Jump to content

Roque.Antivir and othre problems


ghnew1

Recommended Posts

Cought some virus. Sometimes I have to reboot since it gets hung. Symantec did not find anything. Malwarebytes found Roque.Antivir and supposetly got rid of that. But there are strange things going on, like I need to reboot because sometimes it does not do anything anymore.

Also I use remote desktop connection and it can't find mstsc.exe anymore. So I can't use it.

Something is seriously wrong with my PC. Can you help?

Link to post
Share on other sites

Hello ,

And :) My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:

    [*]Save it to your desktop.

    [*]Double click on the otlDesktopIcon.png icon on your desktop.

    [*]Click the "Scan All Users" checkbox.

    [*]Push the Quick Scan button.

    [*]Two reports will open, copy and paste them in a reply here:

    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop

  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop

Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning it is ok, just ignore: "Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"

-------------------------------------------------------------

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

Link to post
Share on other sites

Thanks for the response

Here are the log files: 2 OTL followed by RKU

OTL logfile created on: 9/5/2010 10:36:40 AM - Run 1

OTL by OldTimer - Version 3.2.11.0 Folder = C:\download\virus\virus

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 75.00% Memory free

5.00 Gb Paging File | 4.00 Gb Available in Paging File | 88.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files

Drive C: | 232.82 Gb Total Space | 162.22 Gb Free Space | 69.67% Space Free | Partition Type: NTFS

Drive D: | 1.41 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

Drive G: | 37.24 Gb Total Space | 1.34 Gb Free Space | 3.59% Space Free | Partition Type: NTFS

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: GXH-HOME

Current User Name: gxh

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 90 Days

Output = Standard

Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/09/05 10:36:21 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\download\virus\virus\OTL.exe

PRC - [2010/06/16 17:20:50 | 000,624,056 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

PRC - [2010/03/28 15:24:20 | 000,364,544 | ---- | M] (Western Digital Technologies, Inc.) -- C:\WINNT\system32\WDBtnMgr.exe

PRC - [2009/09/29 09:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

PRC - [2009/06/22 15:21:40 | 001,044,480 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe

PRC - [2009/04/11 15:04:57 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

PRC - [2009/03/25 10:04:20 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

PRC - [2009/03/12 04:00:26 | 000,233,472 | ---- | M] (AVAYA Communication) -- C:\Program Files\Avaya\Avaya one-X Communicator\QosServM.exe

PRC - [2008/11/13 14:06:30 | 000,541,976 | ---- | M] (PIXELA CORPORATION) -- C:\Program Files\PIXELA\Everio MediaBrowser HD Edition\MBCameraMonitor.exe

PRC - [2008/07/23 09:56:14 | 002,054,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

PRC - [2008/07/23 09:56:12 | 000,174,616 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\LMS.exe

PRC - [2008/04/14 06:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe

PRC - [2007/10/26 14:28:06 | 001,524,512 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

PRC - [2007/06/06 14:25:22 | 000,125,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe

PRC - [2007/06/06 14:23:46 | 001,821,376 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe

PRC - [2007/06/06 14:22:34 | 000,031,424 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe

PRC - [2007/05/29 17:33:36 | 000,169,576 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

PRC - [2007/05/29 17:33:26 | 000,192,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

PRC - [2007/05/29 17:33:22 | 000,052,840 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe

PRC - [2007/01/10 17:27:38 | 001,160,792 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

PRC - [2005/04/28 03:22:52 | 000,102,400 | ---- | M] () -- C:\Program Files\Dell Photo AIO Printer 942\dlbubmon.exe

PRC - [2005/04/28 03:08:14 | 000,294,912 | ---- | M] () -- C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe

PRC - [2004/07/27 10:08:22 | 000,262,144 | ---- | M] () -- C:\Program Files\Dell Photo AIO Printer 942\memcard.exe

========== Modules (SafeList) ==========

MOD - [2010/09/05 10:36:21 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\download\virus\virus\OTL.exe

MOD - [2008/04/14 06:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)

SRV - [2009/10/20 21:52:24 | 000,054,272 | ---- | M] (SolarWinds) [On_Demand | Stopped] -- C:\Program Files\SolarWinds\TFTPServer\SolarWinds TFTP Server.exe -- (SolarWinds TFTP Server)

SRV - [2009/09/29 09:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)

SRV - [2009/03/25 10:04:20 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)

SRV - [2009/03/12 04:00:26 | 000,233,472 | ---- | M] (AVAYA Communication) [Auto | Running] -- C:\Program Files\Avaya\Avaya one-X Communicator\QosServM.exe -- (iClarityQoSService)

SRV - [2008/07/23 09:56:14 | 002,054,680 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe -- (UNS) Intel®

SRV - [2008/07/23 09:56:12 | 000,174,616 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\AMT\LMS.exe -- (LMS) Intel®

SRV - [2008/05/20 04:00:00 | 000,757,792 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINNT\system32\CCM\CcmExec.exe -- (CcmExec)

SRV - [2008/05/20 04:00:00 | 000,249,888 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\System32\CCM\TSManager.exe -- (smstsmgr)

SRV - [2007/10/26 14:28:06 | 001,524,512 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)

SRV - [2007/08/28 20:04:25 | 002,999,664 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)

SRV - [2007/06/06 14:23:46 | 001,821,376 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)

SRV - [2007/06/06 14:22:34 | 000,031,424 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)

SRV - [2007/05/29 17:33:36 | 000,169,576 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)

SRV - [2007/05/29 17:33:26 | 000,192,104 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)

SRV - [2007/01/10 17:27:38 | 001,160,792 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)

SRV - [2005/04/25 17:34:12 | 000,466,944 | ---- | M] (Dell) [On_Demand | Stopped] -- C:\WINNT\System32\dlbucoms.exe -- (dlbu_device)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\gxh\LOCALS~1\Temp\catchme.sys -- (catchme)

DRV - [2010/07/15 01:00:00 | 001,362,608 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100903.004\navex15.sys -- (NAVEX15)

DRV - [2010/07/15 01:00:00 | 000,085,424 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100903.004\naveng.sys -- (NAVENG)

DRV - [2010/06/11 01:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)

DRV - [2010/05/28 01:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)

DRV - [2010/04/15 18:57:19 | 000,038,976 | ---- | M] (microOLAP Technologies LTD) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\pssdk42.sys -- (PSSDK42)

DRV - [2010/03/02 21:21:08 | 004,630,016 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ati2mtag.sys -- (ati2mtag)

DRV - [2010/01/23 19:12:13 | 000,110,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\SYMEVENT.SYS -- (SymEvent)

DRV - [2009/05/18 14:26:54 | 000,339,456 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)

DRV - [2008/09/11 10:52:48 | 006,047,904 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\igxpmp32.sys -- (ialm)

DRV - [2008/07/23 09:42:30 | 000,040,832 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\HECI.sys -- (HECI) Intel®

DRV - [2008/07/22 16:14:38 | 000,144,992 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\e1k5132.sys -- (e1kexpress) Intel®

DRV - [2008/07/20 17:44:44 | 000,324,120 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\iaStor.sys -- (iastor)

DRV - [2008/05/20 04:00:00 | 000,023,584 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\CCM\PrepDrv.sys -- (prepdrvr)

DRV - [2008/04/14 00:06:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\amdagp.sys -- (amdagp)

DRV - [2008/04/14 00:06:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\sisagp.sys -- (sisagp)

DRV - [2008/04/13 23:06:06 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\hdaudbus.sys -- (HDAudBus)

DRV - [2008/04/08 17:27:04 | 000,012,448 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\smsmdm.sys -- (smsmdd)

DRV - [2008/03/28 12:14:02 | 000,024,064 | ---- | M] (Sonic Focus, Inc) [Kernel | Boot | Running] -- C:\WINNT\system32\drivers\sfaudio.sys -- (SFAUDIO)

DRV - [2007/10/26 14:27:00 | 000,306,300 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINNT\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)

DRV - [2007/01/31 13:45:06 | 000,127,376 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\dne2000.sys -- (DNE)

DRV - [2007/01/18 16:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\CVirtA.sys -- (CVirtA)

DRV - [2007/01/10 17:27:26 | 000,390,744 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)

DRV - [2006/09/06 15:41:20 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)

DRV - [2006/09/06 15:41:20 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)

DRV - [2005/01/26 10:22:20 | 000,280,344 | ---- | M] (Zone Labs LLC) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\vsdatant.sys -- (vsdatant)

