Jump to content

I've got a trojan sending spam


Recommended Posts

I got a call from my ISP that we have a port open, and that it's sending out spam. I have 3 PCs on my home network, and have isolated the problem to one PC. I removed that one from the network, and the ISP is happy again.

I had some weird things happen, like I couldn't update MBAM, so I couldn't actually do a decent scan. I finally realized this was a problem, reinstalled it, and I could update it. It then found and cleaned a bunch of things. An additional scan indicated no infections.

Attached are the scan results. I still need to install and run Spybot Search & Destroy.

Thanks for your help!

ActiveScan.txt

mbam_log_2008_10_14__22_53_34_.txt

startuplist.txt

ActiveScan.txt

mbam_log_2008_10_14__22_53_34_.txt

startuplist.txt

Link to post
Share on other sites

  • Replies 51
  • Created
  • Last Reply

Top Posters In This Topic

Please upload the following files so that we can review them.

C:\WINDOWS\system32\sgjrcpqd.dll

C:\WINDOWS\system32\pexehh.dll

C:\WINDOWS\system32\krveasku.dll

Upload to: uploads.malwarebytes.org

I could only find the krveasku.dll file. I uploaded it. I also installed HJT 2.02. Here is the log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:53:51 PM, on 10/15/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18241)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Documents and Settings\Dad\Desktop\HiJackThis.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--

End of file - 3986 bytes

Thanks!

Link to post
Share on other sites

  • Root Admin

Okay I'm told that this file has been added to MBAM now.

Please start MBAM and go to the UPDATE tab and update the program {it is now at version 1.29}

Then run a Quick Scan and allow it to fix anything found and REBOOT the computer.

After the reboot please run HJT and do a Scan. Then post back both logs.

Thanks.

Link to post
Share on other sites

Here they are. I did the full scan with MBAM.

For the 15 minutes or so that the PC has been running and connected to the internet, there does not seem to be the increase in UDP ports that I'd seen previously (as determined by running netstat -na from the command line).

Malwarebytes' Anti-Malware 1.29

Database version: 1280

Windows 5.1.2600 Service Pack 3

10/17/2008 9:31:52 PM

mbam-log-2008-10-17 (21-31-52).txt

Scan type: Full Scan (C:\|)

Objects scanned: 142660

Time elapsed: 1 hour(s), 6 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\krveasku.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:43:37 PM, on 10/17/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18241)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\Dad\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--

End of file - 4301 bytes

Link to post
Share on other sites

  • Root Admin

The logs look clean. Please run MBAM and update it and do another Quick Scan and a new HJT scan.

Hopefully both scans should come back clean. If MBAM does come back clean this time then please proceed and run another Online PANDA scan and make sure you disable any programs like resident AV that will stop Panda from running.

Then post back the logs and all of them should come back clean. Panda will find cookies but that's okay they're not dangerous.

Link to post
Share on other sites

I did an MBAM scan with the latest version (V1.29, database 1291). It found 2 instances of Trojan.Lop.h, which it removed. The PC still opens lots of UDP ports when it is connected to the internet, so I'm afraid to run the Panda scan and leave it attached for the couple of hours that it will take to scan.

I think that I'm figuring out what is going on. I use the DOS command netstat -aon to look at the ports that are open, and tasklist to match the PIDs from both applications. It appears that the multitude of newly opened ports are from PID 4, which translates to the SYSTEM task. I looked in the c:\windows\system32 folder for anything like windows.sys, and I found win32k.sys (1,804 KB). It is dated 15-Sept-08, which is about the time the problems started! I went to one of my other computers, and the same file is dated 14-Apr-08, and is 1,803KB. I have Windows XP SP3 on both systems.

Do you have a way of checking the suspect file if I upload it? Also, I tried to simply transfer the file from the computer that is working fine to the problem PC, but the infected computer tells me that the file is in use and won't let me change it. Do you know how I can copy the known good file to the infected PC?

Attached are the HJT and MBAM logs.

