[2007/04/17 23:09:10 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Gtek

[2007/04/22 18:52:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Help

[2004/08/11 15:20:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Identities

[2007/08/26 22:04:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\lalacollection

[2007/08/25 20:40:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\lalaplayer

[2007/04/24 23:23:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Leadertech

[2007/04/21 01:21:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Macromedia

[2008/11/30 14:16:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Malwarebytes

[2009/03/31 20:59:03 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Microsoft

[2007/04/26 23:50:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Microsoft Web Folders

[2007/05/10 21:27:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Motive

[2009/11/14 23:34:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Mozilla

[2008/01/18 20:59:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\NoteCable

[2008/01/18 21:53:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\RTPlayer

[2007/04/29 23:49:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Sonic

[2007/04/28 22:58:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Sun

[2007/04/27 00:03:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Talkback

[2009/01/11 02:56:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Thunderbird

[2008/01/18 22:23:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Tunebite

[2009/10/30 01:29:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\WinRAR

[2004/08/04 03:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini

[2009/11/21 02:06:00 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

[2009/11/21 00:47:24 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

[2009/11/21 00:47:33 | 00,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< %SYSTEMDRIVE%\eventlog.dll /s /md5 >

[2004/08/04 03:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\i386\eventlog.dll

[1 C:\i386\*.tmp files -> C:\i386\*.tmp -> ]

[2004/08/04 03:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll

[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll

[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\scecli.dll /s /md5 >

[2004/08/04 03:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\i386\scecli.dll

[1 C:\i386\*.tmp files -> C:\i386\*.tmp -> ]

[2004/08/04 03:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll

[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll

[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll

[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\netlogon.dll /s /md5 >

[2004/08/04 03:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\i386\netlogon.dll

[1 C:\i386\*.tmp files -> C:\i386\*.tmp -> ]

[2004/08/04 03:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll

[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll

[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\cngaudit.dll /s /md5 >

< %SYSTEMDRIVE%\sceclt.dll /s /md5 >

< %SYSTEMDRIVE%\ntelogon.dll /s /md5 >

< %SYSTEMDRIVE%\logevent.dll /s /md5 >

< %SYSTEMDRIVE%\iaStor.sys /s /md5 >

[2006/10/10 11:03:48 | 00,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\drivers\storage\R130118\iastor.sys

[2006/07/06 04:59:42 | 00,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\i386\iaStor.sys

[1 C:\i386\*.tmp files -> C:\i386\*.tmp -> ]

[2006/07/06 04:59:42 | 00,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys

[2006/07/06 05:01:32 | 00,484,864 | ---- | M] (Intel Corporation) MD5=6A3C354BFC163B81F6EF2FC421280DB5 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys

[2009/11/14 17:10:57 | 00,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\WINDOWS\system32\drivers\iastor.sys

[2006/10/10 11:03:48 | 00,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\iaStor.sys

< %SYSTEMDRIVE%\nvstor.sys /s /md5 >

< %SYSTEMDRIVE%\atapi.sys /s /md5 >

[2004/08/03 20:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys

[1 C:\i386\*.tmp files -> C:\i386\*.tmp -> ]

[2004/08/03 20:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys

[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys

[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< %SYSTEMDRIVE%\IdeChnDr.sys /s /md5 >

< %SYSTEMDRIVE%\viasraid.sys /s /md5 >

< %SYSTEMDRIVE%\AGP440.sys /s /md5 >

[2004/08/03 21:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\i386\AGP440.SYS

[1 C:\i386\*.tmp files -> C:\i386\*.tmp -> ]

[2004/08/03 21:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys

[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys

[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< %SYSTEMDRIVE%\vaxscsi.sys /s /md5 >

< %SYSTEMDRIVE%\nvatabus.sys /s /md5 >

< End of report >

--------------------------------------------

OTL Extras logfile created on: 11/21/2009 5:35:16 PM - Run 1

OTL by OldTimer - Version 3.1.6.2 Folder = C:\Documents and Settings\Bill Entwistle\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.5512)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.84 Mb Total Physical Memory | 110.82 Mb Available Physical Memory | 10.93% Memory free

2.38 Gb Paging File | 1.57 Gb Available in Paging File | 65.90% Paging File free

Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 68.36 Gb Total Space | 42.44 Gb Free Space | 62.08% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

Drive F: | 68.36 Gb Total Space | 37.28 Gb Free Space | 54.53% Space Free | Partition Type: NTFS

Drive G: | 2.93 Gb Total Space | 1.13 Gb Free Space | 38.52% Space Free | Partition Type: NTFS

Drive H: | 6.31 Gb Total Space | 5.17 Gb Free Space | 81.96% Space Free | Partition Type: NTFS

I: Drive not present or media not loaded

Computer Name: TUCKER

Current User Name: Bill Entwistle

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 14 Days

Output = Standard

Quick Scan

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.chm [@ = chm.file] -- "%SYSTEMROOT%\hh.exe" %1

.html [@ = FirefoxHTML] -- C:\Program Files\Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %* File not found

chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 File not found

cmdfile [open] -- "%1" %* File not found

comfile [open] -- "%1" %* File not found

exefile [open] -- "%1" %* File not found

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)

http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)

https [open] -- "C:\Program Files\Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)

piffile [open] -- "%1" %* File not found

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1" File not found

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S File not found

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"FirewallDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

"AntiVirusDisableNotify" = 0

"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

"G:\WS FTP\WS_FTP95.exe" = G:\WS FTP\WS_FTP95.exe:*:Enabled:WS_FTP 95 -- (Ipswitch, Inc. 81 Hartwell Ave. Lexington, MA 02173)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

"C:\Program Files\TeraTerm\ttermpro.exe" = C:\Program Files\TeraTerm\ttermpro.exe:*:Enabled:Tera Term -- (TeraTerm Project T. Teranishi)

"C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe" = C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe:*:Enabled:AppleMobileDeviceService -- (Apple, Inc.)

"C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe" = C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe:*:Enabled:StxMenuMgr -- (Seagate LLC)

"C:\Program Files\Dell Support\DSAgnt.exe" = C:\Program Files\Dell Support\DSAgnt.exe:*:Enabled:DSAgnt -- (Gteko Ltd.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Professional

"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data

"{0A0873E1-D9BA-4994-B85D-A0A331EF1F0C}" = Intel® PRO Network Connections

"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE

"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA

"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up

"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer

"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Roxio MyDVD LE

"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer

"{238B8820-011B-11D6-9C28-0080C85A0C2D}" = Microtek LightLid 35 Calibrator

"{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java 6 Update 11

"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager

"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10

"{33CFCF98-F8D6-4549-B469-6F4295676D83}" = Symantec AntiVirus

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{3EBD3749-304E-4A4C-9575-C00E5F015217}" = Apple Mobile Device Support

"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = URL Assistant

"{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}" = Dell CinePlayer

"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool

"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module

"{621FCD24-4498-4324-A81E-07D331376EDF}" = PixiePack Codec Pack

"{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}" = PartitionMagic

"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{7ADE3A47-B425-45E9-8FF6-11BE2B775645}" = Corel Snapfire Plus

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{902C002A-60F8-45BD-9EFF-4DE38C99C51B}" = Eudora

"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager

"{93A1B09E-BAFA-4628-A5B6-921CB026955A}" = Corel Paint Shop Pro Photo XI

"{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}" = QuickTime

"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio

"{AC76BA86-7AD7-1033-7B44-A70800000002}" = Adobe Reader 7.0.8

"{B045B608-4A47-4C77-9EAD-06C394503306}" = iTunes

"{B08D262E-D902-11D5-9C28-0080C85A0C2D}" = ScanWizard 5

"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy

"{B1D89E54-08B1-4542-A69B-E634AEF10A40}" = Seagate Manager Installer

"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy

"{B702CCCE-3176-4DBF-B932-D1B8F402F330}" = Digital Content Portal

"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update

"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{CEE2252C-4035-4B27-8EC6-0B085DD3A413}" = Dell Support 3.2.1

"{F51251E6-FF62-48D0-9F87-149F48CDE46C}" = OKI C5100 Digitally Signed Driver

"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"Alarm_is1" = Alarm 2.0.1

"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.3

"ColorMania_is1" = ColorMania 2.4

"DVD Identifier_is1" = DVD Identifier

"HDMI" = Intel® Graphics Media Accelerator Driver

"HijackThis" = HijackThis 2.0.2

"InstallShield_{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}" = PowerQuest PartitionMagic 8.0

"LiveUpdate" = LiveUpdate 3.1 (Symantec Corporation)

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)

"Mozilla Thunderbird (2.0.0.23)" = Mozilla Thunderbird (2.0.0.23)

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"MSMONEYV50" = Microsoft Money 5.0

"Multimedia Xplorer 2" = Multimedia Xplorer 2

"MyEntunnel" = MyEntunnel (remove only)

"Registry Crawler" = Registry Crawler

"SBC.MCCInstall" = SBC Self Support Tool

"SearchAssist" = SearchAssist

"TaxACT 2000" = TaxACT 2000

"TaxACT 2001" = TaxACT 2001

"TaxACT 2002" = TaxACT 2002

"TaxACT 2003" = TaxACT 2003

"TaxACT 2004" = TaxACT 2004

"TaxACT 2005" = TaxACT 2005

"TaxACT 2006" = TaxACT 2006

"TaxACT 2007" = TaxACT 2007

"TaxACT 2008" = TaxACT 2008

"TaxACT 2008 Illinois" = TaxACT 2008 Illinois

"TaxACT 2009" = TaxACT 2009

"TaxACT Illinois 2003" = TaxACT Illinois 2003

"TaxACT Illinois 2004" = TaxACT Illinois 2004

"TaxACT Illinois 2005" = TaxACT Illinois 2005

"TaxACT Illinois 2006" = TaxACT Illinois 2006

"TaxACT Illinois 2007" = TaxACT Illinois 2007

"Tera Term Pro" = Tera Term Pro

"Tera Term_is1" = Tera Term 4.62

"TextPad 4" = TextPad 4

"Ulead iPhoto Express 1.1" = Ulead iPhoto Express 1.1

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows XP Service Pack" = Windows XP Service Pack 3

"WinRAR archiver" = WinRAR archiver

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

"YInstHelper" = Yahoo! Install Manager

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"GoToMeeting" = GoToMeeting/GoToWebinar 3.0.0.198

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 11/19/2009 2:28:06 AM | Computer Name = TUCKER | Source = WinDefendRtp | ID = 3003

Description = %%827 Real-Time Protection checkpoint has encountered an error and

failed to start. User: TUCKER\Bill Entwistle Checkpoint ID: 1 Error Code: 0x8000ffff

Error

description: Catastrophic failure

Error - 11/19/2009 2:45:31 AM | Computer Name = TUCKER | Source = Symantec AntiVirus | ID = 16711726

Description = Security Risk Found!Risk: Downloader.MisleadApp in File: C:\Documents

and Settings\Bill Entwistle\Local Settings\Temporary Internet Files\Content.IE5\YH16FMXW\op[1].exe

by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description:

Error - 11/19/2009 2:45:31 AM | Computer Name = TUCKER | Source = Symantec AntiVirus | ID = 16711685

Description = Risk Found!Risk: Downloader.MisleadApp in File: C:\Documents and Settings\Bill

Entwistle\Local Settings\Temporary Internet Files\Content.IE5\YH16FMXW\op[1].exe

by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description:

Error - 11/19/2009 2:45:45 AM | Computer Name = TUCKER | Source = Symantec AntiVirus | ID = 16711731

Description = Security Risk Found!Risk: Downloader.MisleadApp in File: C:\Documents

and Settings\Bill Entwistle\Local Settings\Temporary Internet Files\Content.IE5\YH16FMXW\op[1].exe

by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description:

Error - 11/19/2009 3:38:19 AM | Computer Name = TUCKER | Source = WinDefendRtp | ID = 3003

Description = %%827 Real-Time Protection checkpoint has encountered an error and

failed to start. User: TUCKER\Bill Entwistle Checkpoint ID: 1 Error Code: 0x80070005

Error

description: Access is denied.

Error - 11/19/2009 3:38:19 AM | Computer Name = TUCKER | Source = WinDefendRtp | ID = 3003

Description = %%827 Real-Time Protection checkpoint has encountered an error and

failed to start. User: TUCKER\Bill Entwistle Checkpoint ID: 1 Error Code: 0x8000ffff

Error

description: Catastrophic failure

Error - 11/20/2009 3:11:18 AM | Computer Name = TUCKER | Source = WinDefendRtp | ID = 3003

Description = %%827 Real-Time Protection checkpoint has encountered an error and

failed to start. User: TUCKER\Bill Entwistle Checkpoint ID: 1 Error Code: 0x80070005

Error

description: Access is denied.

Error - 11/20/2009 3:11:18 AM | Computer Name = TUCKER | Source = WinDefendRtp | ID = 3003

Description = %%827 Real-Time Protection checkpoint has encountered an error and

failed to start. User: TUCKER\Bill Entwistle Checkpoint ID: 1 Error Code: 0x8000ffff

Error

description: Catastrophic failure

Error - 11/20/2009 10:48:38 AM | Computer Name = TUCKER | Source = MPSampleSubmission | ID = 5000

Description = EventType avsubmit, P1 windefend, P2 1.1.5302.0, P3 unspecified, P4

1.71.26.0, P5 trojan_win32_vundo.gen!g, P6 NIL, P7 NIL, P8 NIL, P9 NIL, P10 NIL.

Error - 11/21/2009 2:45:54 AM | Computer Name = TUCKER | Source = Application Error | ID = 1000

Description = Faulting application , version 0.0.0.0, faulting module unknown, version

0.0.0.0, fault address 0x00000000.

[ System Events ]

Error - 11/19/2009 12:43:49 AM | Computer Name = TUCKER | Source = Service Control Manager | ID = 7000

Description = The mcmscsvc service failed to start due to the following error: %%3

Error - 11/19/2009 12:43:49 AM | Computer Name = TUCKER | Source = Service Control Manager | ID = 7000

Description = The McNASvc service failed to start due to the following error: %%3

Error - 11/19/2009 3:38:37 AM | Computer Name = TUCKER | Source = Service Control Manager | ID = 7000

Description = The mcmscsvc service failed to start due to the following error: %%3

Error - 11/19/2009 3:38:37 AM | Computer Name = TUCKER | Source = Service Control Manager | ID = 7000

Description = The McNASvc service failed to start due to the following error: %%3

Error - 11/19/2009 8:52:27 PM | Computer Name = TUCKER | Source = iaStor | ID = 262153

Description = The device, \Device\Ide\iaStor0, did not respond within the timeout

period.

Error - 11/20/2009 3:11:08 AM | Computer Name = TUCKER | Source = Service Control Manager | ID = 7000

Description = The mcmscsvc service failed to start due to the following error: %%3

Error - 11/20/2009 3:11:08 AM | Computer Name = TUCKER | Source = Service Control Manager | ID = 7000

Description = The McNASvc service failed to start due to the following error: %%3

Error - 11/20/2009 3:11:18 AM | Computer Name = TUCKER | Source = ipnathlp | ID = 32003

Description = The Network Address Translator (NAT) was unable to request an operation

of

the kernel-mode translation module. This may indicate misconfiguration, insufficient

resources, or an internal error. The data is the error code.

Error - 11/21/2009 2:47:55 AM | Computer Name = TUCKER | Source = Service Control Manager | ID = 7000

Description = The mcmscsvc service failed to start due to the following error: %%3

Error - 11/21/2009 2:47:55 AM | Computer Name = TUCKER | Source = Service Control Manager | ID = 7000

Description = The McNASvc service failed to start due to the following error: %%3

< End of report >

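An added example (my own Python, not part of the thread or of OTL): a small triage script that parses the "Last 10 Event Log Errors" layout in the report above, re-joins the wrapped Description lines (treating the lone "Error" fragment as a continuation rather than a new entry), extracts the Symantec detection and the Windows Defender real-time-protection failure, and counts entries per Source/ID. The sample text is constructed from entries in the report above.

```python
import re
from collections import Counter

# Constructed sample in the layout of OTL's "Last 10 Event Log Errors" section,
# built from the report above; note the wrapped Description lines and the bare
# "Error" fragment that is NOT a new entry.
SAMPLE = """\
[ Application Events ]
Error - 11/19/2009 2:45:31 AM | Computer Name = TUCKER | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Risk: Downloader.MisleadApp in File: C:\\Documents
and Settings\\Bill Entwistle\\Local Settings\\Temporary Internet Files\\Content.IE5\\YH16FMXW\\op[1].exe
by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description:
Error - 11/19/2009 3:38:19 AM | Computer Name = TUCKER | Source = WinDefendRtp | ID = 3003
Description = %%827 Real-Time Protection checkpoint has encountered an error and
failed to start. User: TUCKER\\Bill Entwistle Checkpoint ID: 1 Error Code: 0x80070005
Error
description: Access is denied.
[ System Events ]
Error - 11/19/2009 12:43:49 AM | Computer Name = TUCKER | Source = Service Control Manager | ID = 7000
Description = The mcmscsvc service failed to start due to the following error: %%3
"""

SECTION = re.compile(r"^\[ (?P<name>.+?) \]$")
HEADER = re.compile(
    r"^Error - (?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \| "
    r"Computer Name = (?P<host>[^|]+?) \| Source = (?P<source>[^|]+?) \| ID = (?P<id>\d+)$"
)
RISK = re.compile(r"Risk: (?P<name>\S+) in File: (?P<path>.+?) by: ")
CODE = re.compile(r"Error Code: (0x[0-9A-Fa-f]+)")

def parse_events(text):
    # One dict per "Error - ..." header; wrapped Description text is re-joined.
    events, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section, cur = m["name"], None
            continue
        m = HEADER.match(line)
        if m:
            cur = {"section": section, "when": m["when"], "host": m["host"],
                   "source": m["source"], "id": int(m["id"]), "description": ""}
            events.append(cur)
            continue
        if cur is not None:
            # Anything else (including a lone "Error") is a wrapped continuation line.
            body = line[len("Description = "):] if line.startswith("Description = ") else line
            cur["description"] = (cur["description"] + " " + body).strip()
    return events

def triage(events):
    # AV detections plus real-time-protection failures; "Access is denied" on the
    # latter is a classic sign of tampering with security tooling and merits a second look.
    findings = []
    for ev in events:
        desc = ev["description"]
        if ev["source"] == "Symantec AntiVirus":
            m = RISK.search(desc)
            if m:
                findings.append(("av-detection", m["name"], m["path"]))
        elif ev["source"] == "WinDefendRtp" and ev["id"] == 3003:
            m = CODE.search(desc)
            findings.append(("rtp-failure", m.group(1) if m else "?", ev["when"]))
    return findings

def summarize(events):
    # Count entries per (Source, ID) so repeated noise is easy to spot.
    return Counter((ev["source"], ev["id"]) for ev in events)
```
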
I would suggest maybe one more scan if all is well, then you should be good to go.

The below scan can take up to an hour or longer, please be patient.

*Note

It is recommended to disable your onboard antivirus program and antispyware programs while performing scans so there are no conflicts and to speed up scan time.

Please don't go surfing while your resident protection is disabled!

Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Please do a scan with Kaspersky Online Scanner or from here

http://www.kaspersky.com/virusscanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall.)
    * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Once the scan is complete, click on View scan report. To obtain the report:

Click on: Save Report As

Next, in the Save as prompt, Save in area, select: Desktop

In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select:

Text file [*.txt]

Then, click: Save

Please post the Kaspersky Online Scanner Report in your reply.

Animated tutorial

http://i275.photobucket.com/albums/jj285/B...ng/KAS/KAS9.gif

(Note: for Internet Explorer 7 users:

If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)

Or use Firefox with IE-Tab plugin

https://addons.mozilla.org/en-US/firefox/addon/1419

In your next reply post:

Kaspersky log

I'm having trouble getting it to run. It downloaded all of the virus definitions, then I clicked My Computer, and it started the scan but it went nowhere. After 50-some minutes, the progress was still at 0% and the number of files scanned at 0. I reloaded the page and tried again. After 30 minutes, no action.

I've completely turned off Symantec, killed the teatimer.exe process that is the active component of Spybot, and turned off the real-time component of Windows Defender. My fourth malware product is Malwarebytes and it doesn't have an active component.

How important do you think this scan is?

The Kaspersky Online Scanner is known to "hiccup" on some machines. We can try another.

Eset Online Scanner

Run with Internet Explorer

  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button, or click the notification bar at the top of the window and choose to install.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.

Can you tell me if the 80+ meg of files that Kaspersky downloaded would be lying around somewhere? If so, I would like to delete them but I have no idea where they're stored. I had to kill the session with task manager to get rid of it (clicking the Stop Scanning link didn't work), so I don't know what state things were left in.

Also, I tried to uninstall combofix by running "combofix /u" from the command line, but instead of uninstalling, it updated itself and ran a new scan. I can post the log here if you're interested. Is there a way to uninstall combofix?

Regarding Eset, it requires Internet Explorer. I had IE6 installed but wasn't using it. I thought I would do the right thing and upgrade to IE7 or IE8 for better security before installing Eset. But for some reason, I can't get that to install. It goes through all the motions of installing IE8, reboots the computer, etc., but there is no icon, or start menu item, or even the executable in Program Files\Internet Explorer. There's only a small number of files in the IE folder. I am now stuck in limbo where IE6 is gone and I can't get any version of IE installed and running. Argh. So until I get that sorted out, I won't be able to run Eres.

Can you tell me if the 80+ meg of files that Kaspersky downloaded would be lying around somewhere? If so, I would like to delete them but I have no idea where they're stored. I had to kill the session with task manager to get rid of it (clicking the Stop Scanning link didn't work), so I don't know what state things were left in.

I believe they are only stored in a temp folder, so that should clean them out. But I'll look into it to make sure.

Also, I tried to uninstall combofix by running "combofix /u" from the command line, but instead of uninstalling, it updated itself and ran a new scan. I can post the log here if you're interested. Is there a way to uninstall combofix?

That was changed by sUBs some time ago. The new switch is: Combofix /Uninstall

Regarding Eset, it requires Internet Explorer. I had IE6 installed but wasn't using it. I thought I would do the right thing and upgrade to IE7 or IE8 for better security before installing Eset. But for some reason, I can't get that to install. It goes through all the motions of installing IE8, reboots the computer, etc., but there is no icon, or start menu item, or even the executable in Program Files\Internet Explorer. There's only a small number of files in the IE folder. I am now stuck in limbo where IE6 is gone and I can't get any version of IE installed and running. Argh. So until I get that sorted out, I won't be able to run Eres.

Did you try going to IE7 first, or straight to IE8? There could be many reasons why these updates could fail... :(

It was a bit torturous, but I finally got IE7 installed (and functioning). I haven't run Eset yet. But I did run the combofix uninstall option that you suggested and it said that it uninstalled itself. But now, when I look at my disk system, I see a directory called Combofix, which appears to contain my entire disk system within it, recursively. It acts like a Unix symlink. I've uploaded an image of it. Is it safe to delete this folder??

Also, I'm not sure, but I think combofix might still be loading something at startup. After I log in, I see a small window in the middle of the screen appear and disappear instantly. I can't tell what it is, but it appears to have a green icon in the upper-left corner, which if I'm not mistaken, combofix also had. How would I determine what this is?

I ran ESET and it found two threats -- the Win32/Olmarik.PY virus in two e-mail folders. It turns out that they were two copies of the iastor.sys file that you requested that I send to Bleeping Computer. I deleted the e-mails and compacted my e-mail folders, so that should be that.

By the way, I determined that the little dialog box that pops up and disappears in a blink on bootup is caused by a Seagate driver for my Free Agent external 500g hard drive. I tried disabling various resident programs via msconfig until I found one that made the dialog box go away.

Hi and sorry for the delay in getting back to you here. Busy holidays here...

So how's it running overall?

If all is good we should do some cleanup. You've already uninstalled combofix.

To remove OTL and most of the other tools we used just run it and click on the Cleanup button. You can also delete any other tools we used that OTL doesn't take care of.

Let me know how it's going.

I ran the cleanup. As far as I can tell, everything is working well.

I really appreciate your help and commitment to seeing it through. I'm so glad I didn't have to reinstall all of my applications. Thanks for putting up with my sometimes non-germane questions.

A friend had insisted that I could take my computer to a local venue and they would fix it up in a couple of hours. I really doubted it, and I had many reservations. Even though it took a long time, I'm glad I didn't. I learned a lot about my security tools and how things work. I was only vaguely aware of msconfig, for example. I should be quicker to notice if any of my tools get disabled in the future.

Thanks again. Hope you're enjoying your Thanksgiving holiday.

I'm glad things worked out and we didn't have to re-install Windows and all your apps.

A friend had insisted that I could take my computer to a local venue and they would fix it up in a couple of hours

I doubt it too, unless they were really on top of the new infections out there right now. These new infections are absolutely nasty (as we saw) and for most of the repair shops it is quicker for them to simply re-install Windows (which you could do yourself). For them time is money, and that's their priority.

I would also like to thank the developer of combofix, sUBs, here for his help behind the scenes in getting you up and running again. You may not have seen or known it but you had some of the top people in the world in this area working on your PC.

Before we close out let's do a little security check.

Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Here you go.

Results of screen317's Security Check version 0.99.1

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

Symantec AntiVirus

Antivirus up to date!

``````````````````````````````

Anti-malware/Other Utilities Check:

Spybot - Search & Destroy

Windows Defender

HijackThis 2.0.2

Java 6 Update 11

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 7.0.8

Out of date Adobe Reader installed!

``````````````````````````````

Process Check:

objlist.exe by Laurent

Windows Defender MSMpEng.exe

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

As you can see a couple programs need updating.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:

  • Download the latest version of Java SE Runtime Environment (JRE), JRE 6 Update 17.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u17-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u17-windows-i586-p.exe and select "Run as an Administrator.")

Also, head over to Adobe to update your reader.

In addition to updating and using what you currently have you may want to consider the following:

Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some free and evaluation versions that provide better security than the Windows Firewall.

Online-Armor
Outpost Firewall

For a tutorial on Firewalls and a listing of some other available ones see the link below:

Understanding and Using Firewalls

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware

Install Winpatrol -

Use Winpatrol to take control of your PC and provide another layer of security.

Help file and tutorial can be found Here

Block unwanted parasites with a custom hosts file -

http://www.mvps.org/winhelp2002/hosts.htm

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly or set your computer to receive automatic updates. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Update all of your Anti-Malware programs regularly - Make sure you update all the programs I have listed and the ones you are currently running regularly. Without regular updates you Will Not be protected when new malicious programs are released.

Keep your applications up to date -

Use Secunia Personal Software Inspector to help stay on top of application updates that could leave your PC vulnerable to attack.

I'll leave the thread open a few days in case you have questions or issues.

Regards,

Dave