DRV - [2001/08/17 14:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\sparrow.sys -- (Sparrow)

DRV - [2001/08/17 14:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\sym_u3.sys -- (sym_u3)

DRV - [2001/08/17 14:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\sym_hi.sys -- (sym_hi)

DRV - [2001/08/17 14:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\symc8xx.sys -- (symc8xx)

DRV - [2001/08/17 14:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\symc810.sys -- (symc810)

DRV - [2001/08/17 13:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\ultra.sys -- (ultra)

DRV - [2001/08/17 13:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\ql12160.sys -- (ql12160)

DRV - [2001/08/17 13:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\ql1080.sys -- (ql1080)

DRV - [2001/08/17 13:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\ql1280.sys -- (ql1280)

DRV - [2001/08/17 13:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)

DRV - [2001/08/17 13:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\mraid35x.sys -- (mraid35x)

DRV - [2001/08/17 13:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\asc.sys -- (asc)

DRV - [2001/08/17 13:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\asc3550.sys -- (asc3550)

DRV - [2001/08/17 13:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\aliide.sys -- (AliIde)

DRV - [2001/08/17 13:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINNT\system32\DRIVERS\cmdide.sys -- (CmdIde)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://today.slac.stanford.edu/

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://today.slac.stanford.edu/

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-395820274-3051342167-180645541-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm

IE - HKU\S-1-5-21-395820274-3051342167-180645541-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

IE - HKU\S-1-5-21-395820274-3051342167-180645541-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-395820274-3051342167-180645541-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21

FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/06/27 21:48:30 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/26 21:35:47 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/08 17:36:46 | 000,000,000 | ---D | M]

[2010/01/22 12:59:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\gxh\Application Data\Mozilla\Extensions

[2010/09/02 23:41:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\gxh\Application Data\Mozilla\Firefox\Profiles\3ltmo7p5.default\extensions

[2010/07/26 21:37:43 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\gxh\Application Data\Mozilla\Firefox\Profiles\3ltmo7p5.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2010/09/02 23:41:42 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2010/08/08 16:51:05 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

[2010/08/08 16:50:56 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/07/26 22:21:01 | 000,000,027 | ---- | M]) - C:\WINNT\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)

O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)

O2 - BHO: (AvayaIEHlprObj Class) - {E6DF0B46-7D6F-407A-A6A2-62D17A021A9A} - C:\Program Files\Avaya\Avaya one-X Communicator\AvayaIEHelper.dll (Avaya)

O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)

O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKU\S-1-5-21-395820274-3051342167-180645541-1009\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

O3 - HKU\S-1-5-21-395820274-3051342167-180645541-1009\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)

O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)

O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)

O4 - HKLM..\Run: [Dell Photo AIO Printer 942] C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe ()

O4 - HKLM..\Run: [DellMCM] C:\Program Files\Dell Photo AIO Printer 942\memcard.exe ()

O4 - HKLM..\Run: [DLBUCATS] C:\WINNT\System32\spool\DRIVERS\W32X86\3\DLBUtime.DLL ()

O4 - HKLM..\Run: [picon] C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe (Intel Corporation)

O4 - HKLM..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)

O4 - HKLM..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)

O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)

O4 - HKLM..\Run: [WD Button Manager] C:\WINNT\System32\WDBtnMgr.exe (Western Digital Technologies, Inc.)

O4 - HKU\S-1-5-21-395820274-3051342167-180645541-1009..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Camera Monitor HD.lnk = C:\Program Files\PIXELA\Everio MediaBrowser HD Edition\MBCameraMonitor.exe (PIXELA CORPORATION)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINNT\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico ()

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-395820274-3051342167-180645541-1009\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-395820274-3051342167-180645541-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-21-395820274-3051342167-180645541-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-21-395820274-3051342167-180645541-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O9 - Extra Button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O15 - HKU\.DEFAULT\..Trusted Domains: bis-dev ([]http in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: bis-dev ([]https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: exch-mail ([]https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: idoc ([]http in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: idoc ([]https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: localhost ([]* in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: mdweb ([]https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: oraweb ([]https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: psoft-fstgren2 ([]http in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: psoft-fstgren2 ([]https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([*.slac] * in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([*.slac] http in Trusted sites)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([*.slac] https in Trusted sites)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([*.win.slac] http in Trusted sites)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([*.win.slac] https in Trusted sites)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([bis-dev.slac] http in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([bis-dev.slac] https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([exch-mail.slac] https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([idoc.slac] http in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([idoc.slac] https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([mdweb.slac] https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([oraweb.slac] https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([psoft-fstgren2.win.slac] http in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([psoft-fstgren2.win.slac] https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([today.slac] http in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([today.slac] https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([webtest.slac] https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([www2.slac] http in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([www-bis.slac] http in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([www-bis.slac] https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([www-conf.slac] http in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([www-doc.slac] https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([www-glast.slac] http in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([www-glast.slac] https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([www-internal.slac] https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([www-mail.slac] https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([www-project.slac] http in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([www-public.slac] http in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([www-remedy2.slac] https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([www-sslonly.slac] https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([www-user.slac] http in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([xweb.slac] http in Trusted sites)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([xweb.slac] https in Trusted sites)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([xweb.win.slac] http in Trusted sites)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([xweb.win.slac] https in Trusted sites)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([xweb2.win.slac] * in Trusted sites)

O15 - HKU\.DEFAULT\..Trusted Domains: stanford.edu ([xweb2.win.slac] https in Trusted sites)

O15 - HKU\.DEFAULT\..Trusted Domains: today ([]http in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: today ([]https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: web001 ([]file in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: web002 ([]file in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: web003 ([]file in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: web004 ([]file in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: web005 ([]file in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: web006 ([]file in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: web007 ([]file in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: webtest ([]https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: www-bis ([]https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: www-doc ([]https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: www-glast ([]https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: www-internal ([]https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: www-mail ([]https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: www-remedy2 ([]https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: www-sslonly ([]https in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: xweb ([]http in Trusted sites)

O15 - HKU\.DEFAULT\..Trusted Domains: xweb ([]https in Trusted sites)

O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([*] in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: bis-dev ([]http in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: bis-dev ([]https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: exch-mail ([]https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: idoc ([]http in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: idoc ([]https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: localhost ([]* in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: mdweb ([]https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: oraweb ([]https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: psoft-fstgren2 ([]http in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: psoft-fstgren2 ([]https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([*.slac] * in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([*.slac] http in Trusted sites)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([*.slac] https in Trusted sites)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([*.win.slac] http in Trusted sites)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([*.win.slac] https in Trusted sites)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([bis-dev.slac] http in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([bis-dev.slac] https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([exch-mail.slac] https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([idoc.slac] http in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([idoc.slac] https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([mdweb.slac] https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([oraweb.slac] https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([psoft-fstgren2.win.slac] http in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([psoft-fstgren2.win.slac] https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([today.slac] http in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([today.slac] https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([webtest.slac] https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([www2.slac] http in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([www-bis.slac] http in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([www-bis.slac] https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([www-conf.slac] http in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([www-doc.slac] https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([www-glast.slac] http in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([www-glast.slac] https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([www-internal.slac] https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([www-mail.slac] https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([www-project.slac] http in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([www-public.slac] http in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([www-remedy2.slac] https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([www-sslonly.slac] https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([www-user.slac] http in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([xweb.slac] http in Trusted sites)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([xweb.slac] https in Trusted sites)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([xweb.win.slac] http in Trusted sites)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([xweb.win.slac] https in Trusted sites)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([xweb2.win.slac] * in Trusted sites)

O15 - HKU\S-1-5-18\..Trusted Domains: stanford.edu ([xweb2.win.slac] https in Trusted sites)

O15 - HKU\S-1-5-18\..Trusted Domains: today ([]http in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: today ([]https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: web001 ([]file in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: web002 ([]file in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: web003 ([]file in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: web004 ([]file in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: web005 ([]file in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: web006 ([]file in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: web007 ([]file in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: webtest ([]https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: www-bis ([]https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: www-doc ([]https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: www-glast ([]https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: www-internal ([]https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: www-mail ([]https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: www-remedy2 ([]https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: www-sslonly ([]https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: xweb ([]http in Trusted sites)

O15 - HKU\S-1-5-18\..Trusted Domains: xweb ([]https in Trusted sites)

O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([*] in Local intranet)

O15 - HKU\S-1-5-21-395820274-3051342167-180645541-1009\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab (F-Secure Online Scanner Launcher)

O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2...78f/wvc1dmo.cab (Reg Error: Key error.)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1237491250312 (WUWebControl Class)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1238002861267 (MUWebControl Class)

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://ilc.webex.com/client/T26L/webex/ieatgpc.cab (GpcContainer Class)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.76.182 68.87.78.134

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINNT\System32\ati2evxx.dll (ATI Technologies Inc.)