Thanks for your help!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:14:27 PM, on 10/19/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18241)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\system32\cmd.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Dad\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exX" -atboottime

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exx" MSRun

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\stumprep 0 -k

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--

End of file - 3514 bytes

Malwarebytes' Anti-Malware 1.29

Database version: 1291

Windows 5.1.2600 Service Pack 3

10/19/2008 8:06:29 PM

mbam-log-2008-10-19 (20-06-29).txt

Scan type: Quick Scan

Objects scanned: 56378

Time elapsed: 7 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ituneshelper (Trojan.Lop.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sunjavaupdatesched (Trojan.Lop.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

  • Root Admin

You need to be careful about trying to copy over files like that. There are a lot of reasons why file sizes can be different and that does not mean their infected.

Please run the following scan and ATTACH the file please. Do not post it directly to the forum. This will help us to determine what files are legitimate on your system or not.

Click on
START - RUN
and type in
SIGVERIF
and click OK

This is a Microsoft File Signature Verification program that will check some file status for us.
  • Click on the
    START
    button and let it run.
  • It will popup a box when it's done to show the status, you can close that box.

  • Close the
    File Signature Verification
    application.

  • Find and attach the file C:\WINDOWS\
    SIGVERIF.TXT
    to your reply.

  • DO NOT
    post the log directly into your reply, attach the file please.

Link to post
Share on other sites

Please see the attached sigverif.txt file. It says the win32k.sys file is signed. Note that when I click on the properties of this file, the file version is:

5.1.2600.5676 (xpsp_sp3_gdr.080915-1443)

This file has a creation date of 9/15/2008. The version on my other computer from 4/14/2008 has the version

5.1.2600.5512 (xpsp.080413-2105)

(For what it's worth)

Also, below is a copy of running netstat -aon. PID=4 is the system task.

Thanks again for your help.

Microsoft Windows XP [Version 5.1.2600]

© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Dad>netstat -aon

Active Connections

Proto Local Address Foreign Address State PID

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 1300

TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4

TCP 127.0.0.1:1031 0.0.0.0:0 LISTENING 2376

TCP 127.0.0.1:1117 127.0.0.1:1118 ESTABLISHED 3012

TCP 127.0.0.1:1118 127.0.0.1:1117 ESTABLISHED 3012

TCP 127.0.0.1:1146 127.0.0.1:1147 ESTABLISHED 3012

TCP 127.0.0.1:1147 127.0.0.1:1146 ESTABLISHED 3012

TCP 127.0.0.1:10025 0.0.0.0:0 LISTENING 2240

TCP 127.0.0.1:10110 0.0.0.0:0 LISTENING 2240

TCP 192.168.0.108:139 0.0.0.0:0 LISTENING 4

TCP [::]:135 [::]:0 LISTENING 1300

UDP 0.0.0.0:445 *:* 4

UDP 0.0.0.0:500 *:* 1008

UDP 0.0.0.0:1045 *:* 4

UDP 0.0.0.0:1056 *:* 4

UDP 0.0.0.0:1067 *:* 4

UDP 0.0.0.0:1068 *:* 4

UDP 0.0.0.0:1081 *:* 4

UDP 0.0.0.0:1082 *:* 4

UDP 0.0.0.0:1083 *:* 4

UDP 0.0.0.0:1329 *:* 4

UDP 0.0.0.0:1331 *:* 4

UDP 0.0.0.0:1894 *:* 4

UDP 0.0.0.0:1895 *:* 4

UDP 0.0.0.0:1901 *:* 4

UDP 0.0.0.0:1907 *:* 4

UDP 0.0.0.0:1908 *:* 4

UDP 0.0.0.0:1913 *:* 4

UDP 0.0.0.0:1914 *:* 4

UDP 0.0.0.0:1919 *:* 4

UDP 0.0.0.0:1920 *:* 4

UDP 0.0.0.0:1921 *:* 4

UDP 0.0.0.0:1922 *:* 4

UDP 0.0.0.0:1954 *:* 4

UDP 0.0.0.0:1955 *:* 4

UDP 0.0.0.0:1958 *:* 4

UDP 0.0.0.0:1959 *:* 4

UDP 0.0.0.0:3503 *:* 4

UDP 0.0.0.0:3504 *:* 4

UDP 0.0.0.0:3505 *:* 4

UDP 0.0.0.0:3506 *:* 4

UDP 0.0.0.0:3540 *:* 4

UDP 0.0.0.0:3573 *:* 4

UDP 0.0.0.0:3574 *:* 4

UDP 0.0.0.0:3575 *:* 4

UDP 0.0.0.0:3776 *:* 656

UDP 0.0.0.0:4161 *:* 4

UDP 0.0.0.0:4171 *:* 4

UDP 0.0.0.0:4176 *:* 4

UDP 0.0.0.0:4184 *:* 4

UDP 0.0.0.0:4189 *:* 4

UDP 0.0.0.0:4191 *:* 4

UDP 0.0.0.0:4193 *:* 4

UDP 0.0.0.0:4206 *:* 4

UDP 0.0.0.0:4223 *:* 4

UDP 0.0.0.0:4226 *:* 4

UDP 0.0.0.0:4448 *:* 4

UDP 0.0.0.0:4461 *:* 4

UDP 0.0.0.0:4463 *:* 4

UDP 0.0.0.0:4471 *:* 4

UDP 0.0.0.0:4484 *:* 4

UDP 0.0.0.0:4500 *:* 1008

UDP 0.0.0.0:4504 *:* 4

UDP 0.0.0.0:4542 *:* 4

UDP 0.0.0.0:4550 *:* 4

UDP 0.0.0.0:4552 *:* 4

UDP 0.0.0.0:4567 *:* 4

UDP 0.0.0.0:4572 *:* 4

UDP 0.0.0.0:4664 *:* 4

UDP 0.0.0.0:4674 *:* 4

UDP 127.0.0.1:123 *:* 1380

UDP 127.0.0.1:1900 *:* 1884

UDP 192.168.0.108:123 *:* 1380

UDP 192.168.0.108:137 *:* 4

UDP 192.168.0.108:138 *:* 4

UDP 192.168.0.108:1900 *:* 1884

C:\Documents and Settings\Dad>

Link to post
Share on other sites

  • Root Admin

Yes I'm reviewing it. The file win32k.sys is signed and valid. Do not see anything else in that log myself so I'll check with someone else and see if they find anything amiss with it and get back to you soon.

win32k.sys 9/15/2008 2:5.1 Signed KB954211.cat Microsoft Windows Component Publisher

Link to post
Share on other sites

  • Root Admin

Please make sure all your data, documents, images, videos, etc are backed up.

At this point if you are infected then it's something deeper and it may already have control of your system.

DO NOT do any Financial, Banking, etc type work from this computer at least for now until we can track down the cause. It's possible that we may remove some type of infection as we move forward that could also prevent the computer from booting into Windows, that's why the caution of backing up your data.

MBAM 1.30 was released today.

Please start MBAM and go to the UPDATE tab and update the program and do another Quick Scan, fix anything found and Reboot the computer.

Run a new HJT scan and save the log.

Then run these routines

Important!

All of the following instructions must be run on the affected computer. Logs from a different computer will not help me help you. So, if you need to download all of this and then copy it to CD or memory stick and take it to the other computer, please do so. Either way, it's important. The logs have to be made by the computer with the problem.

I need you to follow the instructions provided here
Pre- HJT Post Instructions
first.

I also need for you to download this program
OTListIt.exe
to your desktop.
  • Close all applications and windows so that you have nothing open and are at your Desktop

  • Double-click on the OTListIt.exe file to start OTListIt. OK any warning about running OTListIt.

  • Place a checkmark in the
    Scan All Users
    checkbox (Leave the 'Use Whitelist' checked' and the 'File Age:' at 30 days)

  • Click the Run Scan button

  • NOTE:
    Please be patient and let the scan run without using the computer

  • When the scan is complete, a text file (
    OTListIt.Txt
    ) will open in Notepad (if not, it can be found on your Desktop)

  • In Notepad, click
    Edit
    ,
    Select all
    then
    Edit
    ,
    Copy

  • Reply to this topic, click in the topic reply window, and press Ctrl+V to paste the log or Righ click paste.

  • Submit your reply and close the Notepad window with
    OTList.txt

  • Also OTListIt's
    Extras.txt
    log file will be minimized in the Taskbar (and located on your Desktop) - click on this and maximize the window

  • In Notepad, click
    Edit
    ,
    Select all
    then
    Edit
    ,
    Copy

  • Reply to this topic again, click in the topic reply window, and press Ctrl+V to paste the extras log or Right click paste.

  • NOTE:
    If the files (
    OTListIt.txt, Extras.txt
    ) do not appear in your taskbar, just open the files in notepad from your desktop.