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINNT\System32\igfxdev.dll (Intel Corporation)

O20 - Winlogon\Notify\NavLogon: DllName - C:\WINNT\system32\NavLogon.dll - C:\WINNT\system32\NavLogon.dll (Symantec Corporation)

O20 - Winlogon\Notify\polsumgr: DllName - sdmngr.dll - C:\WINNT\System32\sdmngr.dll (AutoProf

Link to post
Share on other sites

OTL Extras logfile created on: 9/5/2010 10:36:40 AM - Run 1

OTL by OldTimer - Version 3.2.11.0 Folder = C:\download\virus\virus

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 75.00% Memory free

5.00 Gb Paging File | 4.00 Gb Available in Paging File | 88.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files

Drive C: | 232.82 Gb Total Space | 162.22 Gb Free Space | 69.67% Space Free | Partition Type: NTFS

Drive D: | 1.41 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

Drive G: | 37.24 Gb Total Space | 1.34 Gb Free Space | 3.59% Space Free | Partition Type: NTFS

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: GXH-HOME

Current User Name: gxh

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 90 Days

Output = Standard

Quick Scan

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-395820274-3051342167-180645541-1009\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"427:TCP" = 427:TCP:LocalSubNet:Enabled:SLP_Port(427)_TCP

"427:UDP" = 427:UDP:LocalSubNet:Enabled:SLP_Port(427)_UDP

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"DoNotAllowExceptions" = 0

"EnableFirewall" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

"135:TCP" = 135:TCP:*:Enabled:TCP Port 135

"5000:TCP" = 5000:TCP:*:Enabled:TCP Port 5000

"5001:TCP" = 5001:TCP:*:Enabled:TCP Port 5001

"5002:TCP" = 5002:TCP:*:Enabled:TCP Port 5002

"5003:TCP" = 5003:TCP:*:Enabled:TCP Port 5003

"5004:TCP" = 5004:TCP:*:Enabled:TCP Port 5004

"5005:TCP" = 5005:TCP:*:Enabled:TCP Port 5005

"5006:TCP" = 5006:TCP:*:Enabled:TCP Port 5006

"5007:TCP" = 5007:TCP:*:Enabled:TCP Port 5007

"5008:TCP" = 5008:TCP:*:Enabled:TCP Port 5008

"5009:TCP" = 5009:TCP:*:Enabled:TCP Port 5009

"5010:TCP" = 5010:TCP:*:Enabled:TCP Port 5010

"5011:TCP" = 5011:TCP:*:Enabled:TCP Port 5011

"5012:TCP" = 5012:TCP:*:Enabled:TCP Port 5012

"5013:TCP" = 5013:TCP:*:Enabled:TCP Port 5013

"5014:TCP" = 5014:TCP:*:Enabled:TCP Port 5014

"5015:TCP" = 5015:TCP:*:Enabled:TCP Port 5015

"5016:TCP" = 5016:TCP:*:Enabled:TCP Port 5016

"5017:TCP" = 5017:TCP:*:Enabled:TCP Port 5017

"5018:TCP" = 5018:TCP:*:Enabled:TCP Port 5018

"5019:TCP" = 5019:TCP:*:Enabled:TCP Port 5019

"5020:TCP" = 5020:TCP:*:Enabled:TCP Port 5020

"427:TCP" = 427:TCP:LocalSubNet:Enabled:SLP_Port(427)_TCP

"427:UDP" = 427:UDP:LocalSubNet:Enabled:SLP_Port(427)_UDP

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"D:\setup\hpznui01.exe" = D:\setup\hpznui01.exe:*:Enabled:hpznui01.exe -- File not found

"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)

"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)

"C:\Program Files\HP\Digital Imaging\bin\hpofxs08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxs08.exe:*:Enabled:hpofxs08.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hpqfxt08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqfxt08.exe:*:Enabled:hpqfxt08.exe -- (TODO: <Company name>)

"C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe:*:Enabled:hpqgplgtupl.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe:*:Enabled:hpqusgm.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe:*:Enabled:hpqusgh.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\HP Software Update\HPWUCli.exe" = C:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Enabled:hpwucli.exe -- (Hewlett-Packard)

"C:\Program Files\HP\Digital Imaging\Smart Web Printing\SmartWebPrintExe.exe" = C:\Program Files\HP\Digital Imaging\Smart Web Printing\SmartWebPrintExe.exe:*:Enabled:smartwebprintexe.exe -- (Hewlett-Packard Co.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\WINNT\system32\dlbucoms.exe" = C:\WINNT\system32\dlbucoms.exe:*:Enabled:Dell_942 Server -- (Dell)

"C:\WINNT\system32\spool\drivers\w32x86\3\DLBUPSWX.EXE" = C:\WINNT\system32\spool\drivers\w32x86\3\DLBUPSWX.EXE:*:Enabled:Dell_942 Printer Status -- ()

"C:\WINNT\system32\ftp.exe" = C:\WINNT\system32\ftp.exe:*:Enabled:File Transfer Program -- (Microsoft Corporation)

"C:\Program Files\Avaya\Avaya one-X Communicator\SparkEmulator.exe" = C:\Program Files\Avaya\Avaya one-X Communicator\SparkEmulator.exe:*:Enabled:Spark Endpoint Emulator R1.1 (14) -- (Avaya, Inc.)

"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)

"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)

"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)

"C:\Program Files\HP\Digital Imaging\bin\hpofxs08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxs08.exe:*:Enabled:hpofxs08.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hpqfxt08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqfxt08.exe:*:Enabled:hpqfxt08.exe -- (TODO: <Company name>)

"C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe:*:Enabled:hpqgplgtupl.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe:*:Enabled:hpqusgm.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe:*:Enabled:hpqusgh.exe -- (Hewlett-Packard Co.)

"C:\Program Files\HP\HP Software Update\HPWUCli.exe" = C:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Enabled:hpwucli.exe -- (Hewlett-Packard)

"C:\Program Files\HP\Digital Imaging\Smart Web Printing\SmartWebPrintExe.exe" = C:\Program Files\HP\Digital Imaging\Smart Web Printing\SmartWebPrintExe.exe:*:Enabled:smartwebprintexe.exe -- (Hewlett-Packard Co.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{02A3343C-028E-62D3-E193-AC15E8508B64}" = Catalyst Control Center Graphics Light

"{03A7C57A-B2C8-409b-92E5-524A0DFD0DD3}" = Status

"{04D01359-A09C-4E80-A980-0D05FFFFD5B1}" = Avaya one-X Communicator

"{063BD2FA-85DE-0A14-F266-7BD869F719BA}" = Catalyst Control Center Graphics Full New

"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour

"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis

"{087A66B8-1F0F-4a8d-A649-0CFE276AA7C0}" = WebReg

"{0A516FAD-3AE7-41D0-813D-D3350F8FAA2E}" = ConferenceManager Client Software

"{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics

"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime

"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer

"{1AA86313-B188-498D-91CF-D017AC5A82A5}" = SolarWinds TFTP Server

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer

"{23E5032B-56CA-4C19-A72E-B50161DB82CA}" = Shadow Copy Client

"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java 6 Update 21

"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com

"{2894C259-B270-EFAA-3131-491B261E894A}" = ccc-utility

"{2A329FB6-389D-4396-A974-29656D6864AE}" = MarketResearch

"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm

"{337240B1-42C2-4384-AAFF-D347A6D2CC5E}" = PolicyMaker

Link to post
Share on other sites

Hi, lets see if we can straighten things out here. :) Please make sure you plug any flash drives/external storage device in before continuing.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Link to post
Share on other sites

Here it is:

ComboFix 10-09-06.01 - gxh 09/06/2010 10:06:47.6.2 - x86

Running from: c:\download\virus\virus\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\gxh\Desktop\Internet Explorer.lnk

.

((((((((((((((((((((((((( Files Created from 2010-08-06 to 2010-09-06 )))))))))))))))))))))))))))))))

.