Please allow me time to analyze your post. If you don't see a reply from me after 24 hours, feel free to PM me.

Then when that one is finished please run this one.

Please download the following scanning tool.
GMER
  • Open the zip file and copy the file
    gmer.exe
    to your Desktop.
  • Double click on
    gmer.exe
    and run it.

  • It may take a minute to load and become available.

  • Do not make any changes. Click on the
    SCAN
    button and DO NOT use the computer while it's scanning.

  • Once the scan is done click on the
    SAVE
    button and browse to your Desktop and save the file as
    GMER.LOG

  • Zip up the
    GMER.LOG
    file and save it as
    gmerlog.zip
    and attach it to your reply post.

  • DO NOT
    directly post this log into a reply. You
    MUST
    attach it as a
    .ZIP
    file.

  • Click OK and quit the GMER program.

When you're done with these please post back the logs from all of them, in the order they were run.

Thanks.

Link to post
Share on other sites

Data is backed up. Here's the MBAM scan, followed by the HJT log. I'll do OTListIt next.

Malwarebytes' Anti-Malware 1.30

Database version: 1320

Windows 5.1.2600 Service Pack 3

10/25/2008 2:31:54 PM

mbam-log-2008-10-25 (14-31-54).txt

Scan type: Quick Scan

Objects scanned: 57060

Time elapsed: 7 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5bf49a2-94f3-42bd-f434-3604812c897d} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{393c2547-b2ab-422c-87af-385238c73416} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8ea86503-476f-476a-a55a-7225082df3eb} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:01:02 PM, on 10/25/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18241)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Dad\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--

End of file - 3881 bytes

Link to post
Share on other sites

Here's the OTListIt.Txt log:

OTListIt logfile created on: 10/25/2008 3:11:11 PM - Run

OTListIt by OldTimer - Version 1.0.11.0 Folder = C:\Documents and Settings\Dad\Desktop

Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18241)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.98 Gb Total Physical Memory | 1.57 Gb Available Physical Memory | 79.09% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free

Paging file location(s): C:\pagefile.sys 3000 3005;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 69.79 Gb Total Space | 13.33 Gb Free Space | 19.10% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

Drive E: | 600.95 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Drive F: | 699.96 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Drive G: | 465.76 Gb Total Space | 412.25 Gb Free Space | 88.51% Space Free | Partition Type: NTFS

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: DANEL

Current User Name: Dad

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Whitelist: On

File Age = 30 Days

========== Processes ==========

[2008/08/01 00:21:05 | 00,573,440 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe

[2008/08/01 00:21:05 | 00,573,440 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe

[2008/09/25 20:57:00 | 00,231,704 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe

[2008/07/17 17:12:24 | 00,161,064 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

[2005/08/05 13:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\mcrdsvc.exe

[2008/09/24 22:03:14 | 00,287,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe

[2008/09/25 20:56:58 | 00,875,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe

[2008/01/10 16:27:36 | 00,385,024 | ---- | M] (Apple Inc.) -- C:\Program Files\QuickTime\QTTask.exe

[2008/09/29 16:55:05 | 01,234,712 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe

[2007/07/17 11:13:56 | 00,049,152 | ---- | M] (Advanced Micro Devices Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

[2008/07/17 17:12:04 | 00,177,448 | ---- | M] (Seagate LLC) -- C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

[2007/07/17 11:13:34 | 00,049,152 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

[2008/07/18 22:10:42 | 00,053,448 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wuauclt.exe

[2008/10/25 15:06:02 | 00,417,792 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dad\Desktop\OTListIt.exe

========== (O23) Win32 Services ==========

[2008/07/07 08:15:18 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice [Disabled | Stopped])

[2008/01/15 03:40:04 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Disabled | Stopped])

[2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])

[2008/08/01 00:21:05 | 00,573,440 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])

[2008/07/31 21:05:00 | 00,593,920 | ---- | M] () -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart [Auto | Stopped])

[2008/09/25 20:56:58 | 00,875,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc [Auto | Running])

[2008/09/25 20:57:00 | 00,231,704 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])

[2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])

[2008/07/17 17:12:24 | 00,161,064 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -- (FreeAgentGoNext Service [Auto | Running])

[2005/04/04 01:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])

[2008/01/15 04:22:44 | 00,504,104 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])

[2005/08/05 13:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\mcrdsvc.exe -- (McrdSvc [Auto | Running])

[2007/12/25 21:46:44 | 00,066,872 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe -- (PnkBstrA [Disabled | Stopped])

File not found -- -- (PnkBstrB [Disabled | Stopped])

[2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services ==========

[2001/08/17 14:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\drivers\aliide.sys -- (AliIde [Disabled | Stopped])

[2008/04/14 00:06:40 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\drivers\amdagp.sys -- (amdagp [Disabled | Stopped])

[2001/08/17 14:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\drivers\asc.sys -- (asc [Disabled | Stopped])

[2001/08/17 14:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\drivers\asc3550.sys -- (asc3550 [Disabled | Stopped])

[2008/08/01 02:38:20 | 03,266,560 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag [On_Demand | Running])

[2007/07/20 18:40:10 | 00,084,992 | ---- | M] (ATI Research Inc.) -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService [On_Demand | Running])

[2008/09/25 20:56:58 | 00,097,928 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (AvgLdx86 [system | Running])

[2008/09/24 22:03:30 | 00,026,824 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (AvgMfx86 [system | Running])

[2008/09/24 22:03:37 | 00,076,040 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (AvgTdiX [Auto | Running])

[2001/08/17 14:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\drivers\cmdide.sys -- (CmdIde [Disabled | Stopped])

[2001/08/17 14:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\drivers\dac2w2k.sys -- (dac2w2k [Disabled | Stopped])

[2004/12/01 04:22:00 | 00,087,488 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb [boot | Running])

[2004/11/23 03:56:00 | 00,040,480 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm [Auto | Running])

[2004/10/14 21:30:46 | 00,155,648 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B [On_Demand | Stopped])

[2006/06/05 01:49:08 | 00,230,400 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express [On_Demand | Running])

[2008/09/13 23:55:18 | 00,133,248 | ---- | M] () -- C:\WINDOWS\system32\drivers\ethzbtwk.sys -- (ethzbtwk [system | Stopped])

[2006/09/19 16:44:04 | 00,015,664 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])

[2008/04/13 22:06:06 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus [On_Demand | Running])

[2006/06/01 00:43:56 | 00,043,264 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI [On_Demand | Running])

[2004/03/06 05:14:42 | 01,233,525 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\IntelC51.sys -- (IntelC51 [On_Demand | Stopped])

[2004/03/06 05:15:34 | 00,647,929 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\IntelC52.sys -- (IntelC52 [On_Demand | Stopped])

[2004/06/16 04:52:40 | 00,061,157 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\IntelC53.sys -- (IntelC53 [On_Demand | Stopped])

[2008/04/14 00:09:50 | 00,014,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [system | Running])

[2001/08/17 14:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Stopped])

[2004/03/06 05:13:38 | 00,037,048 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\mohfilt.sys -- (mohfilt [On_Demand | Stopped])

[2007/07/13 10:20:24 | 00,113,952 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP [system | Running])

[2001/08/17 14:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\drivers\mraid35x.sys -- (mraid35x [Disabled | Stopped])

[2004/08/03 23:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [On_Demand | Stopped])

[2002/11/08 20:45:06 | 00,017,217 | ---- | M] (Dell Computer Corporation) -- C:\WINDOWS\system32\drivers\omci.sys -- (omci [system | Running])

[2008/06/19 17:24:30 | 00,028,544 | ---- | M] (Panda Security, S.L.) -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot [boot | Running])

[2008/05/18 22:06:02 | 00,022,328 | ---- | M] () -- C:\WINDOWS\system32\drivers\PnkBstrK.sys -- (PnkBstrK [On_Demand | Stopped])

[2004/08/10 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])

[2005/01/26 03:03:00 | 00,020,576 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [boot | Running])

[2001/08/17 14:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\drivers\ql1080.sys -- (ql1080 [Disabled | Stopped])

[2001/08/17 14:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\drivers\ql12160.sys -- (ql12160 [Disabled | Stopped])

[2001/08/17 14:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\drivers\ql1280.sys -- (ql1280 [Disabled | Stopped])

[2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [Auto | Running])