2010-09-03 07:10 . 2010-09-03 07:14 -------- d-----w- c:\program files\Wise Disk Cleaner

2010-09-03 07:08 . 2010-09-03 07:08 -------- d-----w- c:\program files\Wise Registry Cleaner

2010-08-08 23:53 . 2010-08-08 23:53 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe

2010-08-08 23:50 . 2010-08-08 23:50 -------- d-----w- c:\program files\Java

2010-08-08 23:48 . 2010-08-09 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-06 17:05 . 2010-01-24 02:12 -------- d-----w- c:\program files\Symantec AntiVirus

2010-09-05 17:40 . 2010-03-07 00:07 -------- d-----w- c:\documents and settings\gxh\Application Data\HPAppData

2010-09-04 23:15 . 2010-01-15 18:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-22 02:45 . 2009-04-12 00:53 -------- d-----w- c:\program files\Dl_cats

2010-08-08 23:51 . 2009-03-25 19:47 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-08-08 23:51 . 2010-08-08 23:51 53632 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-08-08 23:51 . 2010-08-08 23:51 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2010-08-08 23:51 . 2010-08-08 23:51 -------- d-----w- c:\program files\Common Files\Java

2010-08-08 23:51 . 2010-08-08 23:51 503808 ----a-w- c:\documents and settings\gxh\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-1e7e8659-n\msvcp71.dll

2010-08-08 23:51 . 2010-08-08 23:51 499712 ----a-w- c:\documents and settings\gxh\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-1e7e8659-n\jmc.dll

2010-08-08 23:51 . 2010-08-08 23:51 348160 ----a-w- c:\documents and settings\gxh\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-1e7e8659-n\msvcr71.dll

2010-08-08 23:51 . 2010-08-08 23:51 61440 ----a-w- c:\documents and settings\gxh\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1d962a99-n\decora-sse.dll

2010-08-08 23:51 . 2010-08-08 23:51 12800 ----a-w- c:\documents and settings\gxh\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1d962a99-n\decora-d3d.dll

2010-08-08 23:50 . 2010-08-08 23:51 423656 ----a-w- c:\winnt\system32\deployJava1.dll

2010-08-08 23:46 . 2009-03-25 19:46 -------- d-----w- c:\program files\Common Files\Adobe

2010-08-07 02:40 . 2010-08-07 02:40 -------- d-----w- c:\program files\ESET

2010-08-05 12:13 . 2009-05-09 01:07 1324 ----a-w- c:\winnt\system32\d3d9caps.dat

2010-07-28 23:28 . 2010-01-24 02:12 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-07-25 22:58 . 2010-07-25 22:58 388096 ----a-r- c:\documents and settings\gxh\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe

2010-07-14 02:55 . 2009-03-25 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-07-04 04:18 . 2009-04-12 02:39 71504 ----a-w- c:\documents and settings\Lyhn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-28 04:49 . 2010-06-28 04:47 23108 ----a-w- c:\winnt\hpqins15.dat

2010-06-14 14:31 . 2009-03-19 20:39 744448 ----a-w- c:\winnt\pchealth\helpctr\binaries\helpsvc.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-11 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-07-23 773144]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2010-06-17 624056]

"Dell Photo AIO Printer 942"="c:\program files\Dell Photo AIO Printer 942\dlbubmgr.exe" [2005-04-28 294912]

"DellMCM"="c:\program files\Dell Photo AIO Printer 942\memcard.exe" [2004-07-27 262144]

"DLBUCATS"="c:\winnt\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll" [2004-11-10 69632]

"WD Button Manager"="WDBtnMgr.exe" [2010-03-28 364544]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-30 52840]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-06-06 125632]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1044480]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-09 54840]

"IgfxTray"="c:\winnt\system32\igfxtray.exe" [2008-09-11 143360]

"HotKeysCmds"="c:\winnt\system32\hkcmd.exe" [2008-09-11 172032]

"Persistence"="c:\winnt\system32\igfxpers.exe" [2008-09-11 143360]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-03 98304]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Camera Monitor HD.lnk - c:\program files\PIXELA\Everio MediaBrowser HD Edition\MBCameraMonitor.exe [2009-9-19 541976]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

VPN Client.lnk - c:\winnt\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2009-4-11 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\polsumgr]

2005-03-07 23:45 312832 ----a-w- c:\winnt\system32\sdmngr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2109753547-1507289723-1169898988-14116\Scripts\Logon\0\0]

"Script"=\\win.slac.stanford.edu\SysVol\win.slac.stanford.edu\scripts\domainlogon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINNT\\system32\\dlbucoms.exe"=

"c:\\WINNT\\system32\\spool\\drivers\\w32x86\\3\\DLBUPSWX.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\WINNT\\system32\\ftp.exe"=

"c:\\Program Files\\Avaya\\Avaya one-X Communicator\\SparkEmulator.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"135:TCP"= 135:TCP:TCP Port 135

"5000:TCP"= 5000:TCP:TCP Port 5000

"5001:TCP"= 5001:TCP:TCP Port 5001

"5002:TCP"= 5002:TCP:TCP Port 5002

"5003:TCP"= 5003:TCP:TCP Port 5003

"5004:TCP"= 5004:TCP:TCP Port 5004

"5005:TCP"= 5005:TCP:TCP Port 5005

"5006:TCP"= 5006:TCP:TCP Port 5006

"5007:TCP"= 5007:TCP:TCP Port 5007

"5008:TCP"= 5008:TCP:TCP Port 5008

"5009:TCP"= 5009:TCP:TCP Port 5009

"5010:TCP"= 5010:TCP:TCP Port 5010

"5011:TCP"= 5011:TCP:TCP Port 5011

"5012:TCP"= 5012:TCP:TCP Port 5012

"5013:TCP"= 5013:TCP:TCP Port 5013

"5014:TCP"= 5014:TCP:TCP Port 5014

"5015:TCP"= 5015:TCP:TCP Port 5015

"5016:TCP"= 5016:TCP:TCP Port 5016

"5017:TCP"= 5017:TCP:TCP Port 5017

"5018:TCP"= 5018:TCP:TCP Port 5018

"5019:TCP"= 5019:TCP:TCP Port 5019

"5020:TCP"= 5020:TCP:TCP Port 5020

R3 PSSDK42;PSSDK42;c:\winnt\system32\Drivers\pssdk42.sys [2010-04-16 38976]

R3 SolarWinds TFTP Server;SolarWinds TFTP Server;c:\program files\SolarWinds\TFTPServer\SolarWinds TFTP Server.exe [2009-10-21 54272]

S0 SFAUDIO;Sonic Focus DSP Driver;c:\winnt\system32\drivers\sfaudio.sys [2008-03-28 24064]

S2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2008-07-23 2054680]

S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\winnt\system32\DRIVERS\e1k5132.sys [2008-07-22 144992]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-06-11 102448]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBAMSWISSARMY

*NewlyCreated* - NORMANDY

*Deregistered* - MBAMSwissArmy

*Deregistered* - Normandy

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2010-08-31 c:\winnt\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-09-05 c:\winnt\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-28 21:17]

2010-09-06 c:\winnt\Tasks\Norton Security Scan for gxh.job

- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-05-30 14:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: intuit.com\ttlc

FF - ProfilePath - c:\documents and settings\gxh\Application Data\Mozilla\Firefox\Profiles\3ltmo7p5.default\

FF - plugin: c:\documents and settings\gxh\Application Data\Move Networks\plugins\npqmp071701000002.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winnt\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-06 10:09

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DLBUCATS = rundll32 c:\winnt\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)

c:\winnt\system32\Ati2evxx.dll

c:\winnt\system32\atiadlxx.dll

c:\winnt\system32\sdmngr.dll

.

Completion time: 2010-09-06 10:10:26

ComboFix-quarantined-files.txt 2010-09-06 17:10

ComboFix2.txt 2010-08-06 22:20

Pre-Run: 174,064,529,408 bytes free

Post-Run: 174,067,687,424 bytes free

- - End Of File - - 5B80A5419104829218C01AA752C8AE05

Link to post
Share on other sites

How are things running now?

Please click Start > Run, type sfc /scannow and press enter. Let the System File checker run unhindered. Note - you may be prompted for you XP CD.

Sorry I was out of town. Probelm is that the one XP prof CD I have does not seem to work. SFC complains that it is not the correct CD so I am stuck. But the Remote Desktop Connection still does not work, it says the system cannot find the file specified C:\\EINNT\system32\<Lang_Name>\mstsc.exe

Any ideas?