[2006/03/01 13:51:15 | 00,051,200 | ---- | M] (Protection Technology (StarForce)) -- C:\WINDOWS\system32\drivers\sfdrv01.sys -- (sfdrv01 [boot | Running])

[2006/02/14 10:48:36 | 00,006,656 | ---- | M] (Protection Technology (StarForce)) -- C:\WINDOWS\system32\drivers\sfhlp02.sys -- (sfhlp02 [boot | Running])

[2005/12/02 05:38:04 | 00,041,728 | R--- | M] (Sonic Focus, Inc) -- C:\WINDOWS\system32\drivers\sfng32.sys -- (sfng32 [On_Demand | Running])

[2005/11/03 10:40:07 | 00,063,488 | ---- | M] (Protection Technology) -- C:\WINDOWS\system32\drivers\sfvfs02.sys -- (sfvfs02 [boot | Running])

[2008/04/14 00:06:40 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\drivers\sisagp.sys -- (sisagp [Disabled | Stopped])

[2001/08/17 15:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\drivers\sparrow.sys -- (Sparrow [Disabled | Stopped])

[2008/05/14 00:12:39 | 00,716,272 | ---- | M] () -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd [boot | Running])

[2004/07/14 12:29:04 | 00,005,627 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5 [system | Running])

[2004/07/14 12:28:50 | 00,023,545 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln [system | Running])

[2006/05/25 19:59:12 | 01,177,032 | R--- | M] (SigmaTel, Inc.) -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA [On_Demand | Running])

[2001/08/17 15:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\drivers\symc810.sys -- (symc810 [Disabled | Stopped])

[2001/08/17 15:07:36 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\symc8xx.sys -- (symc8xx [Disabled | Stopped])

[2001/08/17 15:07:40 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\sym_hi.sys -- (sym_hi [Disabled | Stopped])

[2001/08/17 15:07:42 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\sym_u3.sys -- (sym_u3 [Disabled | Stopped])

[2008/06/20 07:08:27 | 00,225,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6 [system | Running])

[2004/12/06 02:05:00 | 00,025,883 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio [Auto | Running])

[2004/12/06 02:05:00 | 00,034,843 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs [Auto | Running])

[2004/12/06 02:05:00 | 00,004,123 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct [Auto | Running])

[2004/12/06 02:05:00 | 00,002,239 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres [Auto | Running])

[2004/12/06 02:05:00 | 00,086,586 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs [Auto | Running])

[2004/12/06 02:05:00 | 00,015,227 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio [Auto | Running])

[2004/12/06 02:05:00 | 00,006,363 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool [Auto | Running])

[2004/12/06 02:05:00 | 00,098,714 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf [Auto | Running])

[2004/12/06 02:05:00 | 00,100,603 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa [Auto | Running])

[2008/09/25 21:05:14 | 00,102,664 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm [Auto | Running])

[2008/04/14 00:26:02 | 00,012,288 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\tunmp.sys -- (tunmp [On_Demand | Running])

[2001/08/17 14:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\drivers\ultra.sys -- (ultra [Disabled | Stopped])

[2006/11/02 07:22:54 | 00,492,000 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\wdf01000.sys -- (Wdf01000 [On_Demand | Stopped])

[2007/08/28 17:05:12 | 00,055,808 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\xusb21.sys -- (xusb21 [On_Demand | Stopped])

========== Internet Explorer ==========

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default =

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway

HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway

HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-21-1683007301-4088656309-4283784868-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default =

HKU\S-1-5-21-1683007301-4088656309-4283784868-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

HKU\S-1-5-21-1683007301-4088656309-4283784868-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

HKU\S-1-5-21-1683007301-4088656309-4283784868-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/

HKU\S-1-5-21-1683007301-4088656309-4283784868-1006\S-1-5-21-1683007301-4088656309-4283784868-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O3 - HKCU\..\Toolbar: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKCU\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKCU\..\Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKU\S-1-5-21-1683007301-4088656309-4283784868-1006\..\Toolbar: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKU\S-1-5-21-1683007301-4088656309-4283784868-1006\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKU\S-1-5-21-1683007301-4088656309-4283784868-1006\..\Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key does not exist or could not be opened. File not found

O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)

O4 - HKLM..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" (Seagate LLC)

O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)

O4 - HKLM..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun (Advanced Micro Devices, Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-1683007301-4088656309-4283784868-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)

O15 - HKLM\..Trusted Sites: 1 domain(s) and sub-domain(s) not assigned to a zone.