Link to post
Share on other sites

Please rerun OTL and copy/paste the following text into the "custom scan/fix" field. Click NONE and then Run Scan. Post me the resulting log.
/md5start
mstsc.exe
/md5stop

wasn't sure which NONE to click so I clicked all 6 on the left side but left file age selected on the right.

OTL logfile created on: 9/11/2010 1:43:57 PM - Run 2

OTL by OldTimer - Version 3.2.11.0 Folder = C:\download\virus\virus

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 77.00% Memory free

5.00 Gb Paging File | 5.00 Gb Available in Paging File | 89.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files

Drive C: | 232.82 Gb Total Space | 161.88 Gb Free Space | 69.53% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

Drive G: | 37.24 Gb Total Space | 1.34 Gb Free Space | 3.59% Space Free | Partition Type: NTFS

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: GXH-HOME

Current User Name: gxh

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Files/Folders - Created Within 30 Days ==========

[2010/09/11 12:10:35 | 000,013,824 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\bulltlp3.sys

[2010/09/11 12:10:34 | 000,060,416 | ---- | C] (Brother Industries Ltd.) -- C:\WINNT\System32\dllcache\brserwdm.sys

[2010/09/11 12:10:34 | 000,031,529 | ---- | C] (BreezeCOM) -- C:\WINNT\System32\dllcache\brzwlan.sys

[2010/09/11 12:10:34 | 000,011,008 | ---- | C] (Brother Industries Ltd.) -- C:\WINNT\System32\dllcache\brusbmdm.sys

[2010/09/11 12:10:34 | 000,010,368 | ---- | C] (Brother Industries Ltd.) -- C:\WINNT\System32\dllcache\brusbscn.sys

[2010/09/11 12:10:34 | 000,009,728 | ---- | C] (Brother Industries, Ltd.) -- C:\WINNT\System32\dllcache\brserif.dll

[2010/09/11 12:10:33 | 000,039,552 | ---- | C] (Brother Industries Ltd.) -- C:\WINNT\System32\dllcache\brparwdm.sys

[2010/09/11 12:10:33 | 000,005,120 | ---- | C] (Brother Industries,Ltd.) -- C:\WINNT\System32\dllcache\brscnrsm.dll

[2010/09/11 12:10:33 | 000,003,168 | ---- | C] (Brother Industries Ltd.) -- C:\WINNT\System32\dllcache\brparimg.sys

[2010/09/11 12:10:30 | 000,081,408 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\brmfcwia.dll

[2010/09/11 12:10:30 | 000,041,472 | ---- | C] (Brother Industries, Ltd.) -- C:\WINNT\System32\dllcache\brmfusb.dll

[2010/09/11 12:10:30 | 000,032,256 | ---- | C] (Brother Industries, Ltd.) -- C:\WINNT\System32\dllcache\brmfrsmg.exe

[2010/09/11 12:10:30 | 000,029,696 | ---- | C] (Brother Industries, Ltd.) -- C:\WINNT\System32\dllcache\brmflpt.dll

[2010/09/11 12:10:30 | 000,015,360 | ---- | C] (Brother Industries, Ltd.) -- C:\WINNT\System32\dllcache\brmfbidi.dll

[2010/09/11 12:10:30 | 000,003,968 | ---- | C] (Brother Industries, Ltd.) -- C:\WINNT\System32\dllcache\brfiltup.sys

[2010/09/11 12:10:29 | 000,019,456 | ---- | C] (Brother Industries, Ltd.) -- C:\WINNT\System32\dllcache\brbidiif.dll

[2010/09/11 12:10:29 | 000,012,800 | ---- | C] (Brother Industries, Ltd.) -- C:\WINNT\System32\dllcache\brevif.dll

[2010/09/11 12:10:29 | 000,012,160 | ---- | C] (Brother Industries, Ltd.) -- C:\WINNT\System32\dllcache\brfiltlo.sys

[2010/09/11 12:10:29 | 000,009,728 | ---- | C] (Brother Industries Ltd.) -- C:\WINNT\System32\dllcache\brcoinst.dll

[2010/09/11 12:10:29 | 000,002,944 | ---- | C] (Brother Industries Ltd.) -- C:\WINNT\System32\dllcache\brfilt.sys

[2010/09/11 12:10:27 | 000,102,400 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\binlsvc.dll

[2010/09/11 12:10:24 | 000,871,388 | ---- | C] (BCM) -- C:\WINNT\System32\dllcache\bcmdm.sys

[2010/09/11 12:10:24 | 000,066,557 | ---- | C] (Broadcom Corporation) -- C:\WINNT\System32\dllcache\bcm42u.sys

[2010/09/11 12:10:24 | 000,054,271 | ---- | C] (Broadcom Corporation) -- C:\WINNT\System32\dllcache\bcm42xx5.sys

[2010/09/11 12:10:24 | 000,026,568 | ---- | C] (Broadcom Corporation) -- C:\WINNT\System32\dllcache\bcm4e5.sys

[2010/09/11 12:10:24 | 000,018,432 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\bdaplgin.ax

[2010/09/11 12:10:24 | 000,011,776 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\bdasup.sys

[2010/09/11 12:10:23 | 000,342,336 | ---- | C] (3Dfx Interactive, Inc.) -- C:\WINNT\System32\dllcache\banshee.dll

[2010/09/11 12:10:23 | 000,036,128 | ---- | C] (3Dfx Interactive, Inc.) -- C:\WINNT\System32\dllcache\banshee.sys

[2010/09/11 12:10:23 | 000,014,208 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\battc.sys

[2010/09/11 12:10:22 | 000,144,384 | ---- | C] (AVM GmbH) -- C:\WINNT\System32\dllcache\avmenum.dll

[2010/09/11 12:10:22 | 000,096,640 | ---- | C] (Broadcom Corporation) -- C:\WINNT\System32\dllcache\b57xp32.sys

[2010/09/11 12:10:22 | 000,089,952 | ---- | C] (AVM GmbH) -- C:\WINNT\System32\dllcache\b1cbase.sys

[2010/09/11 12:10:22 | 000,087,552 | ---- | C] (AVM GmbH) -- C:\WINNT\System32\dllcache\avmcoxp.dll

[2010/09/11 12:10:22 | 000,037,568 | ---- | C] (AVM GmbH) -- C:\WINNT\System32\dllcache\avmwan.sys

[2010/09/11 12:10:22 | 000,036,992 | ---- | C] (Aztech Systems Ltd) -- C:\WINNT\System32\dllcache\aztw2320.sys

[2010/09/11 12:10:21 | 000,036,096 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\avcaudio.sys

[2010/09/11 12:10:21 | 000,013,696 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\avcstrm.sys

[2010/09/11 12:10:20 | 000,038,912 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\avc.sys

[2010/09/11 12:10:15 | 000,104,832 | ---- | C] (ATI Technologies Inc.) -- C:\WINNT\System32\dllcache\atiraged.dll

[2010/09/11 12:10:15 | 000,070,528 | ---- | C] (ATI Technologies Inc.) -- C:\WINNT\System32\dllcache\atiragem.sys

[2010/09/11 12:10:14 | 000,289,664 | ---- | C] (ATI Technologies Inc.) -- C:\WINNT\System32\dllcache\atimpab.sys

[2010/09/11 12:10:14 | 000,281,600 | ---- | C] (ATI Technologies Inc.) -- C:\WINNT\System32\dllcache\atimtai.sys

[2010/09/11 12:10:14 | 000,075,136 | ---- | C] (ATI Technologies Inc.) -- C:\WINNT\System32\dllcache\atimpae.sys

[2010/09/11 12:10:14 | 000,037,376 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\atievxx.exe

[2010/09/11 12:10:13 | 000,382,592 | ---- | C] (ATI Technologies Inc.) -- C:\WINNT\System32\dllcache\atidrab.dll

[2010/09/11 12:10:13 | 000,268,160 | ---- | C] (ATI Technologies Inc.) -- C:\WINNT\System32\dllcache\atidvai.dll

[2010/09/11 12:10:13 | 000,137,216 | ---- | C] (ATI Technologies Inc.) -- C:\WINNT\System32\dllcache\atidrae.dll

[2010/09/11 12:10:12 | 000,096,128 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\ati.dll

[2010/09/11 12:10:12 | 000,077,568 | ---- | C] (ATI Technologies, Inc.) -- C:\WINNT\System32\dllcache\ati.sys

[2010/09/11 12:10:08 | 000,097,354 | ---- | C] (Bay Networks, Inc.) -- C:\WINNT\System32\dllcache\aspndis3.sys

[2010/09/11 12:10:05 | 000,006,272 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\apmbatt.sys

[2010/09/11 12:10:04 | 000,036,224 | ---- | C] (ADMtek Incorporated.) -- C:\WINNT\System32\dllcache\an983.sys

[2010/09/11 12:10:04 | 000,016,969 | ---- | C] (AmbiCom, Inc.) -- C:\WINNT\System32\dllcache\amb8002.sys

[2010/09/11 12:10:03 | 000,027,678 | ---- | C] (Acer Laboratories Inc.) -- C:\WINNT\System32\dllcache\ali5261.sys

[2010/09/11 12:10:03 | 000,026,624 | ---- | C] (Acer Laboratories Inc.) -- C:\WINNT\System32\dllcache\alifir.sys

[2010/09/11 12:10:01 | 000,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\agcgauge.ax

[2010/09/11 12:09:57 | 000,046,112 | ---- | C] (Adaptec, Inc ) -- C:\WINNT\System32\dllcache\adptsf50.sys

[2010/09/11 12:09:53 | 000,747,392 | ---- | C] (Aureal, Inc.) -- C:\WINNT\System32\dllcache\adm8830.sys

[2010/09/11 12:09:53 | 000,584,448 | ---- | C] (Aureal, Inc.) -- C:\WINNT\System32\dllcache\adm8810.sys

[2010/09/11 12:09:53 | 000,553,984 | ---- | C] (Aureal, Inc.) -- C:\WINNT\System32\dllcache\adm8820.sys

[2010/09/11 12:09:53 | 000,020,160 | ---- | C] (ADMtek Incorporated) -- C:\WINNT\System32\dllcache\adm8511.sys

[2010/09/11 12:09:53 | 000,010,880 | ---- | C] (Aureal, Inc.) -- C:\WINNT\System32\dllcache\admjoy.sys

[2010/09/11 12:09:53 | 000,007,424 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\adicvls.sys

[2010/09/11 12:09:52 | 000,084,480 | ---- | C] (VIA Technologies, Inc.) -- C:\WINNT\System32\dllcache\ac97via.sys

[2010/09/11 12:09:52 | 000,061,440 | ---- | C] (Color Flatbed Scanner) -- C:\WINNT\System32\dllcache\acerscad.dll

[2010/09/11 12:09:51 | 000,297,728 | ---- | C] (Silicon Integrated Systems Corp.) -- C:\WINNT\System32\dllcache\ac97sis.sys

[2010/09/11 12:09:51 | 000,231,552 | ---- | C] (Acer Laboratories Inc.) -- C:\WINNT\System32\dllcache\ac97ali.sys

[2010/09/11 12:09:51 | 000,096,256 | ---- | C] (Intel Corporation) -- C:\WINNT\System32\dllcache\ac97intc.sys

[2010/09/11 12:09:50 | 000,462,848 | ---- | C] (Aureal Inc.) -- C:\WINNT\System32\dllcache\a3dapi.dll

[2010/09/11 12:09:50 | 000,098,304 | ---- | C] (Aureal Semiconductor) -- C:\WINNT\System32\dllcache\a3d.dll

[2010/09/11 12:09:50 | 000,048,128 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\61883.sys

[2010/09/11 12:09:50 | 000,038,400 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\8514a.dll

[2010/09/11 12:09:49 | 000,762,780 | ---- | C] (3Com, Inc.) -- C:\WINNT\System32\dllcache\3cwmcru.sys

[2010/09/11 12:09:49 | 000,689,216 | ---- | C] (3dfx Interactive, Inc.) -- C:\WINNT\System32\dllcache\3dfxvs.dll

[2010/09/11 12:09:49 | 000,148,352 | ---- | C] (3dfx Interactive, Inc.) -- C:\WINNT\System32\dllcache\3dfxvsm.sys

[2010/09/11 12:09:49 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\4mmdat.sys

[2010/09/11 12:09:49 | 000,011,264 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\1394vdbg.sys

[2010/09/11 12:09:48 | 000,053,376 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\1394bus.sys

[2010/09/11 12:09:38 | 000,066,048 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\s3legacy.dll

[2010/09/06 10:05:43 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINNT\SWXCACLS.exe

[2010/09/06 10:05:43 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINNT\SWREG.exe

[2010/09/06 10:05:43 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINNT\SWSC.exe

[2010/09/06 10:05:43 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINNT\NIRCMD.exe

[2010/09/06 10:05:33 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/09/03 00:10:12 | 000,000,000 | ---D | C] -- C:\Program Files\Wise Disk Cleaner

[2010/09/03 00:08:19 | 000,000,000 | ---D | C] -- C:\Program Files\Wise Registry Cleaner

[4 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]

[2 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/09/11 13:38:42 | 000,002,443 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk

[2010/09/11 13:38:20 | 000,002,206 | ---- | M] () -- C:\WINNT\System32\wpa.dbl

[2010/09/11 13:38:19 | 000,000,882 | ---- | M] () -- C:\WINNT\tasks\GoogleUpdateTaskMachineCore.job

[2010/09/11 12:13:32 | 000,000,006 | -H-- | M] () -- C:\WINNT\tasks\SA.DAT

[2010/09/11 12:13:29 | 000,002,048 | --S- | M] () -- C:\WINNT\bootstat.dat

[2010/09/10 14:15:13 | 000,000,554 | -H-- | M] () -- C:\WINNT\tasks\Norton Security Scan for gxh.job

[2010/09/09 21:12:13 | 000,001,308 | ---- | M] () -- C:\WINNT\dellstat.ini

[2010/09/09 20:20:37 | 000,002,133 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

[2010/09/08 20:51:29 | 000,011,023 | ---- | M] () -- C:\Documents and Settings\gxh\My Documents\steroids.docx

[2010/09/08 16:58:06 | 000,011,757 | ---- | M] () -- C:\Documents and Settings\gxh\My Documents\Defining morality (interview).docx

[2010/09/07 16:07:36 | 000,000,740 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/09/07 16:03:22 | 000,014,346 | ---- | M] () -- C:\Documents and Settings\gxh\My Documents\grace.docx

[2010/09/06 22:54:00 | 000,000,284 | ---- | M] () -- C:\WINNT\tasks\AppleSoftwareUpdate.job

[2010/09/06 22:01:17 | 000,015,152 | ---- | M] () -- C:\Documents and Settings\gxh\My Documents\American Dream Ragtime.docx

[2010/09/06 10:09:04 | 000,000,227 | ---- | M] () -- C:\WINNT\system.ini

[2010/09/06 10:08:58 | 000,000,027 | ---- | M] () -- C:\WINNT\System32\drivers\etc\hosts

[2010/09/04 16:15:11 | 000,000,732 | ---- | M] () -- C:\Documents and Settings\gxh\Desktop\Shortcut to iexplore.exe.lnk

[2010/09/04 13:00:42 | 006,815,744 | -H-- | M] () -- C:\Documents and Settings\gxh\NTUSER.DAT

[2010/09/04 11:20:10 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\gxh\ntuser.ini

[2010/09/02 19:16:09 | 000,002,068 | -H-- | M] () -- C:\Documents and Settings\gxh\My Documents\Default.rdp

[2010/09/01 16:13:41 | 000,012,030 | ---- | M] () -- C:\Documents and Settings\gxh\My Documents\Bacon's Rebellion.docx

[2010/08/28 22:27:48 | 000,198,455 | ---- | M] () -- C:\Documents and Settings\gxh\My Documents\georgia.docx

[2010/08/26 21:39:07 | 000,011,678 | ---- | M] () -- C:\Documents and Settings\gxh\My Documents\Child of the Americas.docx

[2010/08/25 20:26:17 | 000,062,713 | ---- | M] () -- C:\Documents and Settings\gxh\Desktop\41362_133247590053301_100001041834739_208215_3414152_n.jpg

[2010/08/25 20:25:52 | 000,000,152 | ---- | M] () -- C:\Documents and Settings\gxh\Desktop\photo.php-pid=153236&id=100001041834739.url

[2010/08/22 11:20:57 | 000,266,856 | ---- | M] () -- C:\Documents and Settings\gxh\My Documents\AP Psych info.docx