O15 - HKCU\..Trusted Sites: 2 domain(s) and sub-domain(s) not assigned to a zone.

O15 - HKU\S-1-5-21-1683007301-4088656309-4283784868-1006\..Trusted Sites: 2 domain(s) and sub-domain(s) not assigned to a zone.

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)

O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)

O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flash...ent/swflash.cab (Shockwave Flash Object)

O18 - Protocol\Handler: - ipp - No CLSID value found

O18 - Protocol\Handler: - ipp\0x00000001 - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler: - linkscanner - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)

O18 - Protocol\Handler: - msdaipp - No CLSID value found

O18 - Protocol\Handler: - msdaipp\0x00000001 - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler: - msdaipp\oledb - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler: - skype4com - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O20 - See sections below for AppInitDlls and Winlogon settings

========== HKLM WinNT Load/Run ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"load" = poxy4.exx

>File not found --

========== Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]

AtiExtEvent: "DllName" = Ati2evxx.dll -- C:\WINDOWS\system32\ati2evxx.dll (ATI Technologies Inc.)

WgaLogon: "DllName" = Reg Error: Value DLLName does not exist or could not be read. -- File not found

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{47836122-9D2E-476C-9763-B1D366F704E1}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

========== HKLM *SecurityProviders* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]

"SecurityProviders" = msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll,

>[2001/09/18 18:37:34 | 00,016,973 | ---- | M] () -- C:\WINDOWS\system32\ZWebAuth.dll

========== LSA *Authentication Packages* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

"Authentication Packages" = msv1_0,C:\WINDOWS\system32\xxyvuurp,

>File not found --

========== Safeboot Options ==========

"AlternateShell" = cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]

"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []

[2004/08/19 17:07:14 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

Autorun.exe [MZ

Link to post
Share on other sites

OTListIt Extras logfile created on: 10/25/2008 3:11:11 PM - Run

OTListIt by OldTimer - Version 1.0.11.0 Folder = C:\Documents and Settings\Dad\Desktop

Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18241)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.98 Gb Total Physical Memory | 1.57 Gb Available Physical Memory | 79.09% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free

Paging file location(s): C:\pagefile.sys 3000 3005;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 69.79 Gb Total Space | 13.33 Gb Free Space | 19.10% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

Drive E: | 600.95 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Drive F: | 699.96 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Drive G: | 465.76 Gb Total Space | 412.25 Gb Free Space | 88.51% Space Free | Partition Type: NTFS

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: DANEL

Current User Name: Dad

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Whitelist: On

File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 1

"FirewallDisableNotify" = 1

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

"EnableFirewall" = 1

"DisableNotifications" = 0

"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[2008/04/14 00:23:34 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

[2008/01/15 04:22:48 | 19,926,824 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Disabled:iTunes

[2008/09/25 20:56:58 | 00,875,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe

[2008/09/25 20:56:41 | 00,641,304 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe

[2008/04/14 00:23:34 | 00,558,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Network Diagnostic\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{00030409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Small Business

"{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player

"{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}" = Battlefield 2

"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center

"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data

"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE

"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA

"{14298AFE-9001-9CFB-595E-38BB3DCB25D3}" = ccc-utility

"{174D5678-D941-433C-BD23-58A5C7B0D36D}" = Jasc Animation Shop 3

"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate

"{1BA6EE26-3358-B634-FD05-D07C964EE944}" = Skins

"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD LE

"{25F31730-1B6C-4E8E-A3B9-818DC0CD961D}" = Seagate Manager Installer

"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager

"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6

"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java 6 Update 7

"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page

"{36BD0774-6CD6-4FF9-A148-83CA09AC123E}" = Intel® PROSafe for Wired Connections

"{403EF592-953B-4794-BCEF-ECAB835C2095}" = Intel® PROSafe for Wired Connections

"{49FC50FC-F965-40D9-89B4-CBFF80941033}" = Windows Movie Maker 2.0

"{4F55E486-4EDE-A879-B6CC-0B07DD475540}" = Catalyst Control Center Graphics Light

"{548EEA8E-8299-497F-8057-811D2D7097DC}" = Dell Support 3.1

"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool

"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.