[2010/08/22 11:08:07 | 000,245,021 | ---- | M] () -- C:\Documents and Settings\gxh\Desktop\photo[1].JPG

[2010/08/21 12:43:17 | 000,013,194 | ---- | M] () -- C:\Documents and Settings\gxh\My Documents\4 central questions.docx

[2010/08/20 16:20:21 | 000,040,448 | ---- | M] () -- C:\Documents and Settings\gxh\Desktop\Course_Description_10_11

[2010/08/20 11:17:04 | 000,039,730 | ---- | M] () -- C:\Documents and Settings\gxh\Desktop\2009 extension.pdf

[2010/08/16 18:57:54 | 000,002,856 | ---- | M] () -- C:\Documents and Settings\gxh\Desktop\Inkpop_Jacket_228201023929421[1].jpg

[4 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]

[2 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/11 12:10:16 | 000,026,624 | ---- | C] () -- C:\WINNT\System32\dllcache\ativxbar.sys

[2010/09/11 12:10:16 | 000,023,552 | ---- | C] () -- C:\WINNT\System32\dllcache\atixbar.sys

[2010/09/11 12:10:16 | 000,019,456 | ---- | C] () -- C:\WINNT\System32\dllcache\ativttxx.sys

[2010/09/11 12:10:16 | 000,017,152 | ---- | C] () -- C:\WINNT\System32\dllcache\atitvsnd.sys

[2010/09/11 12:10:16 | 000,009,472 | ---- | C] () -- C:\WINNT\System32\dllcache\ativmdcd.sys

[2010/09/11 12:10:15 | 000,049,920 | ---- | C] () -- C:\WINNT\System32\dllcache\atirtcap.sys

[2010/09/11 12:10:15 | 000,026,880 | ---- | C] () -- C:\WINNT\System32\dllcache\atirtsnd.sys

[2010/09/11 12:10:15 | 000,017,152 | ---- | C] () -- C:\WINNT\System32\dllcache\atitunep.sys

[2010/09/11 12:10:15 | 000,010,240 | ---- | C] () -- C:\WINNT\System32\dllcache\atipcxxx.sys

[2010/09/11 12:10:13 | 000,046,464 | ---- | C] () -- C:\WINNT\System32\dllcache\atibt829.sys

[2010/09/08 19:06:21 | 000,011,023 | ---- | C] () -- C:\Documents and Settings\gxh\My Documents\steroids.docx

[2010/09/08 16:58:06 | 000,011,757 | ---- | C] () -- C:\Documents and Settings\gxh\My Documents\Defining morality (interview).docx

[2010/09/06 21:08:19 | 000,014,346 | ---- | C] () -- C:\Documents and Settings\gxh\My Documents\grace.docx

[2010/09/06 11:33:51 | 000,015,152 | ---- | C] () -- C:\Documents and Settings\gxh\My Documents\American Dream Ragtime.docx

[2010/09/06 10:05:43 | 000,256,512 | ---- | C] () -- C:\WINNT\PEV.exe

[2010/09/06 10:05:43 | 000,098,816 | ---- | C] () -- C:\WINNT\sed.exe

[2010/09/06 10:05:43 | 000,080,412 | ---- | C] () -- C:\WINNT\grep.exe

[2010/09/06 10:05:43 | 000,077,312 | ---- | C] () -- C:\WINNT\MBR.exe

[2010/09/06 10:05:43 | 000,068,096 | ---- | C] () -- C:\WINNT\zip.exe

[2010/09/04 16:15:11 | 000,000,732 | ---- | C] () -- C:\Documents and Settings\gxh\Desktop\Shortcut to iexplore.exe.lnk

[2010/09/01 16:11:27 | 000,012,030 | ---- | C] () -- C:\Documents and Settings\gxh\My Documents\Bacon's Rebellion.docx

[2010/08/28 18:38:39 | 000,198,455 | ---- | C] () -- C:\Documents and Settings\gxh\My Documents\georgia.docx

[2010/08/26 18:55:06 | 000,011,678 | ---- | C] () -- C:\Documents and Settings\gxh\My Documents\Child of the Americas.docx

[2010/08/25 20:26:17 | 000,062,713 | ---- | C] () -- C:\Documents and Settings\gxh\Desktop\41362_133247590053301_100001041834739_208215_3414152_n.jpg

[2010/08/25 20:25:52 | 000,000,152 | ---- | C] () -- C:\Documents and Settings\gxh\Desktop\photo.php-pid=153236&id=100001041834739.url

[2010/08/22 11:08:07 | 000,245,021 | ---- | C] () -- C:\Documents and Settings\gxh\Desktop\photo[1].JPG

[2010/08/22 11:00:54 | 000,266,856 | ---- | C] () -- C:\Documents and Settings\gxh\My Documents\AP Psych info.docx

[2010/08/21 12:28:15 | 000,013,194 | ---- | C] () -- C:\Documents and Settings\gxh\My Documents\4 central questions.docx

[2010/08/20 16:20:20 | 000,040,448 | ---- | C] () -- C:\Documents and Settings\gxh\Desktop\Course_Description_10_11

[2010/08/20 11:17:04 | 000,039,730 | ---- | C] () -- C:\Documents and Settings\gxh\Desktop\2009 extension.pdf

[2010/08/16 19:04:22 | 000,002,856 | ---- | C] () -- C:\Documents and Settings\gxh\Desktop\Inkpop_Jacket_228201023929421[1].jpg

[2010/01/30 19:16:29 | 000,002,930 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log

[2009/12/24 20:01:16 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\gxh\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINNT\System32\OGACheckControl.dll

[2009/04/27 18:07:20 | 000,002,528 | ---- | C] () -- C:\WINNT\FCIC.INI

[2009/04/11 17:58:00 | 000,176,128 | ---- | C] () -- C:\WINNT\System32\dlbuinsb.dll

[2009/04/11 17:58:00 | 000,077,824 | ---- | C] () -- C:\WINNT\System32\dlbucub.dll

[2009/04/11 17:57:59 | 000,139,264 | ---- | C] () -- C:\WINNT\System32\dlbuins.dll

[2009/04/11 17:57:59 | 000,098,304 | ---- | C] () -- C:\WINNT\System32\dlbuinsr.dll

[2009/04/11 17:57:59 | 000,040,960 | ---- | C] () -- C:\WINNT\System32\dlbuvs.dll

[2009/04/11 17:57:58 | 000,069,632 | ---- | C] () -- C:\WINNT\System32\dlbucu.dll

[2009/04/11 17:57:58 | 000,032,768 | ---- | C] () -- C:\WINNT\System32\dlbucur.dll

[2009/04/11 17:57:57 | 000,155,648 | ---- | C] () -- C:\WINNT\System32\dlbucoin.dll

[2009/04/11 17:57:57 | 000,135,168 | ---- | C] () -- C:\WINNT\System32\dlbujswr.dll

[2009/04/11 17:57:57 | 000,126,976 | ---- | C] () -- C:\WINNT\System32\dlbusnls.dll

[2009/04/11 17:57:53 | 000,397,312 | ---- | C] () -- C:\WINNT\System32\dlbuutil.dll

[2009/04/11 17:53:13 | 000,001,308 | ---- | C] () -- C:\WINNT\dellstat.ini

[2009/03/25 11:22:34 | 000,000,000 | ---- | C] () -- C:\WINNT\vpc32.INI

[2009/03/25 10:05:38 | 000,000,502 | ---- | C] () -- C:\WINNT\ODBC.INI

[2009/03/25 09:57:32 | 000,004,764 | ---- | C] () -- C:\WINNT\System32\CcmFramework.ini

[2009/03/20 16:38:54 | 000,000,461 | ---- | C] () -- C:\WINNT\smscfg.ini

[2009/03/19 13:40:00 | 000,001,408 | ---- | C] () -- C:\WINNT\System32\OEMINFO.INI

[2009/03/19 12:33:52 | 000,271,264 | ---- | C] () -- C:\WINNT\VBRUN100.DLL

[2009/03/19 12:33:12 | 000,147,456 | ---- | C] () -- C:\WINNT\System32\igfxCoIn_v4990.dll

[2007/10/26 14:28:18 | 000,197,408 | ---- | C] () -- C:\WINNT\System32\vpnapi.dll

[2007/10/26 14:28:04 | 000,193,312 | ---- | C] () -- C:\WINNT\System32\CSGina.dll

========== Custom Scans ==========

< MD5 for: MSTSC.EXE >

[2009/10/19 14:06:38 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=D32DBE88F84E5349F0BD80F62D8F0286 -- C:\WINNT\system32\dllcache\mstsc.exe

[2009/10/19 14:06:38 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=D32DBE88F84E5349F0BD80F62D8F0286 -- C:\WINNT\system32\mstsc.exe

========== Files - Unicode (All) ==========

[2010/05/01 16:50:55 | 000,000,138 | ---- | M] ()(C:\Documents and Settings\gxh\Desktop\Have you ever been in love- by ?HoNbLeSs?.url) -- C:\Documents and Settings\gxh\Desktop\Have you ever been in love- by ?HoNbLeSs?.url

[2010/05/01 16:50:55 | 000,000,138 | ---- | C] ()(C:\Documents and Settings\gxh\Desktop\Have you ever been in love- by ?HoNbLeSs?.url) -- C:\Documents and Settings\gxh\Desktop\Have you ever been in love- by ?HoNbLeSs?.url

========== Alternate Data Streams ==========

@Alternate Data Stream - 60 bytes -> C:\WINNT\VBRUN300.DLL:AFP_AfpInfo

@Alternate Data Stream - 60 bytes -> C:\WINNT\VBRUN200.DLL:AFP_AfpInfo

@Alternate Data Stream - 60 bytes -> C:\WINNT\VBRUN100.DLL:AFP_AfpInfo

@Alternate Data Stream - 60 bytes -> C:\WINNT\vb40032.dll:AFP_AfpInfo

@Alternate Data Stream - 60 bytes -> C:\WINNT\REXX.EXE:AFP_AfpInfo

@Alternate Data Stream - 244 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9A870F8B

< End of report >

Link to post
Share on other sites

The normal file is in place, it might be an imagepath that is set wrong, lets see that with the following tool.

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :regfind
    mstsc.exe


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Link to post
Share on other sites

SystemLook 04.09.10 by jpshortstuff

Log created at 14:35 on 11/09/2010 by gxh

Administrator - Elevation successful

========== regfind ==========

Searching for "mstsc.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]

"001"="mstsc.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rdp\OpenWithList]

"a"="mstsc.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]

"C:\WINNT\$NtUninstallKB969084$\mstsc.exe"="Remote Desktop Connection"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]

"C:\WINNT\system32\mstsc.exe"="Remote Desktop Connection"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\MSTSC.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B462D7B-72D8-4544-ACC1-D84E5B9A8A14}\LocalServer32]

@=""C:\WINNT\system32\mstsc.exe""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RDP.File]

"FriendlyTypeName"="@C:\WINNT\system32\mstsc.exe,-4004"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RDP.File\DefaultIcon]

@="C:\WINNT\system32\mstsc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RDP.File\shell\Connect]

"MUIVerb"="@C:\WINNT\system32\mstsc.exe,-4002"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RDP.File\shell\Connect\command]

@="mstsc.exe "%l""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RDP.File\shell\Edit]

"MUIVerb"="@C:\WINNT\system32\mstsc.exe,-4003"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RDP.File\shell\Edit\command]

@="mstsc.exe -edit "%l""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9C757116-4367-4DA9-AC0E-6C6577AD5560}\1.0\0\win32]

@="C:\WINNT\system32\mstsc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP10\KB969084\Filelist\1]

"FileName"="mstsc.exe.mui"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP10\KB969084\Filelist\10]

"FileName"="mstsc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP10\KB969084\Filelist\18]

"FileName"="mstsc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\System Programs]

"mstsc"="mstsc.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\mstsc.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\mstsc.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\mstsc.exe]

[HKEY_USERS\S-1-5-21-395820274-3051342167-180645541-1009\Software\Microsoft\Search Assistant\ACMru\5603]

"001"="mstsc.exe"

[HKEY_USERS\S-1-5-21-395820274-3051342167-180645541-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rdp\OpenWithList]

"a"="mstsc.exe"

[HKEY_USERS\S-1-5-21-395820274-3051342167-180645541-1009\Software\Microsoft\Windows\ShellNoRoam\MUICache]

"C:\WINNT\$NtUninstallKB969084$\mstsc.exe"="Remote Desktop Connection"

[HKEY_USERS\S-1-5-21-395820274-3051342167-180645541-1009\Software\Microsoft\Windows\ShellNoRoam\MUICache]

"C:\WINNT\system32\mstsc.exe"="Remote Desktop Connection"

-= EOF =-

Link to post
Share on other sites

Please run the following fix and let me know afterwards if the problem is now fixed.

OTL FIX

------------

We need to run an OTL Fix

  1. Please reopen otlDesktopIcon.png on your desktop.
  2. Copy and Paste the following code into the customFix.png textbox. Do not include the word "Code"
    :files
    C:\WINNT\$NtUninstallKB969084$\mstsc.exe|C:\WINNT\system32\mstsc.exe /replace

    :commands
    [emptytemp]


  3. Push runFixbutton.png
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click btnOK.png.
  6. A report will open. Copy and Paste that report in your next reply.

Link to post
Share on other sites

Please run the following fix and let me know afterwards if the problem is now fixed.

OTL FIX

------------

We need to run an OTL Fix

  1. Please reopen otlDesktopIcon.png on your desktop.
  2. Copy and Paste the following code into the customFix.png textbox. Do not include the word "Code"
    :files
    C:\WINNT\$NtUninstallKB969084$\mstsc.exe|C:\WINNT\system32\mstsc.exe /replace

    :commands
    [emptytemp]


  3. Push runFixbutton.png
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click btnOK.png.
  6. A report will open. Copy and Paste that report in your next reply.

Response:

ok, now it comes up with the error that it can't find mstsc.ece.MUI

below is the log

ll processes killed

========== FILES ==========

Unable to replace file: C:\WINNT\$NtUninstallKB969084$\mstsc.exe with C:\WINNT\system32\mstsc.exe without a reboot.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Christian

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Flash cache emptied: 873 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Flash cache emptied: 56504 bytes

User: gxh

->Temp folder emptied: 875153 bytes

->Temporary Internet Files folder emptied: 26031766 bytes

->Java cache emptied: 53560379 bytes

->FireFox cache emptied: 63024156 bytes

->Apple Safari cache emptied: 0 bytes

->Flash cache emptied: 152462 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 819334 bytes

->Flash cache emptied: 15238 bytes

User: Lyhn

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: Marlena

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Flash cache emptied: 560 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 551316 bytes

->Java cache emptied: 0 bytes

->Flash cache emptied: 29045 bytes

User: PEARL

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Flash cache emptied: 321 bytes

User: wayneyu-a

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 39138 bytes

%systemroot%\System32 .tmp files removed: 19383825 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 598184 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 32902 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 158.00 mb

OTL by OldTimer - Version 3.2.11.0 log created on 09122010_090307

Files\Folders moved on Reboot...

File\Folder C:\Documents and Settings\gxh\Local Settings\Temp\~DFD3E.tmp not found!

File\Folder C:\Documents and Settings\gxh\Local Settings\Temp\~DFD49.tmp not found!

File\Folder C:\Documents and Settings\gxh\Local Settings\Temp\~DFDD0.tmp not found!

File\Folder C:\Documents and Settings\gxh\Local Settings\Temp\~DFDDB.tmp not found!

File\Folder C:\Documents and Settings\gxh\Local Settings\Temp\~DFE33.tmp not found!

File\Folder C:\Documents and Settings\gxh\Local Settings\Temp\~DFE3E.tmp not found!

C:\Documents and Settings\gxh\Local Settings\Temporary Internet Files\Content.IE5\X4GP5VOE\index[1].php moved successfully.

C:\Documents and Settings\gxh\Local Settings\Temporary Internet Files\Content.IE5\LWE1RMA4\iframe[3].htm moved successfully.

C:\Documents and Settings\gxh\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

Registry entries deleted on Reboot...

Link to post
Share on other sites

Can you please give me the exact error message?

Select the error box, press ctrl + c, then click in the reply box here and press ctrl + v.

Please click Start > Run, type mstsc.exe and press enter. What happens then?

---------------------------

Error

---------------------------

The system cannot find the file specified.

C:\WINNT\system32\<LANG_NAME>\mstsc.exe.MUI

---------------------------

OK

---------------------------

if I type it in I get identical error message

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